Skip to content


Measuring Your Offensive Security Maturity: Prioritize Your People

Any effort to level up an offensive security program must begin with people. Your human resources are your greatest asset — and can also be your biggest challenge — in maturing your program and its capabilities.

Category: Informational Series



Alright, well, let’s get rocking. We got several folks in and excited to be joining everybody today. As I mentioned, kind of at the top of the hour, we’re in episode two of our series with PlexTrac, Echelon Cyber and Risk and Cyber. Sorry. Measuring your offensive security maturity. So we’re walking through what does it look to have a mature offensive security program, both from a consulting perspective as well as an internal enterprise team perspective. So excited to kind of continue to share on this landscape.

Today we’re going to be talking about the most important thing, which is prioritizing your people. When we talk about hands on keyboards, Pen Testers and thread emulators and everything related to an effective security exercise comes down to the folks doing the work and you can only operate so much.

The mental capital that goes into a quality offensive security engagement really comes down to the operators. And so with that, I’m excited to let everybody introduce themselves because we have some high quality operators on the call in the webinar series with us. So I will jump, I got to jump to the next slide here. So I’m founder and CEO of PlexTrac. I am a former Pen tester and did a lot of work in the App sect space, application security space, and then started PlexTrac to help bring together all of the proactive engagements that are happening in environments both on the consulting side and the enterprise side to really be able to provide better collaboration on an assessment that’s a little bit about PlexTrac. If you’re not familiar with us, but I’m the founder, CEO and then I’ll hand it over to Dan. Yeah.

Thank you, Dan. I’m Dan Desko. founder, managing partner CEO of Echelon Risk and Cyber. We do a ton of offensive security work, so on a consultative basis, working with clients of various industries and sizes all over the world, we’re happy to be here. We’re big time users of Text Track. It makes our reporting process so much more streamlined and simpler. Our clients love it, but we love to share some of our stories. And for me, this is my favorite topic is the people.

Because in the consulting world, our people are everything. So if we don’t have great people, we don’t have a firm. So this for us is front and center every day and one of the biggest things that we’re always thinking about. So really happy to be here talking about this topic.

Awesome. Nick. Nick, you’re up. Hey. Yeah, I’m Nick Popovic. So I’m the hacker in residence at PlexTrac, and my background is I’ve gotten to play in a lot of different places. I was a soldier in the Signal Corps, came out and spent a time in the enterprise and moved into security.

And I spent about eleven to twelve years in a consultative security role as a Pen Tester, net Pen, and eventually moved into practice leadership as a practice director, and then I got the opportunity to see what it was like being on an internal Red Team. So I’ve really worn a lot of different hats, especially in the offensive security space. And now I’m working over with PlexTrac, kind of providing that hackers perspective. And since I’ve got that varied experience, I can have a lot of different voices with a lot of different perspectives. Yeah, awesome. Thanks, Nick. And then tod everyone.

My name is Dahvid. I’m the managing lead for offensive security at Echelon. I think the fun elevator pitch I like to tell everyone I’m the Emulated mob boss of a group of Emulated criminals right similar to Nick. My previous employment came from the military, where I initially started off as a radio operator, similar in the signal core kind of realm. And then I transitioned into a special operations cyber unit where I got to do this stuff for real. Had a lot of good times doing that and seeing how APts actually function.

Took that kind of leadership mentality that I learned from the military and brought it into the civilian world when I left work as, like, a big four Red Teamer for their global Red Team operations. Had a lot of fun red teaming companies and corporations that are outside the United States as well and left that job, came here and now work for Dan Pittsburgh. Dan, who’s in Belize and haven’t looked back since. It’s been fun. This is definitely a topic that we enjoy talking about internally as well. So looking forward to kind of chatting with you guys and seeing how we can help our attendees. Yeah, awesome.

And thanks. For those of you that are in attendance, this is always meant to be interactive. We’re going to kind of run through our agenda of the topics, but please do use the Q and A function of the webinar to insert any questions that you have. We’ll be monitoring those and try to either answer them in line or we’ll also have some time at the end of the webinar to have a Q and A. And I will say this, we’re almost at the end of October, which means we’re almost to the beginning of November, or I guess kind of the middle portion of November, which represents Veterans Day. And so I just always like to extend a gratitude to those that have served, including Nick and David. Appreciate all of the service that you’ve done to our country.

And it’s always exciting to be in this realm because I think especially in penetration testing and offensive security, you do encounter a lot of former military or folks that have a service background. So I’ll just extend that on behalf of PlexTrac and then as well, for our attendees. All right, so today we’re going to really talk about these kind of key topics around what is the key makeup of a good operator within offensive security and what makes a good team? And then how do you go about recruiting and hiring good talent and then getting them on board and making sure everybody is on the same page? I think what we’ve experienced at PlexTrac, when you have moments of high growth, is really having a capability for quality on boarding and good experience from just treating your people well is the first time they step foot on the door, because you are spending a lot of effort and time and resources and money to bring these people to your company. So making sure you have a good onboarding experience and getting them engaged in your culture and then keeping them right, the retaining aspects of you found really high quality people, how do you keep them engaged and keep them motivated? And I think we talk a lot about, especially in the cyber realm, around your mental health and staying engaged in the balance of work and life and everything that goes on. And so how do you invest in your people and helping them grow and stay motivated, but also avoiding burnout? So these are the key topics going to talk about today. I think it’s fantastic. I’m excited to hear about these perspectives.

So let’s go ahead and just dive straight into the first topic. This is all around recruiting and hiring, right? And I would say especially during a talent shortage, which I think that cyber itself is probably always going to have some form of a talent shortage. Let’s start with what does it mean to actually have a talent shortage? And then when we’re talking about an offensive security capability within your team, your consulting firm, what are we looking for and how do we go about finding that talent? Yeah, I think the fun thing to mention too about this is, yeah, we’re in a shortage. It’s quite obvious that we’re in a talent shortage, but a lot of times we still get the impression that there’s always going to be a candidate that fits our perfect description for a role. Right? So I don’t know why we do this as cyber people. Maybe it’s just the fact that we’re optimistic, but it’s like, oh yeah, there’s always going to be the next guy, there’s always going to be the next guy, and we hold out and we wait for just that perfect unicorn that’s probably not going to be coming along the route. So I think this is very important to highlight the fact that we are in, like, what is it? Two and a half million jobs worldwide that need to get filled in cybersecurity in general.

So sometimes it doesn’t make sense to find just that perfect unicorn, but that doesn’t mean that you can’t find the perfect individual for that position, right. Especially when we look at who’s in the job market, who’s looking to break into this kind of job, we have to look at things that aren’t really translatable via paper, whether that be passion or interest or whatever you want to call it, right? Like when you have a conversation with somebody who really enjoys this job and really wants to get into offensive security, you can tell you’re like, hey, talk to me about malware or talk to me about network pen testing. And if they’re getting hyped up on the phone, I guarantee you they’ll turn into that unicorn individual that you’ve been looking for, right? That perfect candidate for the role. They may need a little bit to grow into it, but ultimately that passion, that drive that’s put them into getting into this field, that’s what we have to be looking for. I think it’s a little hard though, to find through paper. It’s kind of like when you were looking to buy a house, you kind of have to have your set of expectations, but then there’s some malleability within there you’re like, you know what, I can give up having the rumor on this side if it makes sense from my perspective too. And I agree with all those points.

There’s also something we, when I was in practice, leadership as leaders in organizations, security organizations that are trying to fill slots, there’s really proactive steps we have to take with the HR when setting the expectation. Like you said, David, getting past the paper, talent acquisition and recruiting live and die by their systems and by the algorithms that sort resumes and put them right by keywords and those types of things. So what I struggled with was making sure because there’s a deluge when you’re hiring for pen testing roles, you’re going to get many times a day lough of applicants and you don’t want to miss out on you have to find this balance. And I don’t have the answers. Maybe I can get perspective from you folks, but I know that you have to strike this beautiful balance with HR of trying to vet folks, but you don’t want to lose out on the folks who could be growing to that role. But then you don’t want to have a deluge because you’re operational, you’re having trouble. Now, you’re not having trouble, but you’re executing work as well.

Everything doesn’t stop now. It’s hiring season, I can take a break for three months and hire all my people. And so striking that balance and really working with your partners in talent acquisition, in HR, all those types of roles to really try and grind smooth, some sort of paradigm that allows them to vet without throwing out, but then doesn’t get you overwhelmed as leadership, trying to run through interviews because you can’t do your work because you have nine interviews a day.

Yeah, I mean, I agree. I think there’s that notion we kind of talk about from the HR front and especially in large organizations, right. Bigger practices or bigger companies where there is that kind of I would say that bureaucratic step of you’ve got the HR recruiting angle that is doing that initial screening. So really educating those folks on here’s, the actual kind of candidates that we’re looking for, they don’t have to meet all these check boxes. You’re looking for that ingenuity and that creativity first and foremost. Right? And I think it’s kind of interesting. I don’t know about you all, but when I was growing up, you kind of hear that adage of like, hey, getting a degree.

I mean, there’s a whole conversation around certifications and degrees, but when I was going to college, that was the mindset was that, hey, if you have getting a degree, it gets you that foot in the door and they’ll teach you what they need you to know, right? And I think there’s some notion of that in cyber, but there’s definitely like a baseline set of knowledge, right, and skills, skills that you’re kind of looking for. And then everything else, like you said, is malleable and being able to say, like, hey, these are the things that we can really help train the person up, but you’re looking for some of those intangibles in terms of their drive. And I think within pen testing specifically, there’s definitely more of a lifestyle around it. Right.

These tend to be the individuals that are doing this in their off hours and treat it as a hobby more than anything. Upfront so there’s that notion, I think, as well, in terms of being able to balance how you find those folks and really discern where’s that balance of do they have the right knowledge versus do they have the ability to pick it up quickly and adapt.

I would add on to that. I think there’s such a shortage in some of the core skills that we need in this particular field that aren’t being taught in most normal computer science programs or cyber programs. Right. So if you think about traditional networking skills, and I don’t mean networking as in like, go out and have cocktails, I mean like a Windows network and how team operates. Yeah, 100%. That’s not being taught in most computer science schools or secure software development skills and what that looks like and or how to hack web applications. It’s not being taught in school.

So a lot of those foundational things, those are things that have to be sort of taught through mentorship from early stages in the career. Unless you pull someone in that maybe was a former network administrator, that turns into an offensive security operator, things along those lines. So I think that’s a big, big problem and I think a lot of us are attacking it through really solid mentorship, but that’s not being taught as widely as it should be.

Go ahead. I think all of us have something to say on this side. I’ll keep it short. I’ll be uncharacteristically brief on my spot, but it’s this thing that we actually were on a webinar in February of this year, or it was an early on webinar and this idea that we as a community can continue. And I’m seeing grassroot campaigns in workshops, in nonforprofits and for profoit training boot camps and in some schools, but there’s to Dan desko’s point in that they’re teaching certain things and theory and some valuable lessons. There’s a way to marry it with the idea of manufacturing comprehension. And I love this idea, but one of the things that I got to do in my career is I got to set up an associate program.

I got to sit there and hire six people who were cell phone kiosk salespeople, who were passionate CTF ers, who didn’t have the requisite knowledge and spend a year and a half, two years mentoring them through a program. And through that program we learned that they can go through structured training and there’s actual value in structured training and receiving degree or bootcamp and structured training. But manufacturing the comprehension that comes from the fog of knowledge, from troubleshooting, from the experiential stuff and we just don’t have time for them to take five years as a systems operator. We need to manufacture clone troops now or the empire is going to win on that’s conflating so many different things. So on that note. I think from education providers. Higher academia.

US as leaders in the information security community. And folks who are trying to look. When you’re choosing training. When you’re choosing education. When you’re choosing things that are going to refine you. Look at opportunities that are going to manufacture and give you scenarios that can build your comprehension of the core fundamentals and adding in scenarios and then that is what creates this great holistic operator and practitioner.

Everybody, we’re waiting each other out. Everyone’s like we all agree. Yeah, I think we’ve echoed all the same sentiment and I think the notion I really do believe that it’s not just a talent shortage in terms of bodies. Right. I mean, people having a desire. There genuinely is a baseline understanding of technology that has to be there and that curiosity’s mindset of being able to break this stuff. Right.

I’ll never forget I had two degrees in computer science and I came up through the ranks of being able to hack and write exploits and all these things and I started working in an application security program for an internal enterprise team, right? And so you’re working with software engineers and developers and whether they’ve been formally educated through the college system or they’ve kind of learned on their own, it amazed me and maybe it’s gotten better, but I don’t know. But like, it amazed me how many just software engineers didn’t understand basic networking, right. When I submit a web request, how are those bits traversing to the server and what is going on there? Right. DNS and all these things. So there’s definitely some of those things that from a security perspective you would imply as basic core knowledge that you have to have. And so I think what’s hard is really balancing kind of what you have the privilege. I would say that was a huge privilege, Nick, is to have the resources and time to have an associate program where you can actually train people, because most of the time everybody is overwhelmed.

You need to find somebody that can hit the ground running and really get going because there’s so much work to do. Right. And it’s hard to balance how much time and effort you can put into like an internship or an associate level program.

I was just going to say really quick, it’s not just training the person too on, well, here’s how to do this nuanced thing in a network to pone this thing. That’s cool. Someone could learn that technique, right, or that tactic. But the real value is in how they explain how the remediation for that works, how that impacts the network, or how that impacts the application you’re working with and how to make that change. So that’s the tough part, right. Like, you could teach someone how to run a technique, how to execute a technique in certain situations, and how that goes down. I think where the real rub happens is how you then work with the stakeholders to actually improve from there and make it meaningful in a way that they understand.

Yeah, I mean, bring it back to the whole recruiting and hiring portion, right.

Cyber changes daily. We all know this. So ultimately, something I took from the military and more specifically Special Operations, which I really liked, was you have to answer the three questions when bringing somebody new into a team. Can they do the job? Will they do the job and will they fit in? And I know will they fit in? Is not necessarily as important when you’re in an environment that’s like a corporation. Will you fit in is really important for Red Team teams where everyone has to trust each other and work together, or in Special Operations. But will you do the job? And can you do the job? Need to be answered first and foremost, and I think almost everyone will do the job. Right.

If you’re applying to have a position, you would hope that that individual is actually there to work. The can portion, I think, is the hard part to answer. But ultimately, let’s say the person isn’t as technical as what you were hoping. You’re hoping for a senior with five years of experience and you’re getting maybe a person who has two or three. Can they explain things in an understandable and colloquial manner? Right? Like, hey, can you explain to me what DNS is? Or can you explain to me what Http is and how it works? Sure, they may not have a grasp on the OSI model or the TCP IP model, but if they can explain things colloquially, right, because we as cyber individuals or as communicators, whatever you want to call us. We’re terrible at communicating. We use all the fancy jargon.

Right, but if you can translate that fancy jargon into plain speak, the likelihood is that individual will be able to understand things in a much deeper level because they’re able to bring it away from the technical comfort and push it into more of the everyday speaking kind of thought process. Like, they’ll be fine. So I think we need to stop looking at it is like, you know, what do they have? Where are they at? And more of like, how do we have them? Or how do we figure out that somebody can actually do this job well by explaining basic concepts in a normal sense. Yeah, I think folks listening could really take part then and realize that. I think a good method to prepare yourself for interviewing would be to make sure that you have a firm grasp on significant portions of core technology tenants and really start to test yourself. If you don’t let academia feed you, don’t let your nine to five feed you. You feed yourself so that you can help manufacture that experience.

And when you get the opportunity to interview. Maybe you don’t have the resume shops. But when I was interviewing people. I’ve interviewed dozens upon dozens upon dozens of pen testers and associate pen testers and whatnot folks who could speak and could talk the talk and answer some of those questions. Even if they didn’t have the experience on the resume. I could tell that they had tee that up. So my, I guess advice would be to test yourself, to go through and try and learn as much as you can about core functionality and be able to answer those questions.

Like what happens when a DNS request happened? One of my favorite questions to ask that was kind of open ended because people could take it as technical or as light as they wanted to. And that helped me gauge, I would say. So you open up a browser, you go to the address bar and you type in http internet address and you hit Enter. What happens? Folks in the Sysadmin background are going to talk about different things than folks with an app check background. We’re going to talk about sockets versus get requests. We’re going to talk about different things, DNS request versus not how encryption works. Somebody’s going to say, well, the temporal key exchange happens at this point and somebody’s going to say math happens and it’s protected.

But being able to talk through those core fundamental questions is going to give me as a hiring manager, more understanding of where you are. So that’s some advice too, hopefully some encouragement too for folks who are looking at those cyber jobs. Yeah, absolutely. And I think we could probably talk a lot just around.

I think it’s always fascinating to me how hard it can be to get into cyber. Right. I remember trying to get in early on finding cyber jobs and then feeling like you’re not qualified for them or whatever. But then once you’re in, it’s a matter of just continuing to maintain your skills and grow and in the world, your oyster really is with the way I feel like if you’re capable and you’ve proven yourself, you’ve got a great opportunity. But yeah, getting in that first step is hard. And I think that’s also an important aspect for hiring managers and hiring leaders to know, like, hey, we may have this unicorn expectation, but here’s really the profile of the person that we’re looking for, regardless of what role. There’s a book by Pat Lynchioni.

It’s called The Ideal Team Player, and it talks about hiring the folks that are hungry, humble, and smart. Right. Similar to kind of your analogy, David. But, like, those are some of the key characteristics that you really should look for in any kind of hire. And so let’s move on because I think we could keep talking about just finding and hiring talent, but hopefully this was kind of a good overview of our opinions for the audience, right? Okay. So now let’s say we’ve actually gotten we’ve gotten those folks that we actually want on our team.

What have you guys learned as key elements to the onboarding process and even both from your experience as being a new employee and also bringing on new employees on both sides of the fence, too, whether it’s a consulting firm or an internal enterprise team, don’t hire during Q Four.

That’s tongue in cheek, let’s be real.

Well, what I’ve heard, too, is in the old days, Q Four was your gearing up for Q Four because everybody’s going to try and get their tests done at the time. It’s going to be bananas. And what I mean by that, too, now, I’ve heard that there is no more Q Four. It’s just Q. I had somebody tell me I’m in Q Eight. He’s like, It never stopped. It went from Q Four to Q One, and he was like, that was five six.

Everybody’s so busy. And that goes back to there’s just a constant need for security services, security products, et cetera, most of security services and products. But the point being, if you’re going to go through the process of taking the time to interview folks, if you’re going to get them interviewed, processed and all that jazz, you need to make sure that you take the time to have a plan. If you hire them on it’s, like, now what? And you just throw them as another duty as assigned to some other consultant with no plan, you’re not going to be teed up for success. So onboarding a team member needs to be a process that you have put some thought through and you’re prepared for. So the idea of hiring at Q Four means everyone’s going to be busy and you don’t want to set down your new employee be like, hey, we’ll get to you in January when you hire them in November.

Yeah, I mean, that’s always my fear, right? I think that’s Dan’s fear as well.

Pittsburgh Dan. I always have to remember we have to discern the difference between the two.

You’re scared that as you bring these guys in in a busy time that it’s like, okay, what can I do to make sure that they feel like the organization cares about me? Because ultimately, as cybersecurity professionals, we do live in a little bit of a different realm, especially in offensive security where teamwork and problem solving isn’t a solo activity. Right. So you don’t want to feel like you’re being left out there to top that off. In offensive security especially, we all have our unique ways of doing things right. Some offset teams are going to be running out of azure. And if you come from the environment where you knew nothing but azure and now you’re going into a new attack infrastructure that’s hosted entirely out of AWS, sure, the core principle is the same, but the command, the process, all that jazz is still a little bit different on the leadership side.

This is something that we as cyber leaders just need to make sure that we’re not dropping the ball and bringing in our new people, because I think that’s true for any job, but for us especially, it can make or break that individual’s career at the organization.

Yeah, I think there’s nothing like a first impression. Right? And so you’ve spent a lot of time recruiting these folks, identifying and getting them through the interview process and whatever that process looks like. So they’re excited to be there. Right. And you want to maintain that excitement. You want them to come back from that first day of work and think, man, I made the best decision ever. I am so jazzed that I made the right call.

So that’s one aspect. Right? And so that really speaks to the culture of the organization. And then I think really setting up a plan for how are they going to be engaged in the culture? And then also what are the key elements for success in their first set of weeks so that everybody’s on the same page. It’s like, here’s what success looks like in our organization. And this is true of any role, but then kind of bringing it down to the offensive security side of the house. Understanding the methodology I think is really important. Is there a standard methodology for how this organization, whether it’s a consulting firm or an enterprise team, how you conduct exercises and what’s the engagement philosophy and how do you go about executing tests and your communication styles and who are the right folks to be talking to? All of those things can be drastically important, especially if you’re a more political organization as a whole, because certainly larger organizations can have a lot of politics, right.

You as an individual team may not have that level of politics and kind of that corporate, annoying corporate culture, but understanding who are important people would be talking to and have as advocates versus those that you need to kind of treat with white gloves or to walk on a shelves a little bit. I think understanding the culture of the organization is really important and then your communication styles to those individuals and that’s more from the enterprise perspective. Right. And I’ll let Devida or Dan Pine on kind of like the consulting aspect of I think shadowing is always really important aspect for any even if it’s a seasoned veteran from a pentesting perspective or security perspective. Shadowing those exercises and those engagements is really important just to understand like. Okay. This is kind of the general feel of how we do things here.

Right? Yeah, 100% agree. I think one of the things you don’t want is someone to come in and you just throw them on an engagement all by themselves.

I can’t tell you how many times I’ve heard that a lot of companies operate that way where they come in and they’re like, hey, I sold this project, guess what, it’s your problem now. Right? And that’s not the right way to do things that alienates people and it doesn’t give them a good experience. And some people are up for that challenge, rightly, but that’s not the right way to do it. So the mentorship, the buddy system, getting them involved in engagements where they can shadow and work alongside a veteran of that organization to see exactly how you operate is definitely the way to go. 100%.

Any other thoughts? Yeah, I’m getting a lot of value from a very purely technical perspective. Just some advice from just some advice for folks who are maybe looking at onboarding teams and then folks who are working through this process of what you might be able to expect and be prepared for. I think some of the best things that I’ve seen in both consultancies and enterprises is dan Desko earlier mentioned the understanding of being able to articulate how to fix things. I think so many folks get so focused on how to hack things and using frameworks and even then understanding the manual methods and mechanics of taking and exploiting flaws. But then being a true security professional doesn’t mean you just knock it down with a hammer. You talk about how you can fix it, build it up, patch it, etc. And so one of my favorite things to do with newer consultants is work on either the retesting or validation.

There are places that have engagements where you have to go through and validate findings from automated tools and then find manual stuff. Being able to manually go through and take advantage of a flaw that a scanner found is a huge way to level up your understanding and comprehension of vulnerabilities and flaws. And so it also teaches you not just to rely on automated tooling. We don’t besmirch automated tooling. We use it where it makes the most sense on your own. You know what you can do? You can take community versions of software that is meant to find flaws and you can go through and run scans and start being able to articulate that. Then when you’re talking about onboarding team members, giving them shattering capabilities for sure, giving them old artifacts to review valuable, but having them get operational and maybe even go behind flaws and be able to be able to articulate specifically what’s happening and how to fix them is a fantastic way to get them busy, get them working, but also level up their ability.

Because a lot of folks, even I’ve had, even seasoned folks who come in and I’m like, can you manually exploit this type of flaw without the resource of a tooling? And they can if given the opportunity, but they never thought to. And that has helped them grow as individuals. So that’s just some little nugget to think through. We have to think about the inverse of that situation too. So as security programs are maturing, we find ourselves running into more especially on retests things that the company or the client or the people are doing right that are now fording our attempts to do things. And I think so often as the offense security professional and those that I’ve worked with over my career, they see that as sort of failure because they’re not able to do X, Y or Z when in all reality.

I think we need to get used to the idea of pointing out the fact that half of what our job should be at that stage is validating what that organization is doing right and validating the investments that they’ve been making in their security program over the course of that maturation.

Ed SCOTUS a decade ago, shout out to him, said, hey, whenever you find yourself in a pentest and you’re in a situation where you’re really light on findings, double down on write down everything that you did that was unsuccessful, and talk about why. Because that’s where real value starts to come in. That’s where people understand, okay, I’ve got a big security budget and hey, something worked, right? And they could point to that specifically because a lot of times it’s hard in the security realm, you’re paying for things and in the absence of something going wrong means that it’s working. So if all’s quiet, that means things are doing their job, which is sometimes hard to validate or say, hey, we need to keep spending a couple of million bucks on this, right? So when you do that exercise where you do get the simulated offensive attack, it’s good to point out when things work and why.

Yeah, I think that’s great analysis too. We’ve identified a key component of being what I would say is a top tier security professional is being able to communicate effectively, right? Not everybody’s going to do that. They’re not always high quality or at least comfortable in more public settings or on that readout call. But if you’re good at a minimum being good at just documenting and writing out, here’s the risk. Because we’re all risk management professionals, at the end of the day, we’re helping companies identify key risks in their environment and then being able to help them show the trends that they’re getting better. Right. There’s nothing more encouraging to me as a pen tester when from an app set perspective, I’ve tested an app and I found a lot of things and then I come back six months to a year later and I don’t find those things and maybe I find a few more.

But over on the whole, the app, you can tell, is progressing to be more secure. And I’m sure it’s the same way from a network environment perspective. We did have one question that I think is a good one to answer in this section. We know companies have an onboarding process, but what can someone just entering the team do to smooth out that process? David, what are your thoughts there? It’s all about managing upwards, right? In this case, what do they say? The best leaders are also the best followers, right? Like, we all got here in this position, not just because we put our foot forward and said, I want to leave, but also because we followed the whole process of understanding what a good leader looks like. So I say all that just because that’s really what this comes down to. Smoothing out your own process for a company is just putting that expectation forward to the management staff, right, going, hey, look, this kind of sucked, or this was really good, right. Think of it as if you were given a pen test, but to the process itself.

So when it comes down to when it comes down to smoothing, you just have to be honest before you’re not insulting anyone, you’re only making it easier for the people who are coming after you. Yeah, I agree. And we’ll move on to the next section because I realize we’re getting low on time here. We got some other great topics to cover. But I think being good at just comfortable asking questions and just saying, hey, what does the success look like? What are the things I need to know? And I always encourage someone starting a new job, like if there’s ever a time to maybe kind of could just consider it, hey, I’m going to put in the 60 to 70 hours, weeks early on is then, right? It just helps at least framing your mind. Like, I’ve got a lot to kind of pick up on. Not saying that’s a must, but when I’ve taken new jobs, I’ve kind of always just prepared myself like, hey, if there’s ever a time I’m going to put in a lot of extra effort.

Not that I ever wanted to slack off, but it’s like I’m going to just make sure I’m dedicating that time to really understand am I getting up to speed as quickly as possible. Which does require, in my opinion, some time outside of normal operating hours. That may be a little bit of a controversial statement, but that’s just how I’ve approached it. It’s not what I put in my expectations of my people. Right. I don’t want to say that. All right, let’s move on because we got a lot of luck.

Okay, so we’ve got people onboarded, we’ve got them in, we’ve got them ramped now and they’re really firing on all cylinders. How do you continue to invest in the growth of your people? I think this is an important topic. So I’d be curious Nick, maybe what has been your experience on continuing to grow people? So I think finding there’s a whole slew of really great training now. Back in my day when it was all just Peach Field, the training opportunities are vast and with that comes overwhelmed. There’s an overwhelming sense of which training do I take with training for my people cost point. I think understanding that people are going to want to take structured training but also offering experiential training opportunities. I’ve been in environments that offer both.

We would have our own more seasoned people along with some more junior people build out training that was right from the field. Very experiential training and virtual lab environments. Kind of creating your own CTF in that culture. There’s so much value in that. But in the same token, realizing that some of the bleeding edge newest stuff and just to satisfy your folks that there should be a training budget associated with heads of humans and they’re going to want to train and then encouraging folks to maybe take a wide breath of training. You know, maybe somebody is really into apps and they want to take the latest web app training and they do it. And then maybe encouraging them, you know what, get them some cloud stuff, get exposed to some other I think just making sure that you are that there is because it gets really hard, especially when you’ve got a lot of work to do, finding time to train.

And that’s the other thing. I think investing and it’s a price tag, I get it, I get it managers. But getting time for training is as important as the training itself. I’ve had that held over my head as well when I was building training budgets. You understand that non billable time is costing the company money, but after understanding it, they realize that that is an investment in people. So making sure you’re investing in the training, structured courses of it, building it and giving people time, incentivizing it and then really generating a community. Because if you can have your team who are interested in creating sessions and training each other that not only is it cheaper, but it’s valuable.

It’s building trust in the team. Finding that happy mix is there. And I know it sounds like I’m seeing a lot of magic things that could never happen. I’ve seen it. I’ve seen organizations who have done this well, both consultative and enterprise and provider space. There are people who realize that this is how you get bleeding edge, this is how you keep people happy, and this is how you keep people technically proficient.

Yeah, like I said before, right, cyber change is by the minute. This isn’t something that we can just hire somebody and just walk away from.

I won’t badmouth any corporations out there that do, but ultimately, that’s why there’s a high turnover. When it comes down to this, the largest complaint I hear from a lot of my mentor ease is I just feel like I’m not being invested in my own company. And that kind of sucks, right? Because ultimately a lot of this that Nick and I and yourself, Dan, have learned, we learned on our own. Like, I learned malware dev by just finding random articles or hacker forums that would explain the process or the idea and then trying to extrapolate from there where I wanted to go with it. But today there’s so many different resources, so many good practical resources to test and understand the what do you want to call it? Like, section of offensive security. That we have the ability to pay into this. We should be paying into it.

No one should feel like they’re not being invested in their own company. Yeah. As a leader, I think it’s important to make it be a two way conversation. Like, hey, we want to invest in you. What are some areas that you want to learn and grow? And then also here are some areas where I see you have opportunity for growth and I want to invest in you that way. Right. So like you said, it might not be every conventional piece of training.

It may be like, hey, I’m going to send you to Toastmasters because you want to be a speaker on the circuit. Right. Some people want to go and speak at conferences and be involved. So that requires some skills, and maybe you don’t have those. So those are some other non technical things to look at from the training perspective and just know that, like, hey, I am engaged in who you are as a whole person, not just the technical aspects. And so making sure that two way conversation, here’s what I’m really interested in growing and learning, here’s what I as a leader also see opportunities and then let’s figure out a kind of a training plan.

Sometimes when budgets just aren’t there.

When I was in an enterprise team, you could say, hey, especially in some of those economic downturns where training budgets are like first things to get cut, you could still say like, hey, but I’m going to give you the next two days, or I’m going to give you this next week. I’m going to give you time to actually train on your own, do those free resources, or here’s some things that I’ve done, handson, kind of labs and stuff like that. So like you said, Nick is at least having the time to be able to do that because knowledge is the power, right? I mean, you don’t want to go into a training or things like that just to get a certification. Not that those are bad, but it’s definitely like, what are you doing with the knowledge? Right? And there’s a good point that I saw too. And it’s true. I got the most energized going to conferences, maybe even not taking the training conferences, being a part of the community, seeing the researches, being down there talking to like minded It folks. I always left conferences like, I’m going to write everything.

I’ll write new tools and write new techniques. And this is amazing. You feed yourself. And so if you give the opportunity to have training plans as well as allowing and sending your people into those conferences, it’s good for all around.

Yeah, all right, I’ll move on. I know Dan didn’t necessarily get a chance, but I’m sure he’s in alignment with everything that we’ve been saying.

The last one, I think, is also super important. I kind of alluded to it at the beginning of the session, but how do we make sure that we keep the mental health up to par with our employees and ourselves? Right? And then it’s an important aspect of our industry, specifically, and I caveat this a lot. Like, I’ve been in cyber my whole career. I don’t have a lot of perspective of like, hey, what’s the burnout rate of the finance industry? Or something like that. I do know that the burnout rate in cyber is high, and that’s why you see a lot of turnover or even people just leaving the space as many people are wanting to try and get into it. There’s a lot of people just ready to get out of it. And so what are your guys’thoughts on? How do we avoid burnout? How do we retain the talent? I could toss some ideas there.

We recently had Eschaton, which is our annual get together as a team, and we brought in a speaker that talks about the concept of the five balls of life. So you’ve got family, you’ve got friends, you’ve got your mental health, your physical health, and you have work. And for those balls are made of glass. One is made of rubber. And we got the point that the work is the rubber ball. The other ones that are glass, you can’t drop those because they’ll shatter, they’ll break. It will be impossible to fix those easily.

Right? So for us. It’s all about making sure that people understand. Hey. When things get tough in your life or when you’ve got a lot going on outside of work. Know that you can pass the ball.

Not necessarily drop the ball or throw the ball away. But you can pass the ball to someone else and there’s a team here to support you. And it’s perfectly appropriate to bounce that ball over to me or over to David or whomever else because you can’t drop those other balls. Right. That’s irreparable. So we try to instill that line of thinking so, you know, everybody knows from the get go that but if they ever find themselves in that situation and start to feel that a lot of times it’s not only just because of work, it’s because of what everybody has going on in their life. Right.

Yeah. It’s everything in addition to it. So that’s one thing that I would say I think resonates with us.

Yeah. Fantastic.

It’s that knowing that you have resources available to have vulnerable conversations. Right. And there’s always that notion of like, hey, HR, you’ve got to be kind of cautious around certain things. I think as a leader, knowing, hey, I care about you as a person first and foremost. Right. We’re here to do a job, but not at the expense of your livelihood in terms of like, there’s going to be people that are dealing with some very serious things and knowing that you can have those conversations and work with the resources that your HR team and your benefits program may also provide. When we’re talking strictly kind of around mental health and those kinds of things, that it’s okay to have those conversations and be vulnerable in the perspective of, hey, we’re working together and viewing you as an entire person and not just your work product.

Right. And I like that analogy, Dan, of like, there are certain things that will break, but the rubber ball, as long as you don’t drop it, we’re here to help, right. And also potentially have some grace if something does get dropped in an emergency or something like that. But I think we’re in a different age as professionals. I think some of us that might be a little older grew up in that notion of like, you know, you must have a strong work ethic and you don’t share personal sides of your life at work. And therapy and counseling are considered kind of taboo. We’re just not in that world anymore.

And I think everybody recognizes that it’s important. Like being able to talk to a counselor or therapist is cathartic. Right. And so whether that’s a professional person or you have some other mentors in your life that you can share those kinds of things. And I’ve personally found that in some of my bosses. Right.

I don’t want to break any gaps of what’s appropriate at work in HR stuff, but I definitely have found that to be helpful from just like, hey, boss, you know what? I am really tired when I was doing a lot of pentesting. Sometimes you get double booked and you’re like, yeah, this is pretty intense, I can’t sustain this. And then you work together to figure out like, OK, where’s the balance and making sure you’re taking time off, those are all important aspects. But I couldn’t agree more. I don’t know if David or Nick any thoughts there? Yeah, just because you had mentioned the strong work ethic thing, something my dad told me that kind of just stuck with me. Right. And this guy was pretty successful, came from a poor family in Chile to the United States, started his own company and then became an executive at Hitachi for some time.

A strong work ethic requires a strong rest ethic.

You cannot be at the top of your game if you do not take care of yourself and relax.

Many of you guys are probably like me, right? We do this in our spare time because it’s enjoyable and we don’t see it as a job. It’s almost just like this fun problem solving.

Right now I’m on a cell phone hacking kick. So it’s like, how do I get the JTAG information from a Samsung S Three and understand that, right. To me, that’s a problem that I have to solve, like a puzzle. And I find it so much fun that I just want to do it all the time. But the moment it starts to feel cumbersome or the moment it starts to feel like it’s a little bit more than just a puzzle to solve on my time or to enjoy with it, I have to take a break. And recognizing that at work, especially in the consulting life, like, sure, we have a nine to five, we have a work hour time frame, but it doesn’t mean that you can’t just like, step away from the computer for an hour, right, for lunch, go eat lunch somewhere else or go enjoy a nice little walk, right? Just these small little things can help you avoid that burnout. And as leaders, we need to be making sure that we’re watching our own team members and going, hey, this person is acting a little bit different.

Let me make sure they’re feeling good. Hey, man, you feeling okay? Go take a walk or take the rest of the day off, right? There’s no shame in having like an early Friday mental health, early Friday. Leave it one, leave it too. Especially if all the work is done and there isn’t anything pressing like finding ways to give back to your team for all the hard work that they’ve been doing is enough to make it feel like, hey, you actually care because you do actually care. Your top talent is going to feel that you have their best interests in mind. So they’re not going to be thinking like, oh, I need to split out of here because nobody wants to take my concerns to heart from a leadership perspective too. I think they can marry together.

We talk about talent retention and burnout and how integral they are connected. I think when you set expectations and there’s a clear path for progression. But also you set expectations for the job. Then you can come in and say. Listen. You don’t have to be so stressed out about. You know.

A lot of newer folks. Especially in pen testing where every report they were going to get fired. Every report that where they didn’t find enough. Every report where the impostor syndrome we understand it runs deep. So setting those expectations, but putting in the thought and effort as a leader to establish career path, career progression, they can see light at it. They can see where they’re going to be, what they can attain for. There’s goals they can reach.

And they can you can also say, look, you’re doing fine. Stop freaking out. Stop. And then also encouraging folks to stop gauging their success off of their peers. I remember telling people when folks would release a new tool, we had Tool Tip Tuesday sometimes. Or somebody would release a new tool, you could tell the people that were not excited for the person to release a tool, they were like, this makes me look bad because I’m not releasing tools. It’s like, stop.

Focus on yourself. Focus on your own personal goals. I’ll work with you to make those goals and you have a clear path. And then you can be happy. You can be genuinely happy. When smart people do smart things, you don’t have to gauge your success off of the fact that they’re smarter than you. You can appreciate that.

But what I can tell you that’s the opposite is there is just you hired a consultant and they’re a consultant and like, what’s the next step? What’s my roadmap? And it’s just you’re going to pen test and you’re going to pen test and you’re going to pen test. There’s going to be this mental barrier. They’re like, what’s this? And then when it’s grind and when it’s grind, time avoiding burnout gets harder. When you haven’t set expectations and had those calms. Yes. No, I agree. And I think one aspect that maybe I’ll kind of close the thought and we’ll see if we have time for maybe one or two questions before we have to drop.

But someone is also saying, don’t compare yourself to John Hammond or Apt Big Daddy. I’m not even sure who that is, but is that David? Okay, I’m never going to compare myself to David. Just woefully short. But I think being able to say like, hey, am I making progress? Compare yourself to yourself. And that’s the kind of the notion of a growth mindset.

Compare yourself to yourself. Am I better today than I was yesterday? What goes into that is actually taking time for yourself and balancing.

I know my limits and I need to be able to communicate those effectively to my leadership and also my team to say, hey, if you start seeing me do this, call me out on it too. Right. I mean, if you see me just like staying up till three in the morning every night doing stuff and working, that’s not healthy. Right. And so I think building that sense of community to watch out for each other is a good notion from a teamwork perspective and being able to be vulnerable enough to share, like, hey, I need to take a break, or this is going on in my life, and let’s rally around each other to help out. Right. Well, as always, the time has gone so fast with our friends.

I want to open up. We got maybe 1 minute to share if there’s any questions that the audience would have. We had some come in on the Q and A side. Any other questions that anybody might have before we convene for this session? It’s been fantastic going twice.

All right, well, that means we either dazzled them or board them to death, so I’m going to choose the former, but appreciate everybody that was able to join. We will stay tuned for our session three coming up here shortly, but it’s a pleasure to spend time with you, David and Dan, and also, as always, Nick, thanks for all your guys’expertise and look forward to joining you on part three. Have a great rest of your afternoon and we will reconvene shortly. Hack the planet. That’s right. Thank you so much, everybody. Good to see you.

Thank you. Have a good one. I’ll be hacking.