
Panel: Cyber Engineering & Architecture

BSides NoVa · 2021 · 59:06 · 62 views · Published 2021-06
About this talk
A panel of four security leaders—Rich Wickersham, David Martin, Robert Lowe, and Dan Higham—discuss the transition from engineering to architecture, common career mistakes, the importance of understanding business context, and misconceptions about security work. Topics include avoiding early specialization, developing critical thinking skills, bridging the gap between technical and business teams, and building diverse, collaborative teams.
Presented at BSidesNoVA 2021 on 5 June 2021 by Rich Wickersham, David Martin, Dan Higham, and Robert Lowe
Transcript [en]

All right, I think we're live. Can we give an appropriate amount of time for people to join our Engineering and Architecture panel here at BSides 2021? It's been a great conference so far, and I'm very pleased to bring a few people in. Everyone on this panel has some connection to me, which is interesting, but I'm very pleased to introduce them. I'm going to start on the couch next to me with Dave Martin, a senior cyber security systems engineer with Booz Allen Hamilton. Virtually here we have Robert Lowe, principal security architect at Fannie Mae, and Dan Higham, managing partner with Hybrid Pathways. So today we're here to talk about security architecture and engineering.

And it's an interesting dynamic, because many of us were engineers, as we discussed, and we transitioned into architecture. So for those of you that are new to this field, I think it will be helpful; it'll be something that can help you shape your career as you move forward. Our first question of the day will be for Robert. Robert, what are some rookie mistakes you made in your career, or that you see rookies make now? Yeah, I came into this field a little differently than many people may have. I had a long history beforehand in systems administration and also network

administration, so that gave me perhaps a little different perspective on some things and also helped me maybe avoid some of those mistakes. But one of the things that I would encourage people to do is not to specialize too early. Really dig in and learn a lot of the basics and fundamentals of operating systems and networking, and don't be afraid of coding; I think that's a really important part of where we need to go as a profession. Besides that, I think one of the major mistakes that I often see people make is that we're in a position where we bridge the gap many times between IT and the business, and we sometimes

express risk in the wrong terms for an audience, right? We tend to geek out sometimes and express things that maybe a business audience won't necessarily understand, so we have to be really careful about that. And then also maybe just making assumptions: we sometimes assume that all risk is bad, or that all low risk is, when in fact there are combinations of risks that can add up to something much bigger. Along the same lines of making assumptions, I guess I would say don't just stay on the happy path, right? It's important to think about how the things that we design and build can be abused and misused,

and to do that you really need to start developing thinking skills. So don't make those kinds of assumptions. And then I guess I would add to that: be detailed. Sometimes I see what I call a napkin drawing as architecture; we get a lot of those sometimes, a few boxes and some lines, and we think it's good enough. In my mind only people like Bob Metcalfe can get away with that, but otherwise add a lot of detail and don't be vague in your use of language. I think those are things that I think of as ways in which it's really important to

progress. I'm sure others have different perspectives as well. Dan, you want to jump in? Yeah, I'll add a little bit to that; that's really a great overview. If I think of the one big thing when I reflect back on my career, it's that you're fresh out of wherever, whether it's school or what have you, you're entering the field, and you want to change the world. To use a bit of a colloquialism, you unknowingly want to boil the ocean, which is thinking you can change everything all at once. That's the hardest thing, and it depends where you're working, but

especially in large enterprises you really have to take phased approaches. You have to break it down into bite-sized chunks. And ultimately, and we'll talk about this later in the panel discussion as well, if you want to be able to enable change you have to be able to understand the business. That was already talked about by Rob as well: understanding what your audience is and who your customers are. Now of course that comes with experience and practice and learning, and being open-minded is going to be very

important as well. Now, we're talking about mistakes. One thing that I love about the United States is that we have a culture that sets us apart from a business perspective from almost any other place in the world, and that is that we shouldn't be afraid to fail. It's okay to take chances, because with high risk comes high reward as well, so you always have to try to find that balance. I think it's very important in any work culture that people should be willing to take chances, because that's going to create greater growth for the business, if that's one of their goals as well. And that's it for me. Absolutely.

Yeah, definitely reinforcing that. My first thought on the question is: make mistakes. We learn so much more from our mistakes, so be willing to make a mistake. It is a balance; I have been the cause of my own denial of service before. But it balances risks, and at the same time you learn so much more from your mistakes, and as long as you're straightforward, as long as you haven't promised the world and then made a mistake, I think you'll learn so much more from it than if you don't take risks. Like you said, if you don't take risks you don't learn anything,

you don't want anything new. I do want to add, though, that we're talking about rookies, so assuming rookie engineers, I feel like documentation is the thing that drives me: documenting the things you do on a daily basis. The truth is, when we learn to do that we become architects, right? But starting out, everything you do should be possible, and then essentially your notes become technical guides, right? Learn that until we're ready to transition to the next level. Instead, that should be the first thing we learn: play around with the system, but write everything down, every switch, every

button, every setting, everything. Yeah, I think you all have great points. I know for me, I started my career as a developer and I felt very comfortable with what I was doing, and it wasn't until I left my comfort zone and moved into a security role related to code review that I realized that I liked figuring out what was broken in order to establish processes to fix it. It gave me that first skill, but I was in that first job out of college probably too long because I got comfortable, and what happened when I forced myself to be uncomfortable, and I could say that with every single

move in my career, was getting out of that comfort zone, pushing yourself and showing other people that you're willing to push yourself and solve a problem maybe that they didn't know they had. So that's my addition, which echoes the comments from the rest of the team here. Moving to our next question, and I'm going to target Dan to answer this first: Dan, what does a day in the life of an engineer and architect look like for you in your role? All right, so just to give a little background on my experience, I can't believe this now, but 21 years ago I started out as a network engineer with

Lucent Technologies, and while I was there I evolved into network security engineering and then decided to focus on cyber security for my career, and the rest is history. Now, having said that, most of my career I've spent as a professional services consultant, but I've done some stints in the corporate world, such as Citigroup and also Voya Financial. The reason I'm giving that background is that what I love about professional services is that I do something new every day, and I love that. I get quite a diverse exposure to all different types of customers and the challenges they're trying to overcome. Having said that, the

corporate world can be just as rewarding and just as good as well, and the reason I'm saying that is that regardless of whether you're inside the corporate infrastructure of an enterprise business or what have you, versus a professional services consultant, the approach is relatively similar. The background I'll start with is that there are some very high-level categories that you can put around what you are doing to support an information technology infrastructure that's enabling the business processes, because we can never forget that we're here to enable the business, for them to be able to accomplish their work and their growth and their business drivers and their strategies and so on

and so forth. So at a high level, as an engineer or an architect, what we do is we plan, build and run. I'm going to describe the phases around that, and then I'll talk about it from an engineering perspective and also from an architecture perspective. I'll talk about my current role as an architect, and then I'll talk about what I used to do as an engineer and still kind of do when there are engineering needs for my customers, because I direct technical teams to help service my company's customers. Now, if I look at that, there are kind of two ways of looking at

that, because you typically start off with architecture, which I'll get into in just a minute, and then you move into engineering; this is the planning phase. Then when you look at the build part of it, that's the implementation part. If you're building something new or making a change in the environment or something of that sort, you're actually building something new within the environment that's enabling a change, or it's just a brand new capability within the environment. And then after that cycle, once you've built it and you've done your testing

and those types of things, then you go into maintenance or operations, which is the run part of it. Now, when you look at it from that perspective, my approach, and this is what I do every day, is that as part of the planning phase you start with architecture, because this is what's going to give you your roadmap to where you want to go. So typically what you do is you'll go in, and it doesn't matter if you're a consultant or if you're in the corporate world or whatever business or organization you're working for, and you do your discovery. And this is an

important point, and we'll talk about this a little bit in later parts of the questions and discussion as well, but know the business; that's a really important part of it. And I'm just going to give a little preview: later on we'll talk about how you break into this field and what are some tips and tricks that can help with that. One of the things that I always tell my employees is that, especially for our customers, if you're a professional services

consultant, learn the business even before you first step foot in the door. There are things that you can do; I know some people don't think about this, but read the 10-K. The reason I say that is because typically a 10-K is a financial statement about the business, but usually a company will put a whole bunch of stuff around that financial information that says what its business strategy is and what its growth goals are. It will actually give you a ton of information about what their mission is and what they're trying to do; in some cases it's really to try to help society and all these different types of things, besides

worshiping the almighty dollar and those types of things. So learning the business really becomes important. You can do that before you even step foot in on your first day, and then continue to do that as you move forward, because that's the only way you will understand. A couple of things when you're looking at the planning stages: you start from the top down, which is understand what the business drivers are, understand what the growth goals are if growth is one of the strategies for the business, understand what the business processes are, and then you get into your discovery phase for your planning. What I mean by that is typically what we'll do, and this is what

I do every day, is I'll go in and, if it's a large enterprise, this will consist of something like 40 to 60 interviews, depending on the domain of architecture and those types of things. What you'll do is say, okay, I want to understand what the current state is that we have today, and then once you understand that you talk about, okay, what are the challenges that you have? A lot of the time the business says, I want to be more efficient, I want to get to market faster. Now that's a very general term, but there are certainly things that you

can do to help them do that as you continue to move forward, identifying what their challenges and pain points are. It's also very important to ask them, and you can help document this for the business and also for IT, what their vision is of where they want to go. That's all tied to their business drivers, because once you understand that, and you go through your discovery of what the current state is and what their vision is and what you think you can do based on your experience to help them, then you start to create the vision, which is really documented through architecture diagrams. I'm doing this every day now,

which is creating diagrams. Usually you're creating current state diagrams and then, and this is very important, you're creating future state diagrams based on your experience and the domain that you're working in, because then you're going to develop the migration plan of how you get from current state to future state. That becomes very important. That migration strategy, and that capability that you can document in project plans and program plans and Microsoft Project and Gantt charts, where you can also identify the business value and the return on investment and so on and so forth, is how you create that roadmap. This goes back to not boiling the ocean, and also this is a key thing we always

typically talk about in terms of roadmaps: one to three years out, because nowadays, especially with this information age and the information technology age and so on and so forth, the business is changing constantly, and it can be very hard to predict beyond three years. Having said that, one of the key items is that you do want to be thinking, okay, I may not be able to understand what the landscape is going to look like five to ten years out, but you want to be thinking about that. So we're looking at things like how do we future-proof our architectural diagrams, and that comes down to modularity

and flexibility. The whole concept, it's a principle that makes sense and has existed for two decades now, and for those of us who have been in the field for a while, things like enterprise service buses and service-oriented architecture still hold true today, just in different forms now. You don't want to be monolithic, and that goes back to not trying to boil the ocean, but you want to be modular in terms of what you're designing and how you're going to get there. So a lot of my day is spent doing the discovery efforts, identifying what the future vision is going to be, and then diagramming and documenting

what that's going to look like from an infrastructure perspective, and ultimately tying that roadmap and how you're going to get there to the business and the business drivers. You'll hear me harping on that all the time: you can't lose sight of the business, because if you lose sight of the business, the business is going to move on without you. I'm serious when I say that, because I have many examples in my career of that. Now, I know I'm taking a bit of time right now, but let me say a couple more things. If you translate that to an engineering role, my day in the life was different, so

typically what that would mean is, let's just say, first you would go in and you would do the implementation. That means you're building servers or virtual infrastructure, you're configuring the systems to the specs that have been defined by the architects and the engineers, based on not only cyber security but also what the capability of the service needs to be. Then of course you go through your testing exercises and everything like that, you operationalize it, and then a big chunk of my time, especially in maintenance mode, was always spent troubleshooting. That's the big thing, because when the

service isn't working, you do want to have resiliency there, but there are always going to be times when you have to be able to log into the system and look at what's happening with it. Then I started to get the experience to understand, okay, if A is happening, then for me to be able to solve it at C I have to look at B; essentially I'll be able to get to that resolution. That was a big part of the work that I did as an engineer in maintenance and operations mode, when I did that type of work as well. And then the last thing I'll say

is that a typical career path is you start off as an engineer and then you move into architecture. It doesn't always happen that way, but once you start to get into architecture, and you start to get into enterprise architecture and seeing that big picture, and we were talking a little bit about this before the broadcast started, it's very important that you think of yourself as an agent of change. You can have all the technical skills in the world, but if you can't see the reasons why this change is happening and be able to influence, because usually my job is just a huge amount of influence, I may not

have anybody reporting to me, but I want people to be able to get to my vision for the architecture, as a team and for the business as well. So it's really important that you network and that you collaborate with people. Now this is very important: you don't have to get along with people at work, but guess what, it makes it a lot easier if you get along with people, because they'll actually want to do the work for you and with you, not because they have to but because you're making it a more fun and enjoyable environment as well. That can, believe it or not, increase the pace

of change that the business always wants as you continue to move towards the target state. Now, I know I've been talking for a while, so I'll stop there and allow people to jump in. That was fantastic. Dave, do you want to take the next part of this one? I mean, yeah, he covered a lot, not a whole lot to add there, but I would agree with the building of relationships and getting along with people, because it's about the free flow of ideas as well. When you work with the people, the users essentially, you get a better understanding of what it is they're expecting to see and what they

and that actually will drive what you're working on, and give you a specific context that you may not have. We can set up a tool to do all these amazing things, but if you don't really know what the user's doing, then... and the way to know is, again, to make yourself available to them and be friendly and get along and have those conversations, and then they'll actually seek you out to say, hey, I'm working with it, can it do this? Yeah, I want to echo Dan's comment about reading 10-Ks too; it's really important to understand the business, and also in those 10-Ks

they will often highlight risks that they see for their business, whatever the business is, right? Those are important to understand, especially in, well, in any business, so that you have an understanding of what the business sees as their risks. One thing that I want to ask the other guys as well is, okay, Dan, you specifically talked about creating target state or future state plans and architectures, having a vision for what that will look like and how to get there, maybe in a one to three year timeframe. One of the challenges I see quite often is that many times there's not an appetite for

projects, the big rocks kind of projects, that go beyond a year or two. In many cases they want to see things done in six months, and oftentimes, in combination with that, you see changes in the leadership team itself over the course of a couple of years, and then suddenly you have new people at the top with a completely different vision for where things should go. So it's difficult to maintain continuity, and I'm just wondering if others on the panel see those same types of challenges. Yeah, I'll jump in on that one. The direction as a whole may change slightly in the technology direction, but you'll still be following those business drivers we've all alluded to. As an

architect, for me in my role, I want to be one of the ones leading innovation in our security goals. We can do it better: if you're helping a company migrate to the cloud, we can introduce better security than we had on-prem. We can evaluate something new, and we can shift directions if we set achievable objectives early on. If we're going to hit our objective as a security team at the end of year three of a major project, and we're not hitting objectives along the way at a milestone level that are reducing our risk and increasing our security posture, we're not going to be successful. We've got to be ready to

move with them, and I think moving to an agile mindset, or moving IT security into an agile mode (and security is not generally agile), but I think, to what Dan and all of us pointed out, it's part of understanding the business and finding those partners in the business that understand security. For me, I found that if I have a current state and I have a target state, and I phase from that current state to target state to show what attack surface we're adding and what problems we're solving along the way, it achieves a lot of buy-in. I've found security champions within the business by

taking this model, so that when I push back they'll become an advocate for me, or want to partner with me, and when I push them they'll listen. You can educate them and you can share the same objective together, because you understand what the business is doing. Anyone else have more to jump in on this one? Yeah, I'm just going to add, because I think you hit on a really key point, Rob, which is you have to be flexible. It's interesting: it doesn't mean that you don't create one to three year roadmaps, because you want to strive towards something,

but what it does mean is that you're probably going to be changing what that vision looks like every three to six months. It's interesting; it's only with cloud computing, with the advent of that, which has really been around for 10 years now or so and which I call the next generation of agility computing, that things have sped up even more. What I mean by that is it used to be that maybe every year there'd be a major disrupting event or those types of things, and now, over the past three to five years, it's like every six months there would be a major disruption,

a business event, like the business announced that they're going to outsource all of IT (I've seen that happen), or there's a merger and acquisition going on, or whatever it is, that is pretty disruptive. And now I'm telling you it's like every three months at this point in time. So you just have to be flexible and know that you're going to have to update your documentation that shows where that roadmap and that vision are going to go. The pace has really accelerated because computing in general is becoming more and more agile, which is the whole goal.

I completely agree. I think we could have given the whole panel on this topic, frankly, and you could keep going, right? But let's go to the next one; maybe we'll come back to it at the end if we have time. So for my next question, Dave, this one's for you: how did you progress in your career, and what advice would you give to someone new in the field? So I have an unusual career. I'm a 20-year veteran of the Navy, so I started off as a sysadmin on subs, and they were just putting networks on submarines; it was kind of a new thing to have a network and to be able to

check your email onboard a submarine. So how I progressed was really based on the military at the time, but it was good. We talked about it before: I think being a sysadmin is just a good place to start. You should always know how to manage systems before you move into security, in my opinion. But the easiest thing, the biggest thing, is to take advantage of opportunities. That's really what happened to me: I had a gap in my career and there was a school available and I took it. It was the assistant military course and it was the security course,

and then the job opened up, and I literally took it. I didn't ask permission; I was like, this is my job, I need this job. So when you see these opportunities, take them, even if you feel like you're not quite ready yet. You get yourself there; take them, don't let them pass you by, because that's really the only way. Otherwise, it's really easy in our job to sort of get comfortable and stagnant. I work with guys who have been doing sort of the same job for a real long time,

and our technology moves too fast for that, right? If time's moving, you should be too. So, sorry, we can come back to that. I'll hand it to Robert to jump in. I think it's extremely important to learn the technology, not try to bypass that. Dave talked about being a sysadmin; that gives you kind of the insider view, and you're learning a lot about the underlying technology that we're working with and architecting, right? I don't think you can skip that. Another thing I'll point out, and I think I mentioned it a little bit earlier, is critical thinking skills and

problem solving, troubleshooting skills. If you are good at that, in my opinion that puts you into the top ten percent, because it's such a huge gap in most cases. There are very few people that are really good at troubleshooting, right? They start out with something and then they just make a lot of assumptions and guesses, and it turns into not a very scientific approach to solving problems. Learning to develop those skills will really help you progress in your career. Dan, jumping in on this one? Yeah, so I'm going to talk a little bit about what we had talked about just before the panel went live, and I'm going to kind of work backwards into it.

I'm going to talk about a few things in just a moment in terms of what I call getting your foot in the door, or at least getting the door open a crack, a little bit open, and then it's up to you. This goes back to seizing the opportunities that Dave was speaking about before: then it's up to you to step through that door and showcase yourself, that you are and should be in that job and should get the job offer from an organization. So just showing up in some cases is good, but then you need to take it

that next step further, and it can be hard too, because people are trying to judge you based on your CV or resume, and then you're trying to conduct that first interview, maybe a few interviews, and then they're going to make a decision based on that. So it goes back to what Rob was saying: be able to showcase your critical thinking skills. Even if it's not that applicable to the job that you're applying for, when you're going through the interview process, be able to take things that you've learned in the past and apply them in the storytelling that you're doing

to describe the type of person and background that you have and how you can help the organization that you're applying to for a job. That becomes very important, because even just being able to do that shows a critical skill: being able to translate and interpret things that happened in the past and things that you want to be able to do in the future. Now that's stepping through the door, and we can talk a little bit more about that later if we want, but getting that door open for you, this becomes very important. And this is what I always tell my

employees as well: certifications are great, but there's always this challenge in any industry, not just cyber security or any other part of the IT industry as well, which is you can have paper-based certifications. They call them paper-based engineers or consultants, meaning you can have all the certifications in the world and just not be the right fit for the right opportunity and the right job, and that can be a challenge. So that's why it's very good to make sure that you research reputable certifications that are in the domain and industry that you're looking to

get into. For example, for cyber security, (ISC)² has the CISSP; ISACA has their Certified Information Security Manager and also a couple of other certifications associated with the cyber security field, and so on and so forth; the Cloud Security Alliance has certifications out there. But my point is that it's good to get that base to show that you've taken the first step, which is you can study, you can learn and you can pass the test. Again, that only gets the door open, but that can be important. On top of that, I'm a little bit of a tree hugger; I love

the outdoors. My undergraduate degree is in environmental science, and after I was doing IT for about five years, self-taught, I decided that I probably should go back to school and actually get a degree that's related to my field, so I went and got my master's in computer science after that. All of this was to be able to show that I at least have the foundations to be able to talk to organizations that may be interested in me, and then it was up to me after that to show them that I'd be the right fit. Now, the last thing I'll say is a couple of things. One is, when

you're first starting out, that becomes very important: to be able to get those door openers, having that type of background, whether it's certifications and a degree in the field or something of that sort. On top of that, and I think we probably all know this, internships become very, very important. I can't believe it was so long ago, it was about 15 years ago or so, but I used to work at Ernst & Young, and I'll tell you right now, I was a manager there, and about 90% of our new hires were through internships. And of course it makes sense, right, which

is you get to try and buy, and that's the best way to do it. At the end of the day, that goes into the last piece I'll talk about, and for better or worse I've been very, very lucky. Based on my certifications and those types of things, I was able to get the door open to go work for Lucent Technologies back in 2000, but ever since then, every job that I've had, I've never applied for a job or submitted a resume; it's all been through my networking. And that becomes very, very, very key, which is continuing not only to develop your

relationships inside the business and the organization that you're working for, but also outside as well. So, for example, attending this conference is a great thing, and going around and trying to make new relationships becomes very, very important, because you never know where the next opportunity is going to come from. As they've said, the opportunity is right there, then you go and seize it as well. So that's a very important part as well: networking and having those relationships as you start to break into the field. And I'll stop there. Robert, do you want to jump in? Actually, jump back, if you don't mind.

Okay, yeah. Just, there's a few points that I always tell new people. Always be learning something new, right? So even if you're hired, maybe you're hired as an engineer for a system, but as part of a team you've actually got access to four others, then you should be learning one of the others, because especially now, orchestration is what it's all about anyway. So at some point someone's gonna want to set up orchestration between those two tools, and if you know them both, then you're there and ready to go. Always be learning something new; if it's not available to you at work, do it offline.

I do agree with him about getting your certs: getting your certs is good, but getting your certs is a check in the box. It means you can get a cert; it doesn't necessarily mean you can do the job. It means you can do the research, because that's what most of our job really is, doing the research. Do your research, but always be learning something new, and always sort of prove that you can do the work too. Don't just get the cert and go, okay, I'm certified, good to go now; you still need to keep learning, keep working. If you're brand new now, and this has actually happened to me a few times,

people come up to me and wanted to change careers from something completely unrelated, and they come up: start with the vocabulary. It's been a little while and I don't even know if Security+ is still around, but Security+ was just a vocabulary quiz, it was just a really long vocabulary quiz of acronyms and things. If you know what all those words and things mean, then you can. And again, the rest of it's about self-motivation, it's about you doing the work. Once you get the job, the work's not over. Get in there, get your hands dirty, do what you need to do.

And then lastly, I've never told someone I can't do something. When they say, can you do this? Absolutely. Have you done it before? No, but I can do it. I can absolutely; you give me a little time and some effort, I can do the research, I can do the learning and I can do it. If it's doable, I can do it. So I never tell someone I can't do something or I can't make that happen. I might say I'm going to look into that and get back to you with a lot of technical information, but just, yeah, never say you can't do it. Yeah, those are the talking points

that I always start with. Sorry. And as a leader in an organization, I want you to tell me how you're going to get it done. So, being on the other side of that, I don't want to hear I can't do something, ever. I want to hear how it's going to get done: what are the resources necessary to accomplish what we need to do, what is the level of effort, how long is it going to take. Robert, give me a chance to jump in on this one. Yeah, I think I'll hit on something that you mentioned earlier, and that's have a plan, right? If you just let your career happen, it's

likely to meander, or stagnate maybe at different levels. Have a plan for yourself and figure out what you need to learn, what you need to accomplish, what you need to achieve for the next step, right? And part of that may be associating yourself with people that have already been there. Find a mentor if you need to, but definitely associate with people that know more than you do, because you'll rise to the level of the people that you hang out with, so to speak. They'll have an influence on you and help you in one way or another, so find those people and connect with them.

Use your network. Yeah, I want to key in off of the plan. I don't know what you guys do, but the way I attack my plan: literally the last week of every year, I write down objectives for myself, and when I matured a little bit in my career and started doing that, I started accomplishing more. One year I literally wrote down, that fall, I was like, I'm going to talk at DEF CON this year, and I did it; I made it what I wanted to do. And I've done this on a lot of things. When I did my CISSP very early on, I wanted the

credential, I wanted the paper, because in the highly regulated sectors, financial and government (it was government for me at the time), I needed it. I needed it to get the job with the contractor, the job that I targeted, and I said I'm going to do this, and I executed. So I literally write it down; that is how I approach big objectives. Smaller ones are not as well organized, but big ones are. And I think the last thing I'll add to that is, if you're feeling at all stagnant and the opportunity's not there, the cert gives you the next opportunity. Don't be afraid to move, don't be afraid to move to the next job

and take that chance. Get out of your comfort zone and grow there if you can't grow where you are, because there's great need in our field and the opportunity is there; you just have to take it, like they said. This is another topic that we could talk about for a very long time, but one thing I'll just add, another quick 30 seconds: I've just been very lucky in my career because I've been mainly in professional services. I've interviewed over 700 candidates in my career so far, and it's going to continue to grow and grow, and one of the universal items that I

try to figure out in the interview is to try to identify a love of learning. Dave, you already spoke to this, but I just want to emphasize: things are going to change constantly, it's just the way it is. You're going to have to be adaptable, you have to be flexible, and you're going to have to learn new things. And so what I'm always looking for in my employees is to identify that they have that love of learning, because it's a continuous skill that you need throughout your entire career. Yeah, actually, just as an anecdote, I joined the Navy because I thought I wasn't ready for college, and I haven't

stopped learning since I did. So, always studying, always learning. Yep, continuous learning is always how we grow. It's a hallmark of people that are successful, and it's something that I think anybody new in the field should plan for. If you want to work on an assembly line, that's a different role; it's not these fields. So that growth mindset is the way I see it. Yeah. Oh, go ahead, I'm sorry. No, you go ahead, I'm sorry. Well, I'll add context, but I feel like we're talking about skills that apply to the business and corporate

and organizational world, firms and those types of things, and life. The reason I say it is because it made me think about what I try to teach my kids every day. My kids are older now, they're teenagers, but one thing that I try to teach them, and this is very important because it's applicable to the work world as well, which is, you said you take those big rocks, those big milestones, those big objectives, and then write them down. That's really important. And then what I try to teach my kids is to have that long-term view, and what I mean by that is actually think

about what your life could be like five, ten, fifteen years from now, what do you want to be like, and then start identifying those big objectives of what it's going to take to get you there. You can write those big objectives down, and you have to actually write these down, and then you identify the small objectives, the small habits, the small steps, the small disciplines that you need to do to be able to get to that bigger objective. If you break it down that way, you are, I believe at least, going to be successful. So you just keyed in on something, Rich, that made me think of that, because I

teach my kids, not every day. Yeah, so we have been blasting through this and having a great conversation. I think we needed a two-hour panel, so we're not going to get through all of our questions. I think we're going to end up taking some questions; we're going to do one more. Man, we've got three great questions, we could literally talk another hour. So, for the audience, Rob, I'm going to aim this one at you, and I'm gonna change the question from what you might have thought. So what's a misconception about this career field that you want to address? Let's start with that, and you can branch off in any direction you want to go.

Oh, wow.

I think probably the major thing is that others think that people in security are all geeks, or you have to be an uber geek to succeed. In some cases, is it true? Well, you have to have the skills to be able to bridge the gap between the geeks and the non-geeks, and it's one of those skills that I think we have to struggle with developing continuously. It's not one we ever arrive at; it's something we just have to keep learning and learning and learning over and over again. Another one is that people learn that you work in security and they think you know

everything about everything in security, and that's never true as well, because we never truly grasp the entirety of our field. It's so enormous and involves so many different areas. Yes, we need to be continuously learning new skills and expanding, and be generalists in a way, when everything in our work environments and all the pressures that we get are to specialize. Being a generalist is kind of almost a lost art, in a way, but I think that's something we have to learn to do. And specialization in security is something that people just assume that we do, right? That's the

only thing we know about. Yeah, that's, I'll look to others on the panel to add whatever they feel is important there. Yeah, I was actually gonna, yeah, you hit right on the, everyone thinks that we're naturally computer geeks, but I have this thing: there's no genetic disposition to computers, right? We haven't evolved yet to interface with computers. Skills are learned; you can learn to be good at something. There are natural abilities like pattern recognition. When someone says they're naturally good at math, you're not; again, math isn't something that you evolve to

do. Maybe you're good at pattern recognition and you've learned how to apply that to math. You have skills, you have strong suits; you take those and you apply them to the field that you want, and you learn how to play off them. Anyone can do what we do, there is not, I just, yeah, anyone can. Everyone has the skill set; they just need to practice and get the experience. That's all it takes. Yeah, I agree. I'm gonna key in on that as well, which is the whole super geek misconception. Now, granted, that can be helpful, maybe not super super geek, but having some technical skills is probably

going to get you pretty far in the field as well. But I think what's important, and I'll just add a little bit more context to what both Dave and Rob said, is that diversity is very important. I just feel like in my career for the past 20 years I've seen it time and time again, which is having a diversity of, and especially as these up-and-coming generations behind us come up and become leaders themselves, I'm going to encourage everyone that you have diversity. What I always will refer back to is, because my dad was kind of a history buff, he loved, he always was talking

about Lincoln, which is Lincoln brought his political enemies into his own cabinet, and at least history so far has supposedly told us that he had a very successful cabinet. What I'm getting at, though, is don't be afraid to be challenged, and diversity is key. You don't want just all super geeks; you also don't need just geeks in general. You want people that have skills in understanding the business, you want people that have skills in enterprise risk management and risk management and operational risk management and cyber security management, you want people with skills in governance and policies and standards development and what the

regulatory landscape looks like, and so on and so forth. And you want to be challenged. When you go in with a diversified team and you're creating a product, whatever that product is, it could be a new system, a new service, a new capability, even just a new piece of documentation, but when you have diversity in the room and people feel comfortable to challenge each other, while doing it respectfully (that was a main rule of mine, at least, that you still need to be respectful even if you bring in your quote-unquote political enemies), whatever the vision of what you're trying to get to, it will make it better time and time again. I think it just is very important that

you have diversity. It doesn't have to be all about technical skills, for sure. Another misconception is maybe that we're all super paranoid people, right? And yeah, we have to be a little bit paranoid, but not so much that we're just total nut cases. Yeah. Well, so although I think we touched on the well-rounded part, we didn't get to ask a question; we were going to talk a little bit about burnout in the industry, and I think that the misconception that some of us are not well-rounded individuals. You had a different undergrad; Robert, I happen to know you're a musician. I went to college for an art

major, basically. I started thinking it was for dance, and I pivoted over to IT. On my list of things I do each year to prevent burnout and keep myself well rounded, I pick different things. Ham radio kind of doesn't really count, but that's there, but I became a beekeeper; I've been a beekeeper for 10 years. I do things outside, and you might think I'm a farmer if you just saw me talking about beekeeping and the level of detail I can go to with it. But I think all of us have that aspect to us: we do this job that we have and we unplug. Some

of us are security researchers too, so that may be part of our outside, but I think being a well-rounded individual, no matter what career field you're in, is important to having a thriving and fruitful career and being happy. I know it has been for me. Yeah, there's actually, of course off the fly I can't remember the reference at all, but there's a statistical correlation between success and multi-discipline people, people that have multiple skill sets. I was an EMT, for example, and I do carpentry, mechanics, and there's something about learning multiple disciplines that allows you

to critically analyze situations better. You can see more; you're better at analyzing and coming up with unique solutions if you work outside of just your one field. Okay. All right, we only have a few minutes, but there was one question. It was a little more generic: they want to know how you guys feel about networking and building your network during the pandemic. I know it's a long one for the short time. I did not. Yeah, I am so glad to be here right now. Virtual: next year make sure you come down in person. I think it was kind of

minimal, this whole thing. I was remote before COVID, but it changed aspects, and people talked about, I have co-workers that are in New York City, co-workers that are all over, and some people went through a lot. I had a lot of family in my house when I was used to a quiet house with just my dog and I. I think with some people you were able to touch on a personal level, because the way that you get through things as humans is just to communicate: you celebrate the good, you communicate what is not

going well, and you accomplish your work together. I think having that clear and candid communication with your peers, your leadership and the people that report to you, if you understand whether they're happy, whether they're not, what you can do to help them, I think it makes you closer in the relationships you have. Maybe you haven't matured as far as establishing new relationships; extremely difficult. And they could have been with personas too, it's possible. Yeah, I'll just say real quick, I know it's going to sound like a little bit of a negative, but you're a little bit out of luck in this pandemic, because I'll tell you, like, I

mean, the first six months of this pandemic, trying to be gung-ho, which is virtual happy hours, doing virtual trivia nights, those types of things, and I'm sure they still exist today, although I think we're finally seeing the light at the end of the tunnel for this pandemic. But it's really tough and challenging, and what I'll tell you, I'm done with 10 hours of Zoom meetings or video sessions a day at this point. I am like so ready to go live full-time in the offices of my customers at this point in time. It's a big challenge at this point.

It's very hard to network. The best you could do is find those virtual events that are going on, and they did happen; it's just a little bit harder depending on how they're structured. So you almost have to find virtual recreational events, as opposed to a panel where it's hard to meet the other audience members, because you just don't even have that capability. So it's very difficult, but there are some things that you can do. Yeah, it's getting easier. I mean, I've met with some people in an outdoor setting that I haven't been able to get together with for a long time;

that's been helpful. I mean, yes, we're very social creatures, and having that personal interaction is important, and a virtual environment doesn't really quite cut it when it comes to substituting for that. It gets us maybe part way there, but it's in the end relatively unsatisfying, I guess, in that sense. So that's where it's really important, I guess, to maintain your connections to family and friends that are close, but even if it's the kinds of things you can do in a setting where it's safe to do that, go for it. Yeah, I don't have a good answer. To be honest with you, until you asked the question I had no thought about it, but

you're right. I have not networked, until now, for over a year. Like, I did my job and I talked to people that I needed to for my work, but you're right, there's a lot of sort of schmoozing that doesn't happen anymore; it hasn't happened for a year. And I agree, I am anxious to get back again. That's why I'm here in person, because I was not going to pass up the opportunity to be in person at something, like, ever again. Sorry, guys, you guys are on, you're looking at us. Yeah, we wish you were there too. But yeah, so, yeah, I don't know that there is a good

answer. He's right; there were things I actually looked into, like there were some meetups, if you're familiar, for our industry, sort of like cocktail hour stuff online, and I did a few of those. And we've got that; these are BSides, so come out and let's give a virtual fist bump, or a real one if you're vaccinated. Sorry. No, that's okay. Yeah, that's a good point. I was going to say that the birds will have airdrome, I think, to say, I probably should have mentioned that; I'm happy to point that out. Yeah, I think the last thing I would add there is that we've all been able to

perform, and we're putting in more time, not less. I know that my peers in industry, everyone's talked about how we had a lunch when we went into the office and now that's a meeting, and work starts when we wake up instead of at 9:00 a.m. And I mean, in this field work lasts as long as it has to, depending on what's going on, right? But we've all proven that we can perform, and if you're a business that is wanting to operate efficiently, you realize that you have overhead costs that you can remove from the equation. So I think the whole paradigm will change, but we still need to get together

and interact to build new relationships. It'll be a hybrid model, I believe, going forward, but we'll see where we end up. Yeah, I couldn't agree more on that. And just real quick, I have seen enterprises, because of how long the pandemic has lasted, move to no-meeting Fridays and ask employees to block off their lunches for that very reason. I like the idea. Yeah. I've set my entire workstation up at home; it's now voice activated, so when the family know that I've been working past my working hours, they'll shut it off on me. Tell them to shut it down. Thank you.

Thanks, reminder. Hey, you've got an excuse: you've got the partnership in your family and they're in control. I mean, that's what you do have to know: when to step over. Like, yes, there's always going to be work to do, but it is important to step away. When you're like us, I'm sure all four of us here love our jobs, so it's really easy for me to just sit at my computer all night because I'm enjoying what I'm doing, but they want to see me, and those relationships are important too. So yeah, I can't say I've been successful. It's important to find ways to

separate work from the rest of life, and when you're working from home you're essentially sleeping right there. You have to find mental tricks, as it were, to kind of draw a line between the two, whether it's you change clothes after you stop work or whatever it is, something that you do differently to say, okay, now I'm on my own time and this is not working. Otherwise the temptation is, I'll just step back into my space and check email, and then that turns into, an hour and a half, two hours later, you're following up on something and doing something related to that.