How to Get a Better Job in IT
April 18, 2019
Phil Richards | Chief Security Officer | Ivanti
Paul Underwood | Chief Operations Officer | Emagined Security
Are you dreaming of moving up the corporate ladder within your IT department? Do you want to develop your skills to make you a top choice for a promotion, but you’re not sure where to start? Tune into this non-salesy webinar, where Ivanti CISO Phil Richards and COO of Emagined Security Paul Underwood discuss IT recruitment and give invaluable advice to help you progress in your career. We’ll discuss:
- How the IT industry is changing
- Tips to progress your career in IT
- Practical advice to breaking into IT
- IT skills gaps
- What executives are looking for in an IT hire
- And more!
Erica: Hi, everyone. Welcome to our webinar today. We've got a great topic and a awesome line-up that I think... So, I think this is gonna be a really applicable webinar to everyone, hopefully. So we're excited about that. My name is Erica and I'm the marketing communications manager at Ivanti and I will be hosting today's discussion.
Now, before we get started, I wanted to mention that today's webinar is actually part of a three-part series all about IT career development. Our first webinar was earlier this month and we tackled some of the challenges and opportunities of being a woman in tech and a woman in IT, specifically. And I'm actually noticing in our attendees' list today that we have a few attendees who were on that webinar back here today. So welcome back to you.
And then we have the last part of this series that's happening in May, on May 23rd. And in that webinar, we're going to be discussing mental health in the IT industry, which is an interesting one, for sure, of users increasingly expecting that immediate response to IT issues 24/7. That's a lot of pressure, right? So we wanted to bring in experts in IT and HR to discuss some ways to manage that pressure, yourself, and as an organization.
Anyway, I think it's a really cool series and, hopefully, it's helpful for you and provide some career value. And one thing that we're not gonna do in this series, we're not pushing a product or trying to sell you anything. There's not gonna be a demo at the end.
Ivanti, as many of you know, is an IT software company. Our whole vision is to unify IT processes across your organization, but this series is to help you out. And our hope is if you use Ivanti products and unify IT in your organization, you'll be a superstar and consequentially get a better job in IT. But that's kind of the only pitch that we have today.
So, we're going to get started. Before we introduce our panel, I'd love to get more of an idea of who's out there in our audience and this will get you familiarized with the Q&A and Chat function as well. So, if you open up the Chat function in Webex, you can send me a message. And if you don't mind, let's just have everyone at... Let me know where you're dialing in from today and feel free to use that chat function if you have questions or thoughts throughout the webinar. And we really want this to be valuable like I said.
So any questions you have about career development or specific career questions, I'd love to kind of hear that. And you have a great audience and our IT panelists today to answer them, hopefully. So, as you guys are sending those answers in on where you're dialing in from, let's do our introductions. So first off, we have Phil Richards, who is the CISO at Ivanti. Hi, Phil.
Phil: Hello, Erica. How are you doing?
Erica: I'm good. How are you?
Phil: Doing great, thanks.
Erica: So, Phil, can you tell us a little bit about yourself and about Ivanti for those who don't know?
Phil: Sure. I'm the chief security officer for Ivanti. That means that I'm responsible for all the operational security activities that take place within the organization. I also have responsibilities within our security product line. As you're aware, we do sell patch and management solutions that focus on security. And so I provide quite a bit of insight and help into those, mostly as somebody who uses those tools in my regular job. I can help provide some of that expertise, I guess.
Erica: Awesome. Well, thanks for joining us today, Phil. And then we also have Paul Underwood. And Paul is the chief operating officer at Emagined Security. Hi, Paul.
Paul: Hi. How are you doing today?
Erica: I'm good. Thank you. So, Paul, tell us a little bit about yourself and what you do and about Emagined Security.
Paul: Sure. Not a problem. So, my job as the chief operating officer of Emagined Security is a very interesting job for me, a little bit different than a lot of chief operating officers. I interface with our customers, our vendors, our employees, and our different practice leads. And my job is to kind of make sure that there's cohesiveness between what our customers need, what our vendors are providing, and what our employees are able to perform for those clients.
So underneath Emagined Security, we have several different practices. At Emagined Security, we focus a lot on penetration testing. We have a security operations center. We do a lot of security architecture, policy and program reviews, and help customers figure out where their gaps are in their IT information security within their organizations.
Erica: Awesome. Thanks for joining us. A bunch of messages in the chat, hearing about where everyone is calling in from. It looks like we have a lot of people from the Midwest. So shout out to the Midwest with some career development today. And one message I really like was from David. He says he's calling in from St. Louis, 20-plus years in IT and always trying to prove himself. So, we love the attitude, really excited to just be on this webinar today.
So, now that everyone kinda knows how to use the chat, feel free to send in those questions as you have them and we'll try to address everything at the end of the session.
So, let's get started. And before we talk about how to progress, I thought it might be helpful to get an idea of where we're at in the IT industry now and what's changing. So, I wanted to open that up to Phil and Paul. You know, what are some notable changes in the IT industry? How is the industry changing?
Phil: Well, this is Phil. And I think one of the big things that's really changing in this industry is the term "IT Transformation." That's just actually a big term that means that the IT organization is changing and evolving and becoming different.
It used to be, years ago, that IT transformation was a project that the IT team would undertake and they would kind of go away and transform themselves and then come back a year and a half later and become a different organization for the company. Today, transformation is not a project work that has a beginning, a middle, and an end. It's a continuous process that is really built into the IT organization as a fundamental concept of what they do.
Today's IT organization now has to be seen as a partner with business. And in order to do that, they have to continually evolve and adapt just as the same activities that happen in business. The business has to continue to evolve and adapt. So the IT organization keeps changing and keeps modifying itself because of that need to stay in lockstep with the business.
Paul: So, this is Paul. And I'll focus on that business need thing first. So, a lot of times, years ago, you would find that IT was putting together a process, a network, an architecture, a solution, and they were trying to make the business funnel itself into what they created. Now, as we work with more collaboration nowadays, as people are more remote, as we work security into DevOps, we're starting to look more at the business' needs first.
So, one of the important things for security…again, since I focus most of my time in security, I'll focus on security a lot. But one of the biggest things we have in security is we have to figure out how do we enable business. So, it used to be we would say, "Okay, we've got our security swim lane, let's lock everybody down and then let's make them ask for permission to be able to do a function." So, now, we're trying to figure out what those functions are ahead of time so that we're not causing problems with the business, but we're enabling them more.
Phil: Exactly. In security, especially, but also throughout the rest of the IT organization, we can't afford to be kind of dedicated to our own lifestyle and our own...the activities that we wanna pursue. We have to be more focused on what the business needs are and we're trying to adapt, and improve, and focus the security requirements into those business realities.
So, that way, it's kind of a mesh. And the IT professionals and the security professionals need to be constantly aware of what those business realities are. And that's really one of the biggest changes, I think, in the IT industry now and going forward.
Paul: So, one of the other things I'll add to that as well, and, of course, on this Webex alone, right, where I see Dubai, we've got the Midwest, we're in Salt Lake City, Utah. Erica is in Europe?
Phil: In the UK. She's in London.
Paul: In the UK.
Paul: So, we have a very distributed workforce. So, when it comes down to working in the 9:00 to 5:00 job, again, I'll be on the next webinar, just in general, because I wanna know how to fix my mental health when it comes to some of the time zones I work in.
Phil: You really need it. That, I'm sure.
Paul: Yeah. But there are days I can work in 12 time zones. So, I can have meetings in 12 different time zones. So it is important that we know how to work with remote employees and we know how to collaborate with people that aren't sitting at our desk.
Phil: Exactly. And the technology in this space really enables that kind of collaboration. It's not just a nice-to-have anymore. It's fundamental. It's a must-have.
Paul: It's a necessity.
Erica: So, one thing I wanted to kind of ask about, I'm always seeing those, like, clickbait-type articles that are saying AI is gonna take over your job in 5 years, in 10 years. So it's a big part of the conversation. I wanted to ask you both with how the IT industry is changing, where do AI and automation fall in this?
Phil: So, a couple of different things. First of all, I think AI and automation are really better described as processes or activities that help, kind of, enable or automate, I guess, existing business processes. The real focus on this, still, is in the business process space.
Automation is the key to... The key, I guess, is really to understand your business processes first and then be able to use AI and automation tools to be able to create a faster, better way of building your mouse trap or whatever your process is. Again, the focus is on business rather than on the technology.
And just, almost as a side note, at Ivanti, we happen to have enabling technology that really helps out in this space. Our Ivanti service manager platform is a workflow product and the whole reason for its existence is to take those business processes, document them through the technology, and then be able to automate them using integrations to align business applications so that your processes can get done faster.
The whole idea behind this is to enable business to accomplish its tasking faster. The big thing behind AI is really to make sure that you're getting more out of your data and more out of the types of processes that are taking place so that the business can make better decisions more rapidly. Again, there are tools to be able to provide insight to the organization and to the business rather than just an end in and of itself.
Paul: Imagine security uses AI and we use process automation as well. So we have a security operations center. So if people aren't familiar with what a security operations center does, we will find alerts, we will wanna figure out what the alert is about, what type of technology it's touching, what type of systems or processes it's touching, and then we wanna figure out what the next step is on how to deal with that.
So do we shut it off? Do we allow it through? Is it a false positive? So we use AI and we use process automation to help us determine what we should be focusing our time and effort on. Because if we focus our time and effort on just trying to figure out some of those baseline things, we don't get the time to focus our time on what the more important items are on the list.
Phil: Right. And I think that, Paul, is a really important point. There's so much information coming into an organization like yours where you're an operations center, that there's no way for you to be able to separate the wheat from the chaff on a personal basis. You have to have automated tools in order to be able to effectively do that, and like you said, focus on the things that really matter to the business.
Erica: So with all of the changes that are happening in IT, there are kind of two ways that we're gonna...to break this up, our conversation today. And first is for those who are looking to really break into IT. And then we'll talk to people who are already in IT and looking to improve themselves from there.
So, we talked a little bit about, you know, where the industry is going in that direction. But just to kind of get people started, for those who are looking to work in IT, where should they begin? What do you guys recommend that they start with?
Phil: Well, this is a good question. And I'm just gonna... Both of us, we've kind of talked about this a little bit before. We're gonna kind of speak for ourselves in terms of what we're looking for. And I'm gonna give you a little bit of a caveat because it isn't necessarily the same thing that everyone is looking for.
When I look to hire folks, one of the first things where I want them to begin, quite honestly, is at college. I want a university degree. I think people need to have a degree from an accredited school with an IT program. This kind of education background trains individuals in the basics.
After they get a degree, there's a lot of different kinds of certifications and accreditations that you can look into to help you get specific skills that you need after the job based on what your own desires are. So, that's where you kind of get into a little bit more specialization. That can include things such as security, network administration, server administration, database stuff, business applications, all that kind of stuff. There's a reason why, and Paul is gonna elaborate on this a little bit more. There's a big reason why I think that that college experience is so critical, though, Paul, if you wanna take that…
Paul: Yeah. One of the things that I've learned over my career is that if I had to go back and do it all over again, I would focus more on English and writing. So, IT is not all about sitting at a terminal and typing in commands, doing things with technology every day where nobody knows what you're doing.
Because of collaboration, because of documentation, because of our processes, how we run DevOps, we put processes together for how we do things. We write documents on how technology integrates with other technology. We write manuals, processes, procedures.
So you really have to understand some of those fundamentals that you get out of college, right? I mean, when it comes down to it, I might not have liked the English classes or the communications classes I took in college. They weren't my focus. And at the time when I was, you know, a teenager in my early 20s, I didn't feel that they were very important back then. But they were extremely important. And today, if I had to go back again, I would focus more on those.
Phil: Absolutely. That's very true. I am saying the same thing to the family members and friends all the time. You need to focus on reading and writing because that's what we do a big part of.
Paul: Yeah. One of my best technologists in my company went back and got a Master's in English.
Paul: And it suits him well and it suits the company well. So I would tell you this, though. Besides the college education, the college education doesn't really get you... When you graduate from college in information technology, you also have to figure out where you wanna be as well.
So technology isn't just... Again, when I started in technology almost 30 years ago, you kind of went into technology and it was just you were in technology and then you did whatever it is that needed to be done. Nowadays, there's a lot more specialization in IT.
And even in... You break it down to security. Again, 27 years ago when I started in security, there was a security department and it consisted of one person or two people and you did everything in security. Now, with 11 different domains in security, somebody can go into a domain, specialize in it, and do their entire career in it.
But, again, it doesn't mean you're gonna be pigeonholed into that domain. And we'll kind of talk about this a little bit later, but there are ways to change and there are opportunities to change. And if you're not satisfied with what you're currently doing in IT, figure out what is gonna make you happy and figure out what the best option is for you in the future.
Phil: Yeah. That said, I think one of the most [Inaudible 00:17:49] messages that can come out of this, however, is if you're coming out of college, you need to have some ideas about where you want to specialize. It will be extremely difficult for a manager, a hiring manager, to see you solving their problems, which is the reason why they wanna hire you if you don't have some sort of specialty skills coming out of college that indicate to them that you actually know how to solve some of their problems.
If your resume just says, "I do a lot of general things and everything is kind of cool, and I can do whatever you need," what they're assuming is "You can't do anything that I need." And you do need to get some of that specialization. So the general education is real important in the beginning, but then as Paul mentioned, you need to dive down into the things that you think are most important.
Paul: So, there are some colleges that also take some of those certifications and they use them for credit as well. So Western Governors University…
Phil: Western Governors in the west does that…
Paul: And what's the other one?
Phil: Well, that's the one that I know of.
Paul: Yeah. Western Governors is one that I'm aware of too. So, of course, one of the nice things about them is if you go off and you get your CEH, your Certified Ethical Hacking certification, that counts as credit towards your degree. So you're also not only getting your degree, but you're also getting a specialization as well.
Phil: Similarly, on network side, you can get your Certified Network Engineer and Certified Network Administrator and have those count as credits as well, so the same kind of thing. You can get those certifications as part of your formal education process. And again, you're diving down into a little bit more specialty to do what you want you want to do, and that shows up on your resume as something that you're a problem solver in some specific areas.
Erica: So, when you're looking at someone's resume and there's… Talk about specialization. You said that's important. What other tips do you have for how IT applicants can stand out during an interview process? I'm sure you've both interviewed many people. What are standout skills that you see?
Phil: Well, for me, when I look at IT applicants, I'm looking for individuals, somebody who, first of all, is engaged in helping me solve my problems. I'm looking for… Candidates stand out, I guess, when they've done their homework, when they know about the industry, when they know a little bit about Ivanti, if, you know, if I'm hiring for Ivanti, of course. And they also know what they can offer to the position.
So when I create a job description, I actually write a fairly long and thorough job description. And one of the reasons why I do that is to help applicants review that, look at it, and find specific areas where they can help me solve my problems. Basically, a job description is a problem statement and you're trying to find areas where you and your skills align with the problem statement.
When I find that a candidate has done that, when they've done some homework and they know a little bit about the company, they know a little bit about what they're looking for, and they're engaged, and they're active, and they're interested in learning, that's the magic recipe for me. That's the stuff that I really look for in an interview and in a candidate.
Paul: So now, I'll routinely have several job positions where I'll be posting for either ourselves or to fill a position at one of our clients. One of the things that I am definitely not looking for is somebody that says, "Well, I'm willing to do anything. I will do anything." And when you go and you have a conversation with them about what are they good at, what do they wanna do when they move on in their career, they don't have an answer for what's their objective of where they wanna work.
So I'll be looking for a candidate in our security operations center and they'll say, "Well, but I wanna pen test." "Well, you're applying for a position in the security operations center. Tell me about your skills that would help in a security operations center, not skills..."
Phi: Right, "Because that's what I'm hiring for."
Paul: Yeah, "Because that's what I'm hiring for, not what you'd like to do in three years." So we want you to focus on those kinds of things. So the other thing I'd also kind of throw in there is when I'm interviewing somebody, one of the biggest things that I wanna see is I wanna see responsibility. I wanna see that they are willing to take responsibility for things, you know?
Things go wrong in IT sometimes. So we can't always... I mean, if I make a mistake on something, I can't push that off and always have an excuse that it's somebody else's fault. We want people that are willing to take responsibility and figure out how do they solve that problem and how do they fix it so it doesn't happen again?
Phil: Exactly. Even security, as in a lot of professions, mistakes happen and bad things happen. And sometimes they have some fairly severe consequences. That being said, what I'm looking for and what I need is somebody who is willing to make adjustments to the way they work and make changes to the way they handle things so that they can get better. I'm less concerned about an initial mistake, more concerned about not learning from that mistake.
Paul: How do you take it? How do you move on?
Phil: That's where the value is. We all make mistakes. I'm not [Inaudible 00:22:57] I'm more concerned about the learning that takes place from it.
Erica: Okay. I think that's some fantastic advice for anyone who's kind of looking into breaking in or even for people who are already there, just, you know, who might be potentially interviewing.
So, let's kind of move on to those people, specifically, who are maybe already in the IT industry and maybe you feel like you've plateaued or just kind of looking for a new challenge, something new. What's their next step? What do you recommend for them?
Phil: Well, I'll start with a personal story, I guess. I spent a number of years at a financial services company and it turned out that after several years, I kind of got pigeonholed as a very specific kind of a person. I was competent. I could do a good job. But there was no real ability, I didn't feel, for me to move on and make a change because I was kind of pigeonholed as a specific type of a person.
As a result of that, I went through a process where I got a couple of different security certifications on my own. One of them I ended up paying for myself, spent nights and weekends making sure that I could get some of that capability. That led to some additional changes at the current employer at the time. Over the course of another couple of years, I decided that that wasn't moving me in the direction that I wanted to go as quickly as I wanted to. So I ended up taking a risk, leaving that job, and moving into a different job.
Sometimes, you know, depending on what you wanna do with your career, it does require you to leave even a large organization, let alone a small organization, and you have to take some risks. You have to be willing to do some things, put yourself out there, you know, leave the comfortable job sometimes in order for something that's a little bit more aligned with where you think you wanna go long-term. You know, investing in yourself, taking some risks, ends up being sometimes what you need to do to break in to some of those opportunities.
Paul: So risk is something in security you never wanna hear, right? But, again, I interview a lot of people that are looking to change careers and are looking to go into IT security where they've worked in. Maybe they've been a web developer or maybe they've been a network administrator and they've decided they wanna change careers.
I've been in security a long time. I've actually been doing this for quite a bit of time and working with vendors for over... I'm sorry, with vendors, partners, and customers for about 25 years now. And in that 25 years that I've been doing that, I've seen a lot of people that want to make the change but aren't willing to take the risk to do it.
So you've got to understand if you want to make that change and you're looking for something new and interesting and maybe something that is more appeasable to you, something that you're looking more into to doing, you've got to figure out how that is.
So, I will tell you. The other thing you wanna do is you wanna know what you're good at or what you could potentially be good at. I have looked at resumes. I've interviewed people that on their resumes, they might have every single certification I'm looking for. But if they don't understand the job that they're interviewing for, if they don't understand the type of work they'll be doing, those certifications really don't help in a lot of ways because you've got somebody that maybe was very good at getting a certification but they weren't able to go in and figure out how the job was supposed to be done.
Phil: Yeah. That understanding, I think, is another point that's really important. One of the things that we do is oftentimes, we get so kind of moribund by the procedures, or the process, of doing IT security or some sort of an IT function that we lose track of why it is we're doing some of those things.
And oftentimes, in an interview, I'll ask somebody… You know, they'll say that they're really good at doing role-based access controls. And then I'll say, "Okay, well, why do we do those?" And that question tends to stump a lot of people. That's, to me, one of the more foundational questions. That's, you know, why we do it, is, you know, that's the answer. That's the reason why I wanna hire somebody, not so that they can do it, but so they know when they're supposed to do it and why they're doing it.
Paul: Yeah. We don't wanna make decisions based on "We know how to perform the end results. We wanna make decisions based on what the necessity is."
Phil: Right. We understand the problem. We understand how to solve it.
Paul: So, you know, one of the other things I'll bring up there too is you really also have to know, again, where you wanna be, not only what are you good at, but where do you wanna be? Where do you see yourself in five years? I kind of always have a five-year plan ahead of me. I'm always looking at where do I wanna be in five years? Am I on track for that? Am I getting the right skills for that?
And, again, as Phil mentioned, he's went off and gotten certifications on his own, paid for them. I've done the same as well. So over the course of my career, there have been times where I've wanted to increase my skills because I wanted a different job and I've had to go off and get those on my own. Put the effort in. Are you willing to put the effort in? Again, if you want that change of career, if you want to increase your skills, you also have to be willing to put that effort in.
Phil: Yeah. Part of that really means that you have to make an assumption that nobody is going to just give you the perfect job. You have to go in and earn it. You have to go in and take it. And well, obviously, somebody, eventually, is going to, you know, look at you for that position. You have to decide that it's your responsibility to do everything that you can in order to make yourself the most favorite candidate for that role.
And sometimes that means you're gonna have to do some sacrifice. You have to, you know, take some time away and try to figure out how you're going to get whatever certification it is you need or whatever training or skill you need in order to do it, whether that's a soft skill or a hard skill. You have to decide that this is important enough for you that you're willing to put in that kind of investment into yourself and the time that it takes in order to do it.
Erica: So, you guys are saying... I'm wondering what about people who maybe work on really small teams and see less opportunity to move up in a company? Is their only option to find a new company or…? Well, what do you recommend for people in that sort of situation?
Phil: That's a good question. I would say 90% of preparing for that is exactly the same, whether you're planning to leave the company, or whether you're planning to stay at the company. And that is getting ready, getting yourself positioned so that you can get whatever other opportunity there might be.
It's just at the very end that, you know, a decision has to be made whether or not you're leaving, whether or not you need to take that somewhere else, or whether you can apply those skills to your current company.
Really good, smart employers will look at what you're doing and that you're…you know, the strides that you're making to improve yourself and to get more certifications and they will help you make sure that you're getting some of those opportunities because as an employer, that's the person who provides value to your organization. That's the person that's gonna drive you into the next five years.
So as a manager, that's the kind of what I'm looking for in an employee, somebody who's willing to do…you know, to take those risks and do those things so that they're bettering themselves and improving themselves.
Improving yourself doesn't just mean sitting at your chair and doing the same job over and over and over again. Paul and I talked about this earlier. When I promote somebody, I never promote them to a job that they haven't already done. I usually promote them to a job they've been doing for the past year or so. And so, that way, I know I'm confident that they can do that job.
So what that means is you have to have those skills to do the new job, before, sometimes before you get the job. Because if you don't have those skills, then, you know, then as far as I'm concerned, you're likely not to get the opportunity.
Paul: So, now, small teams can only be a pigeonhole for somebody if they believe that it's a pigeonhole. So you can learn a lot from people on a small team, but if you are looking to move up, move out, transition to something else, find other areas in that company where you think you might, again, be able to work in someday.
So we have a good example, right? We have our security operations center. We have a lot of people that that's where they start off in our company. Well, if they are doing a great job on the security operations center and they're spending some of their time and energy learning other things within our organization, whether it's security architecture, whether it's better writing skills, whether it's penetration testing, when they get those certifications and they put their time in, it becomes one of those logical progressions for them to move teams.
Now, another thing that a lot of people don't think of…and, again, Emagined Security, we're not a huge company. We're a smaller company, a medium-sized company. But, again, we're always looking for business opportunities for where we can help provide value to our customers. So one of the things that we're always looking for is new ideas.
So there are plenty of times where we have employees come to us with new ideas that, "Hey, why don't we do this kind of service as well?" And we're always happy to hear those out, and that might be a great logical progression for somebody to be able to take those opportunities of working on a small team and open up an opportunity for themselves.
So show them what you can do. Show your employer what you can do. Find opportunities where you can increase the corporation's bottom line, where you can expand skills within the organization, where you can provide a gap of something that's currently not being done in that company.
Phil: In addition to that, the value. We've mentioned it a couple of times. But there's huge value in getting some of these after-college certifications. If you plan to or want to work in a service desk environment, for example, you should get your ITIL certification. If you wanna move into a security…there's a couple of dozen different kinds of certifications. We mentioned Certified Ethical Hacker. There's a CISSP, which is a more broad, general, kind of security...
Paul: Yeah, OSCP.
Phil: …OSCP. There's dozens of really good certifications in the security area. Similarly, in the network administration area, there's great certifications and in the database administration area. Different business applications have very specific and valuable certifications.
If you are a certified SAP developer, IBM wants to hire you yesterday. I mean, it's just... There's a lot of opportunities out there. A lot of those gateways, though, do go through certification and that's not necessarily an easy process, but it's definitely worth it.
Paul: Okay. Speaking of kind of things like being a certified SAP developer, I wanna talk a little bit about skill gaps. I mean, what IT skill gaps are you both seeing in the industry? And kind of the reverse of that is where are the most opportunities in IT right now?
Phil: A lot of the skill gaps that I'm seeing is in a couple of different areas. One of them is a business gap. So individuals come in and they don't know how to tie the IT processes that they're good at to business objectives and they don't really know why they're doing what they're doing from a business perspective. So I think that's one of the major gaps.
Another one is an understanding gap. We have a lot of processes in place at our organization, you know, regardless of the technical environment that you're working in. And having an understanding of the theory or the reasons behind what you're doing, I think, is extremely important. Quite often, that's where a lot of the certifications do come in to help because they provide some of that foundational knowledge, I guess, for why it is you're doing, you know, what it is you're doing, I guess.
Paul: We're gonna kinda hit to the next question kinda in general, because, of course, considering I work in IT security, one of the biggest areas I find that we are lacking skills is we lack individuals in the IT security space: so people that know how to penetration-test, people that know how to work on a security operations center, people that understand how to set up a security architecture, micro-segmentation.
The move to the cloud is one of the biggest things that we see in the industry nowadays. Now, being an IT security professional for quite a few years, IT security people have resisted that for a long time, you know. It's something we're embracing. It's something we're trying to figure out how do we ensure that the cloud is secure?
So we really need people in IT security. But now, with that in mind, you have to be a security-minded person to fit in IT security. That is a real challenge in some cases. So understanding why you are making decisions to allow or block something sometimes is difficult for some individuals. We need to make sure that people that come into the field really know how to make those decisions.
Phil: Paul, it's been my experience that a lot of times I'll interview individuals who have a lot of skills in a security area, but they don't yet understand how to think like a security person. The way you said it, I think, is good. They don't look at a logic progression from a security perspective, which is different.
So if I'm a developer, you know, I might look at some sort of a, you know, web form that has a bunch of state codes in it or something like that and not think anything about it. From a security perspective, though, I know that there's a possibility that the developer didn't validate that state code and I can, all of a sudden, you know, put some injection into that value. It's thinking about things a little bit differently, I think, that, oftentimes, is a struggle for a lot of security folks.
Paul: Yeah. So security can start out as a highway, but in the reality, we wanna get it down to a single-lane road in a lot of cases. So we wanna make people to understand we want you to be creative. We want people to be able to build a good product, put together a good network. But if I go to an employee and I say, "We have an alert, please block this," they should understand what they're blocking and why they're blocking it.
Phil: Yeah, and how big the block should be.
Paul: And how big the block should be. And are we doing this for a certain time period? What is the reason for that block? They should understand those things. I shouldn't necessarily be explaining all of that to them. They should be able to look at it and be able to go, "Oh, I see this and this is why, and therefore."
Phil: But you brought up another good point, which is one of curiosity. We want an individual who's administering that firewall rule to ask those questions. If he doesn't understand, we want him to say, "So, wait a minute. Should I be blocking this, you know… Should I be blocking this port for every IP in the company or just this one IP?" I mean, we want somebody to be thinking about those kinds of things and be curious about it. And learn. I mean, that's how you learn. That's how you grow and you gain experience.
Paul: Very true. Yeah. When we're doing penetration testing, there's a lot of times where we're working with developers and they might not understand why we're doing a pen test. Well, I've put all the security checks in there that I'm required to put in there and they don't understand exactly why we are doing a penetration test to validate the security of that item.
So there's a lot of times where those explanations need to happen. So we want people to understand our jobs and why we do our jobs. But, again, the biggest thing I can say is it's gotta be a collaborative effort. So that is one of the biggest things. I can't say enough about being collaborative.
Phil: Right. And Paul is bringing up a really good point. A lot of times, the security professional can be a little bit at odds with either a developer or a system administrator or something like that. And it's real important to be able to clarify, provide insight, and provide meaning to the discussion without giving offence.
One of the things that will shut down a security program faster than anything else is a flippant security administrator. So that's just one thing that, you know, we really can't afford on either one of our teams.
Paul: Yeah. So denied is something of the past. We used to see requests come to security councils for approvals and the security person wanted to deny everything. Deny, deny, deny. Well, the goal now...
Phil: You can't do that anymore.
Paul: Yeah, we can't do that. We have to figure out, "How do we allow it? Can we make modifications to the request?" And so, again, and we as security professionals have to help make those modifications.
Phil: Yeah. Which means we have to be creative.
Paul: We have to be creative. Exactly. So we can't expect that a developer or an IT administrator understands where we're trying to go with it. We're the ones that are security people. We have to figure out how do we explain that and help and enable them to give us the right answers so that we can prove it.
Erica: So, what kind of that communication, you know, you need to have someone who can, you know, speak a little bit better? We talked a bit about soft skills earlier, but I wanted to ask more about that. Are you guys seeing those soft skills, like communication, creativity, stuff like that, writing, are you seeing that as a gap in IT right now?
Phil: Yeah. That's definitely a big part of the gap. What I interview for when I'm looking for someone is I look for engagement. I look for some kind of excitement, some kind of creativity and a desire to learn as some of the major things that I look for. Paul mentioned the fact that in our job, we do more reading and writing than anything technical in terms of time. So those are the soft skills, I think, that I look for.
Paul and I talked about this a little bit before, so he's gonna talk a little bit about some of the more personal skills that are in there as well. But to your point, I think people disqualify themselves from these jobs because of some of these soft skills more frequently than the tech skills. The way I look at it, I can train a lot of the technology skills. If somebody is intelligent, and engaged, and willing to learn some of the soft skills, they're either there or they're not there, and you can't really train them.
Paul: Yeah. One of the things that I notice a lot is, especially in my job where I'm dealing with a lot of employees, a lot of customers, a lot of vendors, is people will send emails and they will send chat messages and they will try the nonverbal contact skills. Well, that is great for communications in certain reasons, but there are times where, again, we have to pick up the phone and make a phone call.
I have seen issues in the past that have gone over a day or two trying to get access to something, get a product to work, get an answer to a specific question where you're not getting the right questions. Ninety-nine out of 100 times, when we put all those people on a phone call, we have the answer in 5 minutes and sometimes it takes two days to get the answer back and forth with the nonverbal communications.
So we need people that understand when to send an email, when to send a chat message or a text message, and when to pick up the phone, because... And you probably can tell, Phil and I do a lot of talking.
Phil: Yeah. Well, this is a difficult skill. But the reality is we both spend a large amount of our time training our staff to pick up the phone sometimes. An issue will go on for two, three, four days and I'll walk out there and I'll say, "Pick up the phone," or, "Walk over, you know, across the hallway and go talk to the person," because that's a much better means of getting to a resolution on some of these issues.
Paul: So one of the other things too there is... And, again, you know, I'll plug Erica's next webinar because I'm actually really interested in that one as well. IT is not a 40-hour a week job. In fact, I know.
Phil: It's not?
Paul: No. I don't know the... I think I've worked 40 hours when I've been on vacation. And no, I don't advocate that for everybody, but it's my obsessive-compulsive…trying to make sure that I am...
Paul: Yeah. It's my lifestyle. But if you enjoy your job, and you're good at your job, and you are providing value to your company and to yourself and everything there, the 50 hours maybe, that you end up spending working in IT or the 45 hours you spend working in IT or in your job every week, it doesn't seem like 40 hours. It doesn't seem like 45 hours or 50 hours, I mean.
But, you know, those are things we have to…you know, we've undertaken as part of the job. But then again, we're not advocating the 12 hours, 6-day a week work week that we've got some people advocating for nowadays.
Phil: No. Yeah. That's true. One of the things that Paul is talking about is why you have to discover what it is you're passionate about within IT. There's a lot of subspecialties and finding what you really enjoy is gonna be something that's important because you're gonna be doing it on Saturdays sometimes. You're gonna be doing it late nights sometimes.
Paul: It happens.
Phil: You want to and need to make sure that whatever it is you're doing, you're enjoying it because you're gonna spend a lot of time doing it.
Paul: Very true.
Erica: So, really quick, I have a question submitted in the chat from Jim that I wanted to ask because it kind of fits in with what we're talking about now.
Erica: He mentions that communication, maybe, isn't his strong suit, it sounds like, and he is asking for tips to improve that. Do you guys have any ideas on that?
Paul: Well, if you are having a challenge with the verbal communication skills, I will tell you that when I was younger, when I was a teenager, I was a very quiet individual. It took me years of learning to get to the point now where I am now where I can go into a room, pick somebody I need to talk to, and go up and talk to them.
Phil: It's practice. It absolutely is practice.
Paul: It's practice. It is complete practice. If you have an opportunity to, in your personal life, focus on that… And here's the other thing too. If you're good at it in your personal life, you can be good at it in the job. Have your confidence level of what it is that your job is. And if your job is an IT security administrator, be the best IT security administrator. And if you are the best IT security administrator, you will find it easier to talk about it.
If you're uncomfortable with your skills, and that's why you're having trouble with those verbal communications, work on your skills until you're comfortable and you know you are really good at it. Now, there are organizations like Toastmasters out there that you can join that will actually give you some of those abilities or...
Phil: The opportunities to practice it.
Paul: …opportunities to practice it. Exactly.
Phil: And that's one of the things that's really key. Paul mentioned being able to be in command of the knowledge domain. I think that's an essential part of being a good communicator in that space. But another part of it is absolutely practicing. You will get better the more time you spend with your brain engaged and working at communication and public speaking, if it's a public speaking kind of communication that you're worried about.
If it's writing, same kind of thing. Spend time writing. You know, spend time writing good emails. Take the time, not just to write a two-sentence or a two-word answer, but spend the time to actually craft an email and then write something that [crosstalk 00:47:21].
Paul: Understand what you're responding to as well.
Phil: Yeah, exactly.
Paul: So, yeah. For the first 20 years of my life, I was very introverted. I wouldn't talk to anybody. I didn't talk to lot of people. Once I realized that I was good at something and I was passionate about it, I found it easier to talk about it.
And even after that, the first time I got on stage in front of an audience, I was paranoid. I was petrified. I thought I was gonna pass out, but I got through it and the next time it was easier. The next time it was easier. And now, I'll walk over to the stage while somebody else is speaking and I have no problems doing that.
Erica: Okay. Awesome. Thanks for answering that. Hopefully, that was helpful, Jim. Okay. So we are going to go over a few practical tips for career self-improvement and then we'll dive more into Q&A. I've been seeing a couple more get submitted. So we'll try to answer everyone's questions.
I wanted to ask you both, are there any publications, or conferences, or websites that you recommend for IT professionals to keep up-to-date the industry or just to keep in the know for their own career development?
Phil: Sure. So for those that are looking to expand their skills in security, I would say that Black Hat and DEF CON are really good places to start. And not just the conference itself, there are a lot of very good talks. There are very interesting presenters as well. But there are training classes that happen at the beginning and the end of DEF CON and Black Hat, and I would say to look at those opportunities and attend those.
I have senior-level pen testers that have been pen testing for 15 years that I still send to one or two weeks of training every year because they need that to engage and build their skills.
Phil: I send all of my team to training every year for that very same reason because it's important to keep up. Security is one of the few fields, I think, where if you take a vacation for a week and a half, you might be...
Paul: Something might change.
Phil: ...incredibly behind. Yeah. So you definitely do wanna do that. I agree with Black Hat and DEF CON. The SANS events are also fantastic events. They tend to be a little bit more expensive, but they're good events.
Paul: And for those that might not be able to be sponsored by their company, there is MIS and CSI training institutes that are a little less expensive, a little smaller groups together, and you might not only learn more, but be able to build those interpersonal relationships with other people in your field.
Phil: Staying current in the security field. Also, there's a few different news feeds that end up being very valuable. Krebs on Security is a good example of that. There's a blog from a company called White Hat which provides quite a bit. Ivanti has a very good blog around the security space and CSO Online also does.
Paul: I'll also bring up as well, and a lot of people might not necessarily be out there surfing the internet looking for security blogs, but join…if you're on LinkedIn, and that's probably the only social media you'll find me on, but if you're on LinkedIn, join the groups that interests you. Join the groups where you think you're gonna learn something from.
If you are looking for a job in penetration testing, there is an OSCP grew about there. There's a CEH group out there. There's a web application testing group out there. There's lots of groups out there that you can join that you will get security feeds in general where people will maybe repost some of those articles that you might not have seen.
Phil: Following along with the LinkedIn thing also, just in general, cultivate a network of professionals in your field as friends, or sponsors, or any of that kind of thing. They can help you stay current as well. I can't tell you how often it's happened to me, and I know it's happened to you at least more than once, where you'll get an email post from somebody either in your company or some other organization that says, "Hey, have you heard about the latest blahdy, blahdy, blah," and you hadn't heard about it yet.
Paul: It happens because I'm not sitting there reading it 24 hours a day.
Phil: Exactly. So having that network is real helpful.
Erica: Speaking of that network, I wanted to ask what ideas do you guys have on how to go about finding yourself a professional mentor? You know, mentors are kind of really popular now, right, and a great way to help you with your own career. What ideas do you guys have?
Phil: So, I kind of have a love/hate relationship with the mentors. The love part is when the mentorship is very informal. I think that that's a very valuable kind of a relationship and can be valuable for years at a time. When somebody approaches me and says, "Will you be my mentor?" I find that awkward. And I struggle with that kind of a relationship. I mean, I mentor a couple of different people informally, but I really don't do the formal mentorship kind of kind of thing.
Paul: Well, I'll throw one in there about that, Phil. So, I find that the people that I want to mentor have also been an individual that has mentored other people before, as well. So if you are not willing to mentor other people that are trying to move up into your position, find a way that you can do that and then you will find people that want to mentor you maybe without even asking. So, keep those things in mind. Again, if you wanna be mentored, mentor somebody else as well. So it's a good way to give back.
Phil: Paul, what you're talking about is a belief in the fact that folks, as you gain skills, and knowledge, and experience, tend to move in an organization to different positions. And if you have that belief, then you should have no concern or fear about mentoring somebody to take over your job sometime because that's actually a good thing. Having somebody to take over for you when you move up is an important part of being able to move up.
Paul: Yeah. And in fact, in my job, I am always looking for people that are capable of doing part of my job. Because if I can train somebody to do a part of my job and they are good at it, that gives me one less thing to worry about. Again, as the chief operating officer of my company, there is always something new I am having to do, and very rarely, do I get to hand something off. So it's always really good to have that opportunity as well.
Erica: Awesome. All right. So, before we get to the Q&A, I just wanted to open it up to you guys. Any final advice for… Kind of going back to our initial question and the title of the webinar, how do you get a better job in IT?
Phil: So, I got a couple of different thoughts on this. The first one is that you need to be a problem solver, not a roadblock-thrower. And it's a slight difference on the exact same thing.
Throwing up a roadblock just means what you're doing is saying, "You can't do this because of X." Solving a problem says, "Well, there's X in the way, let's figure out how we can get around it or how we can, you know, how we can make sure that that doesn't become a reason why we can't solve the problem." It's a perspective change and it's a critical skill. You need to be problem solvers, not just somebody who throws up roadblocks.
Paul: This is something Phil and I deal with on a daily basis. People bring us problems all the time. Bringing me a problem does not help you and it doesn't help me. Bringing me a solution to a problem helps us both. So, keep those kinds of things in mind.
The other thing that I'll kind of throw out there is be the best. And if you're not the best at what you're doing now, try to be the best. One of the funniest commercials I've seen on... And yes, every once in a while, I still see a commercial, right? And they're talking about being the best at the job and somebody goes, "Well, I'm okay." Well, nobody wants to hear that you're okay. They wanna hear that you're trying to be the best.
The other thing I will tell you is be careful, okay? Be careful on social media. It is great to go out there and put yourself out there and put articles on LinkedIn, blog something out there, put yourself out there in the social media environment of your job, but make sure that you're doing it in a professional manner. Do not go out there trying to belittle somebody else's opinion or trying to prove them wrong. Find solutions. Don't be the problem.
Phil: Both Paul and I have had experiences where individuals have not been hired for positions because of things that have been left on social media. It's a risk that you can't take.
The other thing I would say is play nice with others. It is real important that you cultivate that relationship with folks, especially in security. Sometimes security is in a little bit of an adversarial role with a lot of different organizations within the company. And it is real important for you to downplay the hammer that you have insecurity because you always have the hammer. But that's a problem, right?
As soon as you throw out that hammer, you lose political currency. You lose political capital by doing that. And so it's not anywhere near as valuable as it might seem to be. It's much better to gain acceptance with your peers in the organization. Make sure that they understand that you know what the business problem is and that you're working together to solve a problem, not they're working against you and they see you as an obstacle they have to overcome to get their work done.
Paul: Yeah. Learn some humility. Don't take offense. If people don't agree with you, find a way for a resolution. Don't get in the way. Don't let something else get in your way. But again, don't take offense. There are too many people that take offense when somebody disagrees with them. So find a way to work together.
Erica: Okay. Awesome. Thank you so much, both of you for your insights. We have a few minutes left. So I'm gonna try to cover as many questions as we can. This one from Brian, I really wanted to get to. Brian asked, "How do you overcome burnout in IT?
Phil: That is a really good question. Burnout, from my experiences, and I've had burnout…
Paul: I have too.
Phil: Burnout comes from a couple of different things. First of all, for me, personally, it comes when you're pigeonholed into a job or a role and you feel like you could be doing more than you're currently being asked to do. And that's when you need to start to trigger, get some additional certifications, start looking for additional opportunities, whether they're inside the company or outside the company.
Change your environment. Burnout happens because oftentimes, our environment is stagnant. So you need to change your environment. You're in control of your environment. You do need to make a change to it, but it's up to you. Burnout is not gonna resolve itself because somebody else gives you a job. It's gonna happen because you change your focus and approach and kind of the things that you wanna do at work.
Paul: I will tell you that... The two things I will tell people, especially my employees, when I feel that they're getting burnt out, and I noticed it and I try to take action when I notice they're getting burnout. But find time to unplug. There are times where... And set the expectation that you're unplugging. When you're on vacation, you're on vacation. You should not be answering emails.
I don't believe that there's very many jobs in IT where we all have to be plugged in all the time. I might choose to not be unplugged sometimes while on vacation, and I can get in trouble for that from my wife or my kids, but in general, I try to unplug when I'm on vacation. I try to unplug on the weekends. I try to set that expectation. If one of my employees is trying to reach me on a Sunday, I am not gonna be available.
Phil: Yeah. And along with what Paul said, you need to decide what's important to you in terms of your free time and your non-working hours and be true to that part of yourself. That took me actually a number of years to figure out, but it's really important. You become a better employee when you are actually unplugged on the weekend, or on vacation, or something like that. You come back refreshed and you're ready to go. You're ready to do things better. And it does kinda help with the burnout.
Erica: So, we have a question from Jacob and he is a system admin and looking to kind of get more on the business and planning side as maybe a manager. What advice do you have for him to kinda go through that process?
Paul: Yeah. Well, one of the first things, if you're looking to be a project manager, go out and take a project management course. Look at the PMP. If you're not looking at the PMP and you expect somebody as, again, as Phil mentioned, right? He wants to put somebody in a position that they've already been doing.
If you wanna be a project manager, go get your PMP. If your company won't work with you on that, find a way to do it on your own. There are plenty of self-study courses that will get you through your PMP. But get out there. Get that certification.
Phil: Yeah. Those certifications should demonstrate to your boss that you're willing to do what it takes in order to move into that new space. Also, and almost as an aside, it actually provides you skills and capabilities where you can talk about things that you just weren't able to talk about before and you sound more like a project manager or a manager...
Paul: Very true.
Phil: ...when you're doing that kind of stuff.
Erica: Okay. Awesome. And then one other question I thought was kind of interesting. I know we talked a bit about specialization. We had one question asking, for having more opportunities, are you looking for someone who is a generalist who has a certain knowledge on a broad category of skills or do you prefer maybe a specialist who has knowledge on one or two but more in-depth?
Phil: So, I'm looking for somebody who can fix my wagon. I'm looking for somebody who can solve the problems that I happen to have. So what that means is that person, the person who I'm gonna hire, needs to have the specific skills that I'm looking for. Having general skills is a qualifier, but, usually, isn't sufficient by itself to make me get really excited about a candidate.
Paul: So, in my career, and, again, starting my career over 30 years ago, one of the things I had to learn was how to do a bunch of different things. As the years went by, I tended to specialize, but those generalist skills helped me to specialize. So it helped me be very good at my specialties.
So if you are a generalist now and you do not have a specialty, find one that interests you, find one that's gonna keep you in control, find one that you're not gonna get burnt out of, and start working towards that specialty.
Phil: Absolutely. Yeah.
Erica: Cool. We have a few more questions. I don't think we're gonna have time to get to them today, but what we'll do is we'll write a follow-up blog post and make sure we include those questions in there so we can get all of those answers in.
Thank you both again so much. I think there was a ton of awesome career advice in this. And thank you all to everyone who attended. Hopefully, this was helpful to you and valuable to you. And if it was, please join our next webinar about mental health in IT. I know you've plugged in a couple of times already. Thanks again, Phil and Paul, for joining.
Phil: Thank you.
Paul: Thank you, Erica.
Erica: Yup. Okay, everyone. Have a great day and good luck getting a better job in IT, hopefully after this. Bye, everyone.