
Managing Misfits: Lessons Learned from a Decade Leading a Penetration Testing Team

BSides Dallas/Fort Worth · 2020 · 40:52 · 128 views · Published 2020-11
About this talk
Krissy Safi and Nick Britton, leaders at Protiviti's penetration testing practice, share lessons from building and managing high-performing red teams. They cover talent acquisition and retention, navigating scope and expectations with clients, and creating a team culture that embraces learning from failures and prioritizes mental health in an industry prone to burnout.
Original YouTube description
Discord - https://bit.ly/BSidesDFWDiscord
Twitter - http://bit.ly/Nerbies

Becoming a successful penetration tester can be extremely difficult. Building a successful penetration testing team, whether an internal corporate red team or a professional services penetration testing team, can seem impossible. Krissy and Nick both worked as junior penetration testers early in their careers and have since played integral roles in helping organizations build robust red team capabilities, but not without collecting some scar tissue along the way. In this presentation, Krissy and Nick will cover the aspect of penetration testing that gets significantly less attention than the latest attack techniques and tool drops: the business of red teaming. These red teamers turned business leaders will cover how they made the transition into leading their own teams; how they find, hire, build, develop, and retain top talent; how they work with their clients and internal corporate partners to manage penetration testing expectations; and most importantly of all… how they manage a team of misfits (because let's be honest, we are all misfits here).

Krissy Safi is the Attack & Penetration Testing Practice Lead at Protiviti (a global consulting firm). Prior to joining Protiviti, Krissy was the North American practice lead at IBM's X-Force Red. Krissy has nearly two decades of Information Security experience across all domains of security in support of Fortune 500 companies and government agencies, working throughout numerous international locations. She has developed multi-million-dollar security practices for both the private and public sector. Krissy holds her CISSP, ISSAP, and CISM.

@nerbies
Nick Britton is the Attack & Penetration Testing lead in Dallas at Protiviti and specializes in managing and executing projects in red/purple teaming, application security, and vulnerability management. Nick has over nine years of experience in red teaming and consulting and has built a mature penetration testing practice in Dallas over the last six years. Nick holds his CISSP, OSCP, OSWP, AWS Certified Solutions Architect – Associate, and other certifications.
Transcript [en]

Welcome everyone to Managing Misfits: Lessons Learned from a Decade of Leading Penetration Testing Teams, or our original working title, Managing Misfits: An Epic Meme Adventure. Let's dive right in. The things we wanted to talk about today: first, Krissy and I will give a quick intro of who we are and how we got here. We'll talk a bit about building a penetration testing team for success. We'll talk about some of the epic battles that you might have with the business, and that could be your clients if you're in consulting, or your business partners if you're an industry tester or a red teamer for a large organization.

Next we'll talk about managing misfits, or managing a team, and last we'll open it up for some questions. So let's jump right in. Krissy, with your intro. All right, thank you, Nick, and thank you everyone for being here. It's a privilege to be able to speak to you all and share with you some of the insights that we've got here. So a little bit about me. My name is Krissy Safi. I am a managing director and I'm also the global practice leader for our attack and penetration testing practice at Protiviti. I currently live in the Denver area, and some of my hobbies include things that you commonly find here in Colorado: we really enjoy camping,

hiking, adventuring. I love to travel, I love food. I went to culinary school, so I like to call myself a chef. I also find myself momming from time to time; I've got a three-year-old and a four-year-old, and I'm married to a really great, supportive husband who is totally on board with my obsession with various gadgets. Fun. So how I got here. I have had kind of an interesting journey, not your traditional journey in the cyber security space. I've been in the industry for almost two decades now, and I really did start my journey as a hacker. So when I describe to people how I got to

where I am, it dates back to when I was a kid. I'm most famous for circumventing the rules of my parents; however, I always did it as stealthily as I could. I didn't want to get caught. I thought their rules were dumb anyway, but the punishments were pretty bad. So, you know, whether it was figuring out how to make long-distance phone calls for free, or how to stay up on the internet all night long without America Online charging us, things like that. But I never really thought about how that could morph into a career. So fast forward a few years. I went to the University of Colorado at Boulder. I started my college career as a math major,

then became a biology major, and that was hard. I somehow stumbled into a pen testing internship with IBM, however, and they promised me that if I had an undergrad degree in anything I wanted, they would hire me. And so naturally I got my degree in Italian. I did study abroad in Italy and I spoke a little Italian just for the fun of it, but it was my quickest way out of school, and IBM held up their end of the commitment there and they hired me. I started as a pen tester, working on various client engagements, doing a lot of internal penetration testing. Overall I spent about 10 years during that period of time with IBM in

various cyber security roles. So I became a security advisor for major Fortune 50, Fortune 100 companies that had outsourced their security. I was an offering manager. I did a lot of different things. And then somewhere along the way I decided I needed a change of scenery from Colorado, and so I moved to Washington, DC. I got my MBA at the University of Maryland; that's when I went to culinary school, shortly after that. And then I think it's a rite of passage when you live in the DC area that you have to work for the government for at least part of the time. So I went down that path and I got a job

with the US government. I traveled the world for a few years doing infrastructure security at embassies, probably one of the coolest jobs I've ever had. But then I was recruited back to IBM Security to help launch what is now known today as IBM X-Force Red. So that was a few years in the making. I wore a lot of different hats, from being the offering manager to route-to-market leader, and left that position running the Americas and Japan for them. And then in April I was recruited to Protiviti to become the global practice leader for the penetration testing practice. And so here we are. Yeah, in the future I'm going to have to go

first, because my story isn't nearly as cool as that, but I'll try my best. So again, great to meet everyone virtually. What a weird situation to be in, having to be at home and virtual, but I'm glad we could still have the conference. This is great. So a bit about me. My name is Nick Britton. I'm an associate director at Protiviti. First and foremost, I'm a proud Texan. Despite growing up in a military family, where I moved every two to three years and found myself in a lot of weird places, we always found a way back to Texas, and I've been here since really high school,

and now it's absolutely 100% home for me. I like to describe myself as the world's okayest penetration tester. That is my background: I was a penetration tester by trade for a number of years, and I lead the team, but as I've grown in my career I've realized that, compared to the people that we have on the team now, I'm certainly just one of the okayest. I am not the best and I've got so much to learn, despite leading that team. One of the things I am exceptional at, however, is just buying stuff on Amazon. So while in pen testing there's a lot of room to

grow there, Amazon I've got figured out, so if you need tips on that, certainly let me know. A bit about how I got here. Similar to Krissy, my career in pen testing, or that whole mindset, really started early as well. I was a professional, quote unquote, gamer in high school. The esports world didn't really exist back then, so I put professional in quotes because I just found a few online retailers that would give me free stuff or free swag for putting their company name in my handle on Counter-Strike. But it really was that type of thing that got me interested in building my own computers, spending a lot of time on IRC, finding

games, things like that. And that really led to spending a lot of time looking at how to hack games and how to hack different things, because you're in that kind of culture, and it's really when I started to fall in love with the security community and just the computer community in general. I ended up going to Baylor for undergrad and I ended up in the business school somehow, and I found myself at Protiviti right out of school. I actually spent a few years as a project manager and realized that that was absolutely not what I wanted to do. I respect great project managers; it's a hell of a trade, but for me, I wanted to be down in the weeds

and in the technology of security. And that really started when I attended BSides Las Vegas for the first time. I just fell in love with the community and realized that pen testing was my passion and something I wanted to do. I was really fortunate that Protiviti kind of gambled on me and gave me the opportunity to jump into the pen testing space, and I was absolutely carried through the first few years of offensive security by the people around me on my team, by the community, by everyone that publishes open source tools and open source articles. I had no idea what I was doing starting out, and I was just absolutely carried

through it. Since that time I've developed the pen testing practice for Protiviti in Dallas, and we've built an absolutely amazing team that we'll talk about as we go here. My role has really transitioned now out of just thinking about Dallas and really thinking globally with Krissy. I'm now the practice development lead for Attack and Pen at Protiviti, and I'm super excited at the rate we're growing, and I'm excited to talk about the techniques that we've used to grow the team and how you might be able to leverage some of those yourself. Awesome, thanks, Nick. All right, so enough about us. Let's just jump in and get to the

part that you really want to hear about. This next section that we're going to go through focuses on building out a team, and I'm going to specifically talk about hiring and the structure of the team that we've built. All right, so how to conduct a meaningful interview. Let me just start by saying this: I do not have the technical chops to go toe-to-toe with the very technical candidates or the recruits that we're going after. I've got a whole team of people that can do that, and we've built the trust and that structure there, so I let them run with that part, and I really focus more on the emotional

intelligence aspects of the candidates. So really, who is the person, what are their behaviors, things like that. I usually gear my questions around things like: could I see myself working with this person? Would others on my team want to work with this person? Will this person be a culture add to our team? And I don't mean just a culture fit, you hear that often, but I'm looking for adds. So what are their extracurriculars, what are their interests and their passions and their backgrounds, what kind of diverse perspectives can they add to our culture to make us even better? What is the person's emotional quotient, so what's their EQ

score, what does that look like? I look at things like how they present themselves, both verbally and physically, during the interview. Are they on time? Are they dressed appropriately? How do they articulate their thoughts? Are they self-aware? Are they prepared for the interview? Things like that. I also like to leave time at the end of an interview for questions. I'd like to hear what they are thinking, how what I'm saying resonates. And one of the things I keep in mind, too, is how the questions that I'm asking of them are received by them. So for example,

asking a simple question like "what side projects are you working on?" could be interpreted as maybe this person is trying to get insight into what my life circumstances are, when really, in fact, all I'm trying to figure out is what are your passions, what are your interests. So another way that we look at phrasing something like this is: if you had 20% of your time at work to dedicate to a project of your choosing, what would it be? I think that really gets to the pieces of information that I'm looking for to see if this person is going to be a good fit or not.

Next I just want to share with you some insights into what I look for and what I avoid when hiring as well. You can look at the list here, kind of the things I call winning and the red flags. A lot of them are really obvious, right? Having that confidence, being prepared for the interview, being enthusiastic, things like that. But there are a few that I do want to point out that maybe you haven't thought about, and we see some of these traps sometimes, so take note of some of these and consider them for the next interview

that you might be going through; maybe it'll be with me. So what I look for is OSINT, okay, so open source intelligence gathering. What has the candidate done to research the company, research the job, research the team, research me? That helps show that there's an interest and an understanding; they didn't just get caught up in the title of the job post, for example, "ooh, it says pen tester, this will be great." Really digging in and trying to get an understanding of the business that the potential employer is in and the team that you'd be working for. I touched on asking questions. I love seeing questions; it shows you're

engaged. Honesty, you'll see that as a theme actually throughout this presentation. We value honesty here in my team and at Protiviti. Has ideas, and notice that I didn't say has good ideas. I like ideas. Any ideas we can work with. It shows that somebody's thinking, and maybe it morphs into something else that becomes some sort of really great idea that we spin up, a new thing, a new tool, a new offering, I don't know. I also like disruptors. Now I put in parentheses there "with tact," okay. I like disruptors that want to challenge the status quo but do it in a tactful and respectful way.

I hate hearing "oh, this is just how we've always done it" or "this is the way I've always done it, it's the best way to do it," and being closed-minded to listening to new ideas and things like that. So from a red flag perspective, again, a lot of obvious things here, but one of the traps that I've seen is this victim mentality, if you will. So blaming everything on somebody else: my previous boss hated me, or my old company was out to get me, or I was ignored for promotion, those kinds of things. I like to see

people that really take ownership, and even take ownership for their mistakes; it kind of goes back to the honesty aspect. Also, I don't really like to hear the gossip about previous bosses or employers or colleagues, things like that. It kind of sends a message of: if this doesn't work out, are you going to go do that to us as well? Those, I think, are the highlights there, and just keep these things in mind. They really do help during the interview process, especially when you're interviewing with a leader of the practice versus somebody from a technical perspective. So next I want to get into team structure a

little bit. When I think about building out a team, and what I've done here at Protiviti and in the past, it's focusing on things like depth and breadth, okay, and I don't mean just depth and breadth of skills. I mean things like diversity: diversity of the people, of the backgrounds, of people's aspirations, of people's interests, things like that. And I like to make sure that it is visible to my team what opportunities are available for growth. A lot of people have different things that motivate them; they have different aspirations in their career. So making that known: maybe they want to pursue a technical track, maybe they want to get into leadership

or into business development, project management (I guess Nick's not going to be into the project management route), or operations. So I really subscribe to the model of "you've got to see it to be it," so I make sure that these kinds of opportunities are known. And then from an engagement perspective, the teaming structure: we do a lot of deliberate pairing of testers on our projects. So we try to run with at least two people on a test, with varying skill sets: some are specialized, unique skill sets, some are maybe folks newer to the practice, and we use it as an opportunity to really do a lot

of cross-collaboration and cross-training. I do believe in scaling up our internal team versus just recruiting from outside to fill a specific gap, if it's possible. And then the question that I think we're all debating right now: remote, to be or not to be. I've actually worked most of my career remotely, so I have a lot of very pro-remote things to say, and I think it can be done successfully. And it comes from an environment of being on site, and that certainly has its pros and such, and COVID is really testing how we can all operate in a productive and collaborative way.

A lot more to say on that when we get to the Q&A piece, if anyone has questions or specific insights around that; I'm always happy to answer that. Yeah, you're absolutely right, Krissy, and COVID has tested my theory that you have to be on site, and I know you laugh because you heard it right when you started. I love being on site, but there's so much you can do now virtually, and I'm learning that you don't necessarily have to be face to face with somebody to learn from them and teach them and be successful. So it's been

an interesting year. So next we're going to jump into our next section, which is battling the business: some common challenges and issues facing teams pre-engagement as well as during the engagement. And ideally, right, we say battling the business, but ideally, in a perfect world, it's the SpongeBob rainbow partnership, right? A pen test is wanted by the client or the organization that you're hitting, they want your findings, they're receptive to it, the scope is whatever you want it to be, everything goes well, and it's just amazing. But in reality, that's probably not it, and I feel like this sums up the majority of my day: I'm having difficult client conversations because they

don't like the way the findings are positioned, the scope isn't what we want, the budget, there are so many things. And of course during those conversations I'm nice SpongeBob, but I have to kind of stew over those things, because I would love it to be perfect. And then, of course, when I describe the conversations to my wife I'm Hulk SpongeBob and portray it as if I just told them exactly how it was going to be, but that's never actually the case. So there are really three things that we think of, and three battles that we fight, and I wanted to give you some tips on

how at least Krissy and I (and we even handle these differently sometimes) handle the battles that we go through day in and day out. First is foundational, it's fundamental: it's scope. And you're probably rolling your eyes already at home, because this is something everyone has to deal with, always. Scoping assessments is so important, and it's getting harder because pen testing is becoming more commoditized. Every day you're hearing about some artificial intelligence or some machine learning program that's going to automate all the pen testing jobs, and you're just going to click a button and it's going to run a red team, quote unquote, scan, right? Well, we all know that's not the case,

like there has to be a human element, because there's a human element on the other side, right? So you have to be able to talk through that with your clients during the scoping process to ensure that you're on the same page, and that's where we'll start: ensure you're speaking the same language. The first thing I do with a client, if it's the first time we've talked, is I make them define pen testing to me, if that's what they're asking for. And I say, I know what I think pen testing is, but what does it mean to you? Do you see it as automated scanning, a vulnerability scan? Do you see it as

threat emulation? Where in the maturity level do you see it, and what do you really want? And once you get that common understanding of what they're actually looking for, you can start actually building out the test and the program that they're looking for, without even worrying about the language and what you're calling things. Next is: not everyone needs a Cadillac. This was really tough for me as I transitioned from a pen testing role, where all I wanted to do was deep, multi-month red team engagements, into leadership, where I was having conversations with clients and scoping engagements. If you're a hammer, everything looks like a nail, right? So I wanted to do red team assessments,

so all I told clients they should do was red team assessments. Well, small businesses, businesses that aren't necessarily in a secure posture yet, they don't need a full red team assessment. Some of them just need a VA scan; some of them just need a basic net pen to identify some of the low-hanging fruit so that they can build their posture and eventually get to a more mature state. And that was tough for me for a long time, but you've got to remember, some people don't need that Cadillac red team with physical, social engineering, and the works, right? And I think that goes really well with my last point here:

you've got to work through scope restrictions. We could probably have a whole talk on scope restrictions, right? I'm sure there are memes and GIFs galore on Reddit about scope restrictions and pen testing. This happens all the time, but you have to be somewhat understanding of the position that you're putting the business in. It's not always your point of contact's decision what the scope can be. We are here to support the business, and there will be times when that system that they know is vulnerable is going to be out of scope. Not everything needs to be a red team, not everything needs to be in scope every time.

Sometimes it goes back to understanding what they need, to make sure that you can still give them a good test without just barreling through the scope and making the claim that if not everything's in scope, it's not a real test. Maybe an unpopular opinion, but I'll say it. So battle number two is all about expectations. You've scoped your assessment, you've already started, and you're proactively managing expectations with the client by defining scope, ensuring you're on the same page, you're using the same lingo, you have a common understanding. But now you need to channel your inner Noah, and apparently Krissy's never seen The Notebook somehow, so I had to describe

this meme to her. So for anyone else out there that's not seen any movies for the last 10 years: in this movie, Noah is getting back with his wife and trying to figure out what she wants, and he's just continuously saying "what do you want, what do you want, what do you want," kind of berating her with it. So probably don't do that to your clients or your business partners, but I think it's important to continuously ask through the process what they're looking for out of the test. And it can be hard to drag out of some people: what are your actual goals and objectives with this pen test? Is it just to check a box?

Is it to get more security budget? Is it to test some changes that you've made to your network? Keep asking until you get to the real problem of why they're having a pen test, or why they're asking for a pen test, because you can start to get some really great information that can really drive the way you approach the test and drive the approach you use. And sometimes it takes a few times going through it for someone to really understand why they want a pen test. Sometimes it's a battle for them as well. Oh yes, battle number three: when it all goes wrong.

Kermit says "oh no." So this is taboo to talk about, right? This is the thing that no one wants to say. It's uncomfortable for me to talk about, because I think we all just pretend it doesn't happen. But in reality, like I said, this is a human-centric practice. Pen testing is not artificial intelligence that just does everything right every time. It's human-centric, and it has to be, and so with that, things will inevitably go wrong sometimes. So first, we're doing something that's inherently risky, and we're targeting things on a network that is typically in production, and eventually, if you do this for long enough, you or one of your testers is going to

break something. For example, maybe a bank mobile app that controls mobile banking, just as an example. And it's really important to tell your testers, and instill a culture in your organization, not to encourage that, but that it's okay that these things happen from time to time. A, because you want your testers to be able to come to you and tell you immediately if something's happened, and not be scared of ramifications. If you scare your testers, or if you're scared to tell someone, you're either going to try to sweep it under the rug, and it's going to get caught anyway, and you're going to be in a terrible position, or, I think even worse, your testers are

going to be scared to do things that are risky, and they're going to be scared to push the envelope and try new attack techniques. And we have to manage that, but at the end of the day, I tell my guys and girls the relationship we should have is: you should come to me with crazy ideas that you want to execute on a network or on an application, and it's my job to manage the risk. But I want you to be brainstorming and thinking of new things and pushing the boundaries of what we can do, and I think it's important to have that relationship and have that culture in a

team, because you want the team to constantly expand their skill sets. The second thing that goes wrong: you're going to have clients that say you missed something. "You did something a year ago and you didn't catch this." And I think it's important that we start talking about this more openly, really as an industry and as a community. It's not a silver bullet. Pen testing is human-centric, it's a point-in-time assessment, and there are a lot of variables in any test, and you are not going to find every single vulnerability on any test. I think it's taboo to say that to a

client or to a business partner, and so they have this expectation, maybe, that you're finding every single thing. Krissy mentioned it earlier: we need to be honest about what clients are getting and tell them, we have these capabilities, here's what our team does. Maybe write the narrative of all the things you tried, but at the end of the day there are limitless possibilities of ways to attack your network or your application, so there's always the possibility that there's more out there. That's why it's important to build a program around testing and not just have one a year, one every five years, or

whatever it might be. So we'll wrap up a little bit on the battles we have with the business, and we'll switch to our namesake: managing misfits. And spoiler alert, we're all misfits here. I think you kind of have to be to be in security. It comes with a certain mindset, and it's what makes us successful, and so we'll talk a little bit about embracing that as we go. I looked up the definition, and I only stole part of it, because after this part it gets kind of unflattering, but this is the part I decided to focus on, because I think this is what really matters to me: a misfit is a person whose

behavior or attitude sets them apart from others. And I think that's exactly right, especially in pen testing. If you look at our team, and me and Krissy, I think we do have a different attitude or mindset than most, and I think it's the curiosity and the competition that makes us successful in the things that we do and makes us so good at security. We're always kind of poking and prodding at different things, whether it's trying to get free long-distance calls or hacking Counter-Strike for better gaming purposes, right? So with a team of misfits is going to come a lot of unique personalities, and

that might be an understatement. I kind of put this statistic together, and my thought is that people management is 40% organization, 30% leadership, 15% preparation, and like 80 to 90% awkward conversations. If you're in leadership, you probably have a giant smile right now. If you're not yet, and you want to get into leadership, be prepared. When I got into management I was not, and I was flabbergasted by the number of awkward conversations that I had to have on a daily basis. You get better at it, but I don't think it's something you can really prepare for. You're going to be leading a team, you're going to have to have

conversations that are going to be weird: about performance, about other people's careers, about their goals and aspirations in life, about their feelings, about hiring and firing decisions, and it is awkward. But you have to be willing to embrace that. If you ignore those things, you will not be a successful leader, and your team will not be successful as a group, because they'll feel like they have to hold all that in. So open and honest communication, even awkward communication, is essential, especially in something like pen testing, where there are so many variables and so much going on. And I stole a quote from General

McChrystal. If you don't know him, you should look him up; absolutely amazing leader, he has some great YouTube videos. But he mentioned: great leaders can let you fail, yet not let you be a failure. And I think this ties back really well to when things go wrong. So it's important to instill that culture in your team that failing on an individual project is not necessarily a bad thing, and just because you haven't succeeded in a daily task or a project or something doesn't mean you as a person are a failure. It just means that you dropped the ball on something, and

it's something to learn from right so we have to instill that culture to keep everyone driving forward and then this is my wonderful microsoft paint work as you can probably tell looks very professional excuse me i won't spend a ton of time here this is something that i've drawn on the whiteboard in my office a number of times for new consultants who talk about kind of what their development plan looks like and i view it kind of as an hourglass so i see this kind of broad you know we want people to have a lot of experiences as young consultants and we want people that are getting into the industry you know regardless of kind of how they got here we want them

to get a lot of different experiences and exposure to a lot of different things people will inevitably come in and tell you exactly what they want to specialize in day one that's great you can't tell what you want to specialize in until you've had some of those experiences and so push your team as they come in and they're new to the industry to get a broad kind of a broad strokes example of all the different things that you offer and what will happen is as they progress in their career they will gain expertise in a single area and start to specialize and then they will eventually broaden back out um you know potentially or or not maybe you

know they'll stay that expert in a specific area but a lot of people kind of broaden back out and that's kind of where chrissy and i are at is kind of getting out of the way of the people that have that have you know super specific expertise below us and letting them do their jobs exactly thanks nick and then you know something no matter kind of where you are in that inversion there um something we're all dealing with right now is burnout so i want to talk about that for a minute um but you know for some statistics because i really do like numbers in a recent survey 63 percent of organizations are experiencing a shortage of i.t staff

dedicated to cyber security i know you all know that um and that is a very big number and we are all working toward you know closing that gap with um you know cyber security skills and things like that i feel very fortunate to work for protivity which is a subsidiary of robert half we have the ability to reach in to robert half to help fill some of these needs so that we can avoid some of the burnout that um even our client staff is is feeling right now especially um 57 of workers in the tech industry are currently suffering from burnout so you're not alone um 65 of stock professionals say stress has caused them to think about quitting

ninety-one percent this just seemed really high to me um a fisa say they suffer from moderate or high stress i might need to rethink my own career path i kind of always thought i wanted to be a cso but um 97 suffer from stress um but yeah i mean we're all feeling it right now um especially with the times that we're in with covid with politics the social inequality issues that we're hearing about every day um the natural disasters you know here in colorado we've been battling fires this summer so there's just a lot going on it all contributes to that stress and kind of that overall burnout so again you're not alone um but you know really how do you how do

you avoid it i don't know just kidding i mean um but but really like i really do wish that there was a silver bullet for this um you know what i've learned through the years is that you know different things work for different people um some people are good at things like setting boundaries and sticking to it taking vacation some people aren't as good at it specifically nick he's pretty terrible at it i'm not sure when he actually even sleeps um but i try as a leader to really reinforce that you know we need to take that time we need to set some boundaries um and i i personally set boundaries and i communicate those things with my team

and with my leadership and i try to set an example of that's okay it's okay to say that you know for me between 5 30 and 8 is when i spend time with my family that's when we make dinner that's when we you know bathe children read stories um they go to bed at eight and then after that is kind of a free-for-all you know it's either time for me to get some self-care um or you know maybe my husband and i will watch a show or just catch up on the day or our plans for the weekend but between the hours of 5 30 and 8 i'm really pretty good about sticking to not looking at my phone i'm not looking

at my emails things like that because that is kind of the only time that i really get to kind of disconnect uh from the craziness that is you know cyber security and the world that we're all in um you know so so again it there's not a magic bullet um but this is my advice you know just just try to set those boundaries communicate your needs disconnect when you can um even when i say really just do it uh it's it's hard it's hard to do um and for me too like when i go on vacation i do take vacation i'm really good at it actually i love it um but i do make sure

for my own stress levels that i check in periodically like every every day or two you know just open up the email just see if there's any fires burning um and you know if there's any kind of escalations or things like that um but i've also built a really strong team under me um and so you know i can trust they can handle things um but for me it helps just to check that email because then i don't come back to a pile of mail and you know have that thought of uh no good vacation goes unpunished a lot of companies have a wellness programs available you know i've seen some cool things around exercise platforms

mindfulness sessions i've recently been seeing some guides for you know healthier meal planning and things like that so the list goes on but again different things for different people um it it's easier said than done to to really take that time now there are some things that your company can do and you know these are things that i instill within my practice and creativity certainly does as the companies things like you know genuinely genuinely supporting the needs of the people you know so being flexible with work schedules so you know some of the things that we're doing is you know we've got parents in our organization that are now teachers and homeschooling their kids and so if

they need to you know shift their work schedule because between you know 10 and 12 they have to teach math um then that's a time when we're not going to have meetings and you know our clients are respecting that as well to you know not you know to be able to shift those meetings to a different time to support those those parents that are in those test positions um we also try to do no video fridays because you know now with everybody being remote i swear we all used to be fine with the phone and just talking like via audio and suddenly there's this like influx of like you know everyone needs to be on video we all have zoom fatigue

and so on um so so you know studying aside like fridays or whatever time is okay to not get on video go take a walk while you're on this call um we also do you know different types of recognition and training realizing that different things motivate people differently um try to get out of that whack-a-mole mode you know try to you know not always be like that knee-jerk reaction to everything quit quick everything's a crisis like let's get a strategy and a plan together um so that we can avoid that burnout as much as possible we're also looking at different technologies that we can reduce that we can implement to reduce workloads so different automation techniques you know

free up some time for our people to focus on you know kind of the more interesting things and get away from some of the mundane tasks so i wish i had the answer and the silver bullet but hopefully some of these suggestions um will help you and help your company um as well as we kind of all get through this crazy time all right so i hope you feel so much smarter and wiser you're ready to go start your own pen testing practice um really just some of the key takeaways we want to leave you guys with uh you know things that kind of resonate and bubble to the top for us is really the big

priorities here is you know when you're hiring hire for potential don't just look at current skill sets um you know you can upskill people if they have the right attitude and the right passion and things like that um we need that diversity in the diverse background that sometimes you can only get when you look at you know people from that perspective the team structure is critical um it's critical for employee engagement for people to be able to see their future potentially you know what leadership roles or what technical roles or other roles that they could potentially move into is really it really helps people to stay engaged and be productive and contributing to the team and

themselves and the organization communication is key key to manage all the things whether it's communicating you know the expectations with your clients with testers with others in your organization um even about you know any special like flexible work schedules you might need really communication is key and embrace the inner and outer misfit um we we love you all and um we i love this space personally i love um you know the the personalities and the mindsets that this particular space and then cyber security in general uh brings and just want to give everybody a big virtual hug and then again yeah no sir no silver bullet for avoiding board up sorry but thank you for being here um we

really appreciate your time and over to you nick yeah thanks chrissy no i mean i agree i i thank everyone for joining and we're asynchronous now so i believe we're gonna have a forum for questions but if not you know feel free reach out to chrissy or myself on twitter linkedin kind of anywhere you can find us and we're happy to chat and we look forward to talking to everybody thanks thank you