
Thank you very much, guys. I'm dialing in from far away Atlanta. It's, that's wonderful to be here. Wish I was up in Knoxville, it's a great city. We'll definitely be doing this again, I'll be coming up again next year. I do get around to the, you know, southeast regional BSides. I packed, I'm sporting my Birmingham BSides shirt, so if anybody's here from the great state of Alabama, shout out to you guys. So today I'm going to be talking about my experience in the, in the field. I feel very fortunate that I've been able to survive as long as I have, and I wanted to share those experiences. I've had a number of different careers or, and, and shifted
gears quite a bit, and I wanted to bring those experiences to you guys so that you can hopefully learn something from my, you know, path and help you, you know, be happy in your career. So, so that's the goal here. So let's get the right button there. All right, so a little bit about me. So my name is Xavier Ashe. I have been hacking since the late 80s, and I got my first job, I started, started a job in 1992, we've got a real job in 1994. So, so basically I've been doing computer security for, for about 28 years now. So I worked for a lot of different types of companies. I've worked for a large
companies like Gartner, IBM, and worked for very high growth companies. Carbon Black was one of my very fun ones. I joined when they were Bit9, I think I was employee number 142 for that, so I was able to see that grow to, I think it was, oh, a little over 500 by the time I left, and they transformed into Carbon Black. Did that a couple times. I was an independent consultant for a while. I always joked that, hey, you're, you're, you're never unemployed, you're just an independent consultant, but that is because all my, so basically, to get back on track here, so yeah in freaking so, you know, and we'll talk a little bit about those different working modes here
a little bit later in the presentation. And I've done a couple startups. I was employee number one for a startup that dealt with micro-segmentation, that was fun. I've, I was part, and I've started my own companies a couple of times, so I've got lots of failed businesses under my belt. Right now I am the VP of security operations. I run a two different, two or three different teams boarding on a yes I went countermeasures, production support, and I still kind of help out with my security engineering team, so I've got a couple of teams on the knife under my belt. I like to brag a little bit about this, and I think with this type of presentation it
is pretty important, but I was a lay minister for a while, and that's really helped me and my leadership skills. I've, and has carried over here, and you'll see, as the things that I care about, it might be a little bit different than what you might hear in a lot of, you know, technical presentations, is that I think happiness and, and your success in your career is not purely, you know, how many certs do you have and how much money can you make. Yeah, that's, that's definitely, you know, what I find important. A couple of different places you can find me on the, on the interwebs. So what do I want you
to take away from this presentation? I started this presentation, all this research, when I was looking at people that were leaving the company that I was working for, for a variety of different reasons, and I found that it was, it was disheartening, because I could see that they were me, you know, some of them were making leaps for the wrong reasons. And, and so when I had the opportunity to coach some of them, you know, to find out why they were looking at leaving, doing exit interviews, you know, and, and hopefully, you know, guided a couple of people. But so I thought, well, you know, there's a lot of good, like, mental health and, and, you
know, how to avoid burnout type of presentations, so I said, yeah, this is, it's gonna need to make a, you know, non-technical presentation this year for the rounds of cons and, and share my experiences here, because I think that this is very important. So I want you to take away a couple points: you know, that you are probably not alone. We're gonna go through some statistics to look at how people are feeling about information security right now. You know, find out why people change jobs, why do people get up and quit, and, and then boy and talk about burnout, it's obvious. We're going to, you know, talk about, you know, how to identify a toxic
situation. I call them hard lines, things that you really shouldn't put up with, and I hope that you will, you know, if you find yourself in those situations, be able to make a change. All right, so, you know, if you get to a point where it's like, yes, I do want to actually move on to something else, you know, what is the grass like on the other side? So I'm gonna go through and talk about a couple of different job types and really talk about the motility of the job, like, what is it that the job is like, not from a technical point of view, because, uh, you get a lot of that already, but, but the day-to-day, the, and
and anybody that's ever, if you've ever, you know, done any kind of job hunting search, you might have come across this book, What Is the Color of Your Parachute. I bring that up and talk about why I think it's a very valuable tool, because it talks exactly about this: what's the, the type of job that you want to have, not necessarily the content of the technical stuff. So, and then, yeah, let's make sure that you can feel confident that you can make it to that twenty-five year mark. So we're going to start things off with, you know, is it just me? So what, you know, let's look at a couple of different statistics here. The, this is
from the ISSA research. All the big differing up statistics from with all the different big organizations, this one is, you know, if last year, most of them not published this year. The trends go back and you can see there's not huge differentials from 2019, 2018, 2017, so this is a, you know, a fairly good study. First off, tell me if this sounds familiar: my company doesn't care anything about security, we are so insecure. Is that, does that sound familiar? You know, in this study, 91% of people believe that their, their organization was under yeah for significant cyber attacks. That's, that's, that's a big deal. In general, you know, it seems like ISSA members are pessimistic
about cybersecurity in general. You know, cybersecurity professionals are doing paid to question the status quo, and, and we, we are paranoid people. You know, that said, we still are very skeptical about our chances for success. When asked about the, the balance of power between, you know, the cyber adversaries and defenders, fifty-nine percent believe that their chances have a, you know, that their adversaries have a big advantage over cyber defenders, and I think that's a pretty big deal, right? So the next one here is, my company does training. This is, uh, you know, sometime, you know, I've heard a lot. I have challenges getting my team all the training that they need. I've been in
that boat for a lot, for a lot of different companies, is that training is there expensive and it's hard to get to everyone. So what does the statistic say about this one? This one, you know, says, you know, 63 percent of works I feel like they have fallen behind in providing adequate training, and this is, uh, you know, it's like pretty significant here. And so training and skills, you know, are still a big problem. You know, the research indicates, well, 93% of survey respondents in this one agree that cyber professionals must keep up with their skills or, or else, you know, or will be vulnerable. So, you know, here this, you know, sixty-three percent say that
they've fallen behind, so this differential here between, you know, it's very important to, I'm not getting what I need, shows that there's still a gap that we need to be able to address, right? So what's, what, what else we've got? There we go. So, we are totally understaffed, right? Yeah, I'm doing the job of two people. You know, you heard my description, I'm running a couple of teams right now, so it is, you know, it's kind of a commonplace problem. And so when asked what is the biggest challenge, your cybersecurity challenge at your organization, the number one answer is: cybersecurity staff is understaffed for my size of organization. So other top challenges in this particular survey:
business managers don't understand or support an appropriate level of cybersecurity, and then the next one was, my organization depends upon too many manual or informal processes for cybersecurity. I thought those were pretty interesting. So let's look at another one of the studies we have. This one is from (ISC)², again their, their last study that they published. Again, number one at the top is lack of skilled experience, is, is, is pretty a big deal, so that, that's still common, you know, can't find the people and, you know, when they're not trained. I like this one, the twenty percent, lack of standard terminat-, you know, terminology. I think that we're getting better with that with
the MITRE, but I still have to, every time I'm talking with somebody that is new to the company or outside of my company, we have to make sure that we're talking the same language, and, and so I definitely feel this one, is that the, you know, without understanding exactly what is what, you know, and is, it's still pretty painful to be able to get our job done. You know, twenty-seven percent of, you know, don't have the resources right now, have what they need. Work-life balance, so we'll talk about that a little bit later in the presentation. And then inadequate budget for key security initiatives, the tools that you want. All right, so
more from this study. I thought this was a pretty interesting review. So the vast majority of recipients here say that they are where they expected to be in their career given the skills and experience, so well, well, well over half say they are either very close or exactly where they expected to be, and that's, that's good, that's some good news from here, is that they are where they, they want to be. And in, almost half, you have forty-nine percent there say they have a good idea of their desired career path. And I would say I'm still, even, you know, twenty-eight years into my career, I'm still probably on the second one: I have some idea of my desired career path. I'm
not entirely sure. I think that's an okay thing to be. I, I like to sometimes just, you know, what, see what opportunities arise and, and where the wind takes me. I think that this is an okay place to be as well. So let's talk a little, and the problem with surveys. And so I came across this one, this is the ISACA survey, though, went through, and it's pretty interesting: why cybersecurity leave their jobs. I thought, well, this is exactly what I'm talking about for my presentation, this was great data. So there at the top, 82% leave their jobs for better financial incentives. Now I challenge, as I said, that doesn't seem to line up with my experience, is that
people don't seem to really leave their jobs for money. So I took a closer look and reread it, and it says, "which of the following factors do you feel are causing cybersecurity professionals to leave their jobs?" So this is not why people are leaving but why people think they're leaving, and, and it's very important. I pulled up another, another book that I had read as part of my management studies called Why Do People Quit, and this is a pretty good study, the, from Leigh Branham that did it. There, this research is based off of exit interviews. I always tried to have exit interviews anytime somebody leaves the company, and, and, and pulled out the statistics. So
employers that think that their people leave for more money is 98 percent. That's, that's exactly what ISACA found, a very high percentage. But employees who actually leave for more money is twelve percent. So the reality here is there's a big gap between what people think is happening and what, what actually is happening, and I think that's very important. So, so if you think that everybody else is, you know, waiting for, you know, getting paid more and it's going to hop over, reality is that doesn't happen that often. So what are reasons for people to leave? So the job was not expected, you know, that they, they thought they were getting into something else that really wasn't there.
The job doesn't fit with their talents and interests. This goes all right along the lines of the Color Parachute, and so we'll talk more about this and, and hopefully give you some insight into what these different jobs are. They got little feedback or coaching. Now, as a leader this is very important to me, because this is something I can control, and I want to make sure that you, you know, are getting that. We can also talk a little bit later about how you can, you know, get, get this for yourself, is that you don't need to kind of wait for your leaders to do this, that you can act on this without having to change jobs. No
hope for career growth. I, a lot of my management training I took from IBM. IBM, you know, I took what's called the IBM MBA, it's a two-year course, and, and, and what's really great about, there's some things that are really annoying about the way IBM does management, however one thing I did take away is that there, you always need to have both a technical track and a management track for people to accelerate in their jobs, and if this isn't present, you get people that, you know, are very talented, but if they don't want to become a manager, they have nowhere to go to. So if you're a leader, make sure that you have, you know, a
career growth for your people that just don't want to move into management. That's just not a given for everyone. Feel devalued, unrecognized. Again, this is something dear to my heart, since, you know, it's, I think it's really in the hands of our leaders to make sure that we are valuing and recognizing our employees. I feel overworked and stressed out. We will definitely be covering this topic here, you know, next couple slides. And last one is lack of trust or confidence in leaders. This falls under my hard lines. I do not think that you're in a situation with no trust or confidence in your leaders is a place to stay. So I, I understand these, that this is stuff that in my
experience I've seen this, that this research fits my reality and my experiences, and so helps as I understand that this is what people, you know, really, you know, move on for. So let's talk about stress and burnout. So burnout is the, you know, exhaustion, cynicism and avoidance. This is the, and I don't know if I'm pronouncing this right, but the Maslach Burnout Inventory, MBI. The Maslach Burnout Inventory is kind of a, it's a research tool for people that want to try to understand burnout, and gives them ways to, you know, do the surveys and index the different impacts these different things have to, to somebody that is in, in different industries. This did not start in the technical industry.
This actually originally began in the medical industry, is that we have, you know, of course the, the stress that, you know, people working these, these long shifts in the medical field were hard even before the COVID-19, real thing, and it does cross different sectors. So let's kind of look into this. So exhaustion is, you know, this classic stress response, you know, basically, you know, coming out from, from, you know, from the big problems employees encounter, but instead from the smaller day-to-day issues, such as, like, too much demand with too few resources. So both physical and mental exhaustion is, is part of this burnout. Cynicism, all right, one of the, you know, particularly thorny issues for
cybersec professionals, since many are paid to be cynical and find problems, right? So this is if kind of as expected of us, but can lead to our burnout. You know, the consequences are employees tend to get negative about the job that they're doing and the people they're working with. Does that sound familiar? Because we just saw in our other thing that one of the, you know, we, we think that, you know, vast majority of us feel like we are vulnerable to a significant attack, so this, this definitely feeds into it. The results in people doing the, this results in people doing the bare minimum and, you know, let's take this job and shove it mentality that can lead to poor
performance and absences. You know, cynicism is, it's definitely one of the factors that can lead to burnout, so we have to keep up with that perceive this. Avoidance is the last factor. So avoidance is, you know, perceived lack of self-efficacy, all right, this is this sinking feeling that you're just not good at your job, you're not feeling confident, you're asking yourself what you're doing there. And this, this survey, you know, says that, you know, or the people behind the survey are saying, is it begins to erode at the person's perception of their value. Now, am I, am I worth anything? And the sense of what they're doing is, is just not enough. So I think that, you know, there is some, you
know, there are things that we can do as individuals to help identify burnout, is to, to understand what is burnout. And then if there's any, you know, leaders here on the call, I think there's a number of ways that we can, you know, start to address these things. You know, looking at our workload. Giving people autonomy or choice to get, you know, how you get the job done. Reward and recognition, okay, you've heard me say it a couple times, it's very important, even the little things, and then it's not just salary and raises. You know, we do want to reward, give that financial incentive, but that's not the only thing that we can do. Creating a workplace community, very
important, especially in your, the COVID-19, is keeping connected and, and making sure that it's not just you to your people, but your people are talking with each other and working together. Fairness with practices and policies, making sure that they're clearly articulated so people know what they are, and it's, you treat everybody the same. And the values, includes, including what makes up an employee, makes it, makes them, what makes them excited and proud to come to work. So if we can take these things on, then I think that we can have a direct impact to, to burnout. Now I want to talk about the difference between stress versus burnout, because stress is going to be there no matter what, you
know, especially InfoSec, we are in, you know, it's going on which rolls your artists operations has a little bit more stress than somebody like in governance and whatnot, but it's, it's still a very stressful role. So, you know, you know, first let's help define stress. So stress is defined as a person's response to a disturbing factor in the environment, okay Ally. It leads to physical, psychological, even behavioral divergence for organizations, for individuals inside of an organization. It's, it's an important part of our work life, encompasses the interaction between us and our environment, and the stress is just there, and it's, it's not always a bad thing. The factors from our environment which, you know, cause stress
or your home stressors, and the intent, the intensity of the stress is not all the same for individuals, right? Some might get highly stressed as they overreact to stressors, while some have the stamina to cope with that same stressor. In general, stress, you know, seems to be negative, but, you know, has a positive dimension. When stress is positive it is known as eustress. There you go, you know, if you take your psychology class, you learn something for today. It is, it's often viewed as a motivator, right? Eustress provides an opportunity for an individual to gain something. The stress is said to be negative when, you know, when it actually impacts our physical body, you know, heart ailment, you know,
represents itself, marital breakdown, drug abuse, alcoholism. So here is kind of a breakdown of a couple of different things that you can start to pair out the difference between stress and burnout, and what stress does to us versus burnout. So, you know, won't go through and read the entire slide, no, but you can see the differences here that, you know, stress and burnout can do. Now, stress can be harmful. You can still be completely stressed out and not experiencing the same things as burnout, and it not be healthy for you. So figuring out what that balance looks like and understanding the differences between stress and burnout, I think it's key to identify, and, and the reason I
bring these up is, is I'm trying to identify, you know, why somebody might be unhappy. All right, so we talked about stress and burnout. Let's look at some other things of saying why we might be unhappy in a particular situation.
All right, number one, is it in the workplace? All right, are you challenged at your job? Yeah, do you get a sense of the fulfillment? These are things that, when you're looking at your unhappiness, could it be that, you know, you just want to do something else? So is it the job itself, the actual workload that is making you unhappy? That could be a possible sense of, source of your happiness. Is it the people? All right, do you have a particular person that you are having friction with, or does it seem to be a lot of different people? And if it's a lot of different people, is it the corporate culture? You could be in a
situation that just doesn't fit with your upbringing, and just, you're having a hard time fitting in. Had the situation where I managed a team in Atlanta and we had the exact same team in Kansas City. Now Atlanta, there's, you know, it's a high-tech city, lots of people, you know, Georgia Tech and ISS and large security folks, and, and the, the culture for most of the people in Atlanta is that people love their job, and if they had a problem they wanted to solve, they would stick around and solve it, even though this was shift-based work, as a 24/7 operations center. It was, you know, people would go and pass their shift and, and, and make sure
problems, you know, that they help solve problems. Kansas City, on the other hand, they were, you know, 9 to 5 or, you know, whatever their shift was. They would ensure that, you know, they were very good handing things off, and, and they were staunch defenders of their, of their work-life balance. They did their, their eight or nine hours and, and then called it a day. And it was very interesting, the friction between the two teams, because we're supposed to kind of be working together. And so it was, it's fairly early on in my career, kind of help point out, even, you know, a couple hundred miles between Atlanta and Kansas City, the vast difference in culture. And, you know, we obviously work
with teams all over the nation of the world now, and so, you know, paying attention to that culture is something that could help open your eyes on why you might be unhappy. Okay, absence of trust. So this comes up again, and so that's, that's one thing that we can, you know, dive into here a little bit later. And no carrots, only sticks, there we go, is that, you know, you know, you're not getting the recognition, you're just getting also it's a negative feedback. So we gotta get a balance of positive and negative feedback. All right, so other sources of unhappiness could be in the condition of your job. All right, so is it the commute?
Here in Atlanta, Atlanta's got really bad commute times. It's, I think it's one of the worst three in the city, or in the nation. But, but even within Atlanta, I have one job that I had to go and it was all backwards, and the stop and go backwards was painful, and I did not enjoy, you know, it was an hour commute, but it seemed like a particularly painful hour because a lot of it was just sitting there waiting for a red light to go. It was not enjoyable at all. So, so that can provide, you know, a source of unhappiness, so, but that's something that can easily be identified as the source. Worker, working hours of, uh, you know, work-life
balance. You know, this is a, a particular hot topic for me, again because as a leader, and I try to, you know, control this for my people, is that, you know, you've got to make sure that you are in a place where you, you know, enjoy the hours that you work. Some people really just love to put in those, those 10-hour days, and they don't feel fulfilled until they do that. I don't think that, you know, if you're in a position where you're working too much for a long period of time, is, is not healthy and can lead to that unhappiness. Next point: office, open office. I hear this complaint a good bit. Unfortunately I'm not the ultimate
leader, so I don't have a whole lot of say over this and fixing this for my people, but I can definitely understand the stress that comes toward, you know, working in an open office, is that, you know, when you've got people that really want to be enclosed, they don't want, you know, the constant walking up and having people interrupt them all the time. It can lead to unhappiness. So, you know, can you fix this by working at home some more? I mean, obviously now everybody's working from home, and so hopefully that's, that's leading to some relief for those people that really hate that open office. Equipment or software: are you running a five-year-old machine running Windows 98? I might be
insensitive stress for you. Dealing with red tape and practices, another. So, so again, the whole point of this, this slide is, so when you're, if you feel like you're unhappy and it's not stress or burnout, maybe it's one of these things, and so being able to identify these helps you determine, is it, you know, time to leave, and if it is time to leave, where do you want to go? But before we go into that topic, let's talk about my hard lines. These are, you know, a lot of different studies and toxic workplaces, is a situation where I found that if any of these, these things are present, it's, it's, you know, it either needs to be fixed or
I need to move on, and you need to find those for yourself so that you can understand when, you do not get stuck in a situation that you need to put up with these type of things. So, lack of transparency. Now this one doesn't sound bad, right, lack of transparency, but what I'm talking about here is the not knowing how you're being measured, and seeing that measuring stick be a different length for different people. All right, you are getting fussed at for something that, you know, somebody else gets, you know, does the same thing and they, they do not get fussed at, you know, and those type of things where you don't know what your expectations are. You
can't be successful in that. And so if you, and, and the other point along this topic is, is around the people, you know, being shifted around, moving, moving from different roles to different role, and, and management is not forthright with what's going on. And obviously since I've been on both sides, you know, I think that's a big crime. I would, I would say that this is one of the hard lines. Chronic overwork. So talked about this a little bit before, but, you know, if, if you are constantly working 50, 60 hour weeks, that is a failure of leadership to staff appropriately, and it's not something that you should put up with for a long period of time. There's some
exceptions to this, and notably is, you know, startups, and we'll talk about that in a bit. And, and, you know, you might think, hey, I'm young in my career, I need to, you know, cut my teeth, and, and, and yeah, this is expected. And, and no, abusing your employees is not expected. Just because you are, you know, in an entry-level position does not mean that you need to work 80 hour weeks and get paid for 40. So everybody should stand up and insist that this is another problem. Now, we're all going to have those situations where we will have 80 hour weeks. There's security incidents, things that break, we got to fix it, you know, lots of reasons
to have a stress where we can do some overworking. I'm talking about, you know, overtime every week is not acceptable. Next point: narcissists and bullies. Okay, these, the narcissists are people that, you know, care only about themselves. Bullies are sadistic people that are looking to, you know, that really get pleasure out of abusing other people. And these people are poisonous, they're toxic, and it says a lot about an organization if that is the person, if that person is able to survive. I will say that, you know, there seems to be a couple of these in most large organizations. I still don't understand how they keep their job, and, and, but they generally, these type of people are very
smart about how they're clinical evil, and it's very annoying. So if you cannot move out of that role and not be reporting to that, you know, narcissistic boss, then, you know, moving to another, another job, don't wait around for the organization to figure out that this is a bad guy. Now, not to say that you shouldn't take things up with HR. Always take that route if you, if there's a particular individual, you know, open the, open lines of communication with HR and see if you can do anything. There might be other, you know, other people that are afraid to go to HR, and you might be the one to be able to help get one of these
narcissists out of the organization. Next topic is the back-channel backstabbing. So this is a situation where everything seems to be normal, everything seems to be good, nobody is fussing or yelling at each other, but, but in the, you know, on, on a Slack or instant messenger, everybody's just typing away, talking bad about the leaders, talking bad about other people, you know, lots of negative gossiping. This is a telltale sign of a toxic workplace. It's, it goes to lack of trust in your, your people, of communication, and, and people fill in the gap with negativity. And last one is a big one: hate is tolerated. This is all of your isms, racism, sexism, ageism, you know, true, truly hateful people. Again,
like the narcissists and bullies, still seem to be able to thrive in some organizations, and if that type of negativity is not dealt with by your HR, then that is not a company that you shouldn't be a part of. And, and, you know, it might even be like for the folks in different West Coast organizations that stood up and, and, and went public with that, you know, that we need to be able to hold people accountable. This really goes 2020, we should not have to be dealing with this kind of stuff in our workplace anymore, and sad that we still do. So, hard line for me. All right, so I've kind of talked about some different, you know, things that could be
making you happy, things that could be, you know, hard lines for you, and you've decided, yes, I want to move on. Let's look at where you could possibly move on to. And so this is where, you know, hopefully bring my experience in different, working with different companies, to kind of help you understand some of the experiences that you might get. I find that the security department of these different size companies is, works a lot different. So, startup. Unless the security, unless the startup itself is about security, likelihood is that you will not have a specific security job in the startup. This is, startups usually use virtual CISOs and consultants to kind of come in and do security for them,
but there's not going to be a security position. You know, there's an exception to that rule, I'm sure, but in general, if you're going to be working for a startup, it's probably gonna be a security startup. It's a lot of fun, but that with startups and, you know, the last boat they're starting your own business, is that, you know, expect to, to be putting in lots of hours. You, you exchange something for either starting your own business or joining a startup: you do not get paid as much, but the passion is there. The reason that you're there is to help build something, build a company that is very important to you, and, and that passion is usually shared by everyone that's on the team,
and it translates into, often, you know, very long hours, because, because everybody, you know, really wants to see it succeed. So, so go in there with eyes wide open. If you get the, I would say if you get the opportunity to do this, just make sure that you're in a good place where you can help support that passion, that it's not going to negatively impact your family, your spouse, or anything along those lines. You know, so, small company, is that, you know, as it gets bigger, like I said, I joined, you know, I told you about joining Bit9 when they were about 150 people. I did the same thing early in the 2000s with a
consulting house and train company and and these these are can be a lot of fun you're gonna wear lots of hats you're probably going to be an IT guy that also does security or a security guy that mostly does IT you know the type of people that just focus on supporting the company is a few and far between and so if you're the type of person that wants to kind of run it all working for a small company is is a good place to be medium sized company once you hit about thousand employees somewhere between 500 to a thousand employees companies start to trans transfer in or move into this you know taking the 30-hour large
company and so you start getting a lot more specialization you know usually at this point you know company's going to pick a CISO or you know have some type of senior leader security and and that the security needs that that company is going to start to have a fully fledged security department but also expect to be wearing lots of hats I really like working for these size companies the reason is is that you you generally have some pretty decent budgets you can buy lots of toys but then but then you also get to play with lots of different toys there's not the uber specialization that you get in the larger companies and so I was a security
director for a company that had about 1,500 employees you know it was great because I could go from working on secure coding with the programmers to vulnerability management to Incident Response and you know and even as a Security Director I was able to kind of you know see all the different areas now as we move into the larger company you're looking at a much different experience you start getting into the kind of uber specialization I work for a company now that is about 90,000 employees and and so we have you know specific teams to do you know just data protection just DLP just encryption just you know so that you're able to like focus on a very slim area of security
and this is a great to become like seven uber expert in a particular field also working for these large companies give you a chance to to move between different roles so very often I encourage my people that report to me if they you know to move on every year or so into something else if they want to to be able to you know get the experience of going from becoming a tools administrator to an engineer to an architect those type of things all right now working for a security company is not the only way of doing this right you a security vendor is also a great place to move into what's great about working for you know a security
vendor is that if you are not the uber technical type let's say that you like writing blogging or social media you like you know sales and marketing on you know you can be in the security world and do those type of non-technical things and so if you're if your parachute is of a different color but you still enjoy the security world reach out there for those security vendors now security vendors also have a tend to have a bigger aptitude for being able to work remote they tend to pay a little bit better but you also are probably going to be bought out and go and work for one of the big vendors like Broadcom or IBM and or Cisco and so
I kind of expect if you put any time as a vendor you will go through a merger and acquisition security integrators and resellers this is a you know companies like Optiv but there's also small and mom-and-pop resellers that are really fulfilling I did this for a couple of years and and so you know that your experience and it's gonna be a lot different if you work for a smaller integrator than you do with these the bigger shops the bigger shops are gonna feel a lot more like third bullet there which is the consulting shop and and consulting is definitely a different beast if you work for a consulting shop you know and and sometimes even as
resellers you're you know you're the profit right you're you're that you're the revenue generator and so you need to be out there in a billable mode which means there's there's a lot of work there it can be a lot of travel and but you also get a wide variety of experience this is what I did when I about half of what I did when I was at IBM is I traveled the world being consultant for lots of very large different companies and and it was a great experience so but know that like I said with the high demands of work and high demand of travel even though that we're not traveling right now if you're
looking at moving into consulting make sure that you can understand that going in that again that you're at a good place where you know travels I can be detrimental to family or whatever your situation is managed security provider that's another good one where we hire a lot of people that have been worked for you know IBM/ISS here in Atlanta it's a it's a good way of kind of mixing both worlds you have a situation where you are providing security for somebody else but you get to do you know some of the more blue team type stuff and and work in a SOC but get a wide variety of experience and then end up in a
consultant so there's the times in between the jobs now as an independent consulting I basically used LinkedIn as a sales tool basically turning myself on as available I get flooded with people saying hey you want to do this you want to do that so this you know are it's commonly referred to as gig economy is can be very lucrative I made a lot of money but then that also went with times where I did not work and so going into either starting your own business or independent consulting you have to be able to plan for times where you're not gonna be making money for example it might take a month or two to get a
contract in place and then they've got net 30 or net 60 terms which means they won't pay you for your work so you work for a month you bill them you don't get paid for another month or two months so you can see how this could be a large gap of getting revenue in so there's business loans that can help cover that gap but you need to be make sure to plan for that all right so there's some colors of the types of companies let's talk about different roles and so I'll go through a couple of these will read the entire slide will preview for writing a slide deck for everyone on both the schedule page and if it works
out on Discord so the SOC analyst or security operations so this is looking at these types of roles like SOC analyst and incident response you're going to be typically a work typically a shift worker so that means that you could be working second or third shift and that might change so so be prepared for that the type of job there is typically process and procedure driven is that you're going to be given you know you need to do every time that this button comes up you need to do XY and Z and very prescriptive it's good for you know grateful places that were your entry-level and you're learning and you don't you know necessarily could not
self-drive but but that you know it's not for everyone that you gotta understand that the that those type of process and procedure driven jobs is a it's for a particular type of people Security Administration so this is security engineering tools production support your this is these type of people were going to probably work a day shift but carry a pager pagers are little things that you know for you young kids that you've probably never had but you'll be on on-call rotation and so okay expect that interrupt-driven work you probably are going to be doing your own little projects you're going to be improving stuff upgrading doing stuff they keep the tools running but it's an interrupt
driven job you kind of work normal until something breaks you get a ticket in you get a call it's interrupt-driven job so it's a different mode of working security architecture and sometimes in engineering as well is you have you know typically standard hours this type of job is very project driven and so you're you're always working toward either a sprint or you know a milestone or something along those lines and project management terms and and the work is very different from somebody this interrupt-driven so I kind of want to drive that home is that you know if you're going into a role try to figure out the modality of how the job actually works threat intelligence you know this
is a job and I also got later threat hunter very similar is you know I've seen it both standard you know nine to five or sometimes if work is but it's research driven so you get you know you you are chasing down ideas thoughts you know you've got something that you want to you've got a hypothesis or you want to prove or not these type of jobs are research of and so I said I've got a couple slides here that have a couple of different roles like this and you know looking at the different modalities of these jobs like I said I won't go through every single one here's a couple more call out you know
governance governance is a great place for people that really feel that security operations might be too stressful typically governance roles are you know you get to do some you know third party risk management policy governance writing policies and and guidances and going through those type of risk management models you've got business experience or that's something that you really you know you know are interested in governance is a great place to get some it's another good good entry point into security and it's also a good place to give a lot of different varied experience because of the different places that you could be interacting with as governance and like I said it's it's it's usually either a project
driven or interrupt driven according to the role and then audit is another kind of you know different animal auditors tend to be it's a much more detail-oriented role and and it's something that you know is you know a lot of people use it as an entry point to get into security but it's something that I would say is it's definitely you know got a different you know flavor or taste than the rest of these but it's a great way to kind of get in and get a lot of very good experience so I do love my auditors and a couple more here for sake of time I'm just going to glance over and and
move on to one of my favorite books like said is the what color is your parachute so if you are seriously considering moving jobs or even if you want to figure out that how you work and and would like to work pick up this book it's not very big book there's lots of different editions you can have the I think there's a 2020 I'm sure there's probably one for like technical work I didn't look closely there may even be one for information security but they're all basically the same the idea is to figure out how you how the actually the realities of the job are and what is something that you would like to do and
this to me translates into a lot more happiness and career success than having a you know being the most technical being the smartest being the you know person with the most followers you know those are not my goals my goals are to find you know jobs to me that fit my modality of what I like so on the graphic here is is from that book you can see you know it's this is one of the worksheets that takes you through and you can see the kind of things that it's it's gonna have you write out and and then you can take this and then look at the different job categories and figure out you know yes
oh I'd love to be able to be a SOC analyst well you know is the reality of what a SOC analyst does besides the fact that it's young pays well is it the type of job that's gonna keep you happy is if you're not happy you know back to those seven people seven reasons why people quit if it's not fulfilling it's not challenging you if it makes you so unhappy and so stressed the money is not worth it so how do you find happiness so you know a happiness is something that you have to go back is you have to constantly you know be seeking happiness and so the ways that you can do that
self reward don't necessarily wait on your leaders to get to give you your own rewards you know you can you know what you've done you know what you've done and you know give yourself some incentive reward yourself on an ongoing basis this is very important responsibility so we are entitled to ourselves before anyone else a happy employee is always willing to take charge of his or actions and proactively engage his or their skills and this it's that's that's very important too for seeking happiness job satisfaction is Xavier yep Hey how we doing on you have much more I hate to interrupt but second to last slide all right wrap it up so job satisfaction is often you know mistaken
to be the same as workplace happiness but I believe that there's two different and finally a cognitive awareness and flow and the same time won't skip over that but you know I I think that in the end finding happiness is something that we have to ensure that you are actively seeking on an ongoing basis so to summarize here so how can you redefine failure make sure that you understand that what has been successful for you and what is not and understand that probably the things that you might have considered failures in your life are just learning experiences and and chalk those up to wins make make those a success for learning that this is not the type of job that
you want um so you are not alone out there you know there's a lot of people that are stressed about the same things that you're stressed about and don't let that be the reason alone to move to a new role avoid you know stress then and make sure you do not does not lead to burnout and and if you are unhappy try to find the source of that unhappiness and be you know maybe you can fix it or or or shift it in some way that you don't have to change roles look before you leap and and when you do know yourself before you leap there so that you know what the color of your
parachute is and what's going to make you happy you know as you that I want you to always continue to seek happiness with no matter what your role is I appreciate you guys sticking with me for the last 55 minutes and I'll go ahead and hand things back over to our moderator thanks thank you everyone and have a good day yet before you jump off we do have a few questions I think you mentioned on you you might be uploading the slides to the the Sched I will get that uploaded yep and so when we open up my Discord here so BSides Knoxville so the the the Discord has an 8 meg file limit okay I
should be good I think it's gonna count out most most slide decks but Sched should be fine to upload attendees BSides Knoxville 2020 dot s-c-h-e-d dot com sched dot com that's how I'm choosing to pronounce it it might be wrong but that's what I'm doing and and we do have yes so a few quick questions here I think we have time for Shenmue gum asks how how would you advise on getting higher up in the layers without being a manager how to tune one's career in situations where you get exposed to every technology but only a short amount of time due to the changing nature of the job yeah and that's that's a lot of
times you'll get that in either smaller organizations or in the consulting roles and it is you know to me I just did that shift is where I spent probably about 10 15 years and these consulting so I was going from job to job to job and saying you know hold on I'm gonna move out of the vendor world and go back to you know working for a company and so if I'm moving into you know those type of roles for a larger company I'm able to stay in one place for a lot longer and to me that's where I met my wife has given me more happiness now that I can you know stick around and build something as
opposed to the all the different experiences that you get with consulting and so yeah I would look for you know a role you know say maybe with truest just saying possibility yes I've seen larger organizations that have like a distinguished engineer route where you can go a technical route up the chain yeah distinguished engineer IBM term but uh but yeah those those that is definitely something that you should look for if you would like to stick around at a company so in a situation where you feel singled out the environments toxic your managers don't have your back when when is it time to leave versus sticking it out like how far do you stick it out before jumping
yeah it's being able to like when you identify and if you're able to identify what's making you unhappy you know you know some people might just have a general dread of going to work well then let's drill down into that and find out is it is it you know is it the people is it the place is that the work and then once you be able to identify what's really making you unhappy can you do something about that and if the answer is no then then yes it's time to move on that's that's basically is figuring out what you have control over and what you don't and if you don't have control over it then it's
time to move on all right excellent thank you very much I think that's it for the questions and I really appreciate you giving this talk I found a lot of it really interesting having been and management's son myself and been in a lot of the situations that you described I appreciate it was a big for you sharing and thank you everyone for joining and spending your morning with me all right hope you will hang out for a bit in the discord we'll see you there