MENTORING FUNDAMENTALS

Building Up Security Professionals

2

Jeff Silver, CISSP

Senior Security Engineer, Fraud and Risk Intelligence RSA Corporation

INTRODUCTION Why it Matters

-Positive Professional Development [both Mentor and Mentee]

-Retention

-Team Culture

Parameters of this class

-Key ‘Topics’ for Discussion -Handling sensitive situations -Process and Procedure [Time Permitting]

*Mentoring Technical Personnel is NOT technical training!

WHAT IS A MENTOR? The term mentor probably sprang from Greek mythology.

In Homer's The Odyssey, Ulysses requested that a wise man named ‘Mentor’ care for his son, Telemachus, while Ulysses was involved in the Trojan War. Mentor taught Telemachus "not only book learning ...but also in the wiles of the world.“ It encompasses modeling, supervision on special projects and individualized help, encouragement, correction, confrontation and to an extent…accountability.

TRUST and TRANSPARENCY GETTING PERSONAL: One of the most difficult things to do MUST be accomplished at the

first meeting. This is to get personal and share about yourselves. --Depending on personalities, this can be difficult for some, and not so much for others. --As the Mentor, you should always share first. --Your goal is to honestly share about your key values and life experiences that make you who you are.

TRUST and TRANSPARENCY What if I don’t want to share about my personal life? You should reconsider being a mentor.

Why does this matter? If you are not willing to go deep and share at a personal level with your mentee, you simply will not develop the foundation for TRUST and TRANSPARENCY. What happens if we discover that we are at total opposites in our world views? It is usually OK. Remember, the concept is to be open with each other…not that you have to agree with each other.

BUILDING BRAND This is one of the most important and impactful topics a mentor can cover with their mentee. Building brand should be an exploratory topic in which you listen to the mentee’s career aspirations and their current situation as a security professional. I will mention it a few times in this presentation, but assigning small homework assignments for your mentee is encouraged. This helps stretch the engineer that you are helping, and later in life they will thank you for it.

BUILDING BRAND Typical Examples of brand building sub-topics that you can cover on your calls. --Professional Organizations [Infragard, HTCIA, ISSA, etc.] --Certifications [Security+, CISSP, CEH, etc.] --Reading Rhythm [SC Magazine, books, blogs, etc.] --Exotics [coming slides!] Building brand is a broad topic of discussion, and the examples above are merely a handful of solid and valuable talking points.

EXOTICS Exotics are one of the most important elements of building brand in any organization. They are a hallmark of the most successful security practitioners in the business, and as a mentor this is a topic that should be thoroughly covered. What is an exotic? This is any aspect of the Engineer’s job function that is not part of his/her core duties. It is the ‘Above and Beyond’. Persistent vs non-persistent exotics Internal vs External exotics

EXOTICS Exotics are crucial to brand building because it establishes your knowledge, abilities and willingness to help others inside and outside the company. Examples of exotics for the Engineer include:

--Field Documentation for the broader company team --Post Sales Customer work --Internal or External technical teaching --Mentoring --Guest Speaker at an Industry Event [i.e. Annual Conference] --Creating Internal Training Videos --Acting as a Product Lead --Performing Competitive Analysis --Building and Maintaining a ‘Product Lab’ --Studying for and gaining a new certification

EXOTICS EXOTICS and RISK:

Every exotic has some element of risk, and it needs to be analyzed before moving forward.

Mentors should never focus on the risk, but it is important that the he/she covers the risk and that it is discussed for understanding.

+Some exotics have very low risk [creating a technical document for your team to use]

+Some have very high risk [Teaching an internal class to multiple departments. If your class is poor because you did not prepare right, it brings significant damage to your brand.]

*We should never discourage a mentee from an exotic, but instead lay out what we believe is prudent based on risk. Especially if this is a new Engineer to the company.

EXOTICS -As a mentor, one of the successes you can have through discussion is determining what exotics may be best suited for your mentee based on his/her current situation, strengths and where they aspire to go. -Remember, nothing establishes brand in a company as quickly as successful exotics, so helping your mentee in this area is a key part of success.

CORPORATE RELATIONSHIPS Their Boss: This is one of the most important relationships in your mentee’s life. A mentor can truly help their mentee develop this relationship in a strong and constructive manner. If ever there was an area in which a good mentor can help someone grow…it is here. Compile a list of thoughtful, probing questions:

--How often do you speak with your boss?

--How often do you meet him face to face?

--Rating from 1 to 10, what would you rate your relationship at?

--What do you have in common with your boss?

These are merely a sampling of questions you can ask. Give homework to your mentee. Something like, “On our next call tell me two new things you have learned about your boss”.

CORPORATE RELATIONSHIPS Your Peers: This can be an area that gets overlooked, but team culture is powerful, and ensuring that your mentee understand not just this, but where they stand amongst their peers is essential to growth [Self Awareness]. Typical discussion points are:

--Tell me about the dynamics of your team?

--Who do you feel ‘tightest’ with on your team?

--Who is the biggest ‘complainer’ on your team?

--Who is the newest member of your team?

--From 1 to 10, what would you say your team cohesiveness level is?

*By having these frank conversations with your mentee, they can begin to truly recognize where they stand amongst their peers and how to better act/react with them.

CONFIDENTIALITY Now is probably a good time to cover the issue of confidentiality and how the mentor should handle himself in tough situations. How to handle issues told to you in confidence: -Unless it is illegal, immoral, unethical and/or physically dangerous you have a moral responsibility as a mentor to maintain the confidentiality you have agreed to. -Why does this matter and why can this be difficult? If the mentee becomes a flight risk but has asked you to not share details to his/her manager, you are in a difficult situation. If a specific project/company initiative is in jeopardy, and you need to get others involved quickly, afterwards the mentee can feel that confidence was broken.

CONFIDENTIALITY How to handle issues told to you in confidence:

-Help the mentee navigate the situation [share various positive options] Have them COMMIT to you a ‘positive option’ that you two agreed upon!

-Strongly encourage them to talk to their manager [affirm that you will not violate their trust and confidence either way] -Confirm with them after a suitable time period [i.e.24hrs] if they have in fact talked with their Manager about this. -If not, and you feel they will not, tell your mentee that you are going to have the manager call him/her and you expect them to tell the manager all the details. Force the conversation forward!

*That last option is not a cop out. You are not violating details, but merely forcing the conversation to happen between the Manager and the Engineer. This is almost always a step in a positive direction.

HANDLING AUTHORITY AS A MENTOR Yes…you are an authority figure Formal or informal…this is a reality. “A laid back leader results in laid out soldiers!” Quote from a training officer speaking to ROTC Cadets

You are not trying to be cool and ‘liked’ by your apprentice. This should not be an objective of yours. [You are the thermostat….NOT a thermometer!]

You should be trying to make him into a world class security professional…and in the process of all this, you will most likely develop a good relationship. Junior eyes are on you! Use this ‘opportunity to mentor’ as an opportunity to tighten your own work habits. [Lead by Example]

TECHNOLOGY NAVIGATION Knowing what technology to focus on: As you work with your mentee determine if they love the products/services they directly support as an Engineer. Your company may utilize a lot of products/services, and it is important that we ensure that Engineers are tied to the products/services they are not just passionate about, but have solid aptitude for. If your practitioner is new to the business, help them understand ‘life cycles’ of products and services at your company. Use real life examples versus hypothetical.

TECHNOLOGY NAVIGATION A good surfer does not just swim out and grab the first wave he comes upon. He sits out there and watches the waves come in…analyzing them. As a Security Practitioner, we want to analyze the products/services out there, and determine which one is right for me.

-Am I passionate about the technology I work with every day? -Do I believe it is at the right place, at the right time, to solve real business problems? -Do I believe my company is behind it financially? -Do I have the aptitude and skill set to master it, and be credible?

CAREER PATH DECISIONS Career Subway: You have a tremendous opportunity to help guide an Engineer to truly understand their next career steps here, and how to get there.

Discussing with your mentee what their manager expects of them to be a Senior Security Engineer [assuming they are a Security Engineer].

Your conversation on this topic with them should be thought provoking.

+Are you aware of the various Engineer ‘titles/levels’? +Do you know the exact steps you need to take to gain a promotion to the next level? +Have you developed a strategic career plan with your Manager? +Who do you feel is most responsible for your career growth? +Do you have a timeline or expectations for your next promotion?

HEADQUARTERS Working with and at the Mother Ship: Talk to your mentee about any plans they have regarding the Corporate Office.

Discussion points to cover with your mentee:

-Find reasons to get there [training classes, appointments, etc.]

-’Clothe’ the trip with meetings during an extra day there.

-Encourage your mentee to set up meetings with people in departments that they don’t normally work with. [Certainly you want to meet the Product Manager of your product, but have you met your

HR person? How about your commissions analyst?]

MENTORING THE MENTOR You need to leverage your mentor as well. Sometimes situations are complex, and the career of a young Security Professional is in the balance of your decisions and guidance. That is a sobering reality and hopefully any Mentor takes serious. Mentors should have the common sense to bounce complex situations off of a mentor, peer mentor or their manager for validation.

23