 Welcome back to Hacking Career Village. It has been so great to listen to so many wonderful presentations. We have people who are in various different stages of their career trying to figure out what to do next if they wanna do anything next. So I'm really excited that Amalek Haran decided to present to us the idea of being a tech executive and then coming from an individual contributor and then maybe going back again. So Amalek, take us on your journey and give us your best insight. Great, so yes, you guessed it. This is the Lord of the Rings Hobbit themed talk. While I'm not a Tolkien nerd, I am a firm believer in the hero's journey of story and character development seen in many forms of pop culture. My first ever keynote had a slide where I sufficiently stole the story wheel from Dan Harmon and Jester Royland's Rick and Morty but I didn't really tell anybody. For me, I'm 45 and I've had every job, title and role I ever thought I wanted to have and work to do by this point in my life. I count my blessings and consider myself lucky. Along the way, I've had two marriages, several cats, a few cross country moves and even managed to transition genders. I didn't just get my cake and eat it too, I demolished the entire fucking bakery, croissants and all. But what does that mean to you, the lucky visitor to this digital corner of the world and audience member for my talk? Well, I know plenty of you are at various points along your life and career and I know no matter who you are, you're looking for answers to burning questions and even though I'm here talking to you, I seek them out myself. A brief background on me, my day job is essentially now that of a professional storyteller but in tech parlance, they call me a technology advocate and I work for Splunk as of December, 2019. Prior to that, I spent a little over a decade in public service for the federal government as a contractor, member of technical staff of NFRDC and over nine years as a federal employee starting at the U.S. Department of the Interior, treasuring finally at HHS with a rotation working cybersecurity and IT modernization policy at the White House. All before that I left college with a degree I was told that was useless in society as it stood decision science and started my career as a user interface designer at most of my classmates went directly into tech consulting. This was obvious during the dot-com boom and I decided to dot-com things just as it imploded. Do not count on me for reading economic trends friends. I moved up during that time to a systems engineer and managed to get my first job involving security in 2000 and my first official title as such in 2003 working for a power company as part of a two-person security engineering team for a Fortune 125 company. Ah, yes, the good old days of slammer, hurricanes and blackouts. During those three formative years, I transitioned from an individual contributor on a team to somebody who was leading teams of others. While the first team was small, about four people, when I left government last year, I led about 150 people of both federal employees and contractors. This is not always a growth curve and responsibility everybody here will desire but some will, to each their own on this journey and that's what I'm here to speak about today. Back in the day, I was all idealistic thinking back to when I first was introduced to BBS's in the late 1980s and wondering that I may have put my dreams of being an astronaut or veterinarian on hold for chasing down this computer stuff. I mean, I doubt anybody then was going to expect we go from modems to high-speed direct to the home fiber optics in less than 20 years and what was the domain of kids in their basements would end up being the most amazing invention of the 20th century or perhaps all of mankind. I had college with an idea that yes, this technology thing is something but what do I want to do? So I started as an electrical engineering and computer engineering major who sucked at coding and wanted to do something more applied. At the time, computer security topics were just covered undergraduate programs of which my work study job supported the information networking institute. I changed majors twice to basically survive but I still wanted to seek applied computing, basically how folks use what we now have. This is what I call the start of a career. Granted nowadays, this is what can be had in high school but then it's usually after an initial stint in a post-secondary education whether it be a four-year college or university or trade schools or community colleges. What most of this progress process really teaches you is how to gather and organize your knowledge and thoughts to manage output. Yes, learning particular point skills especially in security roles is now available in what is typically makes up these degrees and certification programs but as somebody who's hired quite a bit over the years I value how people are curious and put their thoughts together. So starting out unless you're literally starting your own company dropping into the family business or get literally recruited to be the manager or director out of college while commissioned military officers are a whole other story. You're gonna be joining an organization as an individual contributor. What that means is that you were hired for an initial skill set and organization needed. This also doesn't mean that this is all you will ever do. They expect you to learn and contribute but typically in their way of doing business aligned to their market or mission. This is not to say that this is not useful or non-transferable. No, just the peculiarity of the business. Oddly, these business processes and methods are often covered as trade secrets and they do likely protect them and many ways of doing that is keeping employees happy and content. Again, if you see a lawsuit proposed by a company because some high ranking or major category lead and left for another competitor, the lawsuit is not just there to be officious but they're protecting those trade secrets and data that that person may have. You are a valuable asset. Sadly, not all organizations see that worth and treat you as such. For me, early in my career I was trying to find that niche and I'm sure many of you or are still trying to find it. It may take a few places to figure that out and find especially in the security arena. You could start in a sock working crazy or shitty hours or make like the variety, this could be your jam. Maybe pivot to IRIH work, then to forensics and maybe RE. The amazing part, at least this career is it's got a lot to explore. And as I noted prior, if you're curious, it'll serve you well. For me, as I started to think about leadership roles whether it be a line manager or all the way to wondering if it ever be a C level tech exec I figured a broad background would serve me well. However, not everybody wants to move up in management but unfortunately the tech sector is still grappling with how to manage highly skilled and competent technical talent and not to recognize that some wish to remain individual specialists and contributors and not be a team or group lead or even an exec. Not every high performer has the skills to lead people on projects and it's another entirely different skill set from core competencies for some specialists. And this is where we approach a fork in the road. At the point at which the realization that you may or may not want to move into leadership or management will usually occur between the times you're considered junior and where you can be considered a seasoned professional with a number of projects and deliverables under your proverbial belt. I know the quandary that many folks in the security community have when trying to sell the value of an information security program to non-technical leaders and executives. It's selling the value of zero. I gave a talk on the concepts of zeros in organizations a few years ago for all day DevOps. Most security work is to work toward zero occurrence of an event or get close to zero. While many other roles seek to maximize your roles than to minimize. This is also seen in safety roles. And similarly, public perceived value is difficult to quantify and qualify because the lack of being in the news is beneficial. This can strangely be seen by a challenge that healthcare and other public safety officials have had toward to deal with during the pandemic. It's also hard to put a review that you've prevented a lot of stuff from happening. Since documenting it proves challenging and having to quantify what the impacts could have been in hypotheticals is a tough game to play and can lead folks to challenging your estimates and hyperbole is really kind of a new win situation. So what are you to do to advance your career? Well, first off, don't get dismayed. The folks who can see the value work rather than just tabulate numbers will be the places where you want to work. However, those are a bit harder to come by but things are getting better. Another tactic is finding a raft of good peers. This is your fellowship. This doesn't mean that you have to bounce on to a new role when they do but this is some informal parallel between mentorship and support. I've kept in touch with a lot of former coworkers and such both let them hear to vent and like to hear from them and share my problems in kind. Share the challenges and successes I've had as well as sharing those in kind as well. Sometimes when you need a hand sideways or a hand up, they may be able to help you as well. This is more of an informal form of networking but just as useful as more formalized online sites and professional networking groups. So back to skills development for a moment. Say you're at three to five years in your professional career and you're finally deciding that what you may want to specialize in. First off, I'm sure you'll like, wait, three to five years in, yeah. Your first one to two years will probably be figuring out how to work in an organization. Feeling out what like the culture is like, learning how to work within the processes and structure. I mean, I had non-pro jobs while in high school working at a convenience store and a pizza delivery which had their own rules and culture but I wasn't anywhere to the point of calling them a career anymore than they were pickup jobs during my pre-adulthood. But the two to five years is where you start to build up that launching pad of skills. The core knowledge you will expand upon. This doesn't need to be formalized either. In fact, my work as a hobby got me the practical skills that formed the basis for my security career. All unpaid, all essentially unsponsored but that extracurricular skills development is useful. About the third year in, your company, if you are on that first or fifth, will have programs, hopefully, for training in other skills building. Take them up on those offers. Those are usually the first to go when the budget belt tightening occurs unless it is literally built into an audible benefit that they offer. When it's not formalized, and I can tell you as a manager for many years, a good boss will fight the carve out training expenses for their teams and see the value of professional development. I've gone to the carpet many, many times to ensure my team has had at least one to two training experiences, even if some may be non-technical. They can still network with peers. Fostering continuous education will be the greatest asset to your career, regardless of which path you choose to take. Realizing that skills are not evergreen and require refreshing as another. Knowing that you will need to adapt to the changing phase of business and environments you will operate will ensure that you will continue to be able to call a career as you inevitably age. But this isn't saying that you can't carve out a corner and specialize, but you have to ensure that you're also innovating in the right way and being useful as a resource. As much as some cockles that get raised when somebody raises a spectra of a rock star or a luminary, either they will be a momentary flash in the pan or they'll be required to constantly reinvent themselves. Continuous learning ensures that you can always build on what you have and not be that one hit wonder or rock star. So let's broach the rock star discussion for a moment. Like most rock stars, it seems, and I've met a few, the actual musician rock stars, they may lack a little bit in the soft skills department because they've often hyper-focused on the skills development of their core work, but haven't worked on the soft skills that make them interact with people as a human. There's plenty of examples of those infosec rock stars being, to put it lightly, assholes, particularly to the new people in the career space. There are exceptions and those are the good ones. They often forget that they were not all born with what they have and remembering that helps you get a career progression. Ego is not something that people will suffer well and it's easy to break. As I've said in other talks, when hiring people, I much prefer the reliable and skilled roadies and sidemen than the star or front men of a band because they show up every day, do their job, and because their employment is based on how well they do their job, usually have a vested interest in the outcomes. It's hard to think that some jobs are so at will as such, but the best combatant against that is being an exceptional contributor. It's also a case of balancing and not getting abused by a boss or a peer and that's the next piece in the career to plan for. Again, I've been in the show for over 20 years and I've had the opportunity to walk away and to be honest, the idea has crossed my mind more than a few times. Just like a match, burn it all down. The flip side of worrying about what's next is also something that hangs over as a cloud. Often those thinking of making a radical change or a leap to something different burn a candle at both ends, a day gig and then the buildup of the next thing whether it be independent, be your own boss or a new venture. It's trying, it's stressful and it's not for everybody. But this is another route to use your experience to be a leader. Even if the goal is to flesh out and build out an idea with a goal of being later acquired, the opportunity exists to stretch your legs and see if you can cut it. At best, you can go back to being an individual contributor, go further into management or cash out and live other dreams. You're writing your own story. So that's all well and good for those who are less risk averse. You mentioned that you were all over the map. Yeah, I was. And it seemed like working for a lot of well-established organizations, especially the government. What about that? Well, I'm glad you asked. And to say that this wasn't a route I valued for my own needs would be disingenuous. I had and still have a lot of going on in my life where I value the rough sense of some bankable security. Technically, public service is one of the few places that rarely sees layoffs. And if they do a reduction in force, known in the private and public sector as a rift, there's a lot more justification for seeing the door than on a whim, especially if you're a high performer. Safety or the perception of it is a good thing. If you're trying to do a lot. The fact that there's something tangible and reliable there is good. This is why folks may call it the daily grind, but it's what others will base an entire career doing. And it often affords them a lot of intangibles. This is not to say a smaller company, a startup or even deciding to pull up roots and become an ex-pat or go on a sabbatical isn't going to offer benefits either. They will, but it's up to you to evaluate what your needs are. Well, how do I evaluate my needs? This is essentially where the rubber hits the road. This is where you need to do a little planning. This isn't locked in, carved in stone, but an idea, given your experiences and desires and dreams about where you want to be or see yourself being in a few years. It can have a timeline or can just be an endpoint with no planned speed. For me, I had hoped to possibly become a C-level techie and at some point in my career, I just wasn't expecting that opportunity, even if it was for a smaller work, by the time I turned 45. Your timeline or desires may be different, possibly even fueled by your experience with working for and with individuals, you may have a role that you desire. This is where we get to the one ring part of the story. Sometimes this overall exposure to what some can term the brass ring can be toxic, much like smeagle and golem and the exposure to the doggy dog boiling crab pot of the corporate and even public sector, world of ladder climbing can cause significant change in who you may be. The desire for more, greater and perceived better can change a person if they drive themselves too hard thinking that the next rung is gonna make them happy along with perceived success. They will step and crush on whoever seems an impediment to that path, break relationships and go through the world with a single-minded purpose at the expense of nearly everything that doesn't generate forward movement. All I have to say is, you can't take it with you. For a lot of us, and as I noted earlier, is that our curiosity fuels our passions for this job or career that we chose to have. Nobody forced us into it. Well, maybe a parent wondering if this is better than being a doctor. So we're here by our own free will and so why not enjoy the journey? I mean, typically if you're working from the age of 18 to 20 to 65 to 67 years old, perhaps longer, that's 45 or so years of hopefully gainful employment in doing something that you love to do. It's really not a dash and more hopefully a leisurely stroller hike, a marathon if you're really trying to torture the metaphor for the runners. Smell the flowers, enjoy the scenery. Granted, there's some externalities here which I may gloss over, which is the bias, even though illegal in many forms towards race, gender, sexuality, disability and other characteristics which really shouldn't have any bearing on how good you are for a given role or opportunity. This particularly comes in play for minorities within a given field, whether it be gender, race, socioeconomic background or LGBTQ status. And when you stack them, it becomes even a bit more complex. And while I won't go into the discussion about how much about diversity here, I wanna make a point of the fact that this seriously changes the calculus for many in their careers. And this is something serious to consider both as one in the career and those who are in charge of hiring and leading those teams and efforts. There are plenty of other better talks on this than I can give at this moment. So I wanted to at least bring this up to your attention and note that this is still very much a going concern. Once you've walked the path for a while here looking at your preferred end roller state, you're considered a senior level material. And this is what can be construed with a few more worry lines and occasional less than natural colored hair of gray. Then you may get plucked to be asked the question would you like to be a manager? And this may give some folks pause. One, they didn't ask to see the manager unless you're the person asking was a Chad or Karen. So double check. But what they asked is you have the possibility demonstrated enough leadership qualities in order to be considered a good candidate, not just to be an individual contributor to a team or project, but to actually lead it. Granted, you could be asked this sooner if you displayed an early aptitude for it, but usually after you found your way with what you wanna do, got the ropes of an organization or two and I've had some history to point on for some successes and yes, failures. For some, this comes with an exclamation of cool or awesome or even maybe a dance in your cube. Others, it may be an oh shit moment because this potentially ends the comfort of isolation or just being part of a team or better yet, not being responsible for anything other than your own work. However, for those that are in the crux of this decision point, there's hope if you play it right. Some come to this point worrying if they will be able to maintain their technical focus and chops that they decide to become a leader or manager. The short answer is yes, but it comes with some caveats. The further you move up the leadership chain, the more divorced by design you will become from the day to day minutia. If you think you can go back and pull every ore and steer every rudder of your fleet of ships, disabuse yourself of that idea entirely. The same aspects of managers you hated who may have been dictatorial or micromanaging in their roles, you just adopt it, just don't. Your job is to find and raise up trusted lieutenants and by that I don't mean sycophants but find the right talent to raise up and effectively fill the gap you and others may leave when they progress to the professional development lifecycle. Essentially, you also inherit the role of talent scout and when I mentioned before about taking advantage of training opportunities you had early on to keep you sharp, you are now directing that role so I hope you learn something then. This doesn't sound like maintaining my technical job, she say, but you're just leveling up. I know folks like to code, work hands-on with hardware and so forth. I get it, I miss the ChesoIRIH work and building up a network defense systems. However, I feel that the benefit from being a senior level individual is the experience and lessons learned that you can impart to others. My own jump from engineer to architect worked that way as it gave me a broader view of the mission and business we were doing. I got to work with a lot of other people with other skills and help bridge the gaps and understanding and communication across various teams and business units. The key point is not to be cynical about the fact that you're possibly now in charge and that as much as all the crap that may roll up to you, the accolades may also be the first to hit you. How you balance it is where you start to succeed as a leader. This is about the time where I started to broaden out my own background. As I noted, I did the system in engineering and started into architecture but I also started into compliance policy work. I figured that the compliance people were gonna grade me on my engineering and architecture skills. It may be about time for me to walk a mile or so in their shoes and get you to re-examine your approaches and how and why you do your work. And because it's a different layer and working with different types of people it delivers some skills you wouldn't normally get if you hyper-specialized. As much as folks will push the red, blue and purple team and any other color that's in vogue right now as a way to run multiple angles of learning about offensive and defensive sides of operational security. The policy arena is also a way to take the tabletop or live fire aspects to another level. I know many will think that policy is merely just coming up with ways to be more officious. However, a good policy people will examine things from every angle they can, thinking about scenarios the same way a defensive or offensive team would to ensure it's the best way to apply it and govern a policy. In other cases, you, if you end up doing policy work maybe on the front lines of a new technology proposal or action or other event and need to quickly react and develop a working framework for how to handle everything. It requires a nimble mind with a deep background and experience in the topics of policy is to cover. And then some. You'd be surprised, but some of those policy wonks are pretty awesome people and really interesting way to expand their applied skills when you may feel a little bit of the techie burnout. Given all of this, you'd think you'd be nearing an end and yeah, it's kind of near there. By this point, you probably have touched about every little aspect of this career space and even getting to speak at conferences like this and others, potentially volunteering and giving a little back, but you're now about to decide, do I stay or do I go? And by that, I mean being a leader is a lot of work. A lot of paperwork, emotional labor and a lot of time. You need to essentially still find those balance points in order to not burn or flame out. Say you've been a senior leader for a time, it's okay to go back to an individual contributor role like from when you started. The answer is a resounding yes. In fact, it should almost be standard practice. For me, I'd been a manager again for about five years before I realized I needed a break from the stress and the politics. That stuff I mentioned before, especially the emotional labor will wreck you if you give a hoot about your staff and your work. I know a lot of folks will say to try to separate work from the people, but when you're doing things that has a good mission and a potential, it's a very hard thing to do even when you think you can easily do it. As a leader, the relationships you developed are useful in order to get things done, but as part of building trust, people will open up to you and get invested. In a way, you can say that this is the I care too much issue, but it happens. Then again, besides all that, you may want to take a break, try something new. That continuous learning stuff and build a skill set that you don't have or feel you may need to advance even further if you are a senior leader or executive. For me, when I started as a deputy CIO for a federal agency component, I was thrown into areas I had no formal training in, including budgeting, human resources and more formalized project management. I had people who had PMP certifications working for me. I ended up hiring a budget officer to help with our budget management and procurements and contracts. Well, this may sound like a cop out as to, why don't you do it yourself? Well, the answer is I try. I worked with these folks, but also knew that they knew way more than me and did a better job of it. This is the sign of a good leader, which is to know where your expertise and quality ends and somebody else's begins. It's not ego, in fact, it's humbling. Know when to ask for help, know when to delegate, know when to hold them, know when to fold them. It's an important skill that many CTOs, CIOs and CISOs, I know definitely do not do, but could also ease your lies if they admit it that they can't do it all. This is a bit of the type A control freak personality type that draws some people to leadership, but they will also fizzle out over time or move on and create a potential other disaster. As I moved on, I realized I needed to learn better communication skills. The last few positions I had for the federal government had yearly reviews that constantly harped on this. I was also always eager to go and speak, work on those skills in a more public forum. You obviously hear me here and see me now so part of this is working out. However, one of these experiences I didn't have in my career and especially in a particular sector was working for a vendor. And as such, in a role that is now strangely considered part of marketing is that of an advocate. Now, many will look at such roles and think, well, that's just a pitchman or pitch woman and it's no better than sales, but it's really not. In fact, many of the senior folks here, goons, speakers and such, actually have roles similar to mine. It's an educational role as much as the customer facing an interaction role that not only requires being able to speak intelligently about a topic, but also listening. Listening is a very underutilized skill among techies at times. Obviously you're here and listening to me, but actively listening in order to synthesize a useful interaction with a customer or teammate or executive is a very useful skill to develop. Much like critical thinking, this is much in an innate skill for people and an important navigating to career development. The refinement of communication and listening skills are the ones that will mature over time as well. As an advocate, I get to touch many parts of our organization. I get to develop strategies for all sorts of things for a very broad viewpoint, but also get to dig into some passionaries. It's outward and inward facing. If it wasn't for the pandemic, I'd have been on the road for a significant part of the time, which is something new and interesting for me. I can freely admit that some of the, was possibly to build up some frequent flyer and hotel points for eventual time off, but those are some things, the fringe items you consider when making changes like that. I'm about eight months into slipping back into a visual contributor role. It's drastically different from my prior C level role, but also somewhat similar, because I'm looking at interactions with people at my former level from a different perspective. Conversely, I'm getting time to explore a few things I wasn't allowed to do or had the time or resources to pursue. There's a lot of these considerations for changes. My boss says, be comfortable being uncomfortable, which is actually a really good bit of guidance. We are typically kind of risk adverse in our roles and lives and we value the basic needs of housing, food and sleep, maybe a good hot shower on occasion. So we tend to sit there until we have to move. This is a skill while you have your day to day, is encouraging to walk the knife edge and explore new things and new ways of looking at it. To be honest, it's one of the best moves I've made. However, my desire is still to go back in the leadership. I figure that the skills I develop here will support what it needed to be to be a more effective executive when I hopefully return to those ranks or with the time and experience afforded to me to do something different from my day to day, possibly strike out on my own and start something new. I already did my own hobby like startup for a decade and a half and it ended up in the black barely and was sold when I lost the time to actively participate in a way that I wanted. If I start my own thing, it will be from skills acquired through doing everything. I think it's the best kind of skill sets to do this. So it will help me with those I plan to hire as well as learn what I need to take to make it in the marketplace. I'd have the budget, purchasing, management, sales and marketing, development, engineering, policy and even some legal background in order to make a good go at it. The path is mine and yours to choose. This is the journey. This is your quest. Good luck and best wishes. Again, thanks to DEF CON, the new career hacking village and the staff and volunteers who helped with all of this. Such an amazing story, really great inspiration. Thank you so much Amelie for sharing your story and your tips on how people can get from individual contributor to leader to individual career contributor, but also making sure that they're getting a fulfilled life and a life that they can give back. Thank you so much.