 So, hi everyone, thank you for coming to this talk about the Infosec Mentors Program. My name is Marissa Fagan and today I'm going to talk to you about this particular project and then also a bit about mentoring in information security in general. So the Infosec Mentors Project was actually inspired by something that happened at Source Boston this year. Casey Thayer, the director of Source Boston had a workshop where I was a participant and I was connected with one of 20 mentees and it was somebody that I didn't know and we were introduced and then started a mentoring relationship as part of the conference. And most of those relationships that were started there ended there too, sort of a week long understanding that you would be, you know, more like conference buddies. So I thought that that experience was fantastic and I wanted to take it even further. So in May of this year I started the program and almost immediately we got a lot of volunteers and up to this point we have 55 matches, more than 110 people in the program. And if I could just take a minute to tell you how the program works, I have volunteers give me biographical information and then talk to me a little bit about what their interests are and their experiences. And then things in those profiles stand out and we match them based on those things that stand out on a manual basis and go from there with a one-on-one relationship. And the program supports that relationship by following up and providing ideas and support. So the main thing I wanted to get out of the project was to introduce people in the information security community to people that they would not otherwise get a chance to meet. So not people in your social network, but people completely in somebody else's social network and try to combine these networks, you know, even across countries and really grow the community. And at this point we've gotten worldwide participation. So why be a mentor? This is really the most important question I hear. It might take a lot of time people are concerned about. They don't know if they want to meet a stranger. But I'm here to tell you that there are essential things that you should really be doing and you really can't afford not to be a mentor. First of all, it makes you look good. If you have mentoring project on your resume or you're doing your quarterly reviews and you're talking about how you're helping somebody in the community, I mean, how could that not look good? The program is established and we've got some official relationships now. So it's really going to be something that you can rely on to put together as part of your career in the future. And we're trying to make this something that people can talk about reliably as part of their careers. So the second thing is that mentoring can be an essential training activity. In the IT community and in security, we talk about don't make yourself irreplaceable. And the way that you need to make yourself not irreplaceable is by training your replacement. And then you can be promoted. So having those soft skills, being able to train someone else for the job that you have is a career skill that all of you need if you're going to have a successful career and move up in the organization. So this project is a free way to get essential training. And in this economy, free training is pretty good, right? So the next reason you should be a mentor is because we're all in this together. One of the main drives for this program is to grow the community aspect of information security. And if we all grow together and try to improve each other's skills, we're going to increase the base level of the technology as a whole. And that's going to give us all a lot less headaches. So the higher the base level is, the more we can grow as a community. And the last reason that you should be a mentor is because soon the student will become the master. You're going to start out as a mentor-mentee relationship, but the mentee, the more you help them, the more they'll grow, and they're going to become your peer. And this is, it can start as a training sort of opportunity, but then it becomes a networking relationship. And it's somebody that you can rely on in the future to work on projects with you. So what makes a good mentor? I polled the 1,000 or so Twitter followers that the Infosec Mentor's Twitter feed has. And above and beyond, everyone said, patience, enthusiasm, and belief in the relationship. The most important thing you can do as a mentor is be an advocate for your mentee. This means trying to get them involved in the things that you're involved in. Make sure that they're doing things that are worth their time. They're going to not just any conference, but the good conferences, the ones that are cost-effective and have new information. They're not reading any books. They're reading the new books that are not going to be discovered three months later to be mostly just plagiarism. You know, they're really spending their time effectively, not just taking a random guess. I'm sure you all can remember when you were first trying to get into the community, it was basically a crapshoot. DEF CON was pretty much the center point where everyone knew that something was going to be going on. But as far as regional stuff, it was really hard to know what the best use of your time was. So an advocate can help you grow in a much more efficient way. So the last thing, or the next thing that makes a good mentor is sort of going on being an advocate, recommendations to cut through the nonsense. They're really sort of tips and tricks that you've learned along the way that you wish somebody had told you. And the last thing that you can do is open doors. Actively try to improve the career of your mentee. And this is the altruistic aspect of being a mentor. So most of you out here are probably going to be mentors. So I wanted to tell you what you should expect from your mentee and what it's okay to ask for. I believe that mentees should surpass your expectations. Expect determination, passion, and energy. If you're in this industry and you are not passionate and energetic about it, do yourself a favor and get out. Because it is a lot of really long caffeinated nights. And if you don't think this stuff is super cool, you're probably going to burn out way faster. And that's just unfortunate for your mentor who probably would have been able to help somebody that is passionate about it. The next thing that you should expect your mentee to do is follow through on your suggestions. Especially in the beginning, the most important part of the relationship, hands down, is trust. Many mentees are not really sure what they're getting into and they burn out and they lose interest. And this is just really a shame because it creates a bad relationship for the mentor. He or she may not even want to do it again for somebody else and that is a very big shame. So trust in the mentee is the most important part in the beginning. So for the first activity, for the first project you work on, as the mentee, you should just go with it. Do what they say. You can argue back and forth about what you really think you should be doing later. But in the beginning, it really requires a leap of faith for the mentee and trust. The next thing that the mentee should do is add value to the mentor. Yes, you can. One of the things that I think that a mentee can do, especially if the mentor is working on some of these open source projects, or maybe if the mentor is working on a promoting a conference or has some kind of pet project, your mentee is your street team. They are going to provide energy and enthusiasm and possibly some networking that you don't have. And it's not out of line to get your mentee involved in some of your projects and use their energy and really open doors for them in that regard. The mentee also is the one that should be responsible for maintaining the relationship. It is okay to put that on the mentee. It is up to them to maintain a monthly. Monthly is probably about the ratio of emails, contacts. If you're working on one or two projects every year, that's about right. But just conversations, at least monthly, is the mentee's responsibility. And then the last thing that the mentee should do is think about it in terms of what their mentor is doing. Think about it in terms of paying it forward. And when you think about yourself as what you will be like when you become a mentor, you're going to get a lot more out of the relationship. So on my last slide here, I just wanted to give the contact information and talk about how all of you can get involved in this program and just mentoring in general. The website is infosecmentors.com. And there you can sign up to be a participant in the program and also get information about our future projects. Right now, our main project was doing an infosecmentors meetup during Las Vegas this year at the Security B-Sides Conference. And that was on Wednesday and that went really well. So we're going to try to continue to bring not just two people together, but also the whole community together in some of these activities. There's going to be some regional stuff that happens in the Southeast and in the Bay Area. And then if anybody can pull these things through in other areas, please talk to me. Right now, we're trying to build the project with volunteers. It's still very small and it needs to grow. And I'm looking for people that have technical skills that can help us grow a social network style of web, web presence, and then also just people with enthusiasm that are trying to grow the social network. And one of the things that we promised in the infosecmentors program was to support these relationships. So most of that is happening on the infosecmentors blog. We have someone that is doing interviews with our current mentees and mentors asking them what specific things they're doing, what activities they're doing. And these interviews, if anyone is currently involved in the program and wants to be a part of it, please get in touch with me so that we can talk to you about what you've been doing with the program. And that's been a really good resource so far for people to get ideas for tangible things that they can contribute to each other. I just wanted to mention also that one of the ways that you can bring mentoring into your network is by talking to the people at your workplace. A lot of the larger organizations have official mentoring programs in their offices and I think that's a really good thing. Some of them are better than others and we're trying to learn from those sorts of things as to what works and what doesn't. And then just this sentiment, bring the newbies up to the new level. If you see somebody around here this week that kind of looks like they're more enthusiastic than knowledgeable, really use that and help them find out what to do next, later this week or later this year and act on this and make a difference. We are all in this together and this is really about community building, so you are the ones that will make the difference. If not for yourselves then for the whole community. Do it for us. So if anybody has a comment that they would like to make about mentoring or a question about the project, you can either shout it out or come up here if it's a comment. We have a couple of minutes left. Do you wanna come up here or just shout it out? So it'll be recorded. So where do you normally find your mentees? Are they coming to you? Do you go out and reach out to them? There's been a lot of outreach to some of the universities but mostly it's just Twitter. It's all online right now and basically everyone is hearing about just through word of mouth. So there hasn't really been one characteristic that any two of the volunteers have. So it's mainly been the social networks that have kind of brought them to you and kind of brought you guys together. Exactly. Okay. Infosec Mentors is the Twitter feed. One word. Sure, come on. I just wanted to say that I work for a larger company and we have an official mentoring program and in the beginning when I was mentee for the first time I really didn't know how that all is supposed to work and I learned at a certain point that you find your mentor and your mentor finds you and usually for me it was always a situation where I had one or two mentors at the same time and I was looking for them for a specific issue that I had an issue with. One of them was security and I am a mentor myself now. So it is a match. So assigning mentors is something that some people do but that usually doesn't work. You have to find yourselves or each other. Thank you for bringing that up. That was definitely one of the big questions that we weren't sure if this was going to work or not. Two strangers that may or may not have the best social skills might be a huge disaster and about 20% of the time it has been such a disaster that we've repaired people and about 20% of the time people are so excited about it that they're now telling their friends. So it's kind of a, you know, it's a bell curve. I personally think that it worked for me so I tried it but some people it may not be right for. Did you have another comment? Do you want to introduce yourself if you have so much? Sure, I'm gay real everybody. So a lot of us work in very sensitive fields where we may not be able to talk a lot about what we do day to day. How do you address that with the mentoring program so that we can mentor someone without having to get into all the sticky stuff about getting them involved in what we do? So there's the social aspect of it and then the technical aspect of it and you kind of find that balance. You have to be able to be honest with yourself and give what you can. I think that there is really no expectation that you're going to be using your personal work activities as your subject matter because they're not going to come work for you. You're going to be talking about the open source projects and if they're interested in web apps you talk about web goat, that kind of thing and it doesn't necessarily have to be your personal projects that even come up at all. The Infosec Mentors program does not require you to tell me a whole lot of personal information if that's a problem for you we can work with that and there's still a way to help. The question was is there any part of the project for non-information security professionals and right now the scope is small. We are looking for information security professionals just that community and that's pretty complicated in and of itself so 50 to 70 different sub-fields of security sounded like plenty. You should have co-presented with me. I know I could have. I'm working at the same time to bring people in because we have a mentor program inside our organization but it's not focused on security people specifically so I'm trying to bring the guys that come in with their comp side degrees and stuff and bring them over and say hey, we got this fun thing we can do over here. You can come and apply some of those things because I spend all my time in meetings but I've got a lot of cool things I can have you do for me so but one of the things that I run into is training and especially for these new guys coming up figuring out what training they need to build up kind of a core competency that qualifies them at some level. We all, obviously if you've made it here someone's either you or someone else is paying for your travel paying for you to come to the conference and the poor college kids don't always have that. How do we bring the training, roll the training into the mentoring? A great deal of the volunteers right now have two or three years of experience. Even the mentees are a little bit more experienced. I know that that has been an issue that Joseph Socoli sitting in the audience right now talks about the young and the restless of information security. This stuff is expensive and right now I don't have a good answer for how to incorporate some of the financial problems that come up but you have these online relationships and email interaction and that sometimes can be enough. But so he said that ISSA for example has free training and one of the easy stuff is free. The free training is something that a mentee might never find out about if not for somebody guiding them to that. So that's the kind of thing that we're really talking about the tricks and cluing people in. Leading the horse to water as it were. Well I think unless there's any other things that people want to say about mentoring I just wanted to say that this is a pretty good turnout and I really appreciate everyone's involvement. One more thing. That's an interesting thing that you've just brought up. It's been brought up several times. Half the people are very interested in where everyone else is and what everyone else is doing. And then the other half of the people are very concerned that they don't want to be exposed in that way. So we're trying to work right now with a feature program that may expose the geographical locations of each of these pairs so that they can be connected to each other as well in making a mesh relationship. But for now we're still trying to work that out. So if you look at the infosecmentors.com feed or infosecmentors Twitter you can find out if we do that in the future. I think that's it. Thank you everyone.