I was starting to wonder if Cat was just sitting down there for moral support or...?
That's because we're really excited to have this, this bench here, for a panel discussion.
This was the exact setup I asked Mike Gessman for.
I said, you know what, Mike, can we stand for an hour?
And Mike was like, I got you, bro.
It's perfect.
So let's go ahead and get started here.
This is the CypherCon Career Award panel.
Thank you, everybody, for joining.
It is tough out there.
But not to worry, I have with me some of the most fantastic people in InfoSec here to give advice about InfoSec.
So I'll start on my right here.
Let's do a brief introduction.
I thought you were introducing the cool, amazing people.
They're over there.
Disagree?
All right, well, I'll introduce myself anyway.
Hey, everybody, I'm Melissa Miller.
I don't know, what are we giving them here?
Name, title, whatever you want to give.
Oh, we're going to do the corporate-y thing.
So I'm Melissa Miller.
I'm the Chief Information Security Officer for Epic Global.
That's not the healthcare company.
It's not the gaming company.
We do legal crap.
My name is Chris Merkle.
I'm the Senior Director for Cyber Defense at Northwestern Mutual here in Milwaukee.
Hey.
Is this thing on?
Should be.
I didn't test it.
All right, nice and close.
Do it live in production.
Up to your mouth.
Up to my mouth.
There we go.
Yes, yes, yes.
I'm going to put all these other people's germs next to my face.
I'm super comfortable with that.
I'm Kimber Amos.
I'm a Principal Consultant at Red Siege.
I founded Sonar Security.
October will be my 20th year in security.
Hi, I'm Leslie Carhart, otherwise known as Hacks for Pancakes.
I am a Technical Director of Incident Response at a company called Dragos.
I do industrial cybersecurity.
I've been doing this forever, like everybody else in this panel.
And I guess the thing that we didn't mention is that all of us do career counseling, career coaching, mentorship, et cetera.
We are all heavily involved in the Midwestern career space for cybersecurity.
We see a lot of mentees.
We see a lot of students.
We see a lot of people who are trying to find jobs in the field of all different ages, backgrounds, et cetera.
So, that's kind of why we're up here.
We do this all the time.
Thanks.
Thanks, everybody.
So, here's how this is going to work.
For any of you who were with me at 11 o'clock for the Nerd Trivia, I had game shows on my mind when I was thinking about what we put together for the conference.
I'm borrowing an idea from John Lovett from the Lovett or Leave It podcast.
He has this great segment called the Rant Wheel.
And so, this is what we're going to do.
Instead of your typical panel discussion where, you know, people sit around in comfortable chairs and casually throw questions, we are not going to do that.
It is too late in the afternoon to bore you with that.
So, instead, we are going to spin the wheel, and it's going to land on a topic, and one of our panel members here is going to pick up the topic and rant about it, all right?
And after about 40 minutes of ranting, I'm going to open up for audience Q&A.
Now, I want to point out that this talk is being recorded, but when it comes time to Q&A, we're going to cut the recording to protect everybody's privacy and, you know, ensure that you can ask candid questions.
So, you know, we just ask that everybody in here, you know, be mindful of the fact that the job market's difficult.
There may be difficult questions, and please be respectful of that.
So, with that, I'm going to spin the wheel.
Are we going to talk about who's going first?
Who are you spinning on behalf of?
Well, I guess it's a question of when it lands, who wants to pick the topic?
Or should I give them out?
Oh, I thought we were totally, like, this was random.
It is random.
Ready?
Don't worry, we're professional.
Am I losing my mind here?
Like...
I am a little crazy.
Here we go.
Ready?
Sure.
I think...
Oh, we're high tech.
Whoa.
Oh, and I am sorry that it just sprayed confetti on handling layoffs.
That couldn't be more appropriate, actually.
This is going well.
I think I may have been through the most recent one.
So, I'll just tell you how I handled it.
I was with VMware.
I took a job with VMware in between consultancies because benefits.
Honestly, let's be real.
$10.99 hits you where it hurts.
So, I took a job with VMware knowing that there was a Broadcom acquisition coming.
So, I went into that with eyes wide open as a security engineering lead for the Tanzu platform.
So, we got through all the things, desperately trying to save as many divisions as we could.
But, unfortunately, VMware, the acquisition did go through, and it was the Wednesday before Thanksgiving.
So, we all got emails that said, when you come in Monday morning, if you're being laid off, you'll get an email.
So, that's how we all spend our Thanksgiving weekend.
That could happen to you or may have happened to you that you have to sit over a holiday weekend knowing that something's coming for you.
You don't know what.
Just, you know, advice there, unsolicited.
But, please don't let it ruin your time off with your family and just do your thing.
So, Monday morning, 5,000 security people across VMware worldwide got the email.
And we were all laid off because VMware was moving to a subscription model under Broadcom.
And they didn't need security people anymore.
So, that brings you to the point where I wake up the next day and I don't have a job.
But, I do have this thing called 60 day of garden leave.
Some of you may experience that also.
You have 60 days in which you are actually still employed with your company, but you're not allowed to work anywhere else.
And you're not actually working there.
You're just getting paid like big head on Silicon Valley, right, to sit on the roof and eat pizza.
And if you take a job somewhere else, depending on how your company handles it, I hope none of you have to go through it.
In my case, had I taken another job, then my severance would have been revoked.
Because, technically, I would have been left voluntarily at that point.
So, the day after my last day, officially, and garden leave was over, I treated finding a job like it was a job.
So, I started with a spreadsheet and I listed, no kidding, 100 companies with when I reached out, when I applied, when I sent the follow-up email, if I got an interview, did I send my thank you email for that interview.
I know there's controversy around that.
I'm a person who thanks people for their time.
And , just statistically for mine, I'm hitting 20 years.
I've had a pretty extensive security career with a lot of the big sevens.
Out of 100 places that I applied, I got called back for four interviews.
Out of those, I got two offers, and I declined both of them.
Because I was not as desperate as they treated me in their offer.
So, that's all to say... and the market isn't even... oh, sorry, y'all.
It's worse now than it was two years ago, three years ago.
So, you have to treat finding a job like a job.
You gotta grind.
You have to get up every day.
You have to set a quota for yourself.
I'm gonna apply to five places today.
Or reach out to five contacts.
Do not rely on your contacts.
You still have to pound the pavement and apply for jobs.
And I'll hang up now, because that's been long.
But I'm gonna tell you straight out, applying through these bulk services, LinkedIn, whatever, that's not your friend.
It's not gonna help you.
They're there to promote their companies.
They don't... I'm gonna say 95% of the time, your application will never even get reviewed.
So, if you find a job on LinkedIn that is interest of you, go to that company's website on their careers page and do a custom cover letter for that job.
That's just, like, tangentially advice for you.
But I landed somewhere great, so, you know, happy ending.
But, like, good luck.
And I hope you don't have to go through that.
Budgets are getting cut everywhere.
So, there you go.
Excellent introductory rant.
Can I get a round of applause for the introductory rant for the person who goes first?
Thank you.
Is that a rant?
I don't know.
I don't know.
Like, we're expansive on the definition of what constitutes a rant.
Do you mind if I hop in with a couple thoughts?
Please do.
From the unfortunate person who's been on the other side of that equation.
I've been on both sides of that equation, by the way.
But the other side of that equation is the asshole who has to deliver the message, right?
A couple things just to be aware of.
Because we are talking about handling layoffs, how you handle it as someone getting laid off, I think, is the intention here.
Understand, first of all, when they hand you that, oh, God, they call it a million different things.
I'll just call it your severance agreement because that's really what it is.
You don't have to sign it.
That's what they want you to do.
They want you to sign it as quickly as possible.
But they are not going to revoke it because you say, I would like my lawyer to look at this first.
And I would encourage you to do that.
Now, yes, your severance package is going to be contingent upon your signature.
But make sure that the terms are something that you can agree with.
You do actually have leverage in this situation to negotiate.
And that's something a lot of people don't realize.
So please be aware of that.
The other thing is understand that someone you may have dealt with for a long time, you may have been very close with, is probably the one delivering you this message.
It's probably your direct leader.
And this is not a woe is me.
Fuck that.
This is the job I picked, right?
But understand, it is a hard message for them to deliver.
And they are very limited in the things they can say to you.
So the reason I'm telling you that is not to say, oh, my God, my job is so hard when I have to let somebody go.
Yes, it is.
But that's not your problem.
The thing I want you to understand from that is don't let that come at you as like, wow, I thought they were really on my side.
And they just they were so cold to me.
They were awful.
You know, don't let that impact you and how you see yourself.
Understand that they're in those scenarios.
They are working with H.R.
and H.R.
is telling them you can say this.
You can't say this.
They're giving them sometimes they give them a flat out script because there's a lot of legalities and stuff.
Right.
So they won't be able to say the things to you that they probably want to is what I'm telling you.
So I'm just going to leave it at that.
But I just want to get those couple of things in there.
Thanks.
Great advice.
All right.
Let's spin again.
That's actually the heaviest topic on this entire.
Yeah, like, like, like, yeah.
Thanks for staying.
We don't know.
Yeah.
If you if you're still with us.
That was like delivering the bad news first.
It's important.
Yeah.
Yeah.
Well, if it repeats, I'll just I'll just spin
it .
The second heaviest topic.
We have an expert on our list here.
Hi, I'm moving to Melbourne, Australia in two weeks.
Things are getting a little strange here.
I'm sorry if nobody's noticed that in the audience right now, things are getting kind of strange and I'm moving to Australia.
So some reality checks about if you're thinking about getting a career, a cybersecurity career in another country.
It's hard.
I have.
Let's see.
I was in the military for 21 years, been through two wars.
I have two fourth degree black belts and moving abroad in a career has been the hardest thing I've done in my entire life.
If you are thinking about doing it, you need to be ruthlessly organized.
So some things to understand ways that you can potentially as a working person work in another country.
You can find a country that allows you to digital nomad and digital nomad needs.
You have remote work.
It can't be W2 work.
It has to be 1099, et cetera, for a U.S.
employer.
And you can do that remotely in another country.
There are some countries that offer temporary, not permanent, digital nomad visas where if you're making a certain amount of provable income for a company outside of that border, you can continue to do that for a certain amount of time, get an apartment,
et cetera, and stay relatively midterm to long term.
Temporary, though.
If you want to stay in a country, some things you need to know if you want to stay in another country.
Every country that allows skilled work, immigration, essentially, has a website out there on their immigration website usually that says what jobs they want.
It is not like, oh, I have cybersecurity skills so I can go.
They tell you exactly which jobs they're short on, that they can't fill inside their borders, and what qualifications and levels of experience and academics they require for people to come in with those skills.
So you need to go to every country.
It's not like, what country am I picking?
It's like, what countries will take me?
I have a Wikipedia.
I have lifetime achievement awards.
And it was like three.
You have to do serious homework.
You need to go look at countries' websites for skilled immigration and see what their skill shortages are this year.
And it's going to be different per country.
And you need to look at the qualifications they're looking for.
Usually they're looking for related degrees as well as work experience.
Usually they test that work experience.
They look at your resume.
They look at reference letters, et cetera, to actually ensure you have that experience.
So there are barriers there.
They cost money and they're different per country.
You need to do a ton of homework, build spreadsheets, et cetera.
There are other limitations.
Understand that most countries that people in this room probably are interested in moving to, other than like retirement visas, will cut off immigration around age 45, especially if you want to get permanent residency.
So if you're getting towards that age and you're thinking about maybe wishy-washy doing this, you need to get on it because they will cut you off by age.
You'll start losing points for skilled immigration.
And eventually you'll just get totally cut off.
So understand what those age cutoffs and health cutoffs are as well.
So lots and lots of research.
This is serious business.
It's not a matter of what country sounds cool unless you are a multimillionaire.
We're talking multimillionaire.
It's where can I go?
Where can I find employment?
It's much easier to move with a sponsorship from employers.
So working for an international company and getting moved is much easier than trying to find work.
Keep in mind you have those digital nomad options and always look at things like heritage visas as well.
Anybody else?
So I'm trying to move to Canada.
I too have a big old spreadsheet full of things.
A lot of these countries are going to have requirements you have to fulfill before you can even set up an entry profile to start the application process.
So one of those is your language test, a credentials review.
The English language test is not easy.
The IELTS, the PTE, they are not easy tests.
And if you're neuro-spicy, forget about it.
You've got to write everything down for the listening part.
What would the guy in the yellow shirt have thought?
There was somebody in a yellow shirt?
What are you talking about?
So just keep in mind, if it's even remotely on your radar of things you want to investigate, look at what requirements you need to fulfill before you can even create a profile to start the application process.
And be aware that things are getting a lot... rules have changed in my process in the last 30 days based on the state of things here and retaliatory requirements.
You can do it.
Serious business.
Serious homework.
Six months of hard work for me.
Yeah, you've got to treat it like a job.
And thousands and thousands of dollars.
Yeah.
Thank you, everybody.
All right, on to the next topic.
Okay, we're not doing this.
We're not doing this.
I know the confetti is the worst part.
Oh, no, no, it's going to go over.
It's going to go over.
His computer is super excited for this next chapter in your life.
All right.
So that means it's landed on the skills shortage.
Oh, I thought you were going to spin it again.
No, no, I'm not going to spin it again.
Shake it.
So I'm going to talk real briefly about the skills shortage and why I have it in quotes, okay?
So you've probably heard some CISO somewhere say some quote like they're... I'm not holding anybody out here.
None of the CISO is present.
No.
Some CISO somewhere has said in a print publication that they probably paid to be in that there are upwards of 750,000 unfilled cybersecurity jobs in the United States.
I want to say to you when those quotes were coming out ten years ago, they were nonsense.
They continue to be nonsense, okay?
You've got a whole lot of things going on in this space.
First and foremost, you have organizations who simply are terrible at recruiting people, okay?
Organizations do not know how to find and foster talent, much less find and foster diverse talent, okay?
This is whatever shortage exists is artificial and it's inflated.
And it is absolutely self-inflicted on us as an industry.
That's my part of the rant.
I don't even know where to begin with all that.
No, it's bullshit.
It's just absolute bullshit.
It's a hiring disconnect, as you said.
So 2020, I actually did some research on this.
I ended up writing a book called Cybersecurity Career Guide.
There's my shameless plug.
One time I have to get it in.
I think my publisher contractually said I have to.
No, seriously, though.
So I did write a book.
I did this study, and what I found was originally I thought when I was going to write the book, it was going to be about, okay, I'm going to give all the job seekers that are out there who can't find jobs pointers on how to find jobs.
And as I started looking at the results of this, that's when I realized or I got proof that it was...
No, the problem is we suck at hiring.
And it's organizations.
It's hiring managers.
It's people who are actually for some reason willing to write a 10,000-word job description detailing every specific technology they want you to have or whatever.
If you doubt that there's...
You think that we're off on this, the last job posting I had for a cybersecurity analyst had over 600 applicants.
There's not a talent shortage.
All right?
There's a disconnect.
Oh, sorry.
Oh, yeah, there's totally a disconnect.
There's a disconnect in education.
So this is like a vicious cycle thing of like, you know, like they say 95% of statistics without anything to back them are made up.
So this number was floated around from a lot of sources, and it got expanded on and things about this massive skill shortage in cybersecurity.
And it was...
I mean, if you ask us if we need more people in cybersecurity, yeah, we need more diverse people.
We need people in specific niches.
Like, yeah, we need people who are retiring.
There's spaces, there's new challenges we're facing, new adversaries we're facing.
So if you ask practitioners and like mid-level managers about do you need more people or even government people, do you need more people in cybersecurity?
Yes, we need more people.
We especially need people who look different and think differently.
So there's that.
And then we got these studies that have ludicrous numbers.
But then the universities and the boot camps, they all latched on to those numbers.
And they were like, here's a well-paying job where they need a bunch of people.
And we can sell that to young people.
And then underprivileged groups of people, like veterans and things like that.
And that is exactly what a lot of those groups did.
And they all aimed towards two job roles.
They aimed towards pen testers and sock analysts.
And so what happened?
Those programs all got spun up, especially at shady universities and skeevy boot camps.
And they all got spun up in the last...
Oh, spicy.
Spicy.
It's true.
I'm trying to not laugh.
God help me.
Okay.
So yeah, they all got spun up.
And they all got spun up in the last ten years or so.
And in the last six, five, six years, they really marketed well.
Tons of people got into those programs.
And they all just graduated in two niches of cybersecurity.
And they are so saturated.
I'm seeing the same numbers, like hundreds of applicants for jobs.
Are there other jobs that we can't fill?
Yes, there actually are.
Mid-tier, specialist, legacy, things like that.
Not at those numbers.
Not at those levels.
Nowhere near that.
But, like, everybody graduated in, like, two jobs.
And there's so many people that only know how to use those skills because their degree programs were horrible.
So I want to make sure I give you more than just a rant.
I mentioned the book.
I will also say, if you don't want to buy the book, which is totally fine by me.
I'm really actually not asking you to buy it.
If you do a search on YouTube for the 28-Day Get Hired Challenge, I actually go through a lot of stuff in there.
And the reason I'm mentioning this, again, is not to, like, self-promote.
But I don't have time to go through the exercises here.
But there are things that I talk about in the book that I cover in those videos, which are free and not sponsored and I'm not monetized, about just how to know yourself.
So to Leslie's point, as you're looking at the jobs, and you're looking at how do I get in, what do I want to, you know, especially if you're coming in new to the industry, like, where do I want to go?
Take a look at what you've already got in the way of skill sets.
Take a look, and I know that Leslie will share my frustration with this, but understand what part of cybersecurity it is that you're actually interested in, okay?
Because you get it, I'm sure, Kat, you probably get this too, you probably get it too.
People come to you and say, I want to get into cybersecurity.
Well, what part?
Well, I want to learn all of it.
Okay, well, you'll be 80 by the time I teach you all of it, and if I'm teaching it to you, you're not going to know jack.
But, so those exercises will give you, they give you very tangible ways to do exactly that type of discovery.
And then to quantify it so that when you go out and you're going to apply to a job, you can do it in a way that makes sense, stands out, and gets you past the infamous applicant tracking system that exists out there, which may be an automated response that you get because it just scores you and kicks you out.
Even if they're not using that automation, understand that when I get 600 resumes, they're all scored.
They all have a rating.
And so my recruiters, of course, are going to look at the ones that are rated the highest.
So you do want to have some understanding of how those systems work, how you match keywords without just, here, let me say the same word 700 times in my resume.
Don't do that.
That doesn't help.
But understanding, take some time to actually understand how those applicant tracking systems work, the ATS.
That's important.
The other thing I do want to suggest is, and this one I am going to call out specifically, I know it's hard, especially when you hear Kat and Leslie very specifically make this recommendation, which is a good one, to get 5, 10 out a day.
Don't just pepper the same resume everywhere.
If there's one nugget I could give you, it is look at that job description, look at what they're asking for, and make sure that your resume speaks to it in some fashion.
Because that's how you're going to start to rank higher in that ATS.
The final thing, if you are looking at, hey, I'm coming maybe from a tech-adjacent field, and I want to get into cybersecurity, look at what's hot right now.
There is such a dearth of people with true, demonstrable cloud security experience right now.
So if you want something that's hot, that's my tip for you.
Start looking at those things.
Obviously, AI is getting a bunch of buzz, so if you've been doing something with AI, I doubt you're actually in this room, because most people have been doing anything there.
AI is going to crash, though, just like cybersecurity in a couple years.
But so understand, the reason I bring AI up is because, when we're talking cloud, those two are starting to already become sort of synonymous with each other, the way DevOps and CICD and cloud all sort of are stuck together.
So if you actually have experience working in some of the Azure Security Center technologies, if you've worked with Defender, if you've worked with Sentinel, all those things, that's really good experience to have and sets you up for more of a cloud security-type role.
So just something to think about.
I might rant for like 30 seconds about on the SOC pen tester, the cohorts that are coming out in mass, and then being unable to find positions, and also those of you with experience in those roles competing with that.
So here's my conspiracy theory.
I'm just going to wear my tinfoil hat.
But I think that the cybersecurity insurance field has a role in this.
And I think there are organizations who have leveraged signing up for cybersecurity insurance policies because that was cheaper than hiring full-time SOC analysts or pen testers.
And pretty soon, just like it did with home, just like it did with auto, the payouts are going to catch up, and that industry is not going to be as profitable now.
Those margins are going to shift the more they have to pay out.
And then we'll see people begging for SOC analysts and begging for pen testers and internal security roles again.
So we kind of have to ride that wave, but I have issues with that.
I think that's true.
I mean, it's not going to come back to where it was.
The bubble has burst.
The pay is not going to be where it was, and the jobs aren't going to be where we thought they were.
But yeah, I mean, after this mass exodus of people out of universities passes, things will get a little better.
But the minimum qualifications I'm seeing for people getting callbacks on SOC analyst jobs right now is a four-year degree.
Usually in computer science, it's getting preferred over cybersecurity degrees.
Plus two years of help desk, plus a second-tier certification like CYSA or Cisco Cyber Ops, plus something like CTFs or volunteerism on the outside.
That's the minimum baseline I'm seeing right now for getting calls.
So if you're not in that camp, if you've got a non-traditional background, what I really recommend is find what I call janitorial work in cybersecurity.
I mean, if you can get a help desk job and just get a start doing something like help desk, that's great.
But, you know, after that, look for the jobs that have to be done and usually have to be done on-site in cybersecurity that aren't sexy and not advertised by those programs.
SOC analysts and Pentester are getting totally oversaturated, and they will be for a while.
But things like making old SIMs work, dealing with legacy stuff, dealing with cloud and all the tech debt in cloud right now.
Look for the spaces that are around you that mostly are in-sourced and in local offices that are security tasks that are considered boring and not cool and not sexy and not DEF CON talks.
GRC is another one.
Privacy.
Like, find weird spaces that are less cool and less advertised by universities and by boot camps and things like that, and you'll have a better shot.
I got one real quick one.
All right.
I don't know who needs to hear this, and this is the one thing I do want you to repeat to anybody who's looking for a job.
Don't use chat GPT in the middle of your interview.
Also, if you're wearing glasses during that interview, I can see the text moving on screen in the reflection.
Okay?
Don't do it.
So all your college student friends, they are going to do this.
We're going to take Q&A at the end.
Don't use it to write your resume either.
We know.
We know.
And it's not getting you through ATS.
And I was just going to add to Leslie's amazing description of all those things.
When you're looking at jobs, don't rely exclusively on job titles.
Don't just search security when you're looking for roles.
And don't sleep on sysadmin roles, because you'll pull them up, and if you see sysadmin 1, 2, 3, and you read the description, like, oh, wait, that's server-side security jobs.
Managing users in Entra.
Yeah.
Hey, that's security.
So look past the job title and really dive into those descriptions.
And utilize, like was mentioned before on the panel, I think by Kimber and by Alyssa, like , please utilize your existing experience.
Like, if you worked in another field or got a degree in something else, find tangential ways to bring in that experience, especially if you're moving laterally.
Like, it's vital right now.
You do not want to be competing with all the master's students who just graduated for those SOC analyst roles.
Try to come in somewhere else.
I think I've got two videos in that series on just that topic alone, how to do it.
All right, we're going to spin again?
We're going to spin it again.
Whee!
I think we need to eliminate a couple of those here.
All right, spin again, and we'll land on the same one we just talked about.
It's almost like I'm using a free tool I found on the Internet yesterday.
Mentoring.
All right.
So we have a whole slurry of opinions here.
I'm going to jump in quick and then get the hell out of the way, because these two specialize in this way more than I do.
Mentoring is a great thing, and it is also a trap.
No, and I don't say that.
I mean, first of all, understanding.
It is actually a great thing.
And my two wonderful humans over here, who I love dearly, do this a lot, okay?
But they do it right.
The problem is there's a lot of mentors out there.
First of all, if someone's asking you for money for a mentorship, goodbye.
Goodbye.
No.
No, no, no, no.
If someone is asking to get paid to do mentorship, I don't give a shit if they're the queen of Sheba.
They do not get paid to mentor.
And if they are, they're doing it for the wrong reasons.
But the other thing I've run into with mentorship, and I'm just going to share this, is understand mentorship can take a lot of different forms.
Okay?
I think there are very, for a lot of us, a very formal, you know, we're going to meet once a week, once a month, works.
Great.
If that's what works for you.
But understand that if that doesn't work for you, if you're like me, and that's just not how you like to have a mentor, that's okay too.
Find somebody, find the right mentor.
Someone you can talk to.
Say, hey, you know, I don't want to meet every week, but what I would like to have is somebody who, you know, we can get together every so often and just kind of talk about the things.
I'm not coming to you with, you know, maybe specific goals and tasks, but instead just to talk through what my challenges are.
My favorite mentors, and this is just me personally, again, the best mentor I ever had was somebody who wasn't even really, I never would have called her a mentor.
I do now because I realize that's what she was, but it was just, it was an executive who I respected, and this was well before I was in the executive levels, who just simply was someone I could call when I needed to, very ad hoc, but just say, hey, I'm experiencing this challenge.
Can you give me something?
And we'd have a half hour, an hour talk, right?
So I'm going to get out of the way because I want them to give you way more than I did, but just my quick thoughts.
So I'm a fan of formal mentoring for a reason that sometimes, like, they can, it's like any other project.
If you're kind of a little bit on the spectrum, sometimes they can drop off and just not get done.
I definitely, if you're in a mental, physical state where you can do ad hoc mentorship, that's wonderful.
If you don't know for sure, if you kind of lose track of things as a mentor or a mentee, having that formal project plan for what you're trying to accomplish can help a lot.
Like, we're going to meet twice a month.
Our goal in six months is to get, let's say, you want to get in a specific position.
You want to become a forensic analyst in the next six months from being a SOC analyst.
Okay, that gives you an achievable goal, and you make, you can make sure in every meeting with your mentor that you are making the correct progress towards that goal.
So that can be very, very helpful, just to keep you on track, to keep you accountable.
And then if things aren't working out, then you can say, maybe this isn't the right mentor-mentee relationship because I'm not making progress towards my goal.
So it can be very, very helpful to build a very formalized relationship on when you're going to meet and what you're trying to accomplish.
That's not the case for everybody, but that's why I advocate that typically as something a little bit more formal.
For mentees, though, let's talk about for mentees, for the young people and for the career transitioners in here who are thinking about moving into cybersecurity or moving up in their career, the most important thing that you can tell a mentor is what you want to do specifically.
We get, I think all of four of us, get so many young people, especially young people, but also some career transitioners later in life, who are like, I want to do some stuff in cybersecurity, can you be my mentor?
And that just doesn't help us.
There are so many roles.
There are so many niches.
There is so much specificity in what you do in cybersecurity in terms of what we're doing, what our career paths were, what training you need, what certifications you need.
You need to find the right mentor for you based on their background and their personality and also their education and their job role.
So know what you're asking for.
That's really, really important.
If you're going to go try to find a mentor at a con or at your work or at a local meetup, be prepared with what you're trying to accomplish, what help you need.
And it can be, I really can't pick a niche and I need help picking a niche.
That's fine.
But if it's like, I want to get a job in cybersecurity, you've got to give us more to work with there.
Okay.
So from my experience, I tend to use a less formal model.
You know, it's just kind of the way that I work with my mentee.
So I like to give assignments like, hey, can you really explain to me what DNS is?
Okay.
So I need you to go like prepare a five-slide slideshow, explain to me what DNS is, and then what the meme means it was DNS.
And when you're done with that, shoot me an email and then we'll meet back up.
Like I need the mentee to do their part.
Otherwise, it's a waste of my time and it's a waste of their time too.
I'm more of a... I need more of a like symbiotic relationship.
And whether the way that I do it works or the way that we all probably do it a little bit differently, I can tell you that the way that I do it, though, along with having my home and my crazy animals and, you know, family life and full-time job and volunteer work and on and on,
I can only handle like mentoring one person maybe every six months, but really a year is probably the thing.
So for folks out there who with open hearts and open minds really are looking for a mentor, and you find yourself disappointed that the person you've asked can't help you, keep in mind all the things you do every day and then imagine you as a mentee are probably still going to have to do half the work that your mentor will do for you just to kind of set you on the right path that you need to be on.
So show some grace there, but for heaven's sakes, if you luck out and you land the mentor you really wanted, the onus is really on you to do your part and keep up with what they ask you.
And if they give you assignments, I call them assignments, but if they give you things to go research and to go do, please understand that that's a gift to you because they're sharing probably an experience that they had themselves that helped them take that next step.
And they can't give you the answer.
Their job is really to help you find the answer on your own and guide you along the way.
So there you go.
Alright, so my last bit on mentoring is to recognize that mentoring relationships have an end.
If you are a mentor, a mentee, it's not going to go on forever.
There should be a time in which you meet, you identify your goals, you work on your goals, and then after that, it's kind of time to be done.
So what I've seen a lot of times is mentor-mentee relationships that just kind of fizzle out and fade away, and that's not fun for anybody.
So make sure when you start as a mentee or a mentor that you have a clear understanding of about how long we're going to go, how long we're going to meet, and those kinds of things.
So with that, that ends the rant wheel part of this panel.
We're going to shift into Q&A, and with that, we are going to go ahead and stop recording.