[Slide 1 – Intro]
Hi, it’s me. I have been around a bit, which means I’m old and wizened, but it also means I’ve seen a lot of stuff and experienced a few things. This talk is to cover some of that in the perspective of how and where to meet your peers, your management, other organizations and the community in whole about what you do… do, can do, and what to do in this career space.
Think of this as a guide on how to bridge gaps between different roles, functions, and opportunities in this space and what you can do to make your life a little better, your job a little easier, and maybe have some fun while you’re at it.
[Slide 2 – Defining the problem]
• A little history
We are, as a simple calendar recounting of it, about 40 years into what is now commonly referred to as cybersecurity. This isn’t saying that hacking, phreaking, building and defending secure systems didn’t exist before that time—but as a space that can be clearly defined as such, this is where we are.
As we wake up each morning, some of us jokingly refer to ourselves as “greybeards”. Our joints crack, we grab the occasional NSAID, and we wonder why the heck we are still punching the clock each day. We look back and think of where we came from and where we are now. Sometimes, we’re way better off than in those early days, and sometimes, things are much, much worse.
This isn’t a career talk, this isn’t a pipeline talk, nor is it a diversity talk. This is real talk. This is a talk on where we can conceivably go next, given four decades of slogging along, coming from folks ripping apart hardware in their bedrooms, basements and garages, to where now people can claim a PhD in an area of expertise we all may have done for fun or laughs a while back.
• A little current events
So, as it stands, I’m a few minutes into the kickoff of a conference that can nearly add a tens digit to how long it’s been going on. DEFCON, or about 1/3rd of what we affectionately refer to as “Hacker Summer Camp”, turned 30 this year, yet we still encounter new things every day, though much is based on mistakes or issues introduced to languages, hardware and operating systems years ago that adversaries are still discovering and working against us on. It provides some of us a good paycheck, and for new folks here, it’s a suitable answer to family members as to “what do you want to do when you grow up” questions that get asked around a communal meal table.
Personally, I started out as most people my age did, I think, wanting to be a vet, an astronaut or, in my case, to get into visual effects for film, well before I fell into my current career and glommed on to it the same way a remora uses cast-offs from a shark to survive. I’m not one of the rock stars, ninjas or pirates that have a blue checkmark on a bird platform, or honestly, make a living on a speaking circuit or are known for a “thing”. I’m a working stiff like probably most of you here, and I have some news from two out of those four decades to impart on where the next four, or maybe just two, upcoming decades may lead us.
• A little crystal ball glaring
I currently “work” (quotey fingers) for two organizations. One is my primary source of income, a large entertainment company that may be reflected in the clothing I’m wearing today, but which I am prohibited from speaking on behalf of. The other is a side gig doing research for a DC think tank on security policy—oddly where my primary interests lie.
My full-time day job says, because of their business, that asking for a 3, 5, or 10-year plan and strategy may be out of the question due to the nature of what they do and how often tech changes. Whereas the side gig asks me to think about what’s hot now, and help develop strategies that can put those 3, 5, and 10-year plans into something that can be managed and trusted. It makes my head hurt having to context switch several times a day.
I look back to when I was a bit more operational in “finding evil” in a tech environment. Looking at what is coming across threat feeds or social media today, I realize that while it is somewhat more sophisticated than back in the late 2000s, it’s still primarily the same actors doing the same thing and targeting the same stuff. We have new tools and techniques… and so do they… not so much a cold war, but an escalation of brinkmanship at times.
I look hard into this abyss of the future and know anything I say today will be invalidated, probably by the time I step off stage to some extent… and that’s what we deal with collectively.
[Slide 3 – Our hottest challenge(s)]
So many of you here, who call this space a career, have a title that, based on research for other talks I’ve done over the years, didn’t exist before 2010. Honestly.
For those who aren’t my age, this is either also backed by a certificate, a certification, a degree, or some other track you followed adjunct to any personal curiosity you had in this space before you drew a paycheck. That’s cool and that is okay.
However, it’s a current barrier to entry for many job opportunities. Please have this cert, this degree and be this tall to get on the ride, and have a decade’s experience in a tech or language that’s barely a half decade old. Shit is broken, I say, but we keep feeding it. There are differences between expectations and reality, but also the desire, driven by regulations, laws, and a general sense from private companies (the public sector has different issues) of “please don’t sue us”, to then ask the world for help and get maybe 30% of what they wanted in resources and talent.
Me, I sure as hell didn’t start off thinking this was my space. While I have a degree, it is in no way related to my current job nor any of my time where my title had anything remotely associated with security. Don’t put faith in paper. Put faith in yourself. However, those who are hiring, stop asking for friggin unicorns… they don’t exist in a quantity or cost you can afford, so re-jigger your asks and think deeply and better about your actual needs.
Even the US government doesn’t have it right. In my two lovely, data-based talks on hiring in this space for security and DevSecOps, the data which drives this demand is so out of sync with reality that it feeds an entire news cycle about how screwed the world is, when it actually isn’t. Hire SMART people, hire CURIOUS people, hire CREATIVE people—most who have those talents can learn all the rest. There’s no ISC2 or EC-Council cert that’s gonna foretell, when you get popped by a nation-state actor (which is the in-vogue adversary now), how those staff actually will perform under pressure or given a particular situation. Been there, done that… it’s all down to how people work with one another and if you can look at the situation, realize how screwed you are, and come up with a plan to fix it.
So, I mentioned “greybeards” earlier, and that’s a more affectionate term for folks who’ve been around, seen some stuff, and tend to better regale us in stories of yore than face the fact that we’re at a different level now, and just being technically proficient at fixing stuff doesn’t make the grade. We actually have to properly interact with other humans to be more effective at our chosen vocation.
We, as humans, have a self-protection switch… namely, if we feel threatened, we find ways, barring traditional weapons, to fend off impending doom. So, as I noted, folks who’ve been around, or those who may be in self-protection mode, are about keeping control, knowledge, experience, or just generally act like a-holes when it comes to welcoming or supporting new folks in the field. Seriously, just stahp it. I can count in large volumes how much I’d appreciate another person to help with all the work I have done and have to do. Your fear is about transferring knowledge and trust to somebody else.
• Management vs. Engineering
Most orgs, it seems (and maybe your own is different), identify person X as being fantastic at what they do, and to think about how to transfer and manage that knowledge, they promote them. Yeah, in most cases, that doesn’t work.
Management of people, projects, and so forth is another skill that is entirely different from doing the tech thing you may be known for. Being forced to basically lead people, or even projects or programs, may push folks well beyond their personal comfort levels and even career desires. Much like in academics, being a talented researcher doesn’t make you an excellent teacher. If you have the talent for people and resource management and communication skills (by far that is rare, but it is also desired), it’s up to you to determine how you want to use it.
For managers, listen to your people. If you take the route of placing your staff in roles or duties they have no interest or desire to be in, then you may not only be at fault if they leave, but if they stay, it may adversely affect the overall operations and goals of your org. Instead, provide opportunities and growth avenues for people to explore. Strictly being dogmatic about keeping technical people technical or management people management removes the ability to build trust, empathy, communication and work experiences for your staff.
• Everything changes
There is no time in your career where you or your peers will have mastered all of what there is to be in this career space. Stop comparing yourself to others, whether they are super deep in a topic or super broad – you do you. The one constant here is that everything changes and evolves – so can you, but don’t let it get overwhelming. Finding your niche or sense of enjoyment is part of career and life development – it may be immediate, it may take some time. Heck, I’m 25+ years into this and I’m still dancing around with what gets me out of bed each morning short of an alarm.
The other part about change is, if you’re a little lost now, it may be a bit until something comes along that hits you where it is “the thing you want to do”. It could be something that doesn’t exist now, or it could be the smashing of two subject areas together. Heck, I had been doing cyber threat intel analysis well before it had the fancy title – it was interesting and fun, but it was so long ago, I don’t think I’d want to return. However, it informs me, like tools in a toolbox, that this capability is there, and having somebody now specialize in what was just part of a day job or activity is now all unto its own. You need to fill your toolbox, but it’s okay to lend those tools out, or even get rid of those tools when they don’t suit what you need or want to do. If you learned it before, you can learn it again; it’s not going stale, it’s focus and relevance.
[Slide 4 – Think globally, act locally]
• Your personal sphere of influence
So, I get asked “what can I do to get to X or get Y” and it all comes down to knowing where your sphere of influence covers and where you need to work with getting it connected with others to get what you want or need. It can shrink sometimes, it can expand in others. Often, the sphere of influence shrinks when you change roles or employers, or even careers. Again, this is okay.
Figure out what you can change… both in the near and strategically, in the far. This is chess, not a speed run. Those who aren’t you require nuance and manipulation. Not gaslighting or something malicious, but understanding each person and their role needs to be handled uniquely.
A lot of frustration arises when you start in on something, a new gig, project or other activity, and you feel nobody is listening, paying attention or seeing the value in your work. That “sphere” is part of where those edges can touch and influence. Sometimes it’s aiming too wide in your “blast radius”, thinking you have a megaton idea, when it’s only a few kilotons, and those who you wished were paying attention have sights elsewhere. However, a number of small blasts can get the attention you may so rightfully need.
Your sphere can increase as you move up the proverbial ranks, but that isn’t always guaranteed, as you can have an enormous influence but also be isolated because of having to pull the switches and levers to manage things, becoming more distant from the main action. So carefully figure out where you feel comfortable and where your skills and influence find the balance you’re comfortable with. There’s also a way to chain your spheres, like a perverse Venn diagram, where your work and messages are carried up the chain and across the org through the network and structure.
• Getting the gang/band back together (aka “why security conferences?”)
You find yourself here, at a conference, some of you as attendees, staff or speakers, and to be honest, in our field, this is one of the best ways to expand your sphere of influence. You’re acting locally in this case, and hopefully spreading the knowledge globally, especially since our career space rapidly adapted to sharing talks via YouTube and other means. This comes often because of the need to disseminate our timely research quickly to the world and others, but also a need to just be open and transparent about cool stuff we found, built or know.
While we evidently see the social aspects of get-togethers such as this one, like sitting in the talk you are in now, they are also a way for folks from different orgs and situations to come together, learn, exchange experiences, complain at times, but also do a check on their work to see if they are doing the right thing or what they could be doing to make their lives easier and do their jobs better. It’s often harder to demonstrate these types of value back to those who sent you, especially if your attendance is sponsored, but the aforementioned items are exactly what should be conveyed.
I’ve always been dismayed that for the longest time, senior leaders in our career space often never made it to smaller cons, and even the larger ones were sparsely attended. However, in my current role, which has me addressing technical partners outside of just security, I see that vendor conferences typically push to have “guided attendance” for executives. By that, they are often handed a VIP experience that somewhat shelters them from all of us, focusing on the general tech, or something top level, that leaves us to gather all the details. While that seems insurmountable, it is an opportunity to bridge those gaps – a conversation starter, at least knowing that they had some exposure, and to try to keep that momentum, if any, from their time there.
• You don’t need to be a security person to help
While I was going to note this under the last point, my own attempt at doing outreach was not at a security conference, nor was I wearing a day-to-day security hat when trying to reach out and up to executives. Sadly, it almost cost me my job, but it emphasized my seriousness in making sure I busted them out of the bubble they were kept in at an event. It did work; it required some time in Photoshop, a trip to Kinkos in the morning and a little passive social engineering, but I got time in that space without following the rules and literally busted them out of it.
While this is an extreme case of trying to connect these roles, sometimes it’s warranted. You have to pick and choose when you want or need to stick your neck out, and sometimes you also find somebody willing to do the same. This isn’t about breaking the rules, but emphasizing you are serious about your work and getting others involved and aware.
This also may be where you do outreach outside of your tech circles, perhaps somewhere in a business line, budget and finance, HR, and somewhere you can show tangible benefits without trying to slog through the orthodoxy. We are hacking the org, but also demonstrating value outside of the typical org structure. Some folks may get pissy that you went outside the chain of command, but you need to find those areas and opportunities to have others carry some of that water for you and spread good words about your work. Create your own marketing as it were.
• Paper, shmaper – can you do a thing? (aka “screw certifications”)
Yeah man, screw certifications, degrees and all that crap. Yeah, I have one, and while I think maybe early, early on it may have helped, at those times I wasn’t doing anything really related to my degree, and definitely nothing directly security related. This comes from both sides, putting too much emphasis on outsourcing trust, such that it ignores that experience and knowledge exist. Even as a hiring manager, I’ve been stuck with some interviewing rules that prevent me (and my panel) from directly asking about a skill – that’s where some of this has gone horribly sideways. There’s never a way to directly show it short of – oh wait, taking a certification exam.
However, this does nothing but standardize answers and remove creativity – which then seems to play against the supposed demands of orgs wanting “unicorns”, postings we often like to roast on social media for being out of touch. This is where some fixing needs to come into play – and possibly, if you have extra spoons to do it, or are in a role, or can influence a role that is involved in hiring, help change that part of the process. I believe one of the folks here (who’s on the board, or staff) has written a book on this topic and given a few talks, so I’ll refer some of that more in-depth stuff off to them.
We will often hear that organizations use this as a bare minimum, but what it is, is another level of gatekeeping – against those who partake in non-traditional learning, those who are doers and explorers, non-neurotypicals, or a host of other folks who find this “card collecting” an antithesis to how they think and perform. When I review resumes, I will usually recommend folks focus on the concepts they understand and things they’ve done that have improved where they’ve been. If new, express where your interests lie and a willingness to explore and learn. But, there’s always the other side, the hiring side, which also needs changing and adapting.
[Slide 5 – Hacking people, it’s not what you think]
• Be a useful disgruntled employee
Let’s be honest, if you’ve been at this stuff for a while, you’ve been in a role, org, or other situation that has not been what you’ve deemed as ideal, good or even healthy. It’s a paycheck or something to keep you from staying home and playing video games all day, but I’m sure most of us have been there.
Well, the key thing to keep you moving forward, and hopefully out of that situation, is being a useful disgruntled employee. Why would I say that, as it seems counterintuitive? Well, take a moment to examine how you got where you were, the situation that helped everything go wrong, and if things were ideal, what would need to be in place to make it better? Sometimes you can adjust a few things where you are to make it better and worth sticking around. That’s some growth. Other times, you need to document what’s off, and if you know you can’t be there to help, find somebody who can carry that message forward – either while you are there or after you have moved on. If you don’t, it may just get worse for anybody who comes in after you. As they say, folks don’t leave their jobs because of the job, but because of management. In short, it may really be them and not you, and they may be open to a change or a suggestion, especially if they are moving forward without spending some time reexamining what and how they do things.
There’s also the other way, by burning it all down – but after nearly 30 years of professional work experience, I will say that it’s not the best thing to do – trust me. I mean, if I had to point to any recent example of how to sort of do both, I’d point to Mudge and the Twitter story – and let that simmer and work through the process on how to do things better. As somebody who’s worked for an inspector general of the federal government, I can say we have whistleblower facilities to help with this. For publicly traded companies, there’s the SEC and Congress, and for others, an ombudsman typically is employed to collect and move these things forward. Don’t give up hope entirely.
• Play with your management, and always win
Management isn’t as smart as you give them credit for. A good leader will always staff the org with people smarter than them; an excellent manager will listen to their staff and learn when they can, but trust them because of their knowledge and skills. Knowing that, but also understanding when to check your ego at the door, will help with the day-to-day work, and allow you to understand your impact without playing politics. Granted, you will have to play a bit to their blind spots at times, and know where you may push softly and where you need to push harder.
I will say that some of this is loaded with some gender and age complications, as each of these is affected by societal and cultural biases. However, it may be useful to team up with others when you may feel you’re not being heard or getting the momentum you need. Having what you want to say come from somebody else’s mouth, with an understanding with that ally that this isn’t to raise them up and kneecap yourself, can help. Know what credit is worth fighting for, don’t get petty, don’t get greedy – find the highest-value ones to fight for.
• Communication is more than waving hands and jumping up and down
I know this may have been beaten to death in other venues, but even when I go back for alumni mentoring events for my alma mater, I note that if there were any non-major-specific training/practice I wish I could have had, it would have been a debate/speech class and a writing class. Much as folks joke about schools not teaching life skills like filing taxes, young adults should know that no matter which career they end up in, communication skills are key. This goes from engineer to programmer to journalist. If you can’t get your ideas across well, all the items I mentioned about gaining support, growing and evolving in this space are all for naught.
Know when to gesticulate, though; I recommend not using “The Bird” too often in meetings, but you have a right to get animated. Properly extolling your excitement, urgency, or other attention to a point may only “get into people” if you’re grabbing their attention at the right moment. This can also work for meetings and presentations – although this career space is pretty well known for catchy talk titles, memes and other witticisms.
• My motivation is not your motivation
As I said earlier, what gets me out of bed each morning may differ vastly from what gets you out, or my bosses. Knowing that folks have differing priorities is key to navigating daily interaction in your personal AND professional lives. It is probably the essence of social engineering a process. Figure out what the end goal is and, obnoxious as sports analogies are, work out a game plan of how to avoid being blocked and/or tackled. When I was a CTO, I worked with business representatives more often than fighting with specific techies about a point. I knew my CIO boss was not as technical as I was, so I used similar business language to ensure he was on board and aligned with the business units. Observe and react.
[Slide 6 – It all starts with policy, and ends with engineering]
• Finding the right path, bludgeoning the right things
It’s very easy for technically minded people to basically think you can engineer your way out of everything – whether it’s technology, math, or a proper use of detonation material. Sadly, as noted before, communication skills are the easiest and most precise, yet also the most fungible, of all tools to wield. We are often forging ahead, introducing new tools, solutions or gizmos into an already muddled process or problem, often not taking a moment to step back, talk about it, eliminate, change or otherwise reconfigure the entire problem to better align to a goal.
But, that is assuming everybody can use the same tools. For some folks, language or other communication tools may be difficult, so assessing where you can meet in the middle or assist with bridging gaps will be paramount. Some of the most amazing and rewarding work can be that gap bridging, as it generates an outcome of learning and adapting. Beating your proverbial head against the wall just because it’s the only thing you want or can do is going to be counterproductive. Sometimes it may just be pivoting a little to the side and then going at it – you could be oriented incorrectly, trying to figure out the controls for the console.
• It’s not always a tech problem to be solved for, or applied with
Again, not everything can be solved (or, in the popular term of the last 15 years, “disrupted”) or wants to be solved with applications of tech. Sometimes if that tech fails or is too ubiquitous, folks forget there are alternatives or have the ability to fall back on original methods – rendering everything unusable and untenable. Supplanting a process with automation or a fancy UI also may miss crucial, more organic ways that method or process was moving along, ways that might be more resilient or optimized, because folks just have “it must be tech’ed up” in their heads. I’ve hated this trend for a while, and right now I believe there’s way too much money going into this philosophy.
I know I don’t have to reiterate the “trust but verify” culture the security and hacking space has, since any time we’ve taken things at face value, we’ve often been proven wrong or harmed. How many of you would blindly accept IDS rules, vuln scan results, or generic threat intelligence to make a crucial decision on how to act? Think about who’s involved, how it got that way and what the possible outcomes will be. Sometimes it’s a lot simpler when you take a beat… or even take things away from the equation, like factoring.
• Need something, learn how to ask for it
Besides learning to say “no” and managing expectations, the most important thing I learned in my career travels has been how and when to ask for stuff. We are proud folk and tend to like to toil away, trying to spin gold out of spit and baling wire and straw. There are times where, when it comes down to it, it’s more efficient and results in better outcomes if you ask for help or resources. Now mind you, you won’t always get them, but making others aware that there’s a need can start a process to remedy a situation. Most orgs are trying to move from a “gut-based decision-making” paradigm to something data-based, so if you also bring things up to fix, have the data to back it up – and come with some solutions rather than just highlighting the problem. It’s easier to quickly gain resources when you lay out where they will go, clearly and plainly.
My own personal method is to give three options: a gold, silver and bronze plan, as it were. The Gold will be everything that would make a top solution, but may be a little too much of an ask. The Bronze will be a worst-case scenario, mainly where things are as they stand, highlighting what will break if not given some love. Silver will be exactly where I would want funding and resources. It’s a little manipulation of people and egos, and it may surprise you if you get Gold every so often, but most likely you will always manage to get all or most of the Silver option. It’s one of many ways to get leadership to at least feel like they are contributing to resolving an issue and sort of “making it go away”. This goes back to trying not to wave hands and jump around to get attention, but rather to play their game.
[Slide 7 – Facets of engagement]
• Volunteering for effectiveness
Right. There are three volunteering types I see – overzealous, reluctant, and silent. Some will just take on extra work because it will appear that they are eager and willing to do what is worthwhile to get ahead and improve the situation. Reluctant ones are usually those resigned to just doing it because they were told to, voluntold, or figured to do it and get it out of the way. Finally, the silent ones are just helpful folks who see a problem and dig in, without glory or recognition, but know that they’ve affected the outcome, and that’s usually just enough to keep the motivation going.
You can fit into all these categories, but it’s important to recognize when you can and need to be a bit of each. The key thing is to evaluate what the task or problem at hand is and see if you want to do it and if there’s an outcome you can affect. Being a spare body sometimes makes things harder, especially if you’ve got nothing to add. I know conferences like these and others tend to not ask for specific skill sets, and that is where it’s up to leadership to manage and muster resources. Other times, be aware when you need to step away and when you’re not helping. It’s okay to say no or to bow out.
This goes for even our spare time stuff, our hobbies, possibly a coding or programming activity, as well as work. It takes a lot of spoons and brain cycles to be an effective volunteer. Don’t be afraid to be a bystander and observer as well.
• Be clever, be applied, be helpful
This ties back into volunteering, but also to when you get asked or assigned to a team or some project. I know I learned to say “I am not what you want” back during a major life experience in 2011 when I was thrown in on a project and felt my skills and role were a terrible match for the team assembled. It took a few tasks that were given to me to say enough is enough, and I extricated myself from that team and activity.
However, other times, you might need to inject yourself into certain things if you observe them going awry or are even asked to give something a once-over. Like before, come with solutions rather than only calling out problems. By the time some folks ask for help, they will already be in the problem and want some different perspectives, and they select you because they want a unique set of skills or experiences. Don’t lord that over them, but understand that you’re a scalpel and be very direct, careful, and meaningful in what you end up providing.
Don’t be a bull in a china shop, as it were. Don’t make a mess and don’t do things just to stir it up. That is, unless you never want to be asked to help again. That can be a double-edged sword in this case: for one, getting you out of being bothered, but it can also lose you some respect among your peers if this is a consistent interaction. I did a talk on this a few DEFCONs ago at the Mental Health Hacking Village called “Fire All Your Ricks” – I’ve essentially open sourced the presentation on how to address stress and burnout in organizations, so I’d be more than willing to share it for those who want it.
• Hot take – how to share it so it means something
Probably 98% of you are on social media, and the nature of our industry, or even its hallmark, is skepticism, or a lot of “been there, done that”, to the point where we are often viewed as sarcastic husks or professional bullshitters. But, in that process, as much as we say “hey this may be a hot take”, we are also often in a position to look at something that, if you squint hard enough, could use some poking and prodding to get a bit more out of it.
Much like the subtitle of this talk, our “hot takes” can’t just be something you throw out without context, an alternative, or a well-researched or thought-out critique. We can be funny, we can be biting, but because for many of us this career space isn’t just a job but a passion, we get a little emotional, and sometimes irrational, when we see some stupid shit… you know, like vendor booths at RSA. If you end up taking something down a notch or two, try to be useful (or at least funny) with it. I’ve seen several people go from taking a Devil’s Advocate mentality just to see how much of a storm it causes, to just posting stupid shit all the time.
• Extending your reach – security “astral projection”
Now, this differs from the sphere of influence noted earlier. This is more about planting ideas and innovation and letting them grow and expand and, dare I say… “infect” the minds of others. This is a matter of winning mind share, getting change through ideas and deeds. Knowing that humans don’t scale as well as ideas, this is the carry-on of getting information, such as figuring out how to stop a piece of malware, into the hands of other defenders without worrying about credit or care.
There’s also some mindfulness involved. If there is a good outcome from your work, your ideas, the platitudes and respect will return to you, there’s no way to go seek or demand it. If there are questions as well, about how it works and so forth, it’ll generally find its way back to the source, and conversely expand your network and get stories about your impact elsewhere. It doesn’t have to be technical either – it can fix a process, addressing an attitude or widely held belief, looking at a concept from a different point-of-view, but everything is open for contributions.
• Calling it out without being an asshole
Here’s my problem – I am the proverbial a-hole in most stories. Prior to 2010, I was a bit more meek in how I approached trying to effect change or take part in things. I wanted to grow, advance and expand, but it was more about squeezing through the holes I found rather than plotting a course and going in that direction. Post 2010, I pretty much have zero fucking filter; I speak my mind, and I realize that in some cases, when I exist in a space, it may be the first, last and only time I’ll ever be there, so why not take the shot. It’s important to recognize when to pass and when to shoot, but also when to be a team player and when to possibly grandstand a bit.
The key thing goes back to language and communication style. Read the room, know your audience (and topic) and understand what your goals are. If it’s a selfish way to highlight yourself and ideas, it’s the wrong tactic. If it’s to further an idea or goal for the greater good, then you’re on the right track. Look for partners if the load or concept may be too big to handle or bear on your own. It’s okay to make it a team effort.
[Slide 8 – But I only know about this one thing]
• Don’t say all you know, but know what you say
This is a phrase my dad said to me, somebody who was the first in his family to go to college and ended up a PhD-enrobed chemist, albeit after failing out of his initial program. The value of knowing what you know, timing when to share it, and knowing when and how to apply it is paramount. In some instances, and this is where I think it applies, the point is not to go around as a know-it-all. Some of our rock stars and celebrities in this space tend to lean a little too hard on that, and we tend to bolster the ego and feed it by over-elevating them at times, thinking they can do no harm. When they do, and I won’t call out some of the drama currently circulating, it makes them reproachable because they are human beings, not deities. It’s okay to ask a supposed expert a question. Knowledge and our understanding evolve. There are 8 billion people on this planet. There’s an excellent case that there’s an original thought or another expert in the same space as them.
If you are elevated, such as a speaker or a titled expert in an area, be damn sure you know what you are talking about. There’s a good reason I don’t give technical talks about IR/IH, malware analysis, exploit development, social engineering and other topics: while I have experience in these areas as part of my career growth, I’m not so micro-deep or broad in a focus area that I consider myself talented enough to teach or talk about it. Therefore you get very weird talks from me. I’m an ideas person. I’m a connector. I’m somebody who likes to put a nugget of an idea from exposure into the minds of others. That I will claim myself an expert in. Know your limits, but don’t be afraid to learn and take in more and more.
• Clever hack/kludge/sploit use it for good(ish)
Speaking a bit of some of this focused, carnal knowledge we peddle to become a respected peer in this space – much of it is built on a clever hack, kludge or other little thing we did to get our jobs done. Personally, there are a lot of tools, scripts and other doo-dads I’ve authored or created over the years that, in retrospect, I wish I still had, now that I’d find them useful in other situations and places. These, in some form or another, were to help automate me out of some menial task, or to fix some shortcomings of other tools, primarily ones we paid for. I’m going to guess the bulk of this audience has had the same experience – and for some, doing these little kludges is the kind of win where we jump up from our seats and exclaim victory over our technology oppressors.
These can be useful to raise your profile, get you more free time, or remove the menial from your day-to-day so you can do something more enriching or fun, or even contribute to other things you find more value in. The key thing at times is to also document the heck out of this. If you’re automating your work to get yourself out of it, eventually there’s going to be some poor schmuck who will stumble across this when you leave or when something changes, such as a promotion, and will need to know what it is doing and how it works. Don’t EVER forget that.
• Focusing curiosity… into a white hot laser beam
I got asked, when I had my CTO gig, to come up with a mission statement for my team. I forgot where I stole part of this from, but it was to basically “foster permissionless innovation”. And by that, I mean, have an environment and culture that values and supports knowing a good idea can come at any time, and may need some time or resources set aside to chase it down and build it out. Find those places that offer this, as they are also those who value personal development, training, and time for creative pursuits to help solve problems, business or otherwise.
Along with environments such as this, fostering curiosity to go beyond the surface read, what the manuals say, or even the rules can result in tangible benefits if you have leadership who recognizes the value and invests in it. Finding those partners is key, and it may take hopping around to a few orgs to find it, but they exist, so don’t give up and don’t feel undervalued. It may just be a fit issue. To be honest, I’ve only ever found parts of this wherever I’ve worked. If you find that spot and it’s recognized, focus that shit – white hot – and do the thing you enjoy and do good.
[Slide 9 – Hot button items you can help “solve”]
• Standards (gotta make a new yardstick all the time)
As I was introduced, I hold essentially two jobs. One that is 98% of my focus, and another that is 2%, depending on the day. I’d like to be doing more of that 2% because I find it interesting as hell, but it doesn’t pay. Currently, I’m taking my broad experience and trying to help un-fuck a standard that has got a lot of focus and energy behind it, but that some who are in the policy sphere feel is not quite baked enough to be useful to folks who have to deal with it daily.
Most standards are written by committees, and some even include and take in input from subject matter experts, but often they are high-minded academic exercises that, as I’m sure anybody who has had to comply with a standard or audit has found, are pretty much useless when it comes down to it. These usually result from compromises, or an effort to get anything out to satisfy the request to come up with something. As we all know, standards, guidelines or best practices are often only a start; every environment and situation is different and has to be accounted for when you are held up for compliance or adherence to a standard.
Volunteer there if there’s an opportunity. If there are listening sessions or other standards meetings, see if you can take part. If there’s community input for review and mark-up… do it. That is often the only way to get some road-tested input into these processes, ground some of them in reality, and change how we approach paper versus actual situations. This even goes for laws and rule-making by the government. If you haven’t submitted comments to agency rules or written to your congressional representatives, you’re missing out on a great way to make change and take part.
• Operations (grunt, grunt, grunt)
Typically, this is where many got their start – slinging hardware, typing in shells, running cable, watching dashboards and tailing logs. This is the lifeblood of any technology environment – thinking about resources, resiliency, configurations, and the potentially annoying system owners and end users who disturb your peace after pulling an all-nighter getting your setup perfectly balanced and purring. Now you can’t eliminate end users and system owners, but you can figure out ways so that they cause as little disruption as possible.
Now I won’t tell you how or what to do, as every solution in these cases is generally unique and situational. But knowing how to handle these folks is an art in itself. Sometimes we put on fake smiles and voices, and just tolerate them enough or snidely work them down to being on our side during an explanation. So that manipulation is a good, but hidden, negotiation tactic.
The other side is, as it’s the place where folks start and leave, knowledge transfer, and general recognition of this being the birthplace of many a tech expert before they were one. Document what you do so those folks can make it a place folks want to be a bit longer and enjoy the art in the architecture of a well-operating tech center. Chances are, they learn quickly enough to join you on the next quest and help solve the pipeline issues in tech by minting folks who have an understanding of operations in their backgrounds.
• Research (& Development) (cool, sexy, hawt… but who cares?)
Admittedly, I’ve presented no research that measures up to a level of academic scrutiny where I can claim to have done that kind of R&D. In fact, very few people in our space can say they’ve been or are at that level of scrutiny. However, most of us got here by poking and prodding at things we’ve had access to – whether it was an old clock radio and learning about hardware and electronics, or access to your first computer, poking and prodding beyond the GUI, and eventually, depending on your age, hitting a BBS to explore on-line or a website to see how it processes requests. That’s research.
The development side is, namely, that if you find flaws or ways to improve on problems or bugs you’ve found, you’ve highlighted a fix or the problem itself, or worked to make something new that’s entirely better. Even that quick kludge mentioned prior is development, because you’re bridging gaps in using tech. At your employer, every day you’re improving on what was before is also development, hand in hand with research. Guess what, you’re doing R&D – it may not be published-paper levels of sexy and cool, but it’s work that goes on every day, and your peers and bosses should damn well be aware that’s what’s happening and respect it.
• Sales & Marketing (yes, I know, it sucks, but it needs to be fixed)
My last job before my current one could be labeled as much technology-related as it was part of marketing and sales. It sort of made me feel icky at times, because, well, I was always sold to in other roles, but this was selling ideas. As an advocate, or even in a lightly titled developer relations role, we were bridging the gap between the tech or concepts we sold and those who wanted to consume them. However, given a visit to our SKO, or sales kick-off, those folks were using the same social engineering techniques we are always in awe of – I kid you not. So if you play in this area and want to ply your skills in a spot that pays off in pretty high dividends, that’s an opportunity.
For marketing, it’s all about how you talk about it. You don’t have to sell a product, but sell an idea or concept. The key things are to not lie and not over-promise, or more likely you won’t have your product or service bought, and you’ll also probably be blackballed from the org, and possibly worse, via word of mouth, elsewhere. Do, however, work to understand the problems and challenges of those who may end up having this sold to them. The interesting part about both roles is that you have to put yourself in the shoes of somebody else and try to understand the value, but you often have very little to go on.
When I was paired up with one of our sales teams, they had a hard time trying to figure out how to crack in on the potential client (well, they had some of our products already), so I worked with them by doing some OSINT: I looked for what was publicly announced as projects, challenges they were addressing, staffing in certain roles, and tech that some listed they were using via LinkedIn and other job postings. It armed our sales folks and marketing teams with very precise knowledge of what the prospective org really needed and allowed them to be ready. It’s oddly fun because it changes so often. Sometimes the folks in the org may not even know what we present them with.
• Advocacy & Education (it’s why you’re here)
Since I’ve progressed to being less technical than in my early days, I’m up here on stage doing my best advocacy work. I’m sharing lessons learned and experiences and trying to foster new ideas and ways to look at things. This isn’t to the point of “those who can’t do, teach” but more of “those who have done a lot want to teach and inspire”. There’s a lot of work to do in this space; we’re not scaling appropriately and we’re having a hard time keeping up with cleaning up the messes and problems of the past. So when there are new ways of getting ahead, it’s time to share them in venues and by methods like conferences, meet-ups, brown bags and so forth, where this can best be had.
Education, on the other hand, and while I railed against certifications and degrees, is still necessary, and the structure of learning all about something is still very important. But people learn in different ways, and want to learn different things. I think one of the greatest travesties of our modern education system is now losing things such as vocational education, apprenticeships and other “learn while doing” types of opportunities. If you only get book taught, all you will know are books. I love to read, but I also like to experiment, try to do. From trying to debug code to burning my fingers on a board while trying to solder, it’s really a hands-on thing here, but we tend to just want to mint folks out of classrooms.
I love places that have CTFs, hardware villages, lock picking and so forth. It’s tactile, and you get instant feedback. It’s organic and, best of all, nearly anybody can be exposed to it and pick it up. There was a fancy conference put on by a trade org in DC, and they put me on to help organize a track, where I suggested getting a CTF space. I had to fight to get them to consider it, but I also figured the best way for the executives there to get a feel for what their staff does was to get them to do it, however poorly. You didn’t have to get all the flags and clues, but one would be sufficient to understand that it’s a lot of hard work and that those who are good at it have a lot they can contribute. Having a C- or VP-something in your title doesn’t mean you can’t learn and feel a bit.
• Yes.. Managing People & Things (If I can cook, so can you)
I left a role three years ago that was primarily a people and project management spot. I got burned out managing people and projects jointly. It’s tougher than folks let on, and it’s emotionally draining – but also rewarding given the impact you can have. I took the tack in my career that I wanted to do as much technical and process stuff as I could in my early years, because it was suggested that most folks will eventually be asked to manage people and projects. My idea was primarily to build up experience and empathy in the work and roles I knew I’d have to manage.
Why is that important? Well, easily the best thing to have with your staff is an understanding of what they are dealing with. If you have done the thing, there’s less of a communication and skills gap that is typically put upon them to bring you, a manager, up to speed on. You can use shorthand, and with that skill set you can also use your own translation and visceral memory to effectively communicate their needs to your peers and management, thus removing the worry and extra effort of having them do it. It’s a very useful role we lack a lot of, and it is one of those bridging positions.
In this role, you also act a bit like an umbrella, sheltering some of your staff from annoyances and, well, to put it plainly, stupid questions and requests that you can most likely answer. Many of those staff will appreciate that, but they will also appreciate your not filtering important things that are communicated. I was pretty open about sharing management decisions and status, as it engendered trust, but also let folks know where things were. I still do not know why this isn’t a more common practice – but then again I watched the Mudge testimony this week and realized it’s sadly SOP.
[Slide 10 – Closeout / Summary / Call To Action]
• Cool, non-traditional stuff to play with
Most career spaces have some level of impostor syndrome. Feeling they don’t fit in, know enough, or are just overwhelmed. Get that out of your head. You all have something to contribute. You all have a new way of looking at a problem and attacking it. It’s also okay to pivot, pick something new, or even something totally out of your area of expertise. Some of my best hires were not always tech folks, but those willing to learn and blend what they knew.
I still like the details and minutiae of setting up systems, occasionally coding and such, and I miss the chase of incident response, but I was surprised when I stumbled upon policy development as an area I felt I was relatively good at and enjoyed the creation and debate around. I think some of the best policy people are not lawyers, but those SMEs who have good communication chops. I give nods to folks like Katie Moussouris, Kwadwo Burgee, Art Manion and a host of others who can scrub in on both sides and do the bridging functions – but also communicate why they are important to multiple groups.
Dan Greer is another, who was at @stake and was a microbiologist, and the same goes for our beloved Jack Daniel, creator of B-Sides. These are folks who weren’t from a computer background but have left their mark on security and helped bring groups together to share their knowledge and experiences.
• Sorta-Cool, more traditional stuff to play with
My current day job is extremely far away from day-to-day security concerns directly. While there are times when I talk to that team, I’m generally up to my eyeballs trying to figure out the industry, what’s broken in the process and structure, and how to align it to something that can be resourced and managed. However, the industry it is in, video games, literally rewards people for being clever and finding new ways to win. It’s a great security challenge – from looking at the software level and attacking the client program, to poking and prodding the infrastructure it runs on, to going down to hacking hardware. It literally has all the fun stuff we talk about in here, in the lobbies and on-line, and I’m surprised more of you haven’t sought opportunities in this vertical.
There are a lot of industries that have these security components tangential to the principal business, but they are still needed. Consider the brouhaha that was made of John Deere and their problems with folks flashing their systems to get around DRM and other restrictions. If you were on the defensive side, that’s an interesting challenge, but who’d have thought of working in the agriculture industry as having that as a gig? I’m sure John Deere will staff up for that.
Other roles could have similar challenges, but be open to where your skills and impact can best be had. There’s a lot of work to do on a lot of things. You don’t have to go work for a FAANG, a big consulting company, a big conglomerate, government, or some other sexy spot. One thing is known: we will always have something to do, and there’s always a need for clever and smart folks to do it.
It is your job anyway.