
Take Charge of Your Infosec Career!

BSides SLC · 2015 · 29:03 · 345 views · Published 2015-04
Category: Career
Style: Talk
About this talk
You spent $5,000, a plane trip, a hotel and a full workweek on your last infosec course but when was the last time you invested even just a few hours of your time exclusively to developing your infosec career in a truly meaningful way? This talk will challenge the way you view your career and give you actionable steps for taking charge of it so you can optimize the rewards and fulfillment you receive from your work. Glen will leverage the stories and best practices from dozens of information security professionals to help inspire your infosec career journey. This presentation will be engaging and speak to the soul in a way that instills ownership of your own career and generates a passion for finding and carving out your own authentic career path.
Transcript [en]

okay guys uh so first off i'd like to thank all the uh sponsors and uh the volunteers you know who set up this thing it's been a great conference so thank you and i appreciate everyone that's attended as well so i've managed infrastructure and security personnel for about 15 years and uh i've learned a lot of things along the way and what i'm going to present is some of those key learnings and i hope that you get some stuff out of it this should be an interactive session so feel free to just uh blurt out anything that you want at any time it's not a big deal it should be encouraged it won't sidetrack anything so we've got a full

hour here

to start out with no we're here to develop our skills mostly technical and most security conferences focus on the technical i applaud b-sides you know for taking on this presentation which is a a lot less technical and a little bit more career-centric i think that's something that's missing right now as an example of the amount of attention and money we spend on conferences this is a typical conference that's going on later this year in orlando it's about five thousand dollars for a class and then you've got twenty six hundred dollars for the flight the hotel it's a lot of money and it's it's worth every penny you know this is something we're kind of used to and it's

good quality training but if we're willing to spend that much money on a conference you know we should be willing to invest a little bit of time in our career as well to supplement that we're going to go and talk through a couple of ideas for you to look at anybody spent seven thousand dollars uh travel and expenses course included before yeah more than seven thousand eight thousand nine thousand okay so eight thousand wow what was the conference ISACA conference okay note to self online training for ISACA all right well it's pretty expensive and we spend a lot of money like i said on security conferences and we need that but are we also developing ourselves and

our careers you know technologies are constantly advancing and we need to learn those skills we need to stay current but these technologies come and go and if you strip away all those technologies that are coming and going you know we're still there and we need to be able to develop ourselves so that we're in it for the long haul so what i'm saying is remember to develop yourself not just your technical skills you know try to try to think about when the last time was that you maybe sat down for an hour even on a picnic table you know just kind of sketching out your career path like you know what an inventory of your

strengths you know where you're going with things and you know if it's been more than a year then then this is definitely something you're going to want to focus on because you know you're the one constant in all of this you know as the technologies come and go so you know those technical skills are just one piece of a very big pie so to provoke you a little bit i've got a couple of questions for you who here is completely satisfied with their current employer okay the guy in the back sitting next to his boss okay brown-noser okay all right but uh you know the truth is you know there's things that are satisfying about

our jobs and there's also some things that aren't as satisfying and that's normal but our goal should be to have a greater percentage of the things that get us jazzed every day and excited about our career the contributions we're going to make in the industry and such so other questions are you compensated based on the value you deliver or are you just coming in punching the clock every day and you know you could do a great job maybe invent some really innovative technology and not really get any recognition or additional pay for it is what you do on a daily basis is it making a difference in the world are you feeling like it's making a difference you're

making a difference and are you working on your life's work and do you aspire for a more meaningful role so those are just some provocative questions any questions to reflect back to me right now

no that's okay i mean i let me let me uh summarize the question and make sure that it's the right one but what i think what you're saying is your job is just uh a sliver maybe a large one but still it's just a sliver of who you are as a person and where you're going long-term you've got some goals that are bigger than just a job or a paycheck right would you mind sharing what that is okay

yep

um

yeah that's a very good point i think it's it's different for everyone i can tell you the way i deal with the struggle is if i feel like i'm fighting upstream all the time and i'm kind of stressed out then i know i'm i'm over allocating myself towards the job you know when it becomes stressful instead of passionate then i know i've gone too far and maybe it's time to take a break and reevaluate things you know take a break take a weekend but uh let's let's continue on and let's see if some of the bullets address your concern i'm thinking in a couple of slides or maybe something that's helpful but uh i appreciate the question

so the whole point of this talk is really empowering you and kind of getting in that mindset that you know you can take charge of your own information security career there's some things that you might be able to influence but there's a lot of things that you can completely take ownership of and and that's the majority of this topic so if you're not jazzed about what you do every day it's it's definitely time for a change that doesn't mean you need to go out and quit but there's something that needs to change and it could be your attitude it could be that what you enjoy doing you're not doing as much of right now and you need to talk to your

boss about a role change or propose a new role altogether that sort of thing but life is short and we need to make the most of it and do what we love doing with the people we love doing it with you know like this security community so that should be part of our goals and living our purpose and focusing on delivering that life life's work that's what your career should be about and if you can get an alignment between what you want to do in your life and what you're doing in your career it's a really good feeling and i think that gives one purpose and a feeling of confidence that they're on the right

path you are the main ingredient to your success so it's important that you take charge of that career okay so i've got two mindsets to compare here one of them is what i call the victimhood mentality which is obviously negative negative nancy kind of stuff and the other is the take charge mentality so just to compare the the two here with the take charge mentality you have a vision to fulfill with your career and so your career is kind of a building block in your path and so you're picking your employers based on how to further your life's work the victimhood mentality side of things would be you know feeling like they have a vision for you

and they are using up your career and perhaps wasting your time on the take charge side you're maximizing your impact in the world through your career on the victimhood side you feel like you're not good enough to make an impact how could you possibly make an impact you know that sort of thinking on the take charge side you have a deliberate effort to align your work with your career goals and it's a constant work kind of like trimming sails if you're sailing on the victimhood side you're doing what people tell you to do and just going through the motions and you just end up wherever they throw you wherever they need you and the last one on the on the take

charge side recognize when it's time to move on so that you can continue your growth on the victimhood side you're stagnating at your current job you're just paralyzed by your fear of well what if i left you know am i going to get another job and some things that's not on the slide i really think that the on the victimhood point i think we've all been here i know that i have but you're waiting for a promotion and maybe you're waiting for that performance review cycle you're waiting for a promotion you're waiting for a raise you're waiting for someone to tell you that you did a good job and um you know maybe the the

corporation is offering some accoutrements for you to stay with them from a retention standpoint even though you're not really liking what you're doing i consider that all victimhood and so the goal is to obviously be more on the take charge mentality side of it any questions on that okay yeah

yeah so how do you balance the uh the mantra of you know if you're not enjoying what you're doing making a change and moving on versus you know there could be a danger of moving on constantly and you know not being able to hold a job i think that there's a whole lot that goes into making the change so you know you have to validate some assumptions when you set about making a change you need to make sure that first of all the change would really be in alignment with your career and that means asking a potential employer and some of the employees some really tough questions that you feel uncomfortable doing that you might feel

like is going to blow it on the interview but you really have to make sure that it's a good fit and you know josh moore was on the podcast recently and he wrote something about you know if you share certain things with an employer they may not call you in for an interview such as you know your race or you know gender things of this nature what you know your true nature who you are and i really thought it was powerful when he said that if they don't like you for who you are then you shouldn't work there anyway right because it's just not going to be a good fit for whatever reason it is

whether it's legal or not um so i think a lot of a lot of the ways to prevent thrashing when you're looking for new jobs all the time is to make sure it's a very deliberate move and you might have to sleep on it i also like it when i see people talking to other people about the change and you know mentorship and find out you know bounce some ideas off them see what they think and just get some independent views tap into that mastermind concept good question so what i've got here are five tips over the next few slides for owning your infosec career and it's visualize your success create a plan build your brand build your network

and take action action being a pretty important part of it on the first one to visualize your success i've created this model here that i just kind of think about and i call it the pads model and it's a purpose which is the most important part having a definitive purpose you know what you're passionate about what makes you unique that sort of thing and having a great attitude and um it's important to really focus on the attitude i think in our space because a lot of what we do uh is some of the darker side does anyone here uh focus on the darker side of infosec where you know you're reading something that you just can't believe someone is

doing yeah um that kind of takes a toll on your attitude and you got to get refreshed you got to refill your your attitudinal pot discipline is pretty important too because some of the things that's important to your career requires a certain cadence you know like keeping up relations with uh various uh friends former co-workers that sort of thing that requires discipline it won't just happen on its own left to your own accord you probably wouldn't do those things discipline would be putting a calendar invite for yourself to sit down for one hour once a quarter to look at your career plan figure out if the goals are still the same and where you are relative to those goals

and if you want to make some shifts at all and of course skills it's i saved it for last for a reason you know i i don't think we need to dwell on the skills too much but i will say that it's more than just the technical it's also the leadership skills and building the next generation of security professionals that will come after us so one of the things with this little triangle here the pads model is that i'm advocating that if you're only focused on any one area of that triangle you're not going to get it done and if you do get something done it's not going to be complete to really have a rich career you're

going to have to focus on all of them have you ever known someone that had great skills but had a bad attitude you know that's kind of career limiting i think we've all known people like that and what about someone who has great discipline skills but they have no definitive purpose you know this from a profile perspective might be someone that's new to infosec and uh you know they can be counted on but they they're just kind of wandering they don't know where they're going yet so you know the point is embrace embrace all the challenges that come up uh with your attitude purpose skills discipline anything that makes you uncomfortable in any of these areas

really focus on it and try to do it because that uncomfortable feeling is you growing so make the most of wherever you are as well so your job if you're not enjoying some aspects of your job make the most of what you can with it and i'm going to talk to you a little bit later about some things that you can do to have those conversations with your boss etc to make that a better role but just try to maximize all the experiences that come your way so this slide here is an interesting one the um the plan consists of defining what your mission is what your goals are identifying the gaps that you have in yourself right now in your

experience maybe your resume and developing an action plan to fill those gaps and then taking action and continually reassessing where you are relative to that plan so on the goals piece we're talking about short-term and long-term goals and when you're identifying gaps think of it in terms of could be training gaps technical skills interpersonal skills maybe it's presenting that sort of thing and on your action plan i like to think in terms of one year two year three year five ten twenty and you know that's why you have this cone this career cone here which i'm going to go over in just a second the the continual assessment part i think is the most important piece

because this is what determines how fast you're going to advance in your career so the more frequently you assess where you are relative to your plan and start tweaking certain things if they need to be tweaked the more confident you're going to be that you're headed the right direction because you will be you'll be making changes ever so slightly along the way it's important that when you try certain things and it doesn't work out that you get back up and try it again if it's the right thing but maybe you do it a different way but the point is you don't give up you keep persevering and making tweaks to the way that you proceed that's all part of the

continual assessment and feedback of lessons learned so with the with the cone there this is just an example it doesn't work this way for everyone in security but imagine on the far left side of the cone you're starting out as a noob just getting into security and you're going to progress through that cone all the way to ciso i'm not advocating that everyone should be a ciso either this is just an example though if you were to lay out a career plan in a fashion similar to this and have a few uh steps in between i think that it will inspire you to come up with actions that you should be taking along that road and those actions

along the top are experiences connections you know making connections with people in the community could be connections in the business and knowledge skills abilities accomplishments that would be expected of you projects publications and presentations that you might deliver these are things that i would say as a noob as an analyst if you knew that you were going to be a ciso i think it would be a good idea even way back there to have a bullet that you're going to be bragging about when you go to interview as a ciso so we're talking about maybe there's a magazine article on uh managing a security team you know that that you write possibly five years before

but when you apply for that ciso position that step has been taken so i think that you should be taking these steps with that vision in mind several years down the road you should be taking those steps all along also i like the analogy of lock picking does anyone here enjoy locksport at all yeah me too so if you think about this you know these are kind of uh pins these phases are kind of pins in a in a lock and you're kind of lock picking your career and um you know if you look at the wavy line you know it's a little bit of a jiggling effort that you'll have to do with the

continual assessment and adjustment along the way to uh you know release all those pins and unlock your dreams on the subject of building your brand i think it's important first of all to say we've all got a brand whether we know it or not and we just need to be conscious of it and whatever that brand is that we want to project it's ideal for it to be who we really are and be authentic because anything else just won't last you know there's only what makes you special is you are unique you are special so when you build your brand it's good to kind of focus on your strengths and uh your experiences that sort of

thing but you want to build your brand consciously leverage that uniqueness and some of the things that you can do to project your brand would come across in the tweets that you do the presentations you might give articles that you write the value that you deliver to the community in your area so with all of this you should be developing a portfolio because all of these types of things are going to be crucial for you as you seek to advance in your career and get hired or get additional clients

on building your network i think that one of the most important things we can do in our career is to make new connections and build relationships and you know cause those relationships to become deeper and deeper in trust over time these are people that you'll be relying on you may end up working with them for them maybe they work for you down the road but i think the relationships are everything and the way to build those relationships is to think about it as you're building your network and taking a genuine interest in people that you meet and finding out what they're skilled at maybe they have skills that you don't and it complements you so you want to build your relationships

with others you could do that by helping them adding value to them helping market their skills provide introductions and help others to be successful in expanding their networks so it's important to nurture the relationships as as i mentioned earlier and stay in constant contact with these individuals even if they no longer work at the place that you were working at with them one of my favorite quotes is the sales guy zig ziglar it says you can have everything in life you want if you'll just help enough other people get what they want and i really believe in that philosophy because i think that you know in service to others a lot of times we find ourselves

and we also find that those other people help us in our time of need

the last tip taking action so it's not enough to know what to do and just leave it as an idea you really have to take action and so you want to unleash your gifts to the world and deliver your life's work your art and to do that you have to constantly stay focused on taking action and knowing when good enough is good enough you don't have to seek perfection you want to continuously produce so take advantage of opportunities as long as you're living authentically and you're not a jerk what's going to happen is people are going to know what you want to do you should be sharing your career path with other people and they are going to want to help you

that's just the way the universe works and so unless you're a real jerk you know these these other people are going to be going out of the way looking for how can i help you how can i help you and your career and so you have to be ready for those opportunities you have to be able to share with them where you're going so that they'll be able to line those up for you too you should be doing the same for others so constantly takes take steps forward along your career path and don't wait or beg permission from anyone to move forward in your life in your career it's your career we're talking about taking

charge of it so you know just uh stay on your career path and sometimes that means you have to make a change but if you have to make that change then do it i remember i heard a story and i'm sure you guys have heard this before about this gold miner and they were like one foot away from reaching the gold you know as they're digging and they just quit but you know a couple more strikes kablam you know they would have the gold and so it's important to just never give up on yourself in your career and where you're wanting to go if you're passionate about it even if you're not getting the results just yet

to the level you were expecting because maybe you had unrealistic expectations stay with it a lot of these things can take multiple years to really get going it just depends on how well you exercise some of those tips such as the relationship building and connections

all right so here i've got a call to action and the call to action is to meet five people at this conference that you don't already know and find a way to interact with them get their contact information find a way to help them so it could be some sort of a referral it could be that they're struggling with a piece of python who knows what it could be but we're all struggling with something so you know there's probably some strength that you have that can help someone else has anyone here already met five people that they did not know before the conference okay so several of you that's one of the disadvantages of presenting on the second day but

what i'll say is i'll give you two other choices meet another five people or try to get an awkward hug with jason street is that fair so um i really think that these types of conferences especially b-sides just phenomenal a lot of work goes into it so i'm going to recommend also that you find a way to volunteer even if you're volunteering for next year right now you can get with some of the volunteers of the conference and find out how you can contribute and help the conference next year it's a great way to network right any questions on what we've discussed so far
