 Welcome everybody. My name is Mike Murray, my co-presenter here is Lee Kushner. Thank you for coming to the presentation. Absolutely, and we're going to talk a little bit about security careers today. And I thought we'd start by talking about where this all got started. This whole conversation, I think between Lee and I and even before that, got started a few years ago at Black Hat, when a good friend of ours whose name is Scott Blake asked the following question. What's the difference between a hacker and a security professional? And what answer did Scott come up with? The answer is a mortgage. So, from there, that was one of the first conversations Lee and I ever had. He was telling me this joke. And we actually met a few years ago at Black Hat as well. And the story has a lot to do with what we're talking about. Because for once, we both stayed at the Mirage. And that's pretty weird. We had both booked late, neither of us was at Caesars for Black Hat. And we got in the elevator at the Mirage one day. And we didn't know each other. We had never met before. I knew who he was. I mean, he's Lee Kushner. He's like the security recruiter, right? I mean, I put our bios up on the screen. But I think most of you probably know who he is. And at the time, I was running vulnerability research for a little company or an office up in Canada for Encircle. And we got talking. I mean, anybody who's ever walked from the Mirage to Black Hat at Caesars knows we had some time to chat. And we got talking about where I wanted to go in my career and where he had seen people go from vulnerability research and how you get out of being just a vulnerability researcher to be something more. To be regardless of where you want to go, whether you want to be a CTO of a company or a CISO at a bank or whatever. The whole question was, okay, how do you go from wherever you are to wherever you want to be? And I think that conversation started about three years ago. And I think we talked at least once a month about that same thing to this day. And we got talking and decided, well, what the hell? Let's do something for DEF CON. Let's come here. And there's probably a lot of people who are either just starting out or regardless of where you are in your career, trying to go somewhere. And I've been there and I've been the one in the seats kind of wondering how to get where I want to go. So hopefully we can talk a little bit about all of those things. It's very interesting when you come to a conference like this or any of the other events that you might attend in the information security industry. And the one thing that everybody has in common is that everybody has a career. Everybody is proud of what they do. Everybody has aspirations to do things past what they're doing. And with any young industry like the information security industry is, I mean really, I mean it's really only been significantly on the corporate map for ten years or so. Because the industry is so immature, there isn't any really well-defined roadmap on how to get from point A to point Z. So going through talking with your friends, understanding what you want out of your career is quite important. And we're going to talk about a lot of those discussions here. We're going to talk about probably a lot of things that you think about on your own, things that may be discussed with your friends, talking about things like, what's important to you? Do you want a job in a paycheck? I once had a, when I was first starting out, one of my first jobs was selling vacuums. I answered some ad and I'll make $100,000 in a year and it was all great. And the first thing they did was show us this, I guess, you'd call it a PowerPoint now, but they had job and they said, job stands for just overbroke, you don't want a job, you want to own your own business, you want to sell vacuums. So that was my shortest duration of any of my jobs, T minus two hours. But you want to talk about things about what is your career path? Because your career path is different than anybody else's in this room. It's unique to you. Things that are important to you are things that are important back to other folks. Just in things like taking ownership of your own career, how do you go about doing that? Building your own brand, helping define who you are, what makes people think, what others think about when they hear your name or when they think about your work and your work product. What really is the best job that you have? How you can make the most out of your own job the one that you do have? How could you make your job better? Understanding why is a good reason to change jobs? Really understanding what might be a bad reason to change jobs? And really trying to figure out how to get where I need to go. So we've been up here for about four minutes, and I think between the two of us we probably said the words career path about ten times. And you guys have probably all heard those words a million times. But I think we need to define what that is. I know a lot of people in security, and I'm sure there's a couple of people out there in the audience that just jump from job to job. You know, oh this sounds cool today, this sounds cool tomorrow. And that's kind of a neat way to live, you know, it's fun. But I mean we've both seen a lot of people who look up ten years later and go, well my skills are obsolete, now what the heck do I do? All those things, all your decisions, and I think the one thing that will be a recurring theme today is that whatever decision you make regarding your career you will ultimately reap the rewards from and you will ultimately pay the consequences of. So when you're making any of these decisions you have to really think about getting the information, getting the right information, and figuring out how that affects you personally. And security is particularly interesting for that because as Lee mentioned it's a young field. You know, if you think about a lot of the careers that maybe our parents had or people that we know that aren't in tech had, the career path is very different. And we need to be clear about what's different in those career paths than is different in ours. In most careers you get this well defined steps. You know, if you look at, you know, let's use accounting as an example. We all like to pick on accountants, don't we? Yeah, you gotta pick on accountants. So, I mean think about the career path through accounting. You go through school, you get a degree in finance. And then you start working your way up. And it's pretty well defined. You start out as a junior financial person and you pretty much move up through senior person, controller, CFO. Some people jump off to do their own accounting firms and that sort of thing. But for the most part, the steps are pretty well defined. There's a degree in it. Everybody knows that you have to get your CFA. I think is... CFA is Canadian. I can't remember where your CPA is, your CFP is, or some sort of C. Yes, and actually in that field the C actually means something. Well, the other thing is this, if you asked a hundred CFOs how did you become a CFO? You would probably find a hundred very similar career paths. And they'd all look like that actually. Somewhat. Yeah, pretty much. And security is different. I mean security is really more like a real mountain. Where there's a whole lot of different ways up the mountain. I can probably... You know what? I might actually do a little bit of the survey here. We can look at the security career as a whole bunch of different pieces on the bottom. I mean there's not... Let me actually ask the question. Is there anyone in this room who went through school and has a degree in security? Give a hand. Give a round of applause. Exactly. Because I know if I had asked that question five years ago there wouldn't have been a hand in the house. That's actually really cool. But it still wasn't very many hands. If we walked into an accountants conference and asked who has a degree in finance, the number of people who didn't put up their hand would be less than the number of people who just did. So really security has a particularly interesting career path because everyone starts out in a different place and everyone has a different way to get there. One of the things that we have been very lucky to notice is that there's really a difference between the technical track and the management track. And at some point you have to make the decision. One of the best things to talk to Mike is that one of the best things about this industry and I think one of the things that drew me to it 11 years ago was the fact that people come into this industry from very diverse backgrounds. There are not cookie cutter personalities in this industry. There are not cookie cutter education paths. The respect is earned in this industry. It's not just given because of some school you went to. Some letters after your name. It's kind of about what you've accomplished and what you've done and that own, I don't know if you would call it, whether it's the secret handshakes or the understated respect of what people share for each other as professionals by coming to conferences like this. I mean that's unique. People come to this profession, some of the best folks, they started out when they were 8, 9, 10 years old. And I'm sure most of some of you are in this room and you just became interested in things and you just became interested in wanting to learn and you become passionate about it and your avocation became your vocation because someone's now writing the checks and that's a really great thing about this industry and what Mike said that five years ago people wouldn't have had a function, a degree in information security. It just didn't really exist. Here and there, a couple of programs the fact that it's coming so quick and it's accelerating so much I think that's just a testament that finally we have a place where people who are interested in doing the type of work that you all do it's great because opportunities are being created and when there are more opportunities there are more challenges because there are more choices and I think that's kind of what it cuts back to. Absolutely and so fundamentally we're pretty excited about this. Anybody who talks to either of us for more than five minutes has probably heard us talk about some facet of this but really why should you guys care? And that's really the big question and my answer is that the rules have changed. When our parents went to work, the game was different. My mom worked for a large bank in Canada for 34 years. Same job, she moved up and her boss always took responsibility for making sure she had the right training and they defined her career path and every year they reviewed her and said hey you're doing a great job on your career path, keep that up and very few people changed careers. Very few people went out and changed jobs but the world is different and especially in our industry the world is different. This is not an industry so I actually spent six years at one company in this industry and by the day that I left I was the only person that remembered the day that I started. When I tell my parents or my grandparents how often I'm switching jobs they look at me like I've lost my mind and I'm seeing a lot of nodding heads out in the audience so I've got a pretty good idea that you guys have all experienced that and what we're really here to say and I hate to be the ones to tell you all this but it's all up to you. In our parents generation the company took care of you. The company made sure you had a pension when you retired the company made sure that you were growing the company made sure that you were doing the things that needed to be done not no more. It's all up to you and so you really need to take the responsibility for your own career because nobody's going to make it happen for you except you really. Ultimately you're the one that will have to take the responsibility for what you've said before that you'll reap the rewards or you'll pay the consequences so every decision that you make has a cause and effect to it and you know Mike was talking about you know it's a personal it's a personal issue here you really have to know yourself you really have to know what's important to you you have to know what makes you tick and you have to know what gets you excited and what you actually might want to get to. So fundamentally and you know the quote from the previous slide is an important one and was said a few thousand years ago by a guy who kind of knew his way around and it's the fundamental question when you're asking yourself about your career what are you good at you know what gets you out of bed in the morning what gets you excited and what are you not so good at I'll tell you about myself if you put me in a job where all I did was watch logs all day I would go absolutely insane I would just go nuts if you put me in a job where I just had to manage you know that everything just kept going the way it was going yesterday I'd go nuts but if you put me in a job where there's nothing going on you know my job in Canada they the only thing that was in Canada when I got there was a cafe we didn't have real estate, we didn't have an office we didn't have a team, we didn't have anything we started interviewing, there are a couple people here who actually interviewed in that cafe before we had an office and that's the kind of challenge that gets me excited I bet some people in this room would be absolutely terrified by that the point is you have to know what you're good at you have to know what you like and only then can you really make the decisions about where you want to go I always think of it as the vegetable theory when your child your mom or dad prepares you some vegetables you figure out which ones you like and which ones you don't like and if you keep liking broccoli well then mom continues to cook broccoli if you keep liking, if you hate cucumbers you don't get cucumbers anymore so the truth is this is that you're trying to figure out what it is that you're good at and you're being able to either dismiss it or be able to embrace it and I think that those things are just very important and when you think about yourself thinking about kind of what might be your strengths what might be your weaknesses where you might want to develop your own careers and your own skills to either make yourself a more rounded, well rounded person and be able to find yourself's positions that enable you to do things that actually take your skills, utilize them to the fullest develop your weaknesses so they don't exist anymore and those types of things so all the research shows that you're going to be happiest when you're doing the things that you're the best at if you read most of the research out there it will tell you that when you are working on the things that you're already competent at and you're expanding those strengths you're happiest and most challenged we'll talk about strengths and weaknesses in a second but I want to talk about skills for a second because when we have a tendency to talk about skills the first thing that comes up is what programming languages do you know and have you used Ida before and can you reverse engineer protocols and how comfortable are you with TCP dump on the command line and that is a really important part of skills but it's not the whole deal there's a whole lot of skills that when you're a hiring manager and I've hired enough people to speak to this pretty authoritatively you're looking for more than just the technical skills I mean there's a lot of people in the world who can code there's not necessarily a lot of people who can work together to solve a problem or who can solve a problem they've never seen before or who know how to research and find the answer to something that they didn't see in a book somewhere and so I actually I ripped off this model from something that was in the Harvard Business Review a couple of years ago and I sort of expanded it over that course of time to the point that it doesn't really look like what was in HBR anymore but it was called the portfolio model of human capital so the idea is how do we talk about all the skills that people have because technical skills are only one of those and technical skill here there's a reason I put quotes around technical because if you're a manager the technical skills of being a manager aren't necessarily what we would consider IT skills there are things like budgeting and power points and doing Excel spreadsheets and making sure that you can make a strong cost justification for things those are the technical skills of managers but there are a whole lot of other skills that we don't talk about as often strategic skill where you're talking about can someone think on a broad scale everyone pretty much can get a task list done can someone prioritize and figure out how to make decisions with strategy how well do they know the industry when you walk into DEF CON or actually more accurately when you walk into RSA how many of the companies do you know how quickly can you ferret out the snake oil how do you know how the puzzle pieces fit together and how does that relate to your job not just what your job is but what your company is doing as a whole I mean one of the questions are you talking about skills just by a show of hands how many people here think they have good communication skills how many people think that all the people they've talked to recently have good communication skills I think there's a mismatch there communication is a skill and everybody thinks in the recruiting business people always say to us well I'm a people person that's great we're all people persons you know I mean we're people people but I mean when you think about it though communication is a skill it's a skill that has to be developed just like technology it has to be developed just like anything that you do and it's a skill that you have to work on in degrees of people's communication skills how many people think they're good negotiators of course everyone's a good negotiator everybody goes to go buy a car of course we're going to negotiate those prices well the truth of the matter is is that that's a skill as well so all of the skills that we think about are just actually kind of coming towards us of things that we just assume that we're good at the assumption that we're good at it almost discredits yourself so when you're thinking about all these different skills that create a skill matrix or enable you to be successful in your career you have to then be able to put your own value and your own score to those skills take a baseline of where you are and then figure out and be honest with yourself about what do I need to do to improve how can I go about improving and is it even worth improving absolutely so there's actually something I wanted to sort of backtrack and talk a little bit about on here it's that line that says weirdness quotient and I think it's a really important thing that we all overlook because you know there are places where you will fit in and there are places where you won't if you like to wear a suit to work every day there's a lot of tech startups where that's going to be kind of strange if you hate to wear a suit every day I wouldn't suggest working on Wall Street and that's an important piece to know what is your sort of style and how does that fit into whatever company you're looking for are they going to think you're absolutely freaky and out there because you have to be able to form relationships with these people and so jumping away from that for a second we talked a little bit about strengths and weaknesses we came to the realization of talking about this everybody only talks about strengths and weaknesses but there's actually three categories because all your strengths usually matter but we spend a lot of time and I'm sure everyone has been in that performance review or at least a lot of you have been in that performance review where someone tells you that you're weak in something that you know has absolutely no bearing on your job and that if you don't improve that that you get your job done just fine every single day of your life so there's actually two types of weaknesses there's the ones that actually keep you from advancing in your career and actually impact you and there's the ones that don't and you really have to figure out which ones make the difference because unfortunately back to the whole theme of this nobody's going to tell you it's up to you to figure that out and learning which of those are which is going to allow you to spend a whole lot less time wasted on fixing weaknesses that don't matter you know again I'll use a personal example I have a tendency to get bored really easily luckily I'm in information security that doesn't much matter because I work in an industry that's fast enough and on in in jobs that give me the opportunity to work in 12 different ways on any given day you know I can be working on power points in the morning and excel in the afternoon and coding you know later in the evening I don't have to worry about getting bored in another industry that would be a difference that matter if I was an accountant for example that probably would not be such a good trade so you need to figure out which are which and move on you know move on that so you know all about yourself you know assuming assuming we've gotten through to you you sat down and you thought about who you are and what your strengths are and and what your weaknesses are and you're working on yourself but the question is who else does because your career is impacted by other people as well and what do you you know when you have your career and you know you're talking about who you are I mean I think one of the things that you talk about and Mike says he uses the term personal branding and you know when you're in your career you're all responsible for marketing yourself you're all responsible for marketing yourself on a daily basis you're responsible for enabling the people who you work with the people who your industry peers the people whom you report to to really understand who you are so they have a good understanding of what you're capable of and what you'd like to tackle and by doing that on a daily basis by doing that continually over the course of the time you're able to develop a personal brand both within your organization both within the industry at lower levels of your organization and at higher levels of your team and I really I hesitate to use the word personal brand it's the hot career topic of the moment if you read the career blogs and the career books but I really think of it really is just you know what do people think of when they hear your name you know and I've got some examples up there I mean if you have some thoughts shout it out what do you think of when you hear Schneier's name? airport security yeah exactly secrets and lies I mean we all have this pretty much the same picture of Schneier in our head don't we I mean I bet if I asked if I asked all of you about Bruce we could all give a pretty pretty similar picture any of the names that are up there and so that's what your brand really is what do people think of when they hear your name and if you can find a common denominator there that's what represents you in the world now of course I'm talking about this and I'm using all these names that everybody's heard of right I'm using all these famous names and you're probably sitting there going yeah but I don't have books and I don't have all of this stuff but it's not just about that because you do have a personal brand branding happens on smaller scales and I think it's really important to realize that you have a brand whether you like it or not I mean anybody can think about their friends and think of the guy who's always late or the girl who's always late everyone has that person in their life I'm sure and realize that's their brand to you that's their brand in your circle of friends you have a brand at your company whether you like it or not whether it's you're the person that everybody goes to when everything falls apart or whether it's you're always late to meetings you have a brand and these are the things that are going to cause you to succeed or not so much to succeed in your career so ask yourself what's your brand what do you want to be known for what do you want to represent when people hear your name and the hard thing is it's not always easy to change your brand I mean if your friend who's always late started showing up on time you're not thinking of them as the friend that's always on time takes time with that where it doesn't take time is with new people and the opportunity to meet new people is an opportunity to teach people about a different brand we have some people in the audience I mean I see some nodding about there's definitely some people here who are good branders but it's really an important thing to realize that brand will be the limit of what you can do I have a question I just did three slides on branding and talked about it for like three and a half minutes there's a common theme in all of it what was it it's your fault actually that was a common theme but there's actually another common theme and it was all about relationship your brand doesn't exist in you it exists in other people when I noticed I wasn't asking Bruce what he thought his brand was I was asking you what he thought what you thought Bruce's brand was your brand doesn't exist because you think you're the smartest it's because everybody thinks that you're the smartest and so it's all about being known your brand is ultimately a function of who knows you and who you know because the people around you ultimately determine who you end up being I love this statistic it's a fascinating statistic that if you do the research your income will be almost always your income will be within 10% of your five closest friends almost always that speaks to the power of how important the people around you are not only do they hold your brand in their hands but they hold your image of yourself in your hands and you live up to who they are ultimately the more friends you have and the better friends you have the better brand you have and the better network you have and the farther along that you go so what's the best job for you I mean the best job for you is basically the job that you have and that might sound really crazy coming from a guy who makes his living about helping people move jobs but the truth of the matter is the best advice that we give and Mike and I do each other for about 18 months before we ever even talked about any potential opportunities for him because the jobs didn't line up with what he was doing with what he wanted to do and the truth of the matter is that in your job that you currently have it's really up to you to try to figure out ways how to make your job better because you know the grass is always greener I mean when you talk to you think about what people might be doing in other businesses or in other careers or in other environments say wow they have it really good there you know their bosses they have a bigger training budget or they have half day Fridays or they're getting paid 10% more than what I'm earning but you don't really know what it's like to go up and work in that environment on a daily basis so the truth of the matter is that everybody creates an illusion that their job's really not as good as everybody out there and I think that you always think about what might be and I think that's a big trend because you hear stories about someone who just got a huge pay raise or you hear somebody who's just doing something uniquely different and say I don't want that job too a lot of times you could have that job in your own company if you know how to actually work the internal channels you know how to develop your brand and be able to look at opportunity and seize opportunity that you can create for yourselves I think that it's a pretty good assumption that there's more security work than there are qualified people to do it but most people agree with that statement and I think that there's generally more work where people do not understand information security in a corporate environment that could really utilize somebody who understands information security from a technical perspective from a business perspective from a marketing perspective about how that will all tie in with their careers and they're looking for help they're looking to understand people inherently want to know what they're doing nobody ever likes to feel like they're an idiot so by taking opportunities to help educate people about what you're doing and seizing opportunities seizing roles seizing different areas where your expertise can be applied to people who don't have it ultimately you will create more opportunity you will create a better job and when that promotion comes up when that opportunity comes up your name's going to be the one on people's cons inherently finding better opportunity it's your responsibility on a daily basis to try to drive yourself in those directions I got a great story about that which about I guess about a year ago now I took a particularly interesting job and it was a fascinating opportunity and it was an opportunity to work with a really cool team of people and work for a really cool CISO incredible work two weeks after I got there CISO got fired and they didn't replace the CISO they basically decided to mothball the entire department and it got particularly ugly so if you talked to me a year ago I wasn't I've always been interested in careers but I certainly hadn't studied this stuff to the point that I could get up here and speak about it and it was a great opportunity to work in a place where I mean I've never seen a group of security professionals so unhappy in one place it was like you wouldn't believe and so I called I talked to Lee and I talked to some other friends and basically it was it was do I go to work every day and be miserable with all these people or do I go to work every day and figure out why these people are miserable and figure out how I can help them and figure out how this stakes again and how I can never put other people in these places and so I spent the best part of the almost 10 months that I was there doing my best to figure out what the silver lining is doing my best to help and doing my best to find the opportunities to learn and add value where I could even in the worst of situations and I think that's really the key I mean your job might absolutely suck every day but I bet there's at least a few things that aren't so bad about the place I bet there's a few things that you can find that you really like or there's some opportunities to learn some things that you would really like if you're bored at work great time to learn about other things what most of us do when we're bored at work is we end up surfing the web reading random crap it's fun it's not necessarily the most constructive thing and if you have the opportunity you can really you can really find that silver lining and I'm not going to be the one that stands up here and sort of you know rose colored glasses says that's an easy thing to do I'll tell you those those 10 months there were a lot of days when I didn't want to go to work but knowing that I could go there and make something out of it made it a productive experience whereas I could have in the other direction thrown up my hands and not done anything I think that a lot of the things when you think about the environments that you're in trying to figure out those ways to make your days better trying to figure out ways to get more notice to get more information to just be seen and heard a lot more so you can actually have more influence so your job becomes more rewarding I mean most people when they leave jobs they don't leave jobs because of money they leave jobs because they believe nobody cares about what they're doing they believe that they're unwanted they believe that their advice is not listened to so I mean there are a lot of things that you can do you know as far as you know when you're talking about your skills you know you're doing it on a daily basis you know what you try to do is to really try to think about the skills that you have and try to how to build them and how can you go out and build your skills you know is it the idea of getting a different certification is it the idea of you know going to a different training is it building a skill that you don't necessarily have whether it's developing some communication skills whether it's picking up a new piece of technology whether it's learning a little bit about compliance and business type things or maybe it's even going back to getting a master's degree or an entry level degree whatever it might be you know whenever you're making an investment in yourself you can never go wrong I mean most people a lot of times will look at companies and say well my boss is not giving me any training budget well whose responsibility is it to train you is it your company's responsibility to train you or is it your responsibility to train yourself if you're not going to make investments in your own career how could you ever expect somebody else to so the idea is that when you say it really is up to you it's about it's really about not only understanding about where you want to go but really how you're going to get there and what sacrifices that you're willing to make to attain those goals and I think that everybody who has a job and has aspirations it's very easy to say I want to be the boss it's very easy to say I want to be a CTO or a CISO but it's very hard to understand the sweat the long hours the extra work that you do the sharing with your friends all the sacrifice that's the hard part that's the part that nobody sees that's the part when that happens when nobody is looking those are the things that you really have to think about what you're willing to do in order to achieve the things that you want to and you know what what's really unfair it's unfair because you might do everything necessary at least how you think is necessary but you cannot be able to get there you can push and push and push and sometimes those doors don't open up but there is a lot of value knowing that you have given your best effort to get there and that you've pushed on as many doors as possible to help you break through and there's enough personal satisfaction in that alone that should be enough but at the point is is that as you're developing those things as you're continuing to develop your networks of people and your personal brand and all those different things that go into helping you aspire to get to that place if your own company doesn't notice it somebody else will so everything that you do that betters yourself everything that you do that invest back in you your money maker your career planner everything that that happens you will ultimately see that benefit it might not be today it might be three years down the road from now it might be ten years down the road from now the one constant in everybody's job is time I see that I didn't know that when I started I didn't know that when I was at I guess Black Hat 2 or whatever it was but you know back here after ten years you do realize that you realize that as you mature that things do continue to stay the same and you continue to in your own mind that the more that you continue to build and build on a good strong foundation the better prepared you are to take on new challenges and when that bell rings you're going to be considered and I think that's the one thing that we talk to people all day long they'll call our office up all day we'll get the emails I want to be a chief information security officer okay what do you do I'm an assistant administrator okay so if I have any other jobs that will help you get there you don't want to hear about them no I just want to be a chief information security officer of course or my customers want to see those people the truth is this is that it's a long, arduous road but it's one where we're lucky enough that there's so much opportunity that's being created on a daily, monthly semi-annually basis where we are fortunate we're not accounts our industry is growing people aren't eliminating our jobs we have three or four customers right now that are laying off three to four thousand people but they're hiring their information security teams how do you think about that ten percent of their organizations are going to go home without paychecks and jobs are probably going to be very hard for them to replace at the same pay periods but the people that we're recruiting are getting five, ten, fifteen percent increases based upon the skills that they're letting other people go but they're hiring this skill the skill you all possess in one degree or the other but our clients don't pull us up for a garden variety people they don't want to pay our rates for a garden variety people they call us to find specialists they call us to find the cream of the crop they find us the ones when they ask questions that our people have the answers to them and as much as what you're doing it's about differentiating yourself from the pack it's about going the extra effort it's about jumping the extra mile and doing those things I'm going to jump in with the story actually because there's something on this slide and the guy I'm about to talk about is in the room so sorry there's a lot on the bottom here about using your friends and peers copiously and I think we don't do enough of that we get together once or twice a year most of us have a couple of friends that we use but a great example of using friends and peers is really seeing I saw somebody do it in a job search once and it was incredible he was looking for a job and so was a couple of his friends so they got together every single day and compared notes on their interviews studied the same things worked on the same things I'm going to find a job club and I actually ended up hiring two of the four people in the club because they were so dedicated and they were such absolute they were so insanely intense about it that they just made it happen these were guys who I mean you guys didn't have the resumes that anybody in this room did but they got hired because they were so intense about it they came to interviews so prepared that I've never seen anything like it but we're running short on time so I'm going to jump through the rest of the slides a little bit more quickly so how do you know when it's time to change jobs there's really only three reasons to change jobs ever there's only three good ones the first one is your life changes for some reason you need more money for some reason you have to move personal happiness or life balance suddenly your boss starts asking you to work 80 hours a week and never take any time off and you never see your family anymore great reason to switch career changes you've reached the end of the road as far as challenging this particular job you know it's time to move on to the next thing you know this job isn't getting you to where you want to go you know that your next job you want to be I don't know a web application a security person and you're spending all your time reading logs it's really not prepping you for it the third thing is org changes you know I was just mentioning my example from my previous job where the org just completely changed out from under me I did make the best of it but as far as going back to career when the security team gets wiped out and you're a security person it doesn't so much you know lend to your career path in general those are really the only three reasons we've seen you know a lot of times when you know in recruiting and things that you think about when recruiting really becomes successful at the level that we deal with is that when the employer gets something that they need and the employee gets something that they want and that's really where that intersection kind of happens that's where people are happy that's where career where people take jobs and they stay for long periods of time which is ultimately how we're judged in my profession so it's ultimately the best offer anybody here is that to be matched with a job they're going to be able to maintain for a long time and continue to build, develop and make the most out of it so you realize it's time for a change you realize it's time I'm going to go somewhere else you know I'm not getting what I need I have to go somewhere else the job search process pretty simple have it professionally written if you want post it on every site out there you know apply to any job that you think is at all interesting and call everybody you know every headhunter you can find and just say hey are you hiring for anything and then just sit and wait what's wrong with that wrong list no I'm going to give you a list that was crap because that's what everybody does and it really doesn't work that's about the complete backwards way to go out and look for a job yeah I think everything I could have done wrong I put in that list because it really only works if you're lucky and I know people who have gotten good jobs that way I mean we all do I put my resume on Monster and some guy called me and gave me a $15,000 raise I know people who have hit 7s on slot machines too I mean it just doesn't work like that for most of us the truth is that as you develop your skill and one of the fortune things about information security is that we're not a keyword business we're just not a keyword search business they're different degrees I mean you know if I wanted to get a job to get called by every web based recruiter out there I could write a great resume I know all the right things to say and everybody would call me back but the truth of the matter is is that that's a lot of fluff it becomes a lot of fluff so what do you do I mean we sort of harped on this the whole time you got to know where you want to go and you got to know what the next step is and once you know what that next step is for you you got to start reaching out to people it's back to branding and networking you've got to get to know people you've got to get all of those people that you know and say alright this is what I want to do do you know anybody who's doing that do you know anybody who you think's doing that and start to get connected to people the truth is this is that when you're wind up looking for something for yourself you should be having this circle of people whether they're made up of peers that work at other companies whether they're made up of bosses and former bosses maybe a mentor, maybe a professor I will go out on the limb and say if I was going to be if I was a chef I would find the best chef recruiter I had created possible if I was the best real estate attorney I would find a real estate attorney I wouldn't find a general I wouldn't find an IT recruiter if I was a chef just like if I was an information security I wouldn't be trusting myself to a generalist it doesn't make any sense you guys pour so much work into everything that you do why would you trust your career to somebody who only does that a part of their time and that's the problem with internal recruitment functions and corporations because they're so tasked doing so many different things they can't possibly understand what's important to you information security professional so we're sort of getting the we're about to get the hook here but I wanted to wrap up and say there's a lot that we haven't talked about we and I could have talked for three or four hours on this and probably not run out of topics because there's so many different pieces to managing your own career we're going to we're going to go to the Q&A room as soon as this is over if you have questions we'd love to answer them before we go out I actually wrote a book when I was working at that company I got so frustrated with the way things were going for people I ended up writing a book I set up an email address anyone here who wants a copy of the e-book just fire off an email to defconnitforgettheparachute.com it'll send you a copy of the e-book I just thought it would be cool to give that to everybody in the industry it was written because I was so frustrated watching information security people be frustrated in their jobs so I figure you might get some use out of it hopefully you enjoy it our email addresses are up there I mean feel free to email me if you have questions you have I will do my best to answer I'm sure Lee wouldn't mind being emailed anytime also definitely thank you all very much for coming seriously thank you this has been fun