BSidesSF 2019 - Career Mutation: A Panel on the Evolution to Management in Security

hello ok welcome to the last half day of b-sides SF 2019 right now we have a good panel for you but before we do that I do want to ask well I want to tell you a couple things first of all there's a playing of hackers tonight if you want to go to it you got to get tickets you can get them at besides SF org slash hackers the other thing I was asked to tell everybody was please take your garbage with you when you leave the room we're not gonna be cleaning up after you well actually we probably will have to so please don't make us so right now this is the 1:30 if you are in here for

this panel yeah the right place if you're not the door is over there so the panel discussion is a career mutation a panel of the evolution of management and security I'm gonna hand it over to you thank you everybody for coming today my name is Zack powers I am the seaso at one medical prior to that I was the vice president enterprise security for Salesforce and a plethora of years of engineering and that I'm here today with a bunch of really awesome people that I've worked with in my past who all transitioned in managing and security so I'm gonna let them introduce themselves before we dive into some questions here everyone my name is Chris DeRose I'm currently at stripe

leading security infrastructure just a little bit about how I got into security and the D talk about nonlinear career paths was awesome mine's pretty plain and in comparison but how I got into security I wanted to go to grad school at Carnegie Mellon and couldn't afford that so I found this scholarship that would allow you to go there if you studied security and then if you worked for the government afterward to pay it back and I thought I'm gonna scam them I'm gonna go there I'm gonna say that I'm studying security and not really and I ended up absolutely loving security and I've been working in it ever since and then just real quick how I got into

into management we had a bit of a leadership void at a start-up that I was at because her manager left and we had no leader for a while and so I just started doing those things that the manager was was doing and and then I went to our director and and had like a pitch of like here's my here's my road for the team here's what I want to do I think I could do this they didn't go for it right away but but they were very supportive and allowed me to sort of go to some classes and learn about management and been sort of doing it ever since so you elbowed your way in yeah sure oh

cool my name is Sharon Wong I'm a TLM at Google security assessment team and spoken to many people who are confused about what TLM is which is quite natural stands for tech lead manager and it's basically in a nutshell is I'm an engineer that also managed other engineers so for me I got to spend around half of my time and doing IC work and doing technical contributions while the other half managing a group of five engineers so I started in Google in 2016 and around 2017 I became a tech lead on the team and a year later into that I realized that and not only enjoyed the giving the technical devices to to folks working on our team but also trying to

help them with their career growth and getting people on board into Google and and things like that so around mid of last year I spoke to a manager who at the time were managing 25 people directly and I asked him maybe you also need some help with people managing some engineers on the team and I felt like I really liked that part of being a manager as well and he said that that's great and there's actually rolling Google that's doing kind of a half icy work and half management work that's how I got into management so now it's nine months since that's change was checking to production we don't have too much outage yet and I spoke to my manager and

he hasn't got any customer complaints from my customers either so I take that's a good time for me to march forward with my responsibilities hi everyone I am Rachel I am a senior manager of application security at one medical I've been in the security space for just over eight years but I've recently made the switch into managed within really the past six months so I lead a very small team of two but we're growing come talk to me afterwards if you're interested but to be honest if I had looked back at my career at about three years ago and if you had asked me if I wanted to be in management I probably would have just laughed at you

it was never something that I kind of envisioned for kind of what I wanted looking into the future but as I kind of started looking at all the different types of projects and programs that I was kind of naturally drawn to a lot of them ended up being more management oriented so things like mentoring new team members building out team processes how do we streamline the work that we're doing it just felt like kind of a natural fit and so within the past six months I just do it in and haven't looked back Dave Latrobe I lead security for Cisco Meraki formerly at Salesforce with most of these fine folks I really got in security my way of following in with a

bad crowd and managing was somewhat similar you know you watch a bunch of your friends like get a me managing you like that person should never be responsible for other humans if they're doing that I can probably do this too really the realization that it doesn't matter how good your findings are if you're not able to help people understand them and drive a passion to fix them it does matter nice my name is Kyle toner I'm a director of enterprise security at Salesforce I've been in security for about eight years too similar to Rachel I got into management because as an IC and my function I was really really opinionated about kind of the strategy and operations of my team

and I kept thinking like I can do this better I can do this well I can do I can change this to a way I think would run more smoothly so when the opportunity came up I actually talked to Zach and was like let me do this it's really so what I want to do is open this up free form and you guys feel free to answer the questions however you see fit here but what opportunity before you became a manager what opportunity do you wish you hadn't and I see as an engineer that would have helped you out now has a manager Kyle you're looking at me all right so this kind of plays into how I became

a manager I'd been talking to my boss at the time and I said I think I want to be a manager I think that's an opportunity I want I take some training and he's like sure go take the training and a couple months later I'm in the training day two of the training my boss left the company and I was like well I wish I'd taken this two weeks ago so you know the timing is critical I think if you want to be a manager at some point starting early is a really good idea because you never know when that opportunity will present itself for you to jump into the leadership role and I suspect we're all I have basically the

same answer this you know I wish I had had training or mentorship or adult supervision but most of those things didn't really happen so I've sort of tried to be that for others who are looking a few years down the road I mean I think I was really lucky in the space when I was considering living into management I was actually working for Kyle at the time and he suggested that I take some of the different management classes that maybe he didn't get the full benefit of before he moved into that spot because I think for me the thing that I didn't really understand about moving into management was like what about the people stuff like I

understood like the other side of the world but what do you do when you have to potentially fire somebody or have a conversation about like lack of performance that gave me a lot of anxiety and so getting to kind of sit in some of the training classes or they teach you some of those skills about what you do in those situations really helped me to get that different perspective of you know what it would be like to kind of be a manager that I thought was actually super helpful I actually want to provide some Condor points to all the fine points that people mention when I guys got started in management I wasn't confident in the

magic management space at all so I enrolled myself into a lot of trainings and also a perform apart from that I tried to read as many books as possible for Crucial Conversations how to give feedbacks how to do coaching and stuff like that interns are there are so many frameworks in the world and you try to memorize all of that I was felt like I was confined into the prison of all these kind of structures and when I try to do key feedbacks into coaching I always worried that I wasn't good enough cuz I wasn't following exactly how people are doing it in the right way so eventually I realized that the best self I can present it's just to be authentic

there's nothing better than bring your authentic self and to be genuine care about the people that work for you and then to to work the work with them as a partner the someone leads into the next question and Chris I want to start this off with you some something you're hearing is that when you step into management you have to balance a lot of different topics and you often haven't been trained in many of those so how do you balance being a manager managing people managing teams was learning all these business business skills that you know the higher-ups expected managers while still staying technical and staying on top of security how do you deal with all that yeah sure and I think

this is something I still struggle with today and then I don't know whether I'll ever get perfect at this but one of the things that I've been at sort of experimenting with lately is setting a theme for each of my days and so I'll have a day where I spend that day on team coaching I'll do one-on-ones that day I'll make sure I'm really looking out for how everyone is doing and the health of the team and then the next day is like oh that that project that I'm I'm sort of a project managing let me spend that that day focused on that and moving the needle on that one and then I think sort of in in addition to these

sort of experiments you really have to practice that muscle of letting some things go so it is important to to stay technical of course but you also have to make sure that you build trust with the people on your team such that when they come to you with a decision you you're right there and you support them and you might have to use a sort of a disagreeing commit model but that's super important and for me being on TLM role basically means that I got to spend at least fifty percent of my time on I see work and technical contributions so for me it wasn't too challenging to stay on the technical track and for learning

more business skills I actually don't like reading too many kind of directly business focus books but I do like reading things like history called diplomacy and philosophies so those kind of things I feel like even though they're they're not directly contributing to your business skills but they definitely help me to grow to have more humility more sympathy as well as having a better way to structure my my arguments when I want to give feedbacks and things like that I think the biggest thing for me is kind of similar to Chris is to have kind of dedicated time set aside specifically for technical work it's so easy to kind of get drawn into the latest fire of the day and kind of

lose some of that so one of the things that my team does is we have bug hunting every other week and so that's dedicated to hours on my calendar that I never schedule over and so that kind of helps make sure I have that time to make sure I don't lose the technical side of things because that's even though I'm in a management position it's still important to kind of keep those technical skills up so I'm gonna sort of cheat and say I try and spend my time on places where those all come together as much as possible so if I'm spending time with our product and business folks understanding better how I can give them

an overall sense of risk and what's most important to our customers I'm hitting most of those buttons if I'm spending time with my team helping them understand more about our business it's same thing goes so it's it's definitely difficult to keep on top of all that and keep all the places plate-spinning but the more that I feel like it's taking multiple boxes the more I'm convinced I'm using my time well my counterpoint to all this I guess would be that I am trying specifically to lose a step technically I think my team can benefit from my technical expertise sure but they depend on my business savvy they depend on my ability to get them resources to fight for opportunities for

them and that's where I want to be spending my time and I'd rather be depending on them for their technical expertise and you know leveling them up yeah I can I consider it a failure if I am the most technically qualified to do a job on my team I'm like this is bad we need to hire someone exactly so I want to play on that a little bit you know the classic conundrum going in the security management is we all at one point in time thought we're really good at what we were doing how do you then learn to trust others how do you move from being that implementer to a delegator somewhere you're saying I'm not going to

do this myself and it's okay to delegate it to somebody else knowing that they might not succeed how do you handle that as a manager because that's what you're talking about right now Kyle is taking a step back and asking others to be the most technical you have to deliberately practice giving people the space to fail which you know when you're kind of an alpha I want to succeed all the time personality is really really hard but it's really important for people to feel like they can do a good job or maybe if it's a new territory for them maybe they're not going to do an amazing job but they're gonna learn that's important too because you know if they stick them

with you for a couple years you're gonna have a much better security talented they've had a few failures along the way to grow and I think taking the long view really helps it's like sure I might be the better person for this job right now do I still want to be doing it for years no yes funnel I mean I think there's also that loss of ownership that's definitely hard during the initial transition from I see to management you know when I was brought on at one medical I was building a lot of programs and processes and helping to revise revise the way that we were doing a lot of things and when I kind of

transitioned that management role it's all this work that I had created I wasn't a single owner of I now had hand to another person to kind of help run and manage and and change it in ways that maybe I didn't necessarily think of and that's hard to go from being the single owner of a project feeling like your decisions are the ones that are helping to drive it to have somebody else take that on and kind of move it in a different direction definitely something that I struggle with but I think it's important to be able to give people those opportunities and and I gotta be honest since I'm only nine month into management I I don't have a

perfect answer to this I'm still learning how to do more delegation my reports so one thing we do do well on the team is that they're always chores that when we want to kind of get done but nobody are very interested in those so we try to consolidate all of those into a ops interrupts week where we rotate people on that interrupts so the whole team can share the burden of that so at least that's how our team can try to delegate some some part of the chore work into the whole team I think I'll just really underscore what would Rachel said to Jen and just call out how difficult that really was to get through that pump

for me this it sort of rooted in fear that up until that point I was in full control of my own performance I knew where all the bodies were buried for the systems that I was building I knew how to keep them running and as soon as you make that switch all of these other people on your team that now reflects on you my manager didn't care that someone on the team wasn't doing such a great job they want me to make sure that the team is operating smoothly the right people are there the performance is good and so that was just quite quite a hard shift and and building that trust and making sure the other right people is

like super important so I wanna turn this around a little bit for some of the people in the audience I don't know if any of you are considering going into management if you are high five it's horrible job what might you what might you give engineers what advice how do they manage their own manager how do they get their manager to help them out with their own career growth because as many of you have talked privately it's something that not every manager does and so what advice could you give start this off with Kyle down there okay I think what I look for the most in an Icee is someone who's willing to take on

challenges so you know the eye sees on my team that tend to be the the ones with the best performance and are highly operating to me are the ones who are looking at what's on my plate and taking as much of it away as they can finding opportunities and grabbing things for me and that gives me more space to then invest back in them so looking to you know have meetings with other teams look for opportunities for projects that can potentially get them up to their next level I think the less on my plate the more I can take on their behalf and I can say I was actually that person for Kyle if I used to work for

Kyle back in the day I was actually the worst I see on the planet every time we would sit in one on one so you'd be like what do you want out of your career what are you looking for I don't really know I think things are going okay like seems fine he would ask me if I was interested in management or like I'm that's not really kind of what I'm looking for and so I think having a strong support system of somebody who can potentially see that in you is actually really helpful but if you're not in that position ultimately as an Icee like you need to be driving your own career your manager can't read your mind luckily

Kyle kind of could but that's not always gonna be the case so really kind of thinking carefully about you know what is it that you're trying to get out what are different opportunities that you want to try even just knowing the things that you don't like can actually be really helpful for your manager to identify new opportunities to flex some of your skill so to help figure out what the right career path is for you so have that conversation with your manager as early and as often as you can to really kind of help figure out what the right path for you yeah I would echo that make sure that they know what you're excited

about doing they should start that conversation but if they don't and then also basic stuff often really screws people over so make sure you're on the same page about how they're gonna be measuring success what your performance is based on how they like to ingest the information that'll go a long way yeah exactly what they said and one of the first things I try to do is not only set expectation for for me expecting what my reports want to do but also setting expectation of what they want to get out of me so I think this is kind of a two-way communication where you want to set all those Sal straight yeah just +1 to what everyone said already I think

great managers are gonna be looking out for the people on their team and trying to figure out what's next for them in career development but even the best managers can't read your mind and so just put yourself in in in the managers position and think like I go to this one-on-one and then say like I don't know what I want to do tell me what to do versus like here's where I want to go this is where I want to go like in the next one year five years ten year help me get there think of how much more exciting that's gonna be and how you're gonna actually motivate your manager to help you get it to the right place so

something I often hear from engineers that I talked to or somewhat curious about getting into management they think that they're not going to be marketable once they become a manager because security engineers are incredibly marketable we all know that what do you guys think about that do you feel that engineering management is a marketable career you know that that fear of oh my gosh I won't be able to get a job again that so many people talk about are people going to be insulted if I just laugh when I do well if I take this job if I move into management like it was very easy for me to see what the opportunities that were out there that

were in the kind of the technical space it felt like that's very easy to access but I was legitimately concerned that if I moved into management that I'd be kind of stuck in one role one position one organization kind of for the rest of my life which again it's kind of silly now thinking about it but I just don't think it was as broadcast and the awareness wasn't necessarily there for me so yeah you're definitely still marketable and if anything you can always go back just because you move into management doesn't mean that you're stuck there forever as long as you continue to invest in your technical skills like most of us have on this panel you have the opportunity to

go back into an ICU role if that's something that you'd rather do and I think there's an increasing awareness of that as a viable career path it's not like oh man you were in management and now you're out what's wrong with you it's more like no I just like both like I know a lot of friends like that who continue to be successful and don't try and do both at once and I will put that caveat out there but in terms of alternating because you want to keep your skills fresh and sometimes like building teams like people love that on resumes now I'll also say that the industry is in a period of tremendous growth everyone is simultaneously

realize that they need to build a security team from scratch and so if you have any interest in management whatsoever it's an incredibly easy time to make that switch for a small company yeah spot-on third of the record I bounced back and forth between management and engineering more times than I can count so you can always go back in this switch so I want to dive in a little bit to misconceptions or preconceptions before you became a manager I'm sure each of you like many people in the audience same sentence I had some preconceived notion or perception of what management was has that changed now that you've been a manager I know some of you are six to

nine months into this how has that changed if it has starts up sure I think I underestimated like how critical and important the people management part of being an engineering manager is I had some vision that I'd be like a commander of the team setting the vision and like we're gonna work on these cool projects and I knew I knew about the people management part a little bit but I underestimated first how difficult it is to do well I still struggle with that and I'm still like on the Sharan you talk about like reading books and going to trainings I think I haven't stopped that and I don't think I ever will but i-i've just have realized how critical

and important that is for the team and how really that should be my number one all the time and the other things are nice if I can get to them and when I first started management I felt like I has to be the one that knows about everything because otherwise I would just look at that and from my reports and that turned out to be very very draining for yourself like if you have to push yourself to be the most knowledgeable in both technical and the management site you're just going to be suffering the trip so later on I kind of feel like the better way to be a manager is to not too much attached to the

management role or the halo but more to be a partner in solving a problem with them together so that's how my perspective change after I became a manager I think one of my biggest fear is when I was kind of looking over the fence into potentially moving into management it was to be honest what do you do all day I felt like as an ICU is very clear to see you know the different programs the different projects assessments what have you that people were working on but management just felt like this fuzzy thing that I didn't fully understand and I was legitimately concerned that as soon as I made the switch I'm just like hanging out twiddling my thumbs maybe

taking some meetings but wasn't really sure what I was supposed to do and so that's not the case I'm definitely way busier than I thought I was would be and so I think it's just it's hard to understand you know what it actually takes because a lot of the things that managers are doing essentially kind of putting seeds and building for the future and so that it just wasn't as immediately accessible to me as an IC but I promise you there will be a lot for you to do if you decide to make that job they got underestimated the sheer magnitude of chaos that you're rodeoing as a manager in security you know I had a flavor for

it having been a security engineer for a while but it really like greatly exceeds your expectations especially when you first get into it as a new manager there's usually a few month period like oh god what have I done followed by wow this is actually kind of entertaining and then I ruined four normal jobs for me I think I went into management thinking like you're given all this responsibility it can be a little isolating you need to kind of be you know a one-man army as a manager and I've definitely learned like your support system as a manager is even more critical than your support system as an Icee like you're gonna come up with some

of the weirdest challenges day to day and you need someone to talk to and it can't always be the people that work for you it should it should work for you so you need you need other managers to talk to to bounce ideas off of to get ideas and things like that so this session here was kind of born of our support structure where we all talk to each other all the time awesome so we got about five minutes left and what I want to leave the audience with from each of you is that one thing one piece of advice if somebody's trying to move from engineering into management especially like dad you said right now is a great

time to do this in our industry one piece of advice for that person first just start doing it today don't wait look at all the things that that the your leader is doing or where you want to go and just start doing it at some point people will recognize it this person is doing that stuff already they're on the path to the next thing to be a manager yeah I think exactly what Chris said these things can always change back and forth and just try it for a couple months if it's not good fit for you where you don't like it there's always paths for you to roll back yeah yeah I mean I think having the

commitment there is important it would also would recognize that those opportunities aren't always going to be available where you are so to being kind of selfish and driving your career if that's something you really want to do don't pull on pursue it go forth and I wouldn't add to that very tactically you know talk to us talk to other leaders you know like we know who's hiring everybody's building a team right now your network is gonna be your best tool and landing that first I think also on the team that you're on now you know you may have several other coworkers one person you know if your manager leaves there's probably going to be only one person who can replace them

you should be a leader on your team today take responsibility take ownership of things you wouldn't normally grab and show that you are the best candidate for that role well before it becomes available yeah I would say you know I want to chime in on the advice I give to a lot of people who are trying to go into a management or leadership position it's don't doubt yourself I think a lot of us have impostor syndrome we always feel like we're not good enough we don't know enough we can do something to be better most people I know who got in the security management didn't know what they were doing they were talented they were driven and they cared about

security they were evangelical about security that's what got them in just don't doubt yourself if you do want to get into management take that lead do it reach out to other engineering managers in the industry most people I know are very willing to talk you can come talk to any of us after this talk or here at this con or another con you know building that support network and you know putting the self-doubt aside is key if you're gonna get into security management so we do have about three minutes left we can't take a lot of questions but are there any questions in the audience that we can answer go ahead if you have a loud voice know otherwise

yes hi my name is Maria so the current situation is that my company might not have something for me and the near future like I know that I want to get into management someday and I am looking forward to career advancement but how long should one wait or should I should I stay or should I go and that question is like I think it's very hard so I'd like to know what your thoughts are so one comment I want to give is that there are other other form of management and formal people management there are technical leadership's we're kind kind of utter leadership roles where is a dry project to to finish where you lead a bunch of engineers on the big

projects and maybe work across organizations and get something to this finish line so those are all kind of leadership skills that you can acquire and depending on how much those of those are available in your company you might have more more time to try to before you switch to a different company I think it depends how good your support structure is if you have people that you can kind of Leon to help you through the process you have you're starting a new company in the broader community here just just go for it if it's new for you if you're like most of the people that you know what secured here at your company I would wait a while and build on that you

don't have to have a management title to lead like you have permission to lead right now so I think you can you can go back to your company tomorrow and just start practicing those skills and you know at some point maybe someone will recognize that and if not then you'll be in a really great position to go somewhere else and talk about all of that stuff that you just practiced I will say this is kind of a trap for minority employees a lot of the time though like if you're doing work without the title then it becomes hard to get the next thing and you kind of thrown away time you could be spending under

title somewhere else sure yeah I mean yeah just generically I'm just thinking like it is practicing leading wherever absolutely all right that's a good question I do think we are out of time you are unfortunately so if there are more questions we're happy to stick around you can reach out to any of us [Applause]