
Yeah. - I know. - Right, right, no, I'm just like no I'm sorry. - Oh, the bad plays. - You want to do a little trick? - Yeah, yeah. - Just say it out to your friends. Yeah, that's right. I like that. I like that.
- Take a picture of it. - It's getting a little fuzzy.
- I'm sure that we've, of course, as you have. - Yes, yes. - Hello. - Oh, okay, okay, good. Fabulous. - I'm very close. - What does shift mean? - Shift, what can shift mean? - First two words. - Okay. - Okay. - Okay. - Okay. - Okay. - Okay.
Hi. We're here to network. My attention. Sounds like a good stage, but they really swapped you. I swapped them. Yes. Now get out. But for the third shift, there's a constant. Well, so, 12 to 1.30 is my date. Go get lunch with me. Yeah. - I'm having a hell of a stress today. - Okay, great. Let me get my slideshow thing. Yeah, every time you turn it on, turn it off, it doesn't fix it, it breaks up. - Break this thing. - But it's not. - Right, but it's not, is that the squareness of the projection? - Right. - So, it's great, but I just don't think I heard. - I just do it both. - That is not accurate.
Yes, 10 o'clock. It says 830 networking. It's live, yes. Okay, I appreciate it. Yeah, it's been a good day. Hi, you know what? It's the same thing in my life. Thank you very much. Thank you. Thank you. Thank you. Good morning ladies! How are you? Fine, how are you? We missed having you in here. Well, if you give me like five minutes, I can give you the spiel about what I do in here and we can talk. I just need to get my audio visual up. Because one of your employees is actually my career coach. Jen? Jen? Yes. So, Steven, before you leave, I have two things. So, I'm not going to yell at you.
I'm just going to come over and let you know that I have two things. Don't panic. That's my job.
Closing
Yes, but it's better than what it looks like. It's technically... It's a... How are you? I'm all right. - Oh, absolutely. - Pleasure. - Thank you. - And this already happened to you?
- Yes. - And this is new to me, guys. - Hi. - Do they have similar things? - Well, our entire thing is always on screen. - It looks great. - I don't have to ask. Yes, and it's back on the cart.
Where's the handheld? It should also be on the card. On the card, okay. So then from there... So that's a podium mic if someone wants to, because that should already be live. Okay. So you want them to hold it versus... Right, so the idea could be that, no, it's tied down. So then they have to... Test, test. Thank you. Okay, so these are also hot. They unmuted them for me, so I'll go reboot them since we're not using them today. Thank you. Because if I... Okay, that's... Could you please mute all of the podium mics except for... Actually, you know what? No, no, they're labeled. Actually, what I'll do... Oh, no. Okay, so we're going to go ahead... But this is a wired one.
Yes, but you don't... Right, but I'm talking about the other speakers, so I don't have to keep having you come back. So that's what causes the feedback. So if we, so, okay, do me a favor, set that down, please come to the board so you know which button to hit. You may want to take a note. All right, so all of those should be muted. Thank you, yeah, because it says pod on the bottom. So they didn't, they weren't so much, okay.
Okay.
Test, test. No feedback. Yeah Okay, now I trust me I haven't forgotten it's more of a finding time to do it than a Because I love doing that kind of stuff like I won't I won't forget to do it. It's Yeah, and remember pinwheel, right? Yes. Pinwheel is all excited because he loves the radio tech. Oh, yeah. So I got my tech license because he was all jazzed about it. And so I did it, and then I'm like... Congratulations. Thank you. Yeah, yeah. So I've got my, I can turn it on. All right. All right. Thank you very much. Yes. Oh, thank you. Thank you. Before you walk away, what do you need me to do? Because, like, normally I
introduce the speakers and everything, but if you want to do that. So that's what I do in this room, and that's why it's, I'm still in the learning year of how to tweak the systems, and, of course, everyone changed this year. So everyone I worked with last year, we worked out our workarounds. So in this room, I do the introductions. What I need help with is setting up the speaker, handling any of this feedback situations that happens frequently, and then doing the walking around with my friends and giving the countdown to the speakers. So countdown, you've got a new room box. There it is. Yep. Okay. All right. So countdown, soundboard during their talk, and then walking around with the microphone
for questions after the event. And helping the speaker, whatever. We have some people who are -- Outstanding. We don't have any volunteer in higher ground. So I'm not a V. I'm a room host. So I can't run the cameras and everything. Oh, yeah. Okay. Early and wonderful. - I'm late for everything, so I should-- - Excellent. - So that I can hold this. - I'm late. Yeah. All right. I think we're good. I'm here. As soon as we get baby. Baby. So, Sean, this is our 1030. I broke your shoulder, so this is a pop. Whatever you need, I'm here for you. Yeah, that's great. Are you the first talk of the morning? Yes. 1030 is probably going to be
early for our dinner. Yeah. Do we have a Mac charger? For a MagSafe 2. Or a USB-C. We have USB-C. I can also just grab, do you have a USB stick? I'll put my presentation on your laptop. We have a USB-C adapter. This is not USB-C laptop. This is a MagSafe 2. Well, MagSafe 2 is for power, right? But I don't have a power cord. That's what we're asking. Yeah, I could check you, Branch. I don't think so. Is the battery charged? Yeah, the battery's fully charged. Okay, so as long as we're... We're at 100%, so it should be okay. So the adapter that you have on the side, the connector on the side, should be a small rectangle there?
Yeah, yeah. Yeah, so we've already got the right adapter. Oh, I'm not worried about that. It's mostly just power. Can I steal this? Yes. There we go. Yeah.
It looks like they're trying to sort of basketize the old exit. I can try to come prepared, and then I leave my power cord. It is charged. It is charged. That already is good. I didn't come with zero battery and no power cord. How come it's been crazy the last 20 minutes? Because you have real locations. Yeah. That's the right answer. Yeah, you have slides up. So, I have 45 minutes for the slideshow. Yeah, just for what's on screen. And 10 minutes before we can get set up. I have spare minutes. I have a whole one of these. You have spare to play anywhere? So I have... Actually, hold on. Let me see what the battery status on this one is.
Yes, this is my... I am in here. Are you good? Do you need to use the restroom? Oh, yes, I'm definitely going to need to use the restroom. I'm not going to walk. No, that's fine. I just have a little clock. I'll also have a clock. I also have a clock on speaker notes. But I'm probably not going to run out of time for questions. One of those topics that I figured. So, have you ever had a conversation with your speakers? What's the area to do that? Even when I'm presenting to other girls, we've had, as a poor woman, it was a person. That's the coolest thing I've ever heard. I like this room. And
the whole office. She's obviously very ashamed of her. May I say it? No, I didn't put it in the AP. That's it. That's it. Wow.
There will be no break in your presentation. No, I have nothing crazy other than my actual talk, which is crazy enough. Last year I was here at the board meeting. What is the conversation that has been going on since the 4,000th? That is amazing. That is absolutely incredible. Did you get that? So this is where I always get my B-amazons. 4,000 people. 2,000 in security ops. 2,000 in security ops. Right. That's the point. You guys are doing the right thing. If everybody did it like you, it would be much more interesting to
more today than three months ago probably the challenge
Isn't that a wild thing to be able to talk about? It's awesome. I mean you know obviously I know a lot of those guys.
Thank you. - You guys are just off-putters. - Our goal is not to get you to the ground. - We're going to have to do it right. - We have to wait. - We're going to have to wait.
All right. unless you're unless you're a second option - Do you understand our situation? - Yes. - I mean, a lot. - Yeah, I'm sorry. Thank you. Oh, you're the one. Yeah. Thank you. Yeah.
Thank you. Yeah. All right. Thank you.
This is the chat room. - I'm sorry.
yes
Thank you.
Jackets gonna be off. All right. My mic is not... Yeah, that kind of stuff. So is this one... Okay can we tell him to turn his collar down? You can move my computer. Test. 90 seconds.
How many years have we been doing this? So next year I'm gonna have you do the kickoff. Do you need a stress relieving sucker which is just B12? It's not anything else. Phone is off.
Good morning Higher Ground! We're kicking off our second day of Higher Ground here in Florence B. It is so exciting to have Higher Ground, one of the most integrated career tracks offered here in Vegas during the Hacker Summer Camp. We not only have great content sessions, we have phenomenal vendors and employers around the room with jobs that they would like to talk to you about. We also have career coaches and resume review going on starting at noon, going through until 6:00. So it's really great to have you here. One thing I'd like to ask you to do once you leave, we've got some sort of anonymous surveys here at the front. It's really helpful
to me to be able to get sort of a gauge of the audience. I'm not going to give you a prize or anything like that. Your prize is giving back to the community because I need to be able to create the content year in, year out, but I need to know what's going on in this room. Are you a newbie? Are you looking for a job? Are you looking to change careers? Are you looking to change industries? So if you wouldn't mind, on your way out, stopping by and filling out a survey. So it is my pleasure for the third year in a row to introduce my friend that I only get to see in
Las Vegas. We always do this talk at the beginning of the second day because there is a good portion of the community that does not go out and get a little inebriated on Tuesday night. There are people who come here really to work on their careers and to really work on networking, and they want to hear some of the more advanced things, not esoteric, but sort of the 30,000-foot view talk about what's going on in the community and really get you thinking as you move on through the rest of the day and maybe moving on to DEF CON. So without further ado, let's give a round of applause for my friend Mike Murray. And
I think my mic is live. Yes, excellent. Perfect. That handover worked well. All right, so I'm going to warn you all up front. This is my favorite talk that I get to do every year, and it's also the talk that is the most nerve-wracking because, I mean, all of us are pretty used to the standard talks around here. I would get up and I would show screenshots of IDA Pro and talk about how I reverse-engineered something or what I broke into that day, and this is not going to be about that at all. This is going to be a really... different look at, I think, a thing that impacts all of us in ways that most of us aren't aware. And culture has become a huge
buzzword. If you read any business book in the last 10 years, everybody likes to talk about culture. But it's usually presented in a pretty esoteric sort of, you know, philosophical way. And my goal today is to break it down in a way that makes you think about the place that you work today, the place that you'd like to work, whether that's the company you work at today or not, and what you bring to the place that you are integrated in. One of the really hard things about culture is actually defining it. One of the most interesting things you'll find is if you try and get a definition of culture, the basic definition seems to be: every thought, feeling, attitude, behavior that you have that's relevant to the context
in which you're in is part of the culture. And if it's not, then it's not part of the culture. But it's hard to define what those things are and what those things aren't. And so until you start to understand that culture is really all of the things that, all of the attitudes and beliefs and behaviors, and especially all of the signals that shape your behavior. And if you don't understand signals, we'll get there. And that culture is not one thing. It is not a monolithic thing. We talk a lot about company culture, but there's no such thing as company culture. Company culture is actually a set of overlapping circles. And by the way, this is
both my favorite slide in this presentation and my least favorite, because this slide is actually completely wrong. Yeah, I know, I wrote the slides. But I'm stuck with Microsoft SmartArt, and this stuff, because nobody wants me designing anything graphically. And the other parts of this is, this is only true if things are perfect, right? Culture is the idea that, the idea of culture is that we have overlapping cultures in every organization. Your team has one culture, right? Your small work group. The organization that you're in, you're in engineering, you're in the security team, you're in security ops, whatever that function is, has its own culture. If you have multiple offices in your environment, I just came, I was at a company called Lookout before,
up till about last week, and at Lookout we had an office in London, we had an office in Amsterdam, we had an office in Boston, one in Toronto, and one in San Francisco. You think the San Francisco office was different than the Toronto office? Yeah, right? And so each location has a culture, each sort of meta organization, engineering, marketing, sales, they all have a culture. And then the whole company has a culture, ideally set from the top, right? And so this picture makes it look like all of those things align. I bet every one of you knows that that's BS. Every one of you has been on a team where you're like, "I
love the culture of this team, but man, this company sucks." Or the other way around, "I love this company, but man, my manager is terrible and I hate working for that person, and so I hate coming to work every day even though I love everything about this company." And so, like I said, it's important to understand that you have many different cultures interacting. And I have society as sort of the meta piece there, which I'm not going to talk about here, but it's sort of implied in location, right? If you have an office in Canada, it's going to be more Canadian than an office in New York City. And so understanding that allows you to
ask yourself, when culture gets dysfunctional, which part? It's not every part of the culture. It's not every level on this chart. It's probably one of them, but probably not all of them. And because of that, we have to realize that culture is actually really, it pervades everything we do on a daily basis. And everybody's heard the, or many people have probably heard the old quote that is attributed to Peter Drucker. By the way, this is one of those interesting quotes that nobody actually knows the origin of, but it definitely wasn't Peter Drucker. If you sort of search, it's really ambiguous where this came from. It looks like it was a marketing slogan of some consulting firm in the 90s, and then somebody
stuck Peter Drucker's name on it, just like half the Einstein quotes on the internet. But the idea of this is right, right? You can have the best business strategy in the world, and if every one of your employees hates coming to work, are you going to execute on it? Of course not, right? And so, and truly, we could get really deep and talk about how culture and strategy must align, but that's a whole other conversation. The point of talking about today is to talk about how cultures are formed and how you act within them. And the most important thing about culture is actually signal theory. How many people know what signal theory is? A couple?
All right. So basically signaling, and it was developed first in economics, is the idea that we pass information to each other in a ton of different ways that don't involve what we say and don't often involve what we do. The original example of this in the first economic papers was the value of a university degree, the value of a diploma. And they started talking about the idea of why does a diploma mean that you get better jobs? Actually, we can play the security version. Why does a certification matter? Every one of us has had, hell, I think my first year on this stage I talked about certification. If not, at some conference I've talked about certs. The point of certs is that they're a signal.
Everybody knows that if you get a CISSP, that that doesn't actually mean you know anything. But why is a CISSP valuable? What does it actually convey? When you really think about it, what a CISSP ultimately conveys is, I'm interested enough in security that I read a bunch of books and I went and spent $600 on a test. But that tells you a lot, right? The value of that signal is that I now know that you care. We were just talking about how you ended up in security. The signal of all the things you did, of coming to DEF CON, sorry, for anybody who doesn't know, you've got to go watch her talk from yesterday. Sherry,
yes. Sherry's talking to me on today, if you want to watch it. Yes. It'll be cool, I promise. But the reason that her story is so interesting is because of what you signaled, right? By coming to DEF CON even not knowing anything about security, that says I'm interested. And all the first timers here, actually, anybody here a first timer? Whoa, okay. All of you have given an incredible signal. I care about security enough to get on a plane and come to Vegas when it's 110 degrees in the middle of the summer. Right? And put up with all of the BS that goes along with being here this week. This week, I don't know about all
of you, but I'm exhausted already and it's Wednesday. And I'm here until Sunday, and by Sunday I'm not going to want to talk to anybody. But that's the point, right? We all come here to show each other, to signal to each other, "Hey, I love this industry. I want to be a part of it. I want to work here, and I want to stick around." That is a signal, and that's what signal theory is all about. And you see signals throughout the world. And humans are signal processing machines. In fact, every animal is a signal processing machine. One of the sort of common trite examples of signal theory is the peacock tail. Everybody knows what
a peacock's tail feathers look like. Why does a peacock do that? What is the point of this bird having all these excess feathers that don't help it? Anybody know? Mating, but why? What does it say about mating? Correct. The fact that it can have such an ostentatious display of tail feathers suggests it's healthy. It can provide. It can take care of itself. And that's a much more honest way of showing that than if it just sort of hung out a sign that said, "Look at me, I'm healthy." And so signaling is about showing what is important to you and showing what matters to you in ways that are honestly able to be communicated. Now why am I talking about all of this random stuff? It's because in a
corporation and in an environment, signaling is everything. And actually, I threw a slide in last night, one of my favorite management philosophers in the world, in engineering and technical thinking, Camille Fournier. She's phenomenal. If you haven't read her book on management, you must. It's amazing. Camille posted this on Twitter last night. And I had to take a screenshot and put it in this presentation because literally what she's talking about is signaling. The idea, everybody can see how I'm dressed today. I'm wearing a jacket and I'm wearing a collared shirt. I ran into a few of you yesterday. Yesterday I was wearing jeans and a hoodie. Each of those conveys a different signal. And I wore
this outfit today intentionally because it signals to me and to Kathleen and to the audience that I'm taking this talk seriously and I'm trying to present in a particular professional way and I'm trying to be seen in a professional way. That is a signal. Every moment of your life you are signaling something. Your choice of outfit this morning, the way that you approach a meeting, whether you talk loudly or quietly. All of these things are signals to the people around you. And those are just your signals. Those aren't the signals of the organization that really shape culture. Because when you think about culture and how it's shaped, and that chart that I had earlier
of all the different levels, at each level different signals matter. So, if I'm talking about signaling to an individual and signaling to an individual how they are perceived to me, how much I pay them, that's a signal. That's a signal of value. By the way, one of the biggest signals that companies make is money. Money is a signal. If I give $10 million to engineering, that is one signal. If I give $10 to engineering, that's a very different one. And I'm sure everybody's been in an environment where you got the budget or you didn't. Or, back to the individual piece, if I'm paying you a particular amount, I'm signaling your value to me, fundamentally. Similarly,
the way I do benefits, and everybody has looked at a benefits package and thought, "Wow, this company is cutting the corners." And they're intentionally, they just don't care about their employees, right? Benefits are a big signal. If I offer specifically extra maternity leave benefits, what does that tell the women and the family age people that want to work for me? Or if I don't do that, you know, I live in Silicon Valley right now, and if you're in California, there's often these conversations about, you know, if you've got a bunch of 25-year-old startup like people, are they going to offer the kind of benefits that a 45-year-old person with a family of three is going to want? This is all about signaling who you want, right? Signaling
what is important to you. Similarly, when you get to the team, the most important signal is who you let on the team, right? And we'll talk much more about that in a little bit. But also, budgets, headcount allocations, the events that you do, the things you do with the team, all speak to how you feel about that team, how you value them, and what you think. And then at the enterprise level itself, things like stock. Do we offer stock? Do we not offer stock? Things like executive transparency. Everybody's worked with a C-level executive that either told them things or hid things from them, right? And all of these things ultimately add up to be signals
that drive the culture forward. So, I promise this wasn't entirely going to be a philosophical talk. We're actually going to talk about how to do this well. And the nice thing is there's some really good books on this and there's some really good thinkers on this topic. Daniel Coyle is one of my favorites. He says to build a really great culture, there are three things that you have to do. And we're going to talk through those three things. The first one is the concept of psychological safety. And people, if they are not safe in the group that they're in, do not engage in it. It's sort of hardwired into us as social creatures. The second
is the importance of sharing vulnerability. And this one's going to be hard for anybody who is human, probably. And then the third one is establishing a shared purpose. And we'll go through all of them. But let's talk about psychological safety for a second. How many people have heard that concept before? Good, that's amazing. Five years ago, there would have been no hands. This is all relatively new. But basically, the idea of psychological safety is you will engage in a team as much and only to the point that you feel safe. Google did a bunch of research about five or six years ago on what made teams effective, and they found that everything else does not matter. Psychological safety is the number one and probably only factor. If you have
psychological safety, the team will engage, and if you don't, forget it. There's nothing you can do. It doesn't matter how smart the engineers are. It doesn't matter how much you push them, how much you incent them. If they don't feel safe to contribute, they can't. If you think about where we came from, if you think about the history of humans, this makes perfect sense. We are, for lack of a better word, we are tribe animals. We exist in groups. If you think about how we got here, what was the big punishment for people 2,500 years ago? How did you punish a member of your society the most? No, not kill them. What was that? Ostracization, right? Exile. Exile is the most powerful punishment to a person. Isn't that crazy?
Being alone. You think about what is the cruelest thing we do to prisoners? Solitary confinement. We are wired for connection. And so if you don't feel like you can be safe at work, if you don't feel like you are able to have that connection, you will not engage. You just can't. And so how do we create that? Right? Because it's possible to create psychological safety in an organization. And the interesting things about it is everyone knows what a psychologically safe organization looks like. And everybody wants to work in one. It's fun. Right? It's when everybody's comfortable with each other. It's when we are looking at each other and engaging. When we're willing to be close
with each other. When we're willing to laugh with each other. I'm sure most of you have been in a team at some point where nobody ever made a funny joke, where everyone was serious all the time, and everyone was tightly compressed and no one spoke at meetings. That's the example of a psychologically unsafe team. Everyone's probably been in an environment where they were able to be psychologically safe. Heck, why do we come to DEF CON every year? Why do we come here? We all know, even as it's gotten to be like 40,000 people, that all of you understand me at some level, and I understand you at some level, and we are able to be safe with each other in a way that we're not out in
the normal world. Frankly, come on, most of us are here because we're a little weird, right? And that weirdness is what allows us to be connected. And that's the point, right? When you're safe and you're able to be connected, and that's when you're able to be effective, and that's what makes the beginnings of a strong culture. Now, this flies a lot in the face of a lot of the things you hear in the literature right now. Anybody on Twitter get involved in the stupid 10x engineer debates that have been going on for the last five years? 10x engineers are great, but I'd rather a team of people who make all the engineers around them great
rather than one stupid rock star. And we're going to digress for a second to my actual favorite topic in this space because there's absolutely nothing worse in an organization than the brilliant jerk. I'm not even going to define it because I know every single person here knows one. Heck, there are some walking around here. Yeah, sure, Kathleen. So it's not just this industry. No, it's definitely not just this industry. Yes. Yeah, brilliant jerks exist. I've met really brilliant jerk accountants. I've met brilliant jerk HR people. I've met brilliant jerk, everybody has these. So I am, to Kathleen's point, and this is an important thing, I'm talking about culture for us, but none of this is about us. The books that I'm referencing aren't security books.
They're culture books. And they're books about every culture. I'm just trying to bring it back to who we are. Because I think it's important. None of us really spend a lot of time thinking about this. A couple of us, but we're weird. We're weird even for security people. It's the brilliant jerks. So, coming back to the brilliant jerk thing, it's the brilliant jerks that I see that destroy teams, and the frustrating thing for most of us, and especially as you get into senior leadership, the hardest thing in the world is to take your most productive engineer who is driving people out of the organization and realize that the best thing you can do for your
organization is to fire the smartest person you know. It is absolutely, it feels counterintuitive, it feels hard, it especially feels hard when that person is the only person who knows a code base or how a system works or how to solve certain problems, but it's the absolute number one most important thing every single person needs to do. That sounds draconian and extreme, but if you think about it in terms of psychological safety, if you realize the performance of your entire organization relies on everyone feeling safe when they show up at work, that person who walks into the meeting and pounds their fist and yells at people and calls them names, no matter how smart they
are, they will never be smart enough to overcome the 10 or 12 or 15 people that you lose. And that is so hard for all of us to get. By the way, I'm saying this from experience, and experience is the name we give to all of our own screw-ups. I have put up with far too many brilliant jerks in my own organizations over the last 20 years. And I have made this mistake. And I'm sure I will make this mistake again at some point. I'm sure all of you will make this mistake again at some point, which is why I'm hitting this without any subtlety and like I got a hammer. Yeah, go for it.
Have you ever been able to fix a brilliant jerk? The question was, have you ever been able to fix a brilliant jerk? I used to think fixing people was possible. I really did. I think somewhere around the time I turned 40, I started to realize that I'm pretty much the same kid I was when I was seven years old. I dress differently and I'm a lot smarter in some ways, but I think most of us are largely who we are. Now, I've been able to constrain the behavior of a brilliant jerk. And that's the best I could hope for, right? Can we put them in a situation where they basically don't talk to anyone and work by themselves? That can work if you've got a role where you
can isolate or something like that. But I mean, man, I'm not a therapist. I don't want to be a therapist. That's a job that's way harder than I can ever do. And to me, it's like, the other question is, do you want to take the time? If it takes me nine months to fix that person and six people quit in those nine months because they hate working with that person, is that worth the trade-off? Is that a trade-off I'm willing to make for my organization? By the way, I'm saying these numbers and I have actual examples of people in my head. I've seen this. I've seen where organizations have tried to rehabilitate the brilliant jerk,
And sometimes it works a little bit, but it generally, it's generally just not a fruitful thing. It's almost more fair to let the person go and find a culture that they fit in, right? Like, look, there are cultures where brilliant jerks actually work, you know? Nobody here is an investment banker. So, you know, sales, and I'm being silly, right? Even salespeople can't survive for long as brilliant jerks. And I've met lots of brilliant jerk salespeople, as I'm sure many of you have as well. But the point is, it's better to move them on if they're not a fit for the thing you're trying to do than to... We're not therapists. Our job is to serve
our customers and serve our clients, not to... not to spend time hoping that our people are going to be different than they are. And that sounds cold, and it's not meant to be. It's actually, I'm trying to actually be caring to everybody other than the brilliant jerk, right? I'm trying to honor the fact that I've got 50 people on the team that are all impacted by this one person's terrible behavior, and I'd rather take care of 50 than one in that scenario. So I tend not to. I tend to... But it's hard, man. Firing people is literally the worst thing that any of us ever have to do. It sucks. Nobody likes it. And I
think if you do, see the slide on Brilliant Jerks. But yeah, sometimes you have to. All right. So the second thing that makes the hallmark of a great culture is... It builds on the first, right? The second thing is vulnerability, right? And trust and vulnerability go hand in hand. For anybody who wants to know about vulnerability, the absolute best thing, I actually thought about like, I'm just gonna play Brene Brown's TED Talk for 18 minutes in the middle of my presentation, but I felt like that was a cop out. And so if you haven't seen Brene Brown's TED Talk on vulnerability, it's the best 18 minutes you'll spend this week or next week or on the plane on the way home, I don't care. Like it
is really great, but you have to realize you can't be vulnerable if you don't feel safe. The point of vulnerability is I connect with you because I'm vulnerable. We connect as humans mostly, and this goes through the work of Robert Cialdini on influence, and all kinds of other folks have seen this same pattern. We connect with each other, and we are able to perform as a team when we are vulnerable to each other and when we help each other. Humans are ultimately built on help. The absolute best way to become friends with someone is to say, "Hey, can you help me with this?" And I, so, as I don't know how many of you saw,
I'm actually walking around here with a sling on because I broke my shoulder a few weeks ago. And I've had some of the most interesting experiences when I was doing this. And this is a conversation about vulnerability. When I broke my shoulder, I was away on a trip with a bunch of really impressive people, people who I thought were just really cool. And obviously, I came home with a broken shoulder, and they had to put me on a plane the next day. But what was really interesting is I couldn't tie my own shoes. You ever asked somebody who is a luminary in the industry if they can tie your shoes for you? You want to
experience vulnerability? Try that. See how it feels to literally have to ask someone who you're like, "That person knows who I am?" to tie your shoes. That's vulnerability. And I'm now friends with those people in a way that I wouldn't have been otherwise. That is how vulnerability creates connection. And if you read the literature on culture, they actually talk about what creates connection is vulnerability loops. So, I had to have a hamster wheel slide in here somewhere. It wouldn't be a Black Hat DEF CON presentation without it. So, a vulnerability loop is basically just we're vulnerable to each other and we notice. I express my vulnerability to someone, they notice that I did so, they reciprocate and express vulnerability to me. And friendships deepen that way. That is
how we become friends. It is also how we become a powerful team. And it goes against everything that I'm looking at the ages in the audience. It goes against absolutely everything we were trained as kids. Right? And especially, I don't know about all of you, but I can speak to myself. I was raised to, you know, not cry, not show emotion, not share my feelings, you know, all of these things. And they run completely counter to how to make great teams. And so, I made a quick little cheat sheet for leaders around how to be vulnerable. The very first thing, spotlight your own fallibility. And this is where I say it runs against every training.
We were brought up that leaders are strong and militaristic and they always know the answers. Guess what? I'm not that smart. I don't always know the answers. In fact, any of you who have worked with me, which is a few of you, know that I don't know that many answers. And that's the point. The next thing is, really great leaders in expressing vulnerability show gratitude. Saying thank you is a statement of vulnerability in a lot of ways. It says, "I needed something from you and you provided it." It says, "I needed something." That is an incredibly powerful statement. In vulnerable cultures, you will hear the word thank you and slaps on the back and praise for what
other people do for you more than you will ever hear how well one person did. How many of you guys have ever been in that culture though? Literally like two hands in the room, right? We don't do this well enough. I've worked with C-level executives who literally would call you and ask a question and I'd be on the phone like, "Okay, give the person the answer." And they would hang up without saying anything. The cultures that we've created in most of our organizations are not ones where we say thank you a lot. They're not ones where we show our fallibility. And they're certainly not ones where we're good at asking for help. Think about the
number of times that a peer or a co-worker actually is willing to say, "Can you help me with this?" Not, "Will you do this for me?" That's different. "Can you help me with this?" is one of the most powerful statements that you can make to express your vulnerability to others and to signal that you are vulnerable to them and that they should be vulnerable to you. So, all right, that's vulnerability. The last one is shared purpose, and I'm doing my best to leave lots of time for questions, by the way. So, I know I'm running through this really fast. This is like seven books of work. I urge you to read Coyle's book, it's brilliant,
and anything by Brene Brown. But the last piece is shared purpose, because when you have trust, when you have safety, when you have vulnerability, the next thing is to say, we're all in this together and we're going in a particular way. Organizations that have shared purpose are really interesting. If you start to study what a purpose-driven organization is, they start to exhibit some really weird characteristics. The main characteristic that you see in a really good purpose-driven organization is they have their own weird language. And if you understand this, managers in that kind of environment realize that their job is really simple. I already know, like as a leader, I know I have a very simple job. Set priorities, right? And very
explicitly, setting priorities doesn't mean I'm going to give you a list of 6,000 things and call that a priority. You know, if the list's longer than three, you didn't prioritize. Right? Prioritization means there's lots of stuff we're not doing, these are the few things that we are doing. The second one is, figure out what the behaviors I want to see out of my organization are that align to that priority. If I say, treat customers first, and then I see all my people never talking to a customer, well, I'm pretty sure that I'm not accomplishing my priority with our behaviors. And then the third piece, and this is where the language thing comes in, and this
is the really interesting part, is really great organizations, you will find, have their own language that aligns their behaviors with their priorities. And we know the famous ones, right? Move fast and break things is kind of like the most famous Facebook one. But there's others, right? And I'm not at Facebook, so I don't know what they are. But I know from my Facebook friends that they act differently than everybody else I know. And you will see that people in these purpose-driven organizations start to evolve a vocabulary that aligns to that business and that culture. So as a leader, your job is that. Fundamentally, you can start it with your own team, even if you're not
like a manager on a team, even if you're just wanting to be seen as somebody who leads. I talked, I think last year, all about the difference between management and leadership because they're different things. You can never have a direct report and be the best leader in the organization, and you can have thousands of direct reports and be a terrible leader. If you want to be a leader, your job is what I said earlier, figure out what the priorities are, figure out the behaviors, and then start saying things. Ideally, they're pithy, you know, like the ones that got famous because they're easy to remember. But start saying things repeatedly that align those behaviors in your
organization to the priorities that you have. And realize you can't do any of that until you've got the first two. And this is why this is a three-part thing, is because everyone's been in an organization that's tried to have slogans where you didn't have psychological safety and you didn't have vulnerability, and that's why we have all those stupid posters on the wall. Right? And everybody, you know, there's the website that has the bad versions of those stupid posters. What is it? Despair.com. I knew somebody in the room would have that reference. Not surprised that it's one of the people in recruiting at the back of the room. You get the idea, right? If you have slogans without psychological safety and vulnerability, you don't have a good culture. You just
have that annoying BS that we all hate. And so you really do have to have all three. And if you have the most psychologically safe group in the whole world, and you don't have an alignment to purpose, you've got a book club. You don't have a team that's going somewhere, you just have a bunch of people who really like each other, which I love. I have lots of people that I really like, but that's not the same as a high performing organization. So, like I said, I left a lot of time for questions that was intentional. One thing I actually want to just kind of pitch because we're in higher ground. So, I actually left
the corporate world a couple of weeks ago. I am starting a new security company focused on healthcare and solving healthcare security issues. Thank you. If you want to, so this is my statement of alignment to purpose. I want to go solve healthcare security problems. Anybody who wants to do that with me is on my team. So come find me. Let's do more of that. Anybody who thinks that's cool, let's do this together. So all of you, come find me at some point. And that especially applies to people on the internet and the live stream, et cetera, et cetera. All right, question time. And he's got the mic, so I'll let you pick who's talking. Hi, on the previous slide, that third point, create heuristics, I'm not super clear on
what that is. Can you give me something else? Slogan. So heuristics being like, so actually I like the move fast and break things one. It's actually a really good heuristic. So heuristic there meaning a small rule that allows me to decide how to behave. So, if I'm making it, you know, in the early days of Facebook, if I'm making a decision about how to do something, move fast and break things tells me a lot about what I should do. And like the Jack Welsh ones, control your destiny or someone else will. That's a very 1980s CEO heuristic, but it told GE how to act. And everybody who knew that that was the rule knew what
they better be doing. And it's literally one sentence, but it tells you so much about how to act in that culture. Does that make sense? All right, other questions. By the way, you don't have to limit the questions to this. Last year, we talked about pretty much everything. So happy to talk about actually anything. I just want to add. Yeah. So it sounds like... Just following up on that, it sounds like if you have a slogan that is not part of your priorities, but you ask your team to do other things, you actually have a broken link. You bet. Actually, broken link was a really good way to say that. That's right. You basically have a dangling reference to something that doesn't matter. And that's what you see, actually,
hold on, give me a half second. That's what you see, especially in companies that had a mission statement 15 years ago when they first started and they're not doing anything like that anymore. And you're like, we have these values things that don't align to anything we actually do. So what's interesting on the mission statement, I spent 20 years in the nonprofit community. And what's interesting is a lot of people would go into the nonprofit community because they believed in the mission. But the mission had been around for 50 years, and they built this machine that did not fulfill the mission. One of the groups I worked with was saving life on Earth. Okay, that's a
little bit too high of a mission. That's a pretty big mission. It's a good mission, but it's a pretty big one. So I think when we're talking about missions and when we're looking at career development, maybe looking at missions that actually can be done. Yeah. And I think the other piece to that is, so this mission and strategy often align, right? And the whole like culture eats strategy for breakfast. If you don't build a culture to accomplish the mission, you're not going to ever do it. Go for it. Yeah, just a small comment. So I think the other side of the spectrum for the brilliant jerk is the emotional wreck. We need to be aware
of those two because they can be also very toxic to teams. You really try to help them, but at some point you can't. You realize you can't. Yeah. Same thing I said about the brilliant jerk, right? Like that person should probably go find a different organization. If that level of emotion is not aligned with the kind of safety that your team needs, then get them out of there. And part of it is, especially in our profession and the high stress situations that we are in, and with burnout creeping in over time, you have to be very aware of that. And sometimes the best thing you can do for somebody is not fire them, but find
them something else to do. And even if they don't know about it, that you actually did it for them, but they actually will thank you later. Because you kind of have to save them. Yes, exactly. By the way, that goes to the question that you asked earlier. Okay, I had a lovely situation where I had a brilliant jerk and an emotional wreck who are on the same team and had to collaborate. And that has been literally the last year of my life to break that apart and get that into a healthy situation. I feel like I'm on the track of having done. I'm not advocating for brilliant jerks, absolutely toxic, agree with everything that you set up there, but I'm also, I'm a strongly empathetic person and it's very
easy to see how people are broken and to want to fix that. You can't fix that. Don't ever try to fix someone who's broken. They always have to fix themselves, right? And so, if you're ever in this situation, I have some recommendations for you. Either scenario, the brilliant jerk or the emotional wreck, they both have to get into therapy. That is something they have to do for themselves. By the way, can I just echo that point? That is my advice to everyone, whoever manages anyone. The absolute most important thing for you to deal with is your own stuff, and find a damn good therapist. It is the best management, it's actually the first thing I
tell anyone who says I wanna manage, I tell them to go get a therapist. I'm just echoing you, Larkin, sorry. - No, no, thank you, that's great, because that was my next point, which is if you are going to try to engage with either of these two particular types of employees, you need to make sure you have the emotional space and bandwidth. You mentioned time, but it's also very, very hard on you personally and emotionally because you have to be there constantly like taking the vitriol or whatever it is from these people or the sadness like and helping them process it and so you're processing it too with them and that is extremely emotionally draining
in addition to taking an inordinate amount of time. And then the whole org, everyone who you're working with, they also have to want to save these people. They also want to have to go on this journey with them to get them from where they are to where they need to be and you need to test that with people in an organization that supports psychological safety so people can say, no, I can't do this, this isn't gonna work, before you start down that path. Just my experience on that. - And by the way, so obviously I know Larkin a little bit, and there are not many people who can embark on the journey that you're talking
about. It's why I'm sort of, you know me a little bit off this stage. I'm a little more vehement about we should let those people go than I ever am in real life because I think you and I are similar in the way that we emote to the people around us. But that's a tough move. That's a really tough move for almost every manager. You gotta have a lot of comfort with yourself and a lot of emotional intelligence in yourself before you can take that stuff on. So do not take on what we're talking about lightly. It will wear you out and even if you've done 20 years of therapy like I have, it will
exhaust you and it will beat you up. So make sure it's worth it, but yeah, realize. And if you ever decide to take that on, feel free to call me. I will happily give you thoughts and advice and probably try to talk you out of it. So that kind of ties into some thoughts I've been having. Specifically, I know you said you didn't really like the circular core of the earth type slide that you had where your team and the organization and everything else. Well, I just don't think it aligns in a vertical like that in real life. It's much messier, but I tried to represent the messiness of it on a slide, and it
just looked like Jackson Pollock. Yeah. But I think it really highlights something that's important that you really are focusing on, say, your team or the smaller organizational unit that you have control over. And you can normalize that behavior and that culture within your team, but you're really crushed under the weight of the rest of the organization's culture. And it's really hard to fight against that. So you can do awesome things with your team and your culture and try to normalize that behavior and those heuristics, but trying to push against the rest of the organization if none of them have that safety or none of them want to move in that direction is really difficult. So
how do you help spread your goodwill and your circle of safety further outward to the rest of the organization? In some ways you do, and in some ways you don't. In some ways you have to be a missionary almost, right? And an ambassador. But so two parts to what you're saying, and this is where it gets really complicated. There's the old trite saying, people don't leave companies, people leave managers. And that's really a statement of people leave their local culture before they're crushed by the bigger culture. I don't believe that that statement's always true, right? I've seen great managers who had great local cultures who lost all their people because of what you're talking about.
And we underrepresent that conversation, partially because there's very little we can do about it, right? If I manage a team and they all bail because they're like, this CEO's a moron, like, there's not much I can do to stop that. And I'm probably going with them. I might even be the first one out the door to take the team to a new place where there's a better culture. It's tough, but to Larkin's point about fixing people, fixing people is one thing. Fixing whole other peer organizations, man, I've met many people who've pulled it off. There's some amount of things that are just too much work for any human. Josh. Building upon that, let's go even bigger. So, some people hear psychological safety and think
it's this touchy-feely thing about how you feel at work, but they study Google site reliability engineers for why they were just breathtakingly better than everybody else at large-scale infrastructure. After years of study, the two-word report was psychological safety. So, it's not about how you feel touchy-feely and hugs and fist bumps. It's if you really want to do breathtaking results that set you apart from everybody else and have high impact and high efficacy, it's about that. So, here's the bigger question. Outside of an employment relationship or a team relationship, the hacker culture has brilliant jerks, has toxic culture. Are we trending towards psychological safety where we're all going to be our best and have the highest
impact? Or are we trending towards polarization and diminishing people? So how do you change the hacker culture, which is a tribe of tribes? Dude, you and I have been around long enough that I think we've seen it, right? And, you know... I'll say it this way. I think there were a lot more brilliant jerks 20 years ago when I came here the first time than there are today. And I think you see a movement towards psychological safety even in these environments. You see codes of conduct. You see people holding people accountable for bad behavior in ways we didn't. Look, I'm not saying we've solved it. Not even close. And there's more brilliant jerks around here
than I ever want to be around. But the thing is, I think we are getting better. Honestly, I'm up here talking about this because I hope everyone goes out and thinks about how do I make a safe environment for all of these people, right? It's not just performance as a team at work, like Google Site Engineers or my team. It's us as a whole industry. How do we make it safe? So I don't know if you had walked in yet because I know you guys came in a few minutes late. I asked how many first-time attendees were in the room. Did you see that? Do it again. How many first timers in the room? Right?
All of these, all of you, I hope go out and are thinking about like, how do we make it safe? And if you see somebody being a jerk to somebody else, call them on it. Like let's drive this out of this community. Because frankly, I will say the thing I love about security and the thing I've always loved about security is it's such a big topic that no one can know enough to be good at everything. And frankly, no one can know enough to be good at anything really. You know, like I was a pretty decent exploit writer in 2005. I don't know a damn thing about exploitation anymore. And this industry changes so fast
and evolves so fast, we rely on each other. And there are a few people in this room who I pick up the phone or I send a text message whenever I'm stupid about something and they answer questions and I answer theirs. And I've offered it multiple times up here already. Call me if you've got some of these problems. I mean that. And I'm willing to be there for all of you and I'm willing to be vulnerable to all of you. I hope that you all do the same for me and I hope you all do the same for Josh and for Audie and for Larkin and all of these people and I hope we can
create a community where we all get better, right? And to Josh's point, it's not just about at work, it's about this environment too and hopefully we create that. Yeah, Larkin, hold on, you need a mic. So it's really hard to work on that in your work, and it's also probably really hard to work on that in the larger scale. This is where I'm going to put the pitch of consider volunteering in the community, like at a B-Sides, your local B-Sides are here, because you already know that you're going to be part of a tribe that is part of the mission, supporting passion, but it's going to give you another opportunity to work on those relationships because that is the problem. Where do we work
on relationships in a safe environment? And I'm not techie, I'm a newbie, but I've been part of this community for eight years and the reason why I've been able to work on some of the harder relationship leadership and management issues is because of volunteering. I work at Slack for those of you who don't know me. One of the things that I love about Slack is what an exceptional job the culture does there at building psychological safety. We actually have a culture definition that we absconded with at Slack. It is that culture is the worst behavior that a leader will tolerate in an organization. By the way, so we talked about heuristics and slogans and things like that. That right there, that
tells you so much about their culture and so much about how every leader is supposed to act within it. That's what we were talking about. Sorry. No, no, thank you. Thank you for demonstrating the behavior. That's so cool. Yeah. And I want to share my favorite interview question because this is the interview question I use to test if people are going to fit well into that culture. And it's one of the last, it's the last question I ask and everyone tells me it's the hardest question that I ask in my interviews. And I'm only telling you because this is so much more important than me getting a good signal from interviews. It's more important that
we're all helping to build this culture. And I figure you're here because you care about that too. So the question I ask is how do you support diversity? And people will ask me what I mean by that and I'll, what do you think I mean by that? Like I want to hear a thoughtful answer. My least favorite answer is I don't see color. Like, okay, you're just not admitting that there's a problem here. You're not even trying to engage in the question. Like people who have like, yeah, I've really thought about that and I've worked with my hiring team and you know, this is what diversity looks like in my organization. Like those are the
people that I want to work with. Those are the people who really thought about the problem. You can use my question, you can come up with your own, but please have a way that you're helping support, however indirectly, the idea of building a team that is going to take that psychological safety into account. I mean, what you were saying about like, you know, that team, they laugh together, they're comfortable together, like, yes, that for everyone who can contribute is what we want at our company. Yeah, there's no such thing as psychological safety if someone feels excluded. Period. Full stop. Right? If you feel excluded, you do not feel safe. Those are opposite definitions. And so
if you make someone feel excluded, you've immediately eroded the psychological safety on your team. I'm stealing your question. Yeah, so sort of building on what I was asking before, what I was trying to get at was coachability, I guess, right? And I guess your definition of a brilliant jerk includes not being coachable, right? Often, often. The examples I had in my head, not so much. Right, and you and I are about the same age, I'm guessing, so I mean, I sort of got that same thing around 40 where I just, but I feel like I owe it to the people at work for me not to give up on them, so I think I want you to tell me how I can coach them to fix this. Yeah, so
the hardest thing is if you care about people and if people matter to you a lot, we all end up there, right? And that's why I kind of put the balance on the scale of is the one person impacting the 50 people so much worse? Like, you know, we're all, and you're obviously a very caring guy, and I know this feeling, and I do this myself, and I'm like, If only I can do this one thing, they'll be better and then everything will be better, right? And far too often, I have impacted the majority by keeping that person too long in that spot when they're not coachable. If they're coachable, that's a different conversation and
they're probably not impacting everybody else that badly. If it's just something like, "Hey man, stop yelling at people in the middle of a meeting." Okay, well that's probably one thing. But the real brilliant jerks I've worked with, it's a set of behaviors, it's usually a lot of insecurity. It comes from deep, you know, Larkin was talking about therapy, it comes from deep-seated childhood stuff. And the moment you're like, "I'm gonna wade into this person's childhood issues because I think I know how to fix..." Her face is just... By the way, I've done that. It doesn't end well. It just doesn't. But I'm the same way. I really want it to be better. I like the
person and I see their potential and their ability. I'm like, I can do it. Guess what? I can't do it. Just like trying to casually let a speaker know that he's at the end of his time. Yes. So come find me. I'll be the guy with the sling on. So I'm easy to find, you know, with that fashion accessory. But yeah, come find me. I love talking about this stuff. But thank you guys for having me. Thank you, Kathleen. Always. It's an honor to be here and to do this. Thank you so much. Let's thank Mike for his time. I always hate cutting Mike off. I give him more time each time and it's just great. So Mike will probably have his office hours out there. We have our
next speaker coming in talking about moving into leadership. We'll start doing our resume review and career coaching at noon. Just sort of remind you of my little request of filling out the survey. We've got pens and just good old-fashioned paper surveys over there, and you don't have to give me your email or anything. But I want to be able to constantly be creating new content that fits the community. So please give me some answers. Thank you. We're just going to set up the next speaker, and we'll kick off in a few minutes. Thank you.
So, test, test. No, I think I'm good. Okay. All right. Okay. Yeah, I'm good. You know when Mike Murray makes you cry right before you walk out the door? So how many people loved Mike Murray's conversation? Yes. So we have someone that I have known on Twitter for at least six or seven years. I've been on his podcast a few times, once everyone can work through the technological challenges that I have getting on Discord and Twitch. So it's not good. I just want to remind the vendors, recruiters, if we could have our conversations down at a dull roar during our presentation, I'd appreciate it. Thank you. So what I try to create here on the second day is we really talk more about leadership
and moving up into management because I think one of the reasons why we have such turnover in our industry is that we don't have people who are looking at long-term career planning. We don't talk about that enough. We talk about the certs that you need, but we don't talk about the thinking of moving to the next level. And a lot of times we think, that our manager at our job is going to have that responsibility or the recruiter who hired me is going to have that responsibility, but they're not. Your career development and your career search is your responsibility, but we're not doing enough in the community to really talk about how do I have
that five to ten year view. Not so that you can answer that question during the interview, but so that you can put the blocks in place so that you can support your career. So I was really excited to see Joey's presentation submitted, and without further ado, Lost Knowledge. Thank you. Applause Thank you. Welcome, everybody. Thank you for coming this morning. We are still morning, right? Yeah. Lost track of time this week. So this is Hacking from Above. And so the reason... So quick background before I get into the reason I'm doing the talk. So I've been in InfoSec for about 14 years now. You know, I've done management leadership for a large chunk of that. I've also left management roles because they turned bad. I've
learned a lot in that time of what was good and what was bad about being in management and being in leadership positions and understanding the reasons why I left. So right now, I currently work as a director of security for Data Machines, and that's kind of where I've been able to take all my lessons learned and start to focus them more into what I've put into this talk. So, the reasons why, kind of as I mentioned: sharing my experiences, letting people know what I've done and what mistakes I made, right? Because I think that's one of the things that we often have a bad time doing, is sharing mistakes. Everybody really loves sharing their successes, but nobody's really big on sharing where they failed. And sharing
our failures and our mistakes, we can help other people. you know, avoid repeating them. So that was one of the reasons I think a lot of people in the community fear this path just in general, right? It's interesting because I feel like we spend a lot of time complaining about our managers don't know what it is we do or they're not technical enough. But at the same time, there's not enough of us who want to go and do those jobs, right? So if we're not willing to go do the jobs of the people who are managing us, then we're never gonna fix the problem. The other reason I've talked about, I like the idea is
it's also easier to change corporate policy, to change like ideas and the way thinking works, the further up the food chain that you are. When you're down here, even if you had 20 people on a team who all said this is being done wrong and that gets translated to the manager, if he doesn't have enough knowledge and skill to translate that up, it just fails. But if you have somebody at that level who can make the same conversations and arguments, it makes a big difference in the way things happen within a company. Couple quick slides I want to go through on kind of distinguishing between leaders and managers, right? There's this, you know, you can,
if you search around online, you'll find tons of people who will do discussions about, well, what's a manager, what's a leader, right? I've compiled a couple differences and similarities. Managers in general, it's all about trying to keep people on task, keep budgets, keep project schedules. It deals a lot with bureaucracy. Managers will... So the last bullet, and the reason I stress on it: the bad managers take credit when things go well and will pass blame off to everybody else when it goes bad, right? And so, I'm sure everybody's worked for those managers who are really great at stealing credit and never passing it around, and are great at passing around the blame and never taking it on themselves. I've had
those managers before who, you know, a project will fail, and they had equal part, if not more of a part, in the failure of the project, but in the end they start pointing fingers at the people on the team, like, "Well, they weren't doing this or they weren't doing that." And so, you know, that's one of the distinguishers between leadership and management, because leaders don't necessarily have to be managers, right? We all work with people on our teams now, probably, who can direct the room and can lead the group, but they aren't necessarily always your manager, right? Managers, you know, learn to teach, develop and motivate. You know, there's a ton
of people around at this conference this weekend, there's a ton of people you're gonna run into in life who would qualify as leadership. I tried to come up with a non-sportsball reference, but I really was having a hard time. So that's why we've got the quarterback, right? If you look at football, if you look at any sport event, none of the players are technically the manager, right? The coaches are the ones who are actually managing and directing, in theory, directing traffic. The leaders on the field are the players that grab the attention of everybody on the team and get them to move in a common direction. They can pick up a team who's
down and make them want to fight and go forward. For me, that's the big difference. It can be hard to balance the two. If you move into management, you're dealing with all the bureaucracy, but it can be really hard sometimes to balance that with handling and managing the people aspects of it to... to kind of keep things moving. So it can be really hard to do. So there are similarities, right? As I was saying, they're both kind of the people in charge. They may not always be the person in charge on paper, particularly in the form of leadership, but they're always the people that people are going to and that are kind of directing tasks.
They both need to be capable of dealing with people in conflicts. Even the managers need to be able to do that just because they have to handle the HR side of things. If two people can't get along, they have to be able to deal with that level of interaction. Whereas the leaders can look at it as a more organic situation where they're trying to motivate people, trying to get people to work together. Their methods may be different than a true static manager's. And then the other thing is just both need to be able to understand the goals and visions of the team, right? They need to be able to delegate tasks, to know who on
the team's best at doing each function. And so that's very important. And they need to be able to motivate people. Now these motivations may come in different forms, right? So a leader is always gonna have some sort of positive means to motivate the team. Not all managers will necessarily do that, right? And again, people have probably worked for the management team that's like, no, you need to get this done by this date or you're gonna be out on your ass looking for a job, right? So there's very much... there are good managers, they're not all evil, right? But you need to be able to recognize the differences between the two.
So the question becomes, what do you want to be, right? One of the key takeaways here needs to be that anyone can be a leader. It doesn't matter what your position is. Some companies do have leadership level titles, right? They'll have team lead roles where they're just technical leadership for a group. And some organizations won't do anything. They'll have roomfuls of senior engineers and just kind of expect them to work together at the direction of a program manager or an actual manager. And I'll admit, management work isn't for everybody. It can be a very stressful situation. Given your environment and the situation and what's going on, it can be a lot of work. So my first management gig was when I was 29 years old, and it
was very tough. I had a lot of lessons to learn then. I was definitely not ready at that age to kind of be making the decisions and choices at that level. And so it was a lot of... That was probably my biggest learning experience was learning the difference between where I needed to worry about my concerns and what my needs were and those of my team. That can be a very difficult choice to make when you're dealing with a team and choices that you make that don't just impact you and your well-being but impact everybody who's working with you. It's also, I mean, it can be very rewarding if you do it right. Like, don't
get me wrong, like, it can be great. Like, I enjoy the leadership side of it to help people develop and grow. But it's... Like I said, not for everybody. If you're somebody who's talked about or said, "Oh, well, I can run an organization," doing leadership and management before is definitely a must. If you haven't directed people and haven't dealt with those situations before, trying to do it while you're building a company is probably the worst time to actually have to be trying to both capture profit and income for your company while trying to manage your people and resources and everything else. So I want to try to jump into some of the skills that we kind of equate to both technical ability as well as hackers
and hacker culture and how I think they translate. So one of the first ones is Creativity and problem solving. So I think this is like one of the kind of essential like hacker traits, right? Like, you know, we try to, you know, hackers like to look at problems and try to find new ways to solve them, try to find the way to break systems that, you know, are functional. And so, you know, there's plenty of situations where those skills can come in handy, right? I don't care how flush with cash organization you're working for is, you're always gonna be trying to do more work with fewer resources than you have. Working in large corporate systems
is its own beast too because they have their own policies, and you get into these giant companies where there's manuals for HR that you have to work within for doing hiring and management and how they do performance reviews. And so finding ways to work within and around those, it can be a tricky aspect too. And so it's kind of its own level of problem solving. So, our technical skills. A lot of these come down to, you know, as I've said, leadership isn't always management, right? So you may still be in technical roles. Team leads are often still doing technical work; they just may have less of it than the standard engineers. In small organizations in particular, your
people are always doing a little bit of everything, right? So the company I work for now, it's a small organization. I am the security guy. So I literally do a little bit of everything that is security focused across different projects, both internal-facing and external. So, you know, I have my hands in everything from policy to penetration testing to our network defense. So it's kind of all over the board, right? I firmly believe technical leadership and technical managers have more respect from their teams. It's a lot easier to know that somebody's there defending your actions and defending what you do to people above you when they know the work you're doing and they understand the goals the same way
that the team does. And that also comes to being able to translate that information, right? Being able to explain to management why you need more money for new people, why you need more money for new tools or training, right? I know a lot of people who go into organizations and they have lots of fights to be able to send people to conferences or send people to training classes because nobody in management understands the requirements and the amount of skill sets and how things are constantly changing, particularly in our field, right? So I kind of call this the social engineering or soft skills section. And there's kind of two parts to it. If you're in management, there's a whole side to having to
deal with upper management. Having to try to get them to, sometimes, especially if you're running into a brick wall, having to find ways to get them to give you what you need and give you what you want, and also being able to effect the changes that you want to see in policy. And that's one of the things I said near the beginning: I want to be able to have a situation where we can impact not just the team, but also be able to impact cultures and create cultures where security is understood and respected, while at the same time giving people the ability to change things. So, like, if they don't have training policies in place, getting policies in place so that teams can have training and it's
not just a budgetary line item you have to fight for every year. It's something that can be codified and that is known: no matter what happens, this is in policy, you're going to have it. Um, then, working with team members, you need to be able to handle people within a team. I don't care how great a culture you have, you're going to have conflict within a team. It's always going to happen. We are human in the end. You know, you need to be able to handle those conflicts. People are going to have situations in their home life that are going to bleed into their work life. Being able to work with them, to keep
them motivated, to get them focused, but also knowing when to be able to tell them, you know, you're going to have the guy on your team who's like, oh, well, I'm never sick or I don't ever need to take vacation and they're going to work, work, work. And unless you like, sit them down and help them understand, hey, you can take a week off. It's cool. We've got everything under control. If people don't take a break and relax, you wind up like me and not even 40 and your hair's already all gone. So, People will stress themselves out and burn themselves out and even at my current company, we've got a couple of junior people who are like, "Oh no, no, keep giving me more and more." And
we're like, "No, stop and slow down. You don't need to burn yourself out trying to do more work than you're capable of doing." So do all these things really add up? A lot of it is a factor of everything that you have here, but also what you've learned in life and just overall maturity. Like I said, when I had my first management gig, I wasn't ready for it at all. It took me some time to determine that that's what I really wanted to do. Before my current job, I was doing consulting work. I wasn't the manager, but I was one of the senior members of the team. I was helping our junior engineers get them
trained up, help them with their roles and their tasks. And that's when I really knew that that's kind of where I wanted to be and that I was ready to be in leadership, to be managing and actually in that position again to help people come up. Anybody who's worked in the sector and is technical, you know how much effort not only goes into our daily jobs, but even just keeping up with all the changes and everything else. And so I want to be able to take all my experience and time and help new people come up and do those things so that I can take a step back and not have to spend as much
of that time trying to keep up with everything, but help others kind of coming up and get them moving in the right direction. So I know it seems like I got to closing really quickly, but I also wanted to have tons of time for questions, so I hope you have them. Next slide. So this is really the summary points, if you like to have notes and want to snap this or write it down. I won't repeat this all because this is pretty much everything I've been saying throughout the presentation, right? You know how these skills can impact you, your organization, your teams, your leads. I think it's one of those things that a lot of people
get lost with. The other reason that some of us wind up having to look at management or get forced into it is they'll cap out our technical roles. You get to a point where this is as far as you're ever going to go and this is as much as we're ever going to be able to pay you and as much as you're ever going to be able to do. If you want to make more or do more or go anywhere else, you're going to need to become a manager. This is particularly true at large organizations that are very project focused. Some organizations do have advanced technical tracks. But they're usually very tech-focused companies and those positions are so few and far between, you're almost never going to find
them available unless you've been working for those companies for the last 20 years. Now I want to breathe, because I did, like I said, I did run through that and I apologize. But that's why I want lots of questions. Yes, microphone. Yes. So we all know how the technical training is. Have you gone through, or have any recommended, leadership or management training courses you found useful? So, leadership and management trainings. All the ones I've ever done were internal to organizations I worked at at the time. So I did one with SAIC, gosh, that was almost like seven years ago. And another one, a small contracting company I worked for about four years after that. And they were both good and
they were focused very much, you know, on the government contracting space. So they had very specific focuses. I always tell people, I kind of equate it to, like, if you go into a bookstore and you go to the leadership section and management section, you're going to find a thousand books and they're all going to have different opinions on how to be a leader and a manager. You can go and you can read those books and you may not come out learning anything new. I really feel like I learned more from my life experiences than I did from those courses. What those courses were good for is learning the technical bits, right? Learning things that I probably wouldn't
have learned without having hands-on. Nobody likes to give you the reins to a large sum of cash if you don't know how to handle a large sum of cash. So those are the situations where those trainings can come in handy. So if you're working in an organization and you want to move into management and they're like, well, we have this, you'd be managing this program that's worth like $5 million. Do you understand how you budget time and people? Those are the skills that can be hard to learn and translate, but they're still very... they're easy to grasp and pick up on. It's just a matter of getting the experience. And I had a benefit in
the first management job that it was a small enough organization I could have time to absorb some of that in. But those are the things I think are the most helpful to learn. Because in the end I don't know how much of the leadership and interpersonal stuff is actually teachable and trainable, right? Because that's so much of how a person functions and behaves that it can be a tough trait to change and to try to redirect. So we talked about this on the podcast. Yes. So again, the opportunities within any type of volunteer organization are there. I mean, this conference doesn't run for free. You know, we're talking several hundred thousand dollars. So those
leadership skills, you learn them as you have experiences, as you are interacting with different kinds of people. I was on a board and there was somebody that he and I kept butting heads with time and time again, and I just sort of thought it was him, until I realized it was both of us. And once I changed my behavior and became a better leader and listened rather than told him what to do, we got along. But you find those opportunities in volunteering. Yeah, that's a very good point. Especially dealing with personal conflict and stuff like that, it's a great way. I volunteer here and at a couple other conferences doing safety operations, or some of the other conferences call it security, but the concept is
the same. Keeping everyone happy and safe during a conference, you learn... a lot about de-escalation and interpersonal skills, right? Because two people may have a conflict with each other and it's only just like, it was all about, you know, miscommunication, right? So you learn a lot of those, so you can learn a lot of those skills through the volunteering process. Yes? - So just a quick question. You touched on something that I think is sort of contradictory and not to throw you out here, 'cause I've heard it multiple times all over the place, is to say that anyone can be a leader in an organization, but then to also have a slide that says you
have to take the jump to actual leadership to be able to effect real change. So how do you speak to someone at, say, the individual contributor level that is a leader within their group or their team or whatever? How do they interact with leadership at that level to be able to actually effect that change? And then from the other side, how, as a leader, do you make sure that you're listening to those individual contributors and using your authority and your position within the organization to make sure that that change actually gets effected? - Right. So I think the easiest way, and often what happens for that change to come from non-management positions, for somebody to have
that change, you usually have a person who's a leader within the team who also has that same respect from the management, who listens and values that opinion. I worked in a situation where the CISO and my boss had a long-standing relationship. So anything he'd come to him with, you know, they'd been working for multiple years across multiple companies, they had that trust, right? And so he had the ability, you know, he was also my manager, but he also had the ability to influence up to the CISO level because of those long-term relationships. And a lot of that is all about relationship building, because if you don't have somebody in the management position who can
do that, you need somebody that has that level of trust and also has the ability to like have the follow on and knows that they can see the results. And ultimately a lot of this all comes down to trust, right? And this is why a lot of people leave organizations is because that trust gets violated or that trust or people don't feel that trust is there anymore. At that point, you have to go and it's time to move on. Unfortunately, in some situations, there's not going to be an easy way to ever fix that until change happens at the highest levels. That can take decades in some cases. If everything's running smoothly, people at the top usually would prefer to stick with what they know is
working in their mind versus having some big change. I've worked for several organizations that have a bit of a hesitance to promote ICs to managers, choosing instead to look for people who have management experience already. Do you have any suggestions to break that catch-22 cycle? So I think for organizations, so this is one of the reasons why I think, well, not think, this is one of the reasons I know that SAIC, when I worked there, had their internal training programs, was because they knew they needed people who knew their government customer spaces and worked in those facilities, but also needed to learn the skills to manage the projects, manage the budgets, and needed to also learn, some of them sometimes, the interpersonal
skills. So when you're doing government contracts, you may have 20 people on a contract who never see each other regularly. They're all in different offices spread throughout. I think the best argument for that is usually to show, "Hey, if we took these people and elevated our own people to this position, you can show them where the continuation of growth is." It gives people a reason to stay. If I'm in a job and know I'm never going to get promoted above my current position and I have that desire, you know, why am I going to stick around if, if you're going to keep hiring outside managers? So you, they have to be willing to, to make
that commitment and make that, that change, which, and some organizations just aren't. Like I said, sometimes there's only so much we can do until you get somebody who's up there and it is like a catch 22, right? It's like, how do we get there if nobody's gonna let us in? And sometimes the trick is we have to find the place that lets us in so that you can then pivot to the other organization and make that change. Because now they're like, oh, well he did that over here for X amount of time. So he's got this experience. We'll bring him in over here, you know, An example of this I've seen is like if you
go look at like job requirements for like CISOs, every job posting you're ever gonna see for a CISO, they want a person who's been a CISO for like 10 years. I'm like, well then where the heck is the first CISO coming from? Because you can't have 10 years experience as a CISO and get a job as a CISO. That's not how it works, right? So like at some point somebody has to give somebody that chance to see if they can do it. And if they do and have success, then yes, they can move on and grow up to bigger and better things. But I think it's a problem that some organizations just can't get out
of their head, right? - I just had a point. So related to the last question, to demonstrate management skills, volunteer at the organizations, and then if you continue to not be promoted into management, okay, well then maybe it's time to look somewhere else. So again, I hope that we can continue to have the discussions in here to help you guys think maybe outside the box a little bit, because you don't want to get stuck at your organization if you're doing things like volunteering at other events to demonstrate, whether it's management skills or whether you're trying to obtain other infosec skills outside of what you can do for your job, right? Put that down on your resume to demonstrate to
your current employer. Yeah, right, and I can't agree more about the trust thing. Yeah. Sorry, leadership is not necessarily management, but keep in mind that management, especially the lower tiers, can be a significant career risk. Just speaking as someone who knows a company that looked at the stats and said, oh, wait a minute, we should be 80% engineers rather than the 50% we are. There's a lot of staff that aren't engineers all of a sudden that are sweating. So I want to thank Joey for his time. It was a great talk. So let's give Joey a round of applause. Thank you.
And Joey is incredibly approachable. All of his contact information, you know, please do reach out to him. He's been a great help and very patient with me every time my microphone doesn't work on Discord. So one thing I want, we're going to kick off our career coaching and resume reviews. That's going on right now. We already have two people over here available. As you're walking out the door, maybe fill out the survey for me. That would be really great. We'll have another round of talk starting around 1:30. Thank you. - All right, just speak normally. - Okay, this is me speaking normally. I don't know if it's supposed to be getting room amplification. - It
is, so can you hold that? - I can. - Just, I guess, talking until it has to be. - Talk a little so I can make sure we can hear you. - Sure, I can talk a lot if you want. I'm pretty good at that. I'll just keep talking about random nonsense. OK, sounds good. Do you want me to keep talking the whole time? All right. Well, thank you all for coming. We'll just be waiting a few more minutes here. Funny thing is I'm squeezing 45 minutes into about 20. So I can really use this time. Maybe I should just give you the slides that I'm going to blast through right now, like bonus material for the
people who showed up early. So in conclusion, you're being amplified. Okay, excellent. Yes, I can hear it. The switch is right there on the top. I'll go ahead and turn you off. Good afternoon, Hire Ground. So it's absolutely awesome to see so many people in the room having some amazing conversations about careers, career development. Our career coaching has just been phenomenal and tons of people have been coming in having great advice. We actually have a line for one of our career coaches. What's also interesting is how many people are now starting to realize that even though they're just getting into their career or just moving on to the next step, they do need help. So I really appreciate people being open
to that. I'm going to remind everyone in the room, including our recruiters, that since we're going to have a session going on now, if we can ask the conversations to be held at a dull roar in respect for our presenter. Our presenter is going to talk about noobs and training the next generation. They are going to talk about the fact that we really don't take the time to foster our noobs. And they're really going to talk about some of the things that have worked for them. So I'm going to let you do your introduction since you're best knowing about who you are. Awesome. Well, thanks everyone. As Kathleen said, we're going to talk about noobs.
We were all noobs once and how we're making a lot more of them. So first a few words about me. I'm a security engineering manager on Google's detection and response team. I manage the teams that do detection in Google Cloud. And I also manage the ATC team that we're going to talk about today. I use they/them pronouns. I write for Quora. So you should follow me there. I write about security and management and big tech. I love everything in the outdoors, especially physical activity. And I also brew my own beer. So, Sarah Young's talk, if any of you all saw her talk yesterday, got into this problem in depth. Every company wants to hire senior security engineers with 10 years of experience, and many fewer companies want to hire
entry-level security engineers with no experience. And that creates an obvious gap. And we don't have a giant set of feeder programs the way the software engineering folks do. There are a few formal programs, Carnegie Mellon's well known, but there isn't nearly the same quantity of programs. So what winds up happening is folks go through AA programs, certifications, but not nearly the same amount of training as a software engineer. And then they wind up in jobs like tier one stock analysts, which is a fine job, but it's not as good at training people as we'd like to see and people wind up staying in those jobs for a while and really having to make their own
education and talk their way into things. That's not really the best way to build a pipeline for the industry. So, our attempt to solve that problem is by creating a pipeline. And right now our pipeline has two components. We have the ITRP security engineer career path; we'll talk about both of these in depth. That's really intended to be an introduction to the security field. It's not a job in security. And we have a team called automation, triage, and compliance, which is your first job in security. So ITRP, IT Residency Program, is a Google-wide program. It's been around for a while. It's not specific to security in any way. Folks in the program are hired on a
26-month fixed-term full-time contract. And what that means is they have all the rights and privileges of a full-time employee, but they have a scheduled end date. And if they don't find another job by that end date, they're unemployed. To get into the ITRP, you only need to have sort of general IT skills. You need to have a good set of skills, but it's supposed to be the foundation on which you can build your career. It's not supposed to be the skills that will be your career. And we look for lots of signs of promise, folks who have shown advancement in previous jobs, good GPAs, things like that. The ITRP requires no coding, and it requires
no security. So we consider folks in this program to sort of be raw material on which we can build. The core job of the ITRP is to run our help desks. It makes for great tech support. Actually, someone who's a great performer on one of my other teams started off at Help Desk and helped me fix my computer like three years ago. She's also captaining one of the blue teams in the CTF. And then they do a three-month rotation with an engineering team that's supposed to help them learn about what that team does. On top of that, they're not expected to work a full 40 hours. We set aside a few hours a week for
them to dedicate to learning. And we latched on to that by developing a security engineer career path. And the path has a few different components. We put together a curriculum for them to study that covers sort of security fundamentals, CIA, risk impact or likelihood, what is encryption, asymmetric versus symmetric, TLS, when you use it, detection, what it is, and all these basic concepts at sort of the definition level. And we also suggested that they go through some computer science courses, Stanford's intro courses online, we recommend that. Few people actually do that, most people just jump right in and start coding. The real meat of this is the mentorship. So we find senior mentors with about
five to ten years of experience, and we pair them with about five mentees each. They have one-on-one meetings monthly and they have group meetings every week. And we find that this is where a lot of the learning happens because folks show up with lots of questions. Things they've read in the news, projects that they've taken on their own time. And the mentors are able to help them understand what's going on and work through it. And the one-on-one meetings can be used to tailor specifically for their needs. And often that winds up channeling them towards interviews. So whatever it is that they need to work on to pass our interview bar, whether it's coding, security knowledge,
applying knowledge, that gets focused on in those one-on-one meetings. We also are able to have some folks do rotations with various security teams. I see one of my former rotators in the audience today. Hi, Mario. Not everyone's able to do that, but it's not a requisite to learn the necessary knowledge. So far, we have had nine people graduate from the program and we have 19 currently in the program. About half of the people who start the program drop out, and that's okay. That's understood. Some people are just not going to like security. They're not going to be good at it. They're going to find some other field they like better or they're going to have
some personal issue that requires them to drop out. That's part of this. This is an intro, not a job. And of the nine that graduated, we've hired six, which is actually much better than we were expecting. So if you think about it, the mentors are spending about nine hours a month on mentorship, and we're getting hires out of this program. That's like way, way, way, way, way cheaper than recruiting these people from outside. So then I'll talk about the ATC team, which is your first job in security. ATC stands for Automation, Triage, and Compliance. To be totally honest, it's a backronym. We had another name before, and we didn't want to change the acronym and
have to rename all our files and accounts, so we came up with some words that fit it. The ATC team operates high-volume, low-to-moderate complexity workflows. So basically, if you can define it in playbook form, we take it on and run it. And we have about 30 of these right now. We look for things that are below the skill level of a senior engineer, that are not motivating to senior engineers, that do not help them learn and grow and achieve their career goals. And we move that work to folks for whom it is motivating. It does help them learn and grow and achieve their career goals. So it's a win for both parties. We're also able
to invest really heavily in automation, which I'll talk about. And as a result of that, we're actually more efficient, even in an absolute sense, at executing these workflows than the senior engineers are. In other words, we're doing it better than they were doing it. And the most important thing is we target hiring for this team of folks with less than one year in industry. We hire for what's formally called security engineer level two. It's the lowest level on our job ladder. And previously, we looked for three years of experience for our entry-level positions, which is frankly kind of ridiculous. So we're not doing that anymore. Thank you. So some examples of things the team works
on, if you want to punch a hole through a firewall, we review and decide if that's appropriate. We use binary whitelisting. If you want to disable that on your workstation, we review whether that's appropriate. If you lose your phone, if you check PII into source control, we handle those things. And probably the most complex one that we handle is vendor assessments. A lot of companies-- A very high skilled team does the vendor assessments process. But what we found is that a great deal of the process can be reduced to a playbook, a set of conditions. You must do these things and you must not do these things. And those are just hard lines. And a
relatively junior engineer can understand those lines and understand whether those conditions are being met or not. And then there's a gray area in the middle where they can make security judgments. And if they reach a place where they don't know an answer, they can escalate. And we'll talk about that. This is what we look for when we take on a process, and if you're looking to replicate this in your company, these are the things that you're going to want to look for. Number one, is it worth transferring? Do you do this often enough to make it worth the effort? Number two, we're not a 24/7 team. We need some time for folks to be able
to learn if they don't know the answer to go find that answer, so we don't do tight SLOs. In practice, we actually achieve a higher SLO than we commit to, but you wouldn't want to commit to a higher SLO. Your processes need to tolerate errors. The whole reason why companies look for people with 10 years experience is they want to be perfect every time, but you don't actually always need that. If we make an error and grant a binary whitelisting exception to a machine that really shouldn't have gotten one, the odds that that particular machine will be attacked by an attack that could have been prevented by binary whitelisting are relatively low. So you
combine a low probability but non-zero of errors with a low probability of an attack that affects that security control. And we can get away with a few things. Obviously, you have to keep your error rate low. And there will always be an error rate, even by senior engineers. But you need a process that you don't need perfection on. So like vulnerability response is probably not a good candidate for this. The process needs to involve some amount of security judgment. People won't learn if they're just being asked to bring the server back up. We're not an SRE team. We're not a help desk. There needs to be an element of security judgment. On the other hand,
the security judgment can't require too deep or expert skills because that's not what we are. That's not what we do. But what it can have is places where expert judgment is required because if we can identify where we need a deep expert, we can escalate. And it turns out that a lot of these processes that are run by senior engineers really don't need judgment 95% of the time, 90% of the time. And so we can have folks who are new to the industry handle the 90% case and escalate the 10% and everyone is happy. And the last thing is, we need a partner. We need somebody who, when we hit those escalation cases, when a
person doesn't know the answer, they can go get that answer from an expert in the field. So we don't take things and then the other team goes and runs away, except one time we had a team get disbanded. That was a little unfortunate. But for the most part, we are in constant partnership with the teams we work with. We used to include Automatable in our criteria, but what we found is that we're able to automate basically anything. So we have a few tools to do that. We built a very basic dashboard, basically just like a grid view with the ticket IDs and metadata. We built a workflow engine that is basically a glorified cron job.
It looks to see whether bugs have been updated and if so it drops them into the queue and it takes automated actions. And what's nice about this, we've kept the bar intentionally very low for coding in this engine. There's no domain specific language. There's a very minimal framework because we want somebody to be able to show up on their first day and add a new condition to a switch statement. Like anyone who knows even very basic coding can go in and add a new clause to a switch statement. And over time, they can ramp up on that. They can add a whole switch statement. They can add a whole new set of conditionals, and that
might require integrating with an API, and pretty soon, they're doing real software engineering, and they've built that skill to the next level, they can apply to their next job. The other thing that we do that's really helpful, oftentimes when you try to automate things, you find that you don't have the data you need to make decisions. So we push those things upstream. And because we're both the operators and the engineers, the same person who's getting annoyed by having to ask the same question over and over can go into the questionnaire and the code for that and add the question to the questionnaire. And you think users generally get annoyed by questionnaires, but it turns out
that if you give them an automated decision most of the time, they're actually really happy to use it because they get an instant answer and an instant fix to their problem. We've open sourced one of our questionnaires that we use for vendor assessment. You can see it is quite complicated. You can see from the progress bar on the side that it is even more complicated than it appears on the screen. But we get all the information we need to make a decision so we can follow the process from here very quickly rather than a bunch of round trips. At least that's how it's supposed to work. Sometimes people answer the questions wrong and it goes
badly from there. So we are able to operate these processes in general with under one day of latency. We process over 11,000 tickets a year with eight people. And these are real tickets. Like every single one of these tickets at some point in time would have been handled by a human. And we're able to take all of that off the rest of the organization. So this is strictly a win for the business even apart from the training aspects. The training aspects have been good too. We've had 13 security engineers come through the team in the year and a half that we've been active. Six of those have now been placed out with other security teams.
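To make the playbook idea concrete, here is a small triage engine in the shape just described: a cron-style pass over updated tickets, a dispatch table that plays the role of the switch statement a new hire can add a clause to, and playbooks that apply the hard lines first, decide the gray area, and escalate anything they do not cover. This is an added example written for this page, not Google's ATC tooling; the ticket fields, rule thresholds, workflow names and sample tickets are all constructed assumptions.

```python
"""Playbook-driven triage engine (added illustration; not the ATC team's code).
Ticket fields, rule thresholds and the sample queue are constructed."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    ESCALATE = "escalate"  # hand to the partner team's expert


@dataclass
class Ticket:
    ticket_id: str
    kind: str                 # workflow name, e.g. "firewall_exception" (assumed)
    fields: dict
    updated: bool = True      # the tracker flags a ticket when the requester edits it
    history: list = field(default_factory=list)


Playbook = Callable[[Ticket], tuple[Decision, str]]


def firewall_exception(t: Ticket) -> tuple[Decision, str]:
    """Request to open a firewall hole: hard lines, then gray area, else escalate."""
    f = t.fields
    if f.get("source") == "internet" and f.get("dest_zone") == "prod":
        return Decision.DENY, "hard line: no internet-to-prod exposure"
    if not f.get("justification"):
        return Decision.DENY, "hard line: a justification is required"
    if f.get("port") in (22, 3389):
        return Decision.ESCALATE, "admin protocol exposed; needs a network security expert"
    if f.get("source") == "corp" and f.get("dest_zone") == "dev":
        return Decision.APPROVE, "corp-to-dev, justified, non-admin port"
    return Decision.ESCALATE, "combination not covered by the playbook"


def allowlist_exception(t: Ticket) -> tuple[Decision, str]:
    """Request to temporarily disable binary allowlisting on a workstation."""
    f = t.fields
    if f.get("role") in ("finance", "admin"):
        return Decision.DENY, "hard line: high-risk roles keep allowlisting on"
    if f.get("days", 0) > 30:
        return Decision.ESCALATE, "long-lived exception needs expert review"
    if f.get("reason") == "build_toolchain":
        return Decision.APPROVE, "known developer need, short-lived"
    return Decision.ESCALATE, "reason not in the playbook"


# The "switch statement": taking on a new workflow is adding one entry here.
PLAYBOOKS: dict[str, Playbook] = {
    "firewall_exception": firewall_exception,
    "allowlist_exception": allowlist_exception,
}


def triage(t: Ticket) -> Decision:
    """Apply the playbook for the ticket's kind; unknown kinds always escalate."""
    playbook = PLAYBOOKS.get(t.kind)
    if playbook is None:
        decision, why = Decision.ESCALATE, f"no playbook for kind {t.kind!r}"
    else:
        decision, why = playbook(t)
    t.history.append((decision, why))   # audit trail the reviewer can be coached on
    t.updated = False                   # consumed until the requester edits again
    return decision


def run_once(queue: list[Ticket]) -> dict[str, int]:
    """One tick of the cron-style engine: process every updated ticket and
    return per-decision counts for the dashboard."""
    counts = {d.value: 0 for d in Decision}
    for t in queue:
        if t.updated:
            counts[triage(t).value] += 1
    return counts


def escalation_rate(counts: dict[str, int]) -> float:
    """Share of decisions that needed an expert; a rising value means the
    playbook (or the questionnaire feeding it) is missing a condition."""
    total = sum(counts.values())
    return counts["escalate"] / total if total else 0.0


# Constructed sample tickets, not real requests.
SAMPLE_QUEUE = [
    Ticket("T-1", "firewall_exception", {"source": "corp", "dest_zone": "dev", "port": 8080, "justification": "test env"}),
    Ticket("T-2", "firewall_exception", {"source": "internet", "dest_zone": "prod", "port": 443, "justification": "demo"}),
    Ticket("T-3", "firewall_exception", {"source": "corp", "dest_zone": "prod", "port": 22, "justification": "ops"}),
    Ticket("T-4", "allowlist_exception", {"role": "engineer", "days": 7, "reason": "build_toolchain"}),
    Ticket("T-5", "allowlist_exception", {"role": "finance", "days": 7, "reason": "build_toolchain"}),
    Ticket("T-6", "lost_phone", {}),
]

if __name__ == "__main__":
    summary = run_once(SAMPLE_QUEUE)
    for t in SAMPLE_QUEUE:
        print(t.ticket_id, t.history[-1][0].value, "-", t.history[-1][1])
    print(summary, f"escalation rate {escalation_rate(summary):.0%}")
```

Two design points carry the talk's criteria: every playbook ends in an escalation rather than a guess, so an error in the gray area is bounded by the hard lines above it, and the per-ticket history plus the escalation rate give the reviewing senior engineer something concrete to coach on and a signal for which question to push upstream into the questionnaire.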
Folks have gone on to great success. We've had really excellent results. Actually, when I started this, I expected we would have to occasionally fire people. When you join the team, I give you a pitch. You have a year and a half to prove yourself. And if you haven't done it by then, you're probably going to get fired. And I've never had to do that. We do have some challenges, it's not all roses. One of the biggest problems we have is in practice everyone we hired has been in their first year of work. We would like to get more career changers but we haven't been able to do that. So folks are just not used to
operating in a professional workplace. We've had some challenges with people not showing up to meetings on time, not bringing their laptop to meetings where it's necessary, making comments that were rude or inappropriate. And so that requires some intervention and coaching from the manager. An interesting problem we have is we do reviews every six months, but if somebody shows up maybe a month before performance review, they're kind of still ramping up in their first review. By two months later, they're crushing it. They're operating at the next level they should be promoted. They're going to have to wait four more months before they get that promotion. So our review system isn't designed for folks who are growing
this fast, and that is kind of unfair to them, so something I'm working on with HR. And the last problem we have is we've been successful enough that we have more security engineers than we can place out. Particularly this team is located in Kirkland in Washington, outside Seattle, and some of our teams are not. So we don't have a forensics team in Kirkland. We don't have a red team there. And so if somebody wants to do that job, they either have to move or change their career plan. So this is a good problem to have. We've been able to find ways to keep these people contributing, but it is something that we have to deal
with. We also had a hypothesis that this program would have a more diverse set of employees than we typically find. And indeed, the ITRP program has 60% of participants are from underrepresented groups, that is not white or Asian males. And the ATC, 50% of team members are from underrepresented groups. Interestingly, we are no different on gender than other teams. We have about the same gender ratio as the rest of the industry, but we have a substantially larger number of black and Latino team members. We have a few hypotheses why this is true. We don't really know. We don't have any statistical data. But our number one hypothesis is some statistics show that folks
from underrepresented groups leave the industry at higher rates than folks from, I don't really want to call it regular, like fully represented groups, I think, is the term anyway. So our hypothesis is, if we hire those folks early in their career, that effect hasn't taken place yet. They're still in the industry, and so we have to include them from there, and inclusion is a really big value that's outside the scope of this talk. So we do have to retain them, but at least if we can get them, we have the chance to do that. And we do believe we're doing a good job, by the way. I've heard someone say sometimes focusing on recruiting is just feeding
more bodies to the meat grinder, so we're trying not to do that. Another benefit is when we look for people with three years of experience, compared to looking for people with zero years of experience, we get to evaluate a much wider pool of talent. And so we can find people who are brilliant, hard workers, who maybe haven't had the time to get that level of experience, and we're happy to hire them and build them up to that level of experience. Actually, what we're seeing is people are getting promoted to jobs that externally we request three years of experience. We're getting them there in one year. And then they're going on to have
strong careers after that. So it's a huge win in terms of finding really great people. The last hypothesis we have, as an industry, we started all of this work to grow the pipeline 15, 20 years ago, and some of those folks are just graduating around now. And so we think that we're seeing some effect from that. But again, these are hypotheses. We don't have the data to fully support them yet. So a lot of folks might think, this is a good idea. Let's do this in our-- in fact, I hope you think that. Otherwise, my presentation didn't really succeed. So many of you, if you're hiring for senior security engineers, your positions sit open for
a long time. I hired a manager and it took me a year and a half to get someone enrolled. So that headcount is doing nothing for you. Whereas if you hire somebody that's closer to entry level, they can start today and you'll find somebody. There are a lot of people looking for jobs. And they may come in the door and immediately be executing at a higher level right away, or you can get them ramped up and have them executing at a higher level by the time you would have hired a senior security engineer who you also have to ramp up. The other thing is that somebody who has been with your organization from the beginning
is going to have a lot more loyalty to your organization than somebody who joined you because you offered them money or a meaningful project, and they're going to know your tech stack and all of the usual reasons why it's good to hire someone and keep them with your organization. We haven't had enough time with this program to know whether retention is above average, but I certainly hope so, putting that on my performance review. The other thing is we're also helping the senior engineers. When we get folks doing work that is at their skill level, they feel happier about it. It helps their morale. Good morale leads to good retention, and it also leads to good
performance. So some things your organization needs in order to support this work. You need at least three security people. If you're so small that you only have two people, you're probably just not going to be able to sustain it. You need to have some operational processes. So if you are a very small company that does everything ad hoc, this is probably not for you. If you're a consultancy where most of your work is at a client site, this may not be for you. You need someone who will be a good code mentor, someone who will take a really crappy CL, sorry, changelist, diff, and provide good feedback that helps that person learn and
grow rather than just telling them they're wrong and this is terrible, do it again. Because we are going to get crappy code submissions and we need to improve. And we need somebody who will help them through that process. And lastly, you need room for growth. It's a really bad deal for your organization if you invest in training someone up and then you don't have anywhere for them to go and some other company provides somewhere for them to go. So make sure that you have something to do with folks when you develop them. So the core concepts that you need to be sure of when you're implementing this in your organization. Go back to some of
the things I mentioned before. You need fault tolerant work that is broad enough to provide exposure but shallow enough that it's tractable for someone at entry level. You need senior mentors who are going to help people improve and answer questions when they get stuck. You need your junior folks to be empowered to actually make decisions, to write code, and to be able to do stuff. If you just want a robot, hire a robot. I'm sure Google will sell you one. And I mentioned, be explicit about the growth requirement. It turns out that if you put somebody on a low-level team with no career path and just leave them there, they're not very happy. But if
you tell someone, you have a year and a half to prove yourself and we're going to invest in you, that's very motivating. And people work really hard to live up to the expectations. And I mentioned we've had nobody fail. So it's really been effective. And I say that when people join the team, I tell them literally, you have a year and a half. Let me reflect back to the process criteria I showed you before. These work at basically any organization. There's nothing specific to big companies. There's nothing specific to tech here. If you have processes that meet this definition, you can do them at your company or your organization. There are some key things about empowerment that are really, really crucial to make this work. Folks need to
be empowered to make decisions. If they're not able to make decisions for themselves, then you've just turned them into robots. And that's pointless. It is okay that they are required to escalate certain cases. That's part of it. That's expected. It's also okay if you want every single thing they do to be reviewed by someone higher. That's a great opportunity for them to get feedback where they're making mistakes. There's no issue with that. They still have the autonomy. In fact, people, a funny thing is managers always struggle to give feedback, but one of the most common complaints is that I don't get actionable feedback. So having a review step where people can provide feedback is actually
really valuable to the person and very much appreciated. Folks must also be empowered to automate. You can turn them into thinking robots and still require them to do a lot of robotic manual rubber stamping and they're not going to be happy. And they're not going to learn the code aspect of the job. I know not all organizations require coding, but it's always a valued skill. I've never found a place that actively wanted you not to be able to code. But that's it. You don't need to start off as a strong coder. You can be a pretty bad basic coder, maybe taking like one Python tutorial and be able to get started because we can start
with really itty bitty bug fixes and changes and you can learn from there. You also don't need any of that infrastructure I mentioned. We didn't start with that. We built that all from scratch. It was actually built by people who didn't know how to code. They learned how to code as they wrote the infrastructure. And we started really small and we built on that and it got better and better over time. Okay, so I think we're at time for questions now. The rest is left for you to do. So ask me anything. So this has been phenomenal. Thank you, David. I really appreciate it. And I'm sorry that we had to put you on super
caffeinated overdrive. That's my usual mode. So what questions do we have for David? Oh, come on. That was phenomenal. I guess I didn't mention I condensed a 45-minute talk. Sorry I talked quite fast. So if people want to have more information or the 45 minute talk, may they contact you or ask you any questions? Absolutely. Feel free to email me, contact me, particularly if you'd like to develop something like this. But really anything. Yeah, go ahead. Reach out. How many in the room are training noobs right now or working alongside noobs? So is this different from what you've been experiencing or what you've been doing? So does this give you some ideas of what to
do? So can you make me a commitment that if you instigate any of these, can you write a thank you note to David in a year? Can someone remember to do that? Actually, I would really appreciate if folks do take lessons away from this and apply them in your organization. I would love to get any feedback on how it's working for you. I mentioned we've been doing this for about a year and a half, so I'm sure there are still lessons we haven't learned. Maybe you'll learn them first and we can go from there. Please do let me know if you learn stuff. Yeah, because I, you know, the four or five years that I've
been doing this, we've rarely really talked about training noobs. And I think what David has shared with us is we used to do it just like throw them into the deep end. And this is actually one of the first presentations I've seen on actually having a process. Richard, have you ever seen a process like this before? You've worked at a few companies. Yeah.
So apprenticeships, yes but this is a great training program. Well let's give David a round of applause. This was wonderful. So we're going to wait for our next speaker. I'm sure David would love to have some one-on-one conversations with anyone about this. Thank you. Thank you so much. My pleasure. Yep. Check, check. Check one. Check two. Normally I have somebody else that can help. Okay. Just keep talking. Check one, check two. My man Crimson running around the room. Is that pretty good? Cool. Turn it off. So it's interesting. On my business card, I have that I am the higher ground ringmaster, not director or anything like that. I'm a ringmaster because... Everything happens at the same time.
I have lulls, and then all of a sudden, three things need to happen at the same time. So here I am. So here we are, afternoon of Higher Ground. I hate to say it, our last session. Yes, we're bringing it in. We're bringing it in. So several times throughout the program, People have sort of said, I want to move from being in a big company to some kind of tech startup, or I want to do something that's a little risky, or something a little different for my career. And so I was really excited when Ty submitted this talk to really talk about, hey, it's okay to take that risk. It's okay to sort of jump
to the next level. And I'm really excited that Ty is going to share what that process is all about. So let's give it up for Ty. Thank you, Kathleen. Super warm intro. I'm going to talk a little bit about myself as a human being in this process. It's a lot of storytelling. It's not going to be technical. It will be littered with swear words. If you're offended with cursing, if you're from a certain part of the U.S. and it's cussing, leave the room now. I'm not that filtered. So, let's get into it. So, the whole idea behind this and the inspiration was my career and a big part of who I am. I'm not
going to read all this shit to you, but at the same time, from a background standpoint, education, certificates, like all these fucking things led me to an idea. And the idea was I really like security. I found out at an early stage at a small consulting place that I wanted to be in fintech. And through my journey at JPMorgan Chase, rolling like one of the very first static analysis engines, Ounce Labs, before it was bought by IBM, to Capital One and rolling out, and I know that's kind of a loaded term this week, just with everything going on, but I was there over five and a half years building application security, a red team, all these
functions, but I also did some mergers and acquisitions. And with it, that was when I had a moment in my life to really determine, wow, it seems cool as shit when we acquire these companies where it's 10 to 20 people or maybe 30 people, and they've been on this awesome journey together. They're not mired with the quagmire of the OCC, the FFIEC, the SEC, name another three-letter acronym that does not have their shit together and ask the same questions. When you work in certain organizations, maybe, and I'm not gonna say it's like this is how it is, but maybe you get to a point where all you do is manage people, 'cause you have a
director title, and maybe you talk to a bunch of people, and all you do is no more hands-on keyboard, and you just make PowerPoints like these. And sometimes that's the case, sometimes it's not. I have a little bit of joy because I've been beaten up a lot by creating a lot of storytelling decks. And for me, this is a part of who I am now. So I really appreciate everything from that company. But a big part of it was seeing all these cool startups come get acquired, cash out, go do their thing, and then they start it over again with a new idea. And this mentality of anything's possible versus I work in these environments
where I'm like, hey guys, let's talk about what's not possible this week. Launching every AWS instance, leaving the S3 containers open wherever the fuck you want to do it, and then kind of doing that quagmire of security. But at scale, it gets tough. So I made the decision then. I'm like, yeah, I want to start ramping down. And I fucked up and I went over to Target. And that was 400,000 people. And I was told I was going to be an individual contributor. And the next thing you know, I'm managing 37 people around the world, building a team of 47. And I'm like, why did I do this? So I stayed there exactly 365 days,
started working towards getting out of where I was and going more towards IC. So I ended up in SF at a company called Lending Club, started to wear multiple hats in the Bay Area and just got the confidence to jump into this thing called Periscope Data. And we were just acquired about three months ago, not a cash exit, I'm not done yet, but at the same time, I'm a security dude for some amazing founders and a great culture. And that's a part of this discussion: those lessons learned that I've taken from all this other shit and have been able to be successful, to build a team, to get budget, to have trust and to enable
the business. So as we go through, I think I have, I don't know, 23 minutes left and a big part of it is this is the last talk. So maybe I can go over, but likely if we wrap, I'm happy to chat more in person and that's more my engagement style than like this. So I want to start with this term, ikigai. I didn't really talk about me as a human being. You just saw my resume basically and that's not a good representation of me. I'm half Japanese, half American, but I'm 100% American. And what I mean by that is I'm part of this melting pot that has been granted an opportunity in this wonderful
country, mired by all this other shit that I know a lot of people are very upset by. But if you've been around the world as a military brat or in other countries, you come to really appreciate the things you get to do, the differences you get to make and the impact you get to have. But there's a term here, ikigai, that it just doesn't translate well. It translates like dog shit. And it's really, I'm not going to draw a Venn diagram, but it's this Venn diagram, it's like what you're good at, what you're passionate about, what the world needs, and what you can get paid for. Right in the fucking middle, that should be the
thing you should be doing. If you're working at some job and making these PowerPoints and you're like, "Why do I fucking hate my life? Why am I sitting through this goddamn breach and this other breach and trying to convince everyone else this is a breach?" And the lawyers are telling me, "Hey, a botnet is not a breach." I'm like, "Well, I logged into the account, so is that a breach?" Because I think that's a breach. And those are things where if you're wasting your energy and life, don't do it. Because there are other options out there. My point for this is figure out what the thing is that drives you. For me, it is 100%
information security. Mostly app and product security, but now the larger mindset, the cultural shift. I think that's a big element. So if you want to learn more about this, search it. But again, you can chat with me as well. So, let's start thinking about this, like the planning for the move. I mentioned I was at Capital One, I got this fucking bright idea, but I also had this thing called a development action plan. Most folks have a five-year plan of what they want to do, and they're like, this is cool, I'm going to just say some shit and never do it. I'm a person that doesn't have time for people that say things but never
get it done. A development action plan actually cranks it down just a little bit. You can give it whatever time, whatever stipulation. I say shoot for one to two years. I say shoot for three top-level goals, have a whole ton of micro goals, 10 to 12 under each one, and just start checking these boxes. Not only is it validating, but every six months when you go back and you check in, or say you get a new boss at work, I've used this as a tool to help me expand my career every fucking time. They're like, hey, nice to meet you. I'm your new boss. I'm like, cool, here's who I am. Show
them this thing. Say, here's where I need help. Here's where I want you to lean in. Here's what I'd like to do. And if there's nothing here that you can help me with, just say everything's awesome and let me know when I'm fucking up and I will just make you look great. Those are things where I think a development action plan is huge. It's not your fucking resume that says what I've done. It's saying where I'm going, what I'm going to do. And you'll be surprised how many leaders will be like, hey, I got a friend, maybe at a startup, they want to talk to you. I'm like, cool. And that turns into an
advisor role. That turns into things where you build relationships and you get to do more things because you're just putting it out there and stating a mission and a manifesto. The next one, no one loves talking about this. Jumping into a Series B startup, I took a 30% pay cut. It was fucking painful, but at the same time, I never let my lifestyle inflation outpace my expectation. I will say taking a 15-hour flight to Israel in economy is pretty goddamn rough, but at the same time, that's part of the growth of the company I'm at now, and I just have to roll with it as opposed to getting business class and eating steak dinners every
night. Eat steak dinners every night while you're here on vendors. I highly recommend it. But a big part of this: make sure you have enough cash in case there's that oh shit quarter, that oh shit month, and next thing you know you walk into a meeting room, they're like, hey, you're one of our highest paid employees. I'm like, but I'm not, and I don't make that much. Just to be clear, I'm very much underpaid like a lot of other people. They're like, well, this could be your last day. It's like, all right. All right, be prepared to be confident. And what I mean by this is your financial buffer should be a thing that you're
working your ass off in your career to save money. I'm not gonna get into the whole financial freedom aspect of everything, but have enough confidence where if you didn't have a job tomorrow, you will have a job tomorrow. In security right now, like if you just have no job where you're at, fuck it, I don't care. What that means is you get into this enabler mindset where you can take on risk, you can try all these things and you can actually present to the board and be like, hey, I just wanna let you know, it's fucked up. And they're like, oh, well, how is it so fucked up? I'm like, you remember that cybersecurity tabletop we did?
We still haven't rolled out HashiCorp Vault, we still haven't done social media training, we haven't done this. And you can be very blunt and direct without having any personal attachment because you're like, hey, I like what I do, I love working with y'all, but at the same time, I don't have to be here. And in the moments where you have these hard discussions, and I'll explain one a little bit later, it gives you empowerment. And that's what I mean by having that financial buffer is have the confidence to go in because if times are tough and you're like, yeah, I need a new raise and like sales aren't working, half the team's bleeding out, attrition
is garbage, you're not getting a raise. And I highly recommend when you talk about money, it's before you join or before you get promoted. Other than that, shut the fuck up, enjoy your money, be cool. The last one is your support network. So the big one there goes with your financial buffer. Whew, my wife is my keystone that keeps me enabled to do anything in life, like putting on pants, and these specific pants. But at the same time, having that conversation of like, we're not gonna do X in the next couple of years. We're not gonna do Y. I know you want a two-carat diamond ring to replace that one I bought 10 years ago.
It ain't gonna happen anytime soon. Sorry, babe, and then you deal with that wrath. But at the same time, you need to have that support not only at home, but in your actual professional network. And that's why I love B-Sides. This is one of those environments where you meet all sorts of cool people because you didn't have to spend three Gs to go to a thing and it's just snake oil and sales and you're just like, I'm tired. As opposed to here, you should come, get energy, get inspired, have good connections. And this piece here, the hard lesson for me, going from a Capital One to a Target, a lot of companies don't call you
back when you're like, "Hey, I want to use your service." They're like, "We're not able to sell for a deal less than $50,000." I'm like, "I have $12,000 for this. Can you help me out?" You got to really hone in on the friends and the relationships. Prepare for that shitty moment when you had all this power. I was 26 and I'm working at a fucking financial institution and they're trusting me with a two million run rate and a two million investment budget. $4 million a year. I didn't have four million, I don't even know how to rock four million. But at the same time, these are the things you get enabled, but at the same
time, when you're dealing with the sales cycle of certain companies, your four million, they want all of it. When you're a dude with like a quarter million dollar security budget because you had to convince your organization and the board to do it, you got to be very critical of how you spend money. But at the same time, you have to be critical because your options that you're investing to get there, you want them to be worth something. So you don't want to just spend money all over the place and ruin it for everyone on that journey. So which startup? You're like, sounds great. Sign me up. This goes back to that slide, Ikigai, right? What
do you care about? For me, I've been working in all these security teams, building out things where top 10 financial becomes a top five. A security person organization needs to transform because all they did was a compliance hammer and how to create this thing called product security and all this other shit. Fun, great. The big problem I found in every security team, there's a data problem. How many people have a data lake? One person, congrats. It's a data swamp probably 'cause you're like, it's unstructured and I can't actually get to it. I can't use any of this data. One of the places I worked, we built basically the company I work at. It was cool
for a little bit. It was great. We actually even built a mobile app. Our CISO was like, "We should sell this." And I'm like, "I can't work for this guy anymore, because he's just going to steal the thunder. I got to go." But the data problem within security teams is very real. How do you translate the message of all these metrics? And you can hear other talks on that. But for me, every fucking place I worked, and I want to make PowerPoints, and I want to use Tableau, I just want to tell you, it ain't good. Here's why, and here are like our top three risks, or here are the top five. Like, you want to
review the 50? We can, but that's a waste of time because you're not going to prioritize shit out of that. I'm going to give you three. I'm going to go crush three and we'll work next. So I think a big thing here when it comes to data for me, the vertical is very simple. I love security. This company wants to pay me a lot less money to come do everything besides security. But the interview is super critical. If you're interviewing for a company and they're like, hey, I don't have a job description. And in my last three jobs, there was no description. It was a conversation, sounds great, let's talk money, interviews, all this shit,
and we get there. But in the interview process, if you're going to a startup, request that you meet the founders. Request that you meet with legal. Request that you meet with HR. If you're a security person and you're not friends with these people, good luck. You have no constituents. You have no fans. You have no champions inside the org. If you go in and you meet with like engineering, maybe there's like a person that's external audit that's kind of in the company, but not really in the company. So they're not fully there, but they have options and it's really weird. You're not going to get the benefit of what is that company and how is
the culture. So when you unpack these things, make sure you're working with good people. Make sure you're gonna be in the slog with people when shit's bad, the quarter sucked, and the marketing team just flipped and that's seven people gone and you're resetting the cycle on it again, you're willing to fight. If you're not willing to do that, don't fucking join that startup. Go somewhere else because that commitment of maybe one year, probably not. Five years, maybe. Seven years, probably. But you have to be in this long-term mindset even though it's in this microcosm of every day must count. Every day has to be a result. So when I think about interviewing, make sure you
have clarity around the people you're working for and what their expectations are. The early versus late stage is a tough one. I think if you're in a scenario where you're used to a healthy paycheck and a bonus and really great benefits and 401(k) matching, do a late stage. And late stage is like Series E, Series F, but that also means your options are gonna be like an okay bonus if things work out. Like if you joined Lyft a year before they IPO'd or Uber before they IPO'd, you're gonna get something, but it's not gonna be like when you joined when they were disrupting the entire market, right? Series A, Series B, it's a bigger dice
roll, but you get to grow with the company. Keep that in mind. That's gonna be fun as hell. If you join a company like 12, 15 people, I was just going to say, early stage as a security professional, it's very hard to find. It is. Overwhelmingly lack of desire for security. And that's part of the interview, right? I joined a company, and they're like, we want to do this. We don't know how to do it. We're kind of doing some things. Going as VP of engineering or something, and you can offer. - Correct, and again, I think I had a very lucky experience so far. I might not have a job after 30 more days,
and I'll explain why later, but the early piece is rare. But this is part of that network. That's part of building this thing out of what is the plan to get there? You will find a lot of startups actually want security. They just don't know what the fuck it means. Next. So let's get started. Let's start with like fucking grinding in this like startup. We got the job. We're there. They said a bunch of shit, but they have no idea what they actually want. Number one, have an agile roadmap. I have a lot of friends that are from bigger companies. They said, Ty, plan out your three year roadmap before you even get there. I'm
like, I have no data. I don't know people. I don't know who I'm going to piss off when I present this thing. That's not how I roll. Show up, knock some shit out. For me it was GDPR compliance, SOC 2 Type 2. It's like check, check, kind of did those things. They weren't that difficult as a security person. My Agile roadmap adjusted. So every quarter, it's like, here is this clear, crisp vision of what we're gonna do. I'm committing, I'm gonna execute. I don't have a team. I'm gonna get the help of the rest of the org to lean in and get this shit done, 'cause it's important. Otherwise, maybe we get sued for GDPR.
Maybe we don't. I don't know. I don't have data to back it up, but I gotta go run and get a bunch of shit done. The next thing there is really building out that roadmap from, okay, your first 90 days are done. Likely that job interview was all they had of the vision for what security is going to be. Now you got to tell them. Now you got to let everyone know. Using consistent language, a framework, something there will allow you to have that dialogue. For me, NIST CSF, the Cybersecurity Framework, super easy to use. Not that easy to bubble up in a pretty chart, but at the same time, you can just show like red,
yellow, green. Here's how we're doing at the top four. Cool. We have no ability to fucking respond. Why not? No one's ever thought about a response because we've never detected shit. Why didn't we detect shit? Because we're only looking at one thing. And you have to go through those discussions to bring reality. The intelligent risks. This is back to make sure you have your financial buffer because you're going to roll the dice on some of these conversations where like, I'm going to pull in the CEO because a third party just got popped and I want to push a communication out to our customers because I believe their connections will break based on this message.
I've done the analysis with an engineer to find this specific Ruby gem, thanks Salesforce, that they had a bad thing. Their security team basically captured everything in the URL and that included username and password, but it was an old data gem. Like, this shit happens. But at the same time, your security team can be your biggest risk as well. Long story there, I pull the CEO into a room. I'm like, Harry, it ain't good. What I say is like, I have 47 customers out of a thousand, and I believe that on this date, Wednesday, at this time, based on this email that we received, these customers probably also received it. Now, what that means
is if they fix it, great, they update their creds, they update the job, like we do all this work and everything will be fine. Or we disclose this quickly, we contact, we use our CSMs, we get ahead of it, and we just say on the context of this is not a security incident for us, this is more, we want to make sure your functionality doesn't break. And he's like, Ty, what do you want to do? And I'm like, I want to communicate this shit now. He's like, sounds great. And that was the first time I had leverage. I also had support. And I went to bat with a really not great scenario. And I knew
I had trust. And I was building trust through these little battles to get to this larger war. The next thing is that larger war. When people bring you the stupidest shit like, hey, we have a flat network and there's nothing on it, why aren't we scanning it? Because it doesn't fucking matter. If everything's cloud-based or SaaS-based or you rely on Okta or you have some VPN tunnel or you have maybe SSH that's done properly to your production environment, your network might not matter. One key example for me is everyone bitching about Chromecasts. These Chromecasts, Ty, they're unsecured. Is this a problem? I want to be honest with you. From an impact likelihood standpoint of me
giving a shit, this is very low. And what I mean by this is like, you have to physically be close or maybe you try to get to it based on our network and it somehow is exposed. But like, why am I going to spend more than three to seven seconds unpacking that? I'm not. So that's what I mean. Like, do you want to be known as the person with a brand that like, hey, you know what? Ty did a great job. He secured all our Chromecasts. No. You want to be the person that enabled every fucking large deal because you're like, hey, our SOC 2 is done. Oh, they had questions. I got on a
fucking call with their CISO and we agreed on all the red lines and the deal is done. It was like, wait, how'd that happen? I'm like, you talk experts and then... you push out the lawyer and things just get done. So you get these wins, you think about what is the thing you're trying to be known for and what are you trying to do. More to that, you'll notice here at the bottom, PowerPoint to a minimum, storytelling to a max. The Bay Area and tech startups, no one wants to see slides, but I had a great boss at one point in my career and an active mentor, Brian Orme. He used to do this to
me. He did this Jedi mind trick. He's like, "Ty, I want you to tell a story." Whatever fucking presentation it was, like, hey, I need static analysis. Hey, I need to build this code review factory. Hey, I need to do component analysis. He's like, I want you to tell a story. And with that story, if it happens to be PowerPoint, that's okay. If it's a whiteboard, that's fine. He's like, but I'm not going to tell you how to tell the story. But ultimately, he Jedi'd me into always making a goddamn PowerPoint. And it was very precise and brief. But at the same time, I've seen him do it to his, like, future employees in life.
But a big part of it is, some of your engineers don't want to see slides. Whiteboard it. When you whiteboard the SDLC and you say, here's the software development life cycle or here's DevOps, I'm going to go on a small rant. Stop saying SecDevOps, please, if you take one thing away. Stop saying DevSecOps. It's just DevOps. Quality is built into DevOps. Security is a subset of quality. Stop. I kind of throw that in there now and then because I'm sick of this shit and I know it's a marketing term. No different than zero trust. But at the same time, be a part of the team. Be a part of the culture. I'm grinding with engineers
looking at fucking PRs. I'm sitting there and having intelligent discussions because we went through a vulnerability to fix, and then I can go to a little sharing session that the engineer's already doing. I'm like, "Here's time of use, time of check, and why it matters when it comes to authorization." And that churns into a lot of good conversation. So next, let's talk about where these requirements came from. Why do you have a job? I don't know. Because I got lucky and someone called me one fucking day and it was just the perfect time when I was sick of the shit. No, for me it was like, it was this thing where they had no idea
what they wanted, they kind of heard some things, reached out to me and I'm like, you know what, I'm tired as fuck of my current role. And I turned that page where I was open to new opportunities and it was just the perfect time. So I got lucky. But at the same time, the origins of their security requirements for Periscope, it was customers. Customers want security, they want assurance, they want trust, they want confidence. We're a data company, and if we have all this data for data analytics and the data science lifecycle, and show me how many data scientists redact or reduce or make things structured or have any idea what's in the data lake,
swamp? Let's call it a swamp still. Yeah, whatever it is, like every data science team you work with, they want everything. Our platform enables that, so I always have to be like, you practice your hygiene, everything's encrypted here, here, here, here's all the things, here's the native controls in AWS. But for me, the origin of where you're getting the drive is going to tell you a big part of that interview process. If they say it's, we want good security, we want to empower our customers to have a clean, smooth cycle, you're probably sold. You're going to get a lot of wins. But if they're like, you know, we really don't want to do security, but
you seem all right. You don't want budget, right? You don't want headcount. You just want to sit here and we just want to put you on emails to say we have a security person. Don't be that person. I've got some friends that ended up in those roles and they're just sitting there and they're like, how do I get budget? I'm like, storytelling. Like, when was the last incident that you used? When was the last thing that mattered? When was the last customer that they lost to a lead because you didn't have SOC 2 type 2 or you didn't have fucking ISO? Those are things that you have to generate as the business mindset. The expected
outcomes, when we start getting into this, what are you being measured by? I think that's pretty simple. If you want to talk KPIs, KRIs, go somewhere else. I don't talk that way. I talk about, like, what is the thing that led to the business outcome? And the continuous iteration. For me, this is taking feedback, adjusting, and rolling with it so you can empower that business once again. So let's switch. I'm not going to spend a ton of time on the culture of security, but this comes back to the business model overall. Know what the goal is. Is it to sell? Is it to get users? Is it to get market share? Just be a part
of that. And don't be waiting at your desk or your shared space or whatever it is and hope that someone pulls you into the meeting. Go. Just be like, how are we selling today? What are the deals? What are the things that matter? How many users do we have? How many bots do we have? Start injecting a lot of that thought process into the business model and then start really focusing. And I put sales enablement. It's just purely enablement, right? I'm gonna cover it up. It's enablement. Enable the culture, enable the business, be a person that's not a no person. This is just fucking 12 years ago in security. I'm just gonna say it again,
be an enabler. And that means someone that has a logical thought process to a contextual threat model. If you're another person that says, "We don't wanna be the next Capital One just because you use AWS," that's not valid, right? Think about your company, think about your programming language, think about, are you even in AWS, right? And you have to have these logical conversations. If you're all GCP, maybe you're not gonna be that way. But at the same time, if your board asks, we don't want to be that, why'd that happen? You're like, I don't work there. I don't have those details. That's not us. The things I care about is this environment, this threat
model, this attack surface. So iterate on that and really ground people when you start to educate them on it. So I'm not going to spend a shit ton of time on training. I think the previous person did a great talk with it. I just wanna just mention presence over policy. Don't point back to the InfoSec policy unless you really need to. But coaching is gonna get you a lot more wins when you sit down with one engineer to do that thing to say, I'm not gonna tell you to validate all inputs. We're just gonna talk about the framework we're gonna start using consistently to validate all inputs as opposed to whack 'em all to death.
Again, I think this is pretty simple. I hate CBTs. Most of you hate CBTs. Your engineers don't like CBTs either, just as a reality check. And if you go in without a contextually grounded thing, like you're like, we gotta do AppSec. We gave them an OWASP top 10. I'm gonna go into a lot of rants on that one. I'm gonna save them. Contextualize why. If you go in and your AppSec program starts with OWASP top 10 because PCI or something else, you fucking fail at AppSec. I will not talk to you. If you go in and say, these are the things we care about because of the languages, because of the frameworks, because of how
we deliver software. And here's the thing, if you don't deliver software and you outsource everything, your AppSec program is in your contract language. And I think those are things that you should think about before just rolling out shit-ass CBTs. Next, staffing. This one hit me pretty hard. I was willing to take a 30% pay cut, but shit, none of my friends were. Now what? I didn't have an answer. I sat there and I'm like, okay, let me go to the well. Let me see all the people that I've been like mentoring, chatting with, wanna get into security. You're gonna see a commonality, especially at this conference: people without security backgrounds getting into security. And that's
the only thing I hire for. You got a passion? It's going to be security for the next two to three years? Shit, let's go. If you want to get into security because you see a large paycheck, get the fuck out. Don't do this to us because you're lowering the bar. If you're joining because you're like, this is interesting. I've always had this mindset. I'm looking for people to help. As you're running a program, you can't do this with your entire team. It's going to be very difficult to spend those times and that energy to mentor, educate all the time in your own team. Take the time to choose wisely. And if you choose that one
person or two people, you will get to a really great place. The pay now or pay later, I say this shit all the time. It's like, hey, we either do the security thing or we just deal with a breach later. For me, it was like cybersecurity tabletop, I want a security retainer. They're like, why do you need a security retainer? I'm like, in the tabletop, show me how you're gonna get ahold of anyone that we don't have a contract with. And the answer was like, well, I got friends. I'm like, they didn't pick up the phone. Like, Ty, I called another friend. I'm like, they didn't pick up the phone. This breach is so bad,
like as you're talking through a tabletop, you're just like doing a gamified way of saying, look, if we have no structure or anything planned, you're not gonna have that relationship ready to go. The last thing I'll mention here is the employee life cycle. Outside of what we were talking about building your team, look at the org, look at the people within the org. Your sales cycle may cycle every 18 months, maybe 12 months. Your marketing team, for me, it's been like eight months. It's been rough. But when I look at engineers in our current org, two to three years, four years, five years, it's unheard of. It's crazy to me, but that's part of the
magic of the why I'm choosing to be here and staying. But also, I asked those questions during the interview process and they all turned out to be true. This goes back to your contextual threat model of off-boarding, thinking of how you're managing people if you give them a Mac or if you give them a Chromebook or would you lock down or not lock down, right? So, we start getting into this, why we did this, why did we join this startup? We want our options worth something, right? We're not just these good natured people that just want to help change the world. We want to cash out as well. So, going through an acquisition, it can
be fucking rough. I will say in my past 120 days, I rolled the dice. I'm going to go over time, if that's okay. Yeah, that's cool. I'm going to keep going. I had to negotiate my own job in the new world and a part of that was I was already 30% under and now I'm going to do this from 160 people now for 800 people in a global entity. I'm not ready mentally, emotionally, financially. And those were a lot of hard ass discussions being acquired, not a cash exit, just more opportunity to get to that exit. That line under IPO, initial public offering, we all kind of want that, but that's not always what we
want. An IPO can go poorly. I was in a company called Lending Club. My shares are worth nothing. They looked great when I signed up, and now they're worth dog shit. When you look at the strike price or you look at the math behind valuation of a company, there's a couple of great articles on Medium. I think Robinhood just put out one article on their newsletter, it's kind of just a breakdown of how to look at options. And if that's something you need to spend time on, I'm not gonna cover it here, but I highly recommend understanding what is the valuation, what are the options, what's outstanding, and then what's your dilution? If your dilution
becomes this illusion that you're gonna have money, maybe this isn't worth it. And then the threat model changes. When you're acquired, everything changes. You have to think about who those key engineers were; if they leave, this shit is fucked. Who are the people that are like the domain knowledge owners? Like, are they incentivized to stay? Who are the people that are running like the project management initiative to combine the company? Are they being transitioned out? I'm dealing with that this week. Literally my project manager has been hanging for over four weeks and as a human sitting there being like, what's it even like? How are you dealing with this? How have we done this to
you? It's like they're trying to manage this project, but they're also managing to their own exit because they just can't say, "We want to keep you," and everyone around is saying it. These are things you have to really consider when you go through these types of changes. Now what? We've done this talk. We've chatted. I'm over time. I want you to have a couple of takeaways, and then we can chat after this and get off the stage. Have a defined plan. I think that's always good in life. Be ready to be agile. If you haven't read the Agile Manifesto, I highly recommend it. It takes two seconds. But be prepared to wear many hats. The
thing I didn't cover when I joined Periscope, I signed up for security, I took on compliance, I owned governance, I took on IT, I played lawyer, convinced us to get internal counsel nine months after the fact, but I played lawyer quite a bit, and I also did physical security, because the Bay Area is scary as hell. If you've been to RSA or anything out there, it's kind of getting better, it's kind of getting worse. But these are things that I didn't really build into my own mindset before I got there, but at the same time, I care about the people. We can respond to a cybersecurity incident. I don't know what to do about a
physical security incident, and I've spent a lot of time doing that. So wearing those hats, be open to just saying yes and doing. If you're coming from a world of just like, this is all I do, the startup life is not going to be for you in that early stage. Go to the late stage and then figure out how to be a little bit more flexible. And then cultural enablement, we've already talked about it. I will skip the rest there and let's wrap. Hit me up on anything. I'm best on LinkedIn, I think. I suck on Twitter. Instagram is mostly just my personal shit, but LinkedIn is the thing. Connect with me. Send me a
message. I'm always happy to chat. That's actually a place where I get real connections. Twitter for me. I don't know about you. Some people love it in InfoSec, but I feel like I'm screaming into a chasm and then someone says something back and then there's no dialogue and then like, do I DM them? Like, do I not? I just, it doesn't work for me. So yeah, thank you for your time. I'm happy to field any questions. So what I'm going to, let's give him a round of applause. And we can go on and on about Twitter and LinkedIn, but I really think it's to the person. It's to the person. So I'm sensing that there are probably a lot of questions. I'm going to flip
this and just sort of say, Ty, why don't you just come down and you guys have a round table and just really sort of talk about that. Because I have a feeling there can be a lot of questions and we have streaming going on and videotaping and I think that we're... the real conversations you guys want to have won't happen. So I'm going to invite Ty to come down here. You guys can all sit around. You can move the chairs around. You can do whatever because this is the last session and just go at it. And thank you for coming to all the sessions here at Higher Ground. The sponsors will still be here for
another hour or two, so please... talk to them. Thank them for supporting Higher Ground so that we're here. We have the resume reviews going on. We have the career coaching still going on. So please stay around and take the chance to talk with them. Take care. Thank you.