Hacking Is Easy, Hiring Is Hard: Managing Security People

[Music] one of the reasons why we scheduled Mike for the second day for kickoff is because we know that there are a lot of people really want to focus on their career really want to focus on giving back to the community but also sort of understand that yes there's a hiring process but even more difficult than hiring is managing people in this space and helping them with their career development helping them with their own issues as they battle going between technical and soft skills how they they go through that evolution and Mike gave a fabulous presentation last year we cut him down to only 30 minutes last year and I realized that that was a horrible

mistake so I asked Mike if you would be willing to speak for a long a lot longer than 30 minutes so we have them for about 4550 minutes I do apologize that so hot in here we try every year to get air conditioning in here and it's just not gonna work so it's not you it's the room please give a warm welcome to Mike Murray all right did I turn that on good you got it excellent thank you for such a fantastic intro I this is my favorite talk to give I love getting to talk about things that aren't the typical security conversation and this one specifically is one that I've been wanting to do for a long time

as Kathleen said I did 30 minutes last year but I'm gonna change it up a bit and talk about a few different things this year as well as go a little deeper on some topics that we as security people and even we as managers don't think about that often so I think I'm gonna start in a different way than I'd planned I personally and I've said this in other talks but I personally think security is the hardest industry in the world to actually have a long term career and by extension it makes managing security people the hardest place to manage and especially as you go to the higher level of technical skill insecurity the pen

testers the reverse engineers the threat Intel analysts the people who are that you know the the Bernhard's of the uber nerds in this you know at hacker summer camp here the difficulty in maintaining that becomes incredibly hard and and I don't actually think that I'm not just paying lip-service I can I can back that up if you think about where all the security issues are in the technology lifecycle all of the security issues are at the front right when a new technology comes out it's got lots of vulnerabilities when a technology has been around for 15 years it has very few vulnerabilities I am old enough to remember the late 90s where there was a remote remote root

vulnerability in the main ISC bind DNS tree every single month what was the last time that happened anybody even remember it's 2011 maybe 2010 because at the beginning of the technology lifecycle we have lots of bones and we have lots of problems if you think about where we were ten years ago everyone was talking about oh my goodness social media security if people can get access to Facebook at work they're going to destroy the company and there were all these things that popped up about blocking access to Facebook and Twitter and social media if you walk the floor at blackhat or if you walk the floor at RSA that's not a product anymore because the industry of all so

fast and all the issues are at the front end of the technology lifecycle well what does that mean if you're building a career means your skills are out of date every 36 months that's not true in the rest of technology if you were an Oracle DBA in the 90s yeah there's still stuff to learn I actually to my best friends are people soft consultants they learn PeopleSoft in like 2001 and their skills are all still relevant for people who still run people so right now they have to learn workday but you know oh wow every 15 years you have to learn a new thing with us if you look at the talks this year this conference and you look at the

talks five years ago they're completely different and if you were great five years ago you're useless today that means every single one of us has to either reinvent where we wash out every 36 to 48 months and if you're two cycles behind you're unemployable do you know what it's like to manage a bunch of people who are so information crazed that they have to completely reinvent their skills every 36 months it's insane and to do career development and to keep those people happy and challenged and motivated as a manager has to is incredibly difficult now couple that with the fact that most of us end up in security management by being security people can ask you all a

question how many of you got into this because you like computers how many of you got into this cuz you like people yeah the four people at the back of the room wait are you guys recruiters point taken yeah what ah that's a different coat that's an entirely different conversation but when you're talking about moving into management it's not about science or not science it's about people and in fact if you just take a screenshot of the word hackers and the word managers on Google Images you notice on the left hand side it's all single people and on the right hand side it's all groups and I I resemble this remark I am the biggest introverted nerd

in the whole world I would far rather be reading a book than talking to people especially this week like going to parties not my thing and I am now signed up to be in a job where 40 people literally talk to me all day every day and that's what you have to accept the interesting thing is we all think that because somewhere a hundred years ago when people were making factories the career path went like this you are on the SM doing assembly line stuff and then when you got good enough you stepped back from the assembly line and you were a manager and then you step back further and you were a manager of managers and

soon enough you're the CEO the only way to make more money was to get off the assembly line and stop doing work and become a manager luckily that's changing I would bet that any of the people around the outside of this room and if you don't you need to change this have a career track for high skill individual contributors that are not managers even I used to work at GE the oldest of old companies and they have a career track for people who are highly skilled workers who do not want to manage people that wasn't true 20 years ago and so when we were all growing up everybody in this room grew up more than 20 years ago

I can I'm pretty sure when we were all growing up we were all taught my parents and my grandparents all had this to say repeatedly you know you have to go get a job and then move into management right you don't have to do that anymore and I'm up here to tell you being a manager sucks it's really not all it's cracked up to be unless you actually really want to do it now here's a here's a little insight into me and here's here is to me the reason to become a manager I was a smart technical person relatively so I could do more work than most but I now have an organization of 40 some-odd people I can

never be smart enough to get the kind of results I can get with 40 people and for me it's about doing bigger things having bigger challenges solving bigger problems and I can't do that by myself so I had to figure out how to do it through people and ultimately what management is is the act of getting results through people fundamentally your job becomes instead of I'm the smartest person who gets all these things done I need to take 40 people and make them all smarter and make them better at getting things done than I am that is fundamentally my job and that is ultimately how your performance as a manager should be measured if you haven't read Andie gross

high output management it is the the sort of seminal magna carta on technological management in this era you have to read it it's required reading if you ever want to manage the idea being that a manager is successful when two things happen first their organization performs well and also everybody that relies on them performs well as well because we've all been in organizations where you see one manager who his organization does great but everything else they touch goes just crater's that's a crappy manager that's a manager who's not doing a good job you know is they if you if anybody's a sports fan they always talk about the really great players elevating the play of the people

around them that's what a really great manager does as well now how do they do that I mean none of us came into this world with really good ability to figure out how to get results through other people frankly it's not something we were ever taught we all used to get in trouble if we would read each other's schoolwork right we used to get in trouble if we would solve problems together but ultimately that's what management is management is the ability to solve problems through other folks and fundamentally the managers currency is one thing it's meetings how many people hate meetings you're doing it wrong that's what I'm here to tell you the rest of this talk is going to be almost

exclusively about meetings and that's because that's what managers do now I'm not saying that it's all meetings but in some way it is if you write a document or you send a long email to explain something all you're really doing is making that document a proxy for going and sitting down with the person you're sending it to and having a meeting right there are ways to skip the actual meeting part but acts are the same and the acts are three things when you're doing management well you have meetings that do three things they transfer information and that's where emails and documents and in the old days memos conference calls and things like that come in the second is decisions and the

third is influence and we'll cover all of those by the way that is actually my calendar from last week I put some gray boxes on there because I didn't want you all to see exactly who I was meeting with there about what but that's literally my calendar and it's color coded red for strategic or tactical decisions that have to be made yellow for regular things regular meetings my staff meeting iteration open iteration clothes stand-ups where we have or where I attend them I don't attend all of our stand-ups etc blue one-on-ones with either my people let my port s-- or other people beneath them in the organization's skip levels or other people you know in my peers that I might

need to have one-on-ones with you'll notice there's a ton of one-on-ones on my calendar and we'll come back to that later and then green the last thing because as far as I'm concerned no meeting is useful else you're really prepped for it Green is either somebody stuck something on my calendar ad hoc and I didn't get the chance to change the color or it's blocks so that I can prep for other meetings really my life is I'm either in a meeting or I'm prepping for one because that's where all things happen that's where all decisions happen that's where all information transfer happens now like I said I can proxy that one I can send information transfer through

email if I want to but often it's easier to just stand you know I can I can spend two hours writing a long document or I can walk into a room have five minutes of conversation and transfer the same amount of information or it's about influence and training so you all hate meetings the truth is there's nothing more important than meetings if you're a management that's what you do that is your currency in the world and if you are having bad meetings it's because you're doing it wrong I'm not kidding there's a great book by a guy named Lencioni called death by meeting and in it he says that all bad meetings come down to one of two things either

you're unclear on the context of the meeting and by context I mean is the meeting a decision-making meeting is the meeting for you to transfer information and I really hope it's not most of the time or is it for you to influence or train and often you will have meetings that are just sort of all three you know the senior VP walks into the room spends 15 minutes kind of rambling about something that they think you should know and then says all right let's make a decision on that that's a crappy meeting the truth is a really good meeting has a solid set context you know exactly why you're there and then it has something else

everyone hates meetings no one hates movies why our movies interesting what's the fundamental core thing that makes a movie interesting not popcorn I'll even if I bring popcorn too bad meetings it's still a bad meeting what in a movie what do you mean well it is one way but that's not what makes it good go what makes a good story Ben Stiller know the fundamental thing that makes all stories a story is conflict it is man versus themselves if you've ever studied storytelling man versus themselves man versus nature man versus other there is always conflict in a movie even if it's only the inner conflict of one character a a movie that has no conflict is not a

useful is not a useful movie or an interesting movie at the very least certainly not a blockbuster my staff will tell you none of them are here amazingly they've all seen this my staff will tell you that my staff meetings almost always developed a conflict I've recently let them in as I was giving them this presentation on the secret to that my staff meetings always have conflict because I make it that way if we're making a decision and everyone walks into the room and completely agrees without saying anything why are we having the meeting waste of time if I'm gonna say okay should we invest in this or that and everybody already knew the answer I shouldn't have asked the

question I didn't need to I certainly didn't need to waste everybody's time having a meeting about it we're sending an email or whatever so if I'm asking that question somebody in the room disagrees with somebody else it's my job to make sure that that comes out in the meeting and I will tell you when people start to debate everyone listens no one gets bored when there's actually a debate going on in a meeting it's only when someone's droning on for 30 minutes about something that you already knew for like the last two years that everybody Tunes out right so a good meeting always has conflict unless it's an information transfer meeting how many you folks do agile and have stand-ups

your stand-ups drawn on for more than 15 minutes pretty much all the same hands the problem with information transfer meetings is we tend to go to them and just let somebody talk forever information trance and ups should be 5 to 10 minutes tops and if it's really bad 15 unless you've got like a hundred people in the room in which case why are you having a stand up with that many people but if you have five people if they can't quickly say here's what I'm working on today and be done you're doing it wrong and so you end up with one person droning on for five or ten minutes of you're five or ten minute

meeting and the other people are all checked out because there's no conflict because all they're doing is saying what they're doing that day now this doesn't count the rare case where there's actually a conflict and actually something has to be and actually something has to happen in which case it's not really a stand up anymore it started as a stand up and it became a decision making meeting the only other time you really want to use meetings to transfer information are like this meeting I could have written this as a book but most of you wouldn't have read it and it would have taken me months to write it as a book I can give

this presentation in what did you say I have 45 minutes I can give this presentation in 45 minutes and it serves itself well to interaction two questions which I will take a ton of - me interacting with you guys in a way that if I had written this all out it would have wasted all of our times collectively you know this is 45 minutes of your life if I write it as a book first of all it takes me months to do it and then it takes you a week to read it so sometimes information can be transferred very effectively if I were doing a detailed technical spec I probably wouldn't do it as a PowerPoint

presentation up in front of a room right a detailed technical spec writing makes more sense all right decision making how many of you're good at making decisions through other people other than me yeah not very many of you which makes sense most people work trained to make decisions right most people were trained to make their own decisions and this is fundamentally what a manager is there to do beyond transferring information to people and keeping everyone up to date on status the fundamental thing that we all are supposed to do is help our organization change pivot move get things done which requires decisions and if you stop making decisions all activity the organization stops just think about it if nobody made a decision

today we wouldn't do anything you all made a decision to be here instead of the I am the cavalry track right that that is how things happen and if you stop making decisions things stop but if you're not good at getting a team of seven people to make a decision with you as a manager you're probably not doing it very well so the I'm not going to go into this in too much detail there's a really great blog entry that I linked at the bottom of that and I assume we're gonna share slides good so you can I'm gonna transfer that information through the slides and you all can read it later but basically what it comes down to is when

you're making a decision you have to know how the decisions gonna be made before you try and make it that sounds like a really obvious statement but far too often we don't do that how many of you guys when you walk into a meeting you say all right here's how we're making this decision this person's making the decision I'm making the decision or we all have to agree before we make the decision if you don't know that and half the room thinks everybody has to agree and one person thinks the decision is all theirs that's where you get a really messy organization and bad things happening that's where we that's the bad side of office politics when we

do a terrible job of actually figuring out who's making a decision and how so everybody's unhappy about it and if you do that most of the other stuff is easy present the present the arguments on both sides have conflict come to the end of the conflict and when you get there resolve it make the decision however you said you were going to at the beginning and move on the last one and this one's my favorite because this is the one we do terribly badly Andy Grove in high-output Management said training is the boss's job and it fundamentally is and we do as an industry a terrible job of training our people we send them off

to here we send them to a course and think that that's what training is but fundamentally on a day to day basis as a manager your job is to make sure your people are equipped with the tools to do their job and that means understanding one thing when you're training somebody what what results are you trying to get what posit yes positive generally well actually know you can you can be training them negatively right if you're training a puppy not to pee on the rug that's negative reinforcement right the answer was encoded in there somewhere what are you trying to get when you train something specific outcome to find that outcome outcome how what is the

outcome in all cases behavior it's a change in behavior all right master class what's a behavior it's a conditioned response I'll go I'll go along with that or you psych major I actually personally like BJ Foggs model of what a behavior is says a behavior is a response you get when you have sufficient motivation sufficient ability and you're reminded or triggered at that moment that's what it behaviors that could be an example of the puppy not peeing on the rug earlier that could be knowing how to respond to a particular alert in 90s that could be convincing myself to go for a run even though I'm tired or go to bed early I have to have sufficient motivation which

that's the one we all focus on there's lots of motivational speakers in the world but most of the time when you're not making a just when you're not doing a behavior it's actually because you don't have the ability and we don't spend enough time thinking about ability the ability is not just skill or capability it's also time right we all make lots of we all fail to do lots of behaviors because of what is perceived lack of time it's cognitive resources at the time sometimes I'm just stressed out and I don't respond the way that I would potentially like to or are motivated to it could be money it could be any anything that limits your behavior and

so if you think about that your job as a manager or a leader is fundamentally to spend your time ensuring your people have motivation ensuring they have ability and reminding them to to do things at the point where they have motivation or ability it was really funny one of my one of my leaders actually has a monthly report that he does and we were talking about this I was talking with somebody else about this slide yesterday and he was sitting next to me he said that's why you emailed me the second Tuesday of every month and asked me where the report is you're triggering me look yeah that's exactly what I'm doing because I know the by the second Tuesday

of every month you probably have the ability to have written the report already I hope you're motivated to have done it if you're not I've got a bigger problem and so I remind I think of my job in terms of influence as spending my time increasing people's motivation increasing their ability to get their jobs done however that is and reminding them at the time and the most important place to do this is a weekly one-on-one I have weekly one-on-ones with everyone who reports to me and unless I'm on an airplane or the CEO calls a meeting I make those meetings as much as I can because that is where you get to assess motivation that's where you get to

accessibility and that's where you get to trigger how many of your managers have every week of one-on-one with you half the room not even 30 percent of the room that's terrible that's what it's scheduled but they don't show up so there's another great book on management called behind closed doors written by Esther Derby and Johanna Rothman and I took some of the things on this slide from that that to me I don't know how do you feel when they cancel like when it's canceled every week if you like the care I mean to me that's a sign that like if I was cancelling a meeting with an employee every week I would I would actually have to ask myself why I hate

that person because that's probably actually what I've had people like that involve anybody who's managed for a while has had the employee they really don't want to deal look we're all we're all humans I'm a human there are some people I just don't want to deal with if I find myself wanting to cancel their one on one every week that tells me I have a much bigger problem and I should probably figure out how to address that yeah slow them down yes but I don't think that there's ever an organization that slows down by having better connectivity between managers and their people and truly for me that meeting is for them not for me so the agenda the things that we want to

talk about unless I actually have something that I want to shift from a motivation or ability perspective that weekly one-on-one is their opportunity to talk about whatever is on their mind and if they're not if they go ahead [Music] potentially it's just hard to keep I find it and and other people that talk to it's hard to keep a rhythm that way you know if I talk just imagine if you only talked to your girlfriend every two weeks right you get the idea that like there's a there's a frequency and a regularity thing that is that's important

yeah see if that's the case then I can I can hear that I just never run out of things to talk to them about you know if I if I don't think there's gonna be a topic I'll often all right every one of my people has things that they either they want to work on right for their own careers I have a couple of people who are relatively new managers and so even things two weeks ago we had one of those and I said all right what's on your list and he said nothing and I said okay let's talk about the structure of your one-on-ones with your people I always have a list in my head of things that I

can bring to that meeting but and I've yet to run out of things that did either I want them to work on or they've told me they want to work on that we can use that 30 minutes or or in in a couple of cases where especially as someone joins my org I'll have all of weekly one hours for for the first few months because there's a lot to teach right there's a lot to even even just you know here's this person here's how to interact with this person better or you know have you talked to this person about this other thing I'm struggling out these real examples I've yet to run out of of

content for those one-on-ones where I want to make the organization better yako

yeah what no it shouldn't so so I'm gonna try and recap some of this conversation for the for the video it shouldn't your strategy shouldn't change week to week but if you can communicate your entire strategic vision for three years for that employee in 30 minutes one time I think you're aiming too low right like I have so much to talk about and to teach and to get from here to three years I could probably do an hour a week and not run out of content it makes sense well except that what do you mean when you say three your strategy right I'm not talking about three year business strategy I'm talking about you know yeah who do you need to be if if I

can't spend if I can't spend 52 hours a year helping them become who they want to be I'm you know that's my job right go ahead I don't I don't have directs for 40 people right I have an organization

yeah well no I actually absolutely have that time left that's all the strategic decision meetings were not one-on-ones right there there's a lot of content there's a lot of time spent and and by the way I don't work just nine-to-five either all right so there's time outside that calendar that I'm doing prep work and other you know other stuff but you brought up a really important point which is span of control nobody can directly manage 22 people effectively because you're you're never going to really understand the three-year strategic goals and how you're interacting with them at a level where you can actually have significant influence if you're trying to do 22 one-on-ones a week and track all of

those people's growth and all of those peoples of evolution in your head you're just not right so I mean to me if I'm over about seven direct reports my head starts to swim and you know that's to me I've heard people say three to seven I've had good managers who had as many as 10 but that generally is the more senior levels you know as you get farther down the org really being hands-on managing more than more than seven to ten people it starts to get crazy like you're right you all you would do is handle one-on-ones and growth or what really usually happens is you just ignore all of that right and you spend your time doing strategic and

tactical work and those people see you a lot and interact with you on a surface level but you don't know anything about them like on a deep quick actually connected level you I realized as I'm talking like what I said at the beginning is really important I really spend a lot of time trying to actually work with people and the people in my work and I think you're doing a disservice if you're not when I think about how you actually get results through people it's through the people and if you don't like people right and I had to come to this learning like I really I didn't learn any of this naturally I really am an introvert I

actually don't do this easily I am much better sitting with a book than I am with with people just in terms of my natural disposition but I realized when I went into management if I wanted to get results through the organization of 40 people I actually had to invest the time and energy to learn how those people worked and to learn exactly how to get those behaviors on a week to week month to month year to year basis in the same way that I invested all that time learning you know how an MEP works and how to write shellcode and you know the the difference between a buffer overflow and a formats stringing bug like I I

invested the same amount of learning time and learning how the people work as I do in learning how the technology works it's if you and this is why I started out by saying management sucks right if you're not if you're not willing to do that it's like the technical person who's not willing to read technical books not willing to invest in technical books how good at technology are they gonna be they're gonna suck at their job right and and far too often we have managers and we think that the most technical person is suddenly going to be the best manager because they know all the technical stuff it's useful from a training perspective but if they're not willing

to put in this effort and by the way as an early manager I wasn't I didn't know this and I was a crappy manager if you went back and talked to the people that reported to me back then I was kind of shitty at my job and I've worked really hard to hopefully not be nearly as bad at it anymore but yeah yes somehow yeah

so the question just so for the video was basically how do you select I've got a group of technical technologists from whom I have to promote a manager somehow how do I pick the manager out of that group is that or lead or whatever yeah basically how do I pick the person that's going to do this it's the person whose eyes didn't glaze over when I started talking about meetings and I'm not kidding like if you want to nerd out about that like this term the people who show up to this track and they're like there's a talk later about office politics I and my first thought was oh I want to see that that's the person that

should be the managers the person who wants to go to that talk instead of a technical talk at the same time be and they self-select you know the I have one one guy on my team fantastic technologist but he's always the first one to ask me about a people question before he asked me about a technical question and I have other fantastic technologists on my team that have never talked to me about people at all right and so it's really back to that first slide it's back to do you want to just work on technology by yourself or is what really interests you like oh how did that person make that person do what they wanted you know I

went and learned hypnosis at one point so that I could be a better manager but that but I self-selected on that that was something I nobody told me to do that I was like oh I bet this would be useful for me are you referring to creating some kind of social currency between your employees and you during the one-on-one or is that what you definitely do you definitely create that social currency I mean not just keeping it on a technical level but actually getting to know the person a little bit to get them to do your bidding yeah well actually I just want to know the people that work for me to I you know I've I'm

Canadian so I'm nice by by nature right it's built into my genetics and and so I my first thing is like I do want to know them you know I actually want to know what makes each of them tick like I want to know what makes them happy when they show up at work because I like making people happy and so yeah there is social currency to that it eventually translates into influence but part of its just I like it I hope so right I'm actually so hang on something he just said something really important he said that that that'll help me keep my my attrition and turnover numbers low in some cases I actually don't want that

right I only have a certain number of roles for people that I can you know I'm not going to promote 40 people in the management there's times that I've actually said hey let me help you go outside the organization because it's better for you or you should take that job because that jobs better than what you're gonna do here I'm not I'm not a slave to turnover numbers I'm actually more should be obvious I'm focused on what makes them happy and what makes them grow because I figure this industry is really small like I can't walk 10 feet out there at this point this is we were talking about a yes is my 16th black hat its 16th year here in Vegas in

the summer and I can't walk 10 feet without somebody I worked you know that works for me that works with me that I worked for at some point and many of them I've worked with or they've worked for me or whatever more than once so doing the right thing today maybe it's hard today but at 2 years from now it might be the best thing I ever did as a manager what degree do you find yourself assigning accountability within your own organization do your people step up and take accountability themselves or as you as a manager have to delegate that I think it it's really situational I don't think it's as simple as that because in

a lot of situations especially the work we do which is a threat Intel Group right there's a lot of self-motivated people you know people who show up for DEFCON on a weekend because they want to I don't have to assign very much accountability now there's other situations especially with younger employees or in different different situations where you can make that happen but I'm lucky alright I work in the kind of organization where people kind of self-select to do stuff like this which means a lot of them just do it natural right it just happens um excuse me and I actually yeah I count myself very lucky to have people like that um I think part

of it is I'm like that too right you like I said sixteenth I'm here I'm I pretty much like this industry and I pretty much love what I do so I think that that probably impacts how I put people around me I like to have people that are excited to come to work every day and love their jobs what happened to the microphone Oh what do you feel about technical managers in other words those that aren't necessarily wanting to be the CEO someday but yet want to stay technical and yet be it but it have a little bit more say in what they're doing absolutely I mean there's a lot of us out there yeah yeah I'm not the CEO I

I happen to be a business nerd too and and like the I'd you know like starting companies I started a company many years ago and really enjoyed it but I've been a technical manager all my life

yeah I don't I don't buy that whole yeah I don't buy that I mean you if I have a person who's really great at what they do you know the Peter Principle the idea and the Peter Principle has always said as this really cynical thing like for those who don't know the Peter Principle is the idea that everyone gets eventually gets promoted to the level of their own incompetence and it's actually a very profound thing it's not cynical in the and it's exactly what you're talking about what we tend to do is we take someone who's really great at the job and say hey you're fantastic of this go do something else yeah I got I got a

promotion for you I'm gonna take you out of the job that you love and you're happy and everything's awesome and I'm gonna make you do something you didn't you didn't ask for that's not really a great idea right if you find somebody that's super happy and doesn't want to move and doesn't want to change and just kills it at what they're doing why would you change that right but you're right we have an industry-wide thing of like okay you're your senior manager you should be gunning for a director you should be you should be learning to manage managers some people like managing people who are doing work rather than managing managers who are managing people who are doing work and

it's a different skill set I it's a different skill set to manage engineers than it is to manage managers and we don't give that enough we don't give that enough play in our industry well actually I was gonna ask my second question first which actually ties into that because I'm in a situation right now I'm managing somebody he was promoted to manage a technical team but won't extract themselves from doing the day-to-day because he's lost the trust of some of the people that he's managing so that's a challenge which is to basically tell them to kind of cut or fishbait have you have you run into that and have her manage that okay okay how

do you avoid that that's you can't that's that is that is the ultimate situation where he asked the right question earlier that person doesn't really want to invest in managing and in invest in the trust right there they're falling back to their technical skills because that's what they know if that person really was eager to manage rather than eager to just get stuff done they'd be learning this stuff rather than focusing on the technical work in that situation you got to you got to make a determination does that person really want to manage and a lot of the time the answer's no they were thrust into that they were the best technical person they were given this and now they

they're not very good at the job and that might be the case you might just have the wrong person in the role now if they actually you know if you sit them down and say look do you really want to manage then you have to I joked at one point about taking away someone's commit access right take away the person's commit access or basically just say look you're not allowed to do this anymore you have to figure out how to work through your people and I don't care if you miss this deadline you by the way this is gonna be a hard one on you because you're gonna have to let them fall on their face if they really

want to manage you have to let them fail so that they learn how to manage and and if you're not able to let them fail then you got to figure out how you're gonna play that because clearly they're falling back to committing code you know solving the problem themselves because they don't know how to get their people to do it and you something's got to give there is that yeah that sounds good if you want to chat like for real afterwards you grab me but the other one was so at least in security arena you mentioned you got people that are motivated due to the mission or whatever they're doing there's some other cases where you're trying to get trying to

instill motivation in other people what have has been kind of like the little trick there to kind of that nudge to kind of like see their value and get them to kind of to get to the next step I'm this is a really by the way this is where we're gonna have conflict in the room I'm about to say something really unpopular I don't think you can genuine I genuinely don't think you can motivate other people I think if you have to instill motivation you know like the beatings rule can will continue until morale improves I think if you have to instill motivation the person's in the wrong job and if it could just be that

their demotivated because of some thing and if you've evaluated okay why is this person not motivated well they hate the person they work next to okay I can solve that I can move their desk fine great but if they're not motivated because they're just miserable and not motivated they're in the wrong job like period end of story and all of your efforts are ultimately just going to be small pieces of scotch tape on a very large problem and you're you're going to you're going to let them go or they're going to quit a year from now hurry up or it's a [ __ ] it's higher right yep so early on you mentioned the high rate of

skill set obsolescence in the field yeah and you also mention that it's you know the boss's job to make sure that the people are trained yeah so how do you sort of reconcile or get buy-in on the idea that people sort of might need to be trained you know not for the thing they're doing right now but something for one year three or five years down the road you know maybe if it's not directly applicable to the company's current sort of mission or or contract well so we were talking about this this is this is that this is like how you fill it one on one right if you see that something's going to change right if you

see that their skill set they need a skill set three years from now and you can see around that corner break it into bite-sized chunks and figure out how to feed it to them very small pieces at a time and figure out how to lead them there over the course of the next three years that's the slow steady you're not just going to send them to a training course and be done with it like this is going to be a development path you got to know what the development path is for each of those people we're gonna say

oh I'm not usually sending them anywhere I mean I'm not used yeah I mean if you're doing it as if you're doing it you know piece by piece send them a blog entry a week you know a this is what I mean by piece by piece if I don't if I know they need a skill three years from now I'm not gonna send them to a 40-hour boot camp for it all right I'm gonna put that 40 hours over three years in which case it's probably not the kind of investment you're thinking of now there's some situations where that's that investment happens I talk through the development of all my folks with my manager always right and you know I

actually just got a new manager recently so I haven't started this with her yet but it's my natural thing to at least once a month in my one-on-ones talk through if I'm having issues with these like my boss got there because they're a good manager generally and if they didn't I probably have the wrong boss and I'm probably at the wrong place but generally my boss got there because the in my new boss phenomenal phenomenal manager I have zero qualms asking her everything okay I'm thinking this person needs to learn X over the next three years what do you think here's my plan got any ideas and then I don't have to get buy-in it's their idea right they

bought in just by talking to me about it and whatever we come whatever decision we come to I'm then gonna go action because we've already said right back to meetings and decisions right it becomes a decision at that point and and I don't have to work for buying because they've participated we either get one more question all right one more this is a little bit different I've struggled to identify candidates that are coming from IT like mid-level or junior level positions into entry level security positions they're not understanding that security isn't this I call this sexy thing it's kind of boring and tedious and it just is not as exciting as people lead it up to believe and I've I've

hired people that seem like good IT firefighters that know the technology can learn and they come into a security role and they just suck so I'm curious what your techniques are to kind of prove somebody out and she level positions security is a mindset purity is alright when you guys walk into a casino how many of you see where the cameras are look around the room it has nothing to do with skill you find the person who sees that and they learn the skills and you find the perfect I IX wife we would walk through a casino she would never know where a camera was most people most normal human beings by the way we're not normal normal human beings

don't know where the cameras are that's the problem you're having you're taking people who don't see things like that who don't look at a system and inherently go I could mess that up like everybody in this room if you've taken people with the wrong mindset that don't just naturally and I I don't think you can teach it I really don't I think like there's a reason we come to this conference and we all come voluntarily right we pay to be here like the folks who pay to be here on weekends you know in the middle of summer when kids are on vacation I can take anybody in this room and I can turn them into a great

security person because you can all learn the skills you have to have that that mindset that way of looking at the world and and you just have to learn to select for it

mm yeah motivations a big deal right you have to you have to want it you really have to want it all right I'm gonna get kicked off the stage here but feel free to grab me I this is this is one of the things that nerd out about so I love talking about this so thank you all for listening thank you Mike [Applause]