We Hack Purple Podcast

We Hack Purple Podcast 20 with Brian Anderson

January 15, 2021 Season 1 Episode 20
We Hack Purple Podcast
We Hack Purple Podcast 20 with Brian Anderson
Chapters
We Hack Purple Podcast
We Hack Purple Podcast 20 with Brian Anderson
Jan 15, 2021 Season 1 Episode 20

Episode 20 of the We Hack Purple podcast has host Tanya Janca Learns what it's like to be an Information Security Officer\Service Delivery and Operations Manager, with Brian Anderson! In Brian's own words: "I'm an InfoSec Manager who straddles both Security and pure IT roles. I've been in IT and InfoSec for almost 20 years. I fell into this by accident, couldn't dig my way out, so I decided to dig in." This episode was an absolute treat!

Follow Brian on Twitter!

Thank you to our sponsor Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security 

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter for free content and other goodness!

For corporate virtual training contact [email protected] 

Show Notes Transcript

Episode 20 of the We Hack Purple podcast has host Tanya Janca Learns what it's like to be an Information Security Officer\Service Delivery and Operations Manager, with Brian Anderson! In Brian's own words: "I'm an InfoSec Manager who straddles both Security and pure IT roles. I've been in IT and InfoSec for almost 20 years. I fell into this by accident, couldn't dig my way out, so I decided to dig in." This episode was an absolute treat!

Follow Brian on Twitter!

Thank you to our sponsor Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security 

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter for free content and other goodness!

For corporate virtual training contact [email protected] 

 welcome to the we hack purple podcast 

 where each week 

 we interview someone from the 

 information security 

 industry about their super interesting 

 job 

 we hack purple is a training academy an 

 online community 

 plus this awesome podcast this week's 

 episode 

 is sponsored by thread fix which is 

 powered by denim group 

 and our guest this week is brian 

 anderson and he's going to tell us 

 all about what's like to be an 

 information security officer 

 as well as a service delivery and 

 operations manager 

 and i know what you're waiting for 

 you're like tanya just bring the guest 

 out 

 oh yeah i'm tanya janca i forgot i'm 

 your host and here 

 is brian anderson welcome brian hey 

 thank you for having me oh i'm so glad 

 that you could come on the show 

 and you might have noticed that we have 

 very different lighting this is because 

 i have twilight turned on to 

 take all the blue out of my screen but 

 brian has the opposite where he is in 

 80s tv land i was born in 80s tv land 

 i grew up on mtv so here we are awesome 

 so could you tell us a little bit like 

 you know what your title is and then 

 what is it like 

 what is your job like i guess so 

 i have an interesting job that has 

 changed quite a bit 

 over the last couple of years so i i 

 started 

 as a systems admin 

 for a luxury brand in new york 

 and uh it turned into 

 becoming the information security 

 officer information security manager 

 and now i've kind of come full circle 

 i've added service delivery and 

 operations manager to my title which 

 makes me 

 both the head of the 

 it infrastructure team all the sysadmins 

 the help desk and all of them 

 and i manage the security side of things 

 which makes life complicated 

 would be the best word for it sometimes 

 i feel just a little bit schizophrenic 

 i'm not sure which answer to give uh the 

 the sysadmin engineer answer or the 

 security answer 

 but i try to give both that's usually my 

 job 

 okay i love it um yeah so you kind of 

 have 

 almost like a conflict of interest with 

 yourself 

 just a little um the way i tried to 

 describe it was i was given advice when 

 i became 

 when i really got into security which 

 was buy 

 the operations manager lunch and so i 

 took it quite literally 

 and i do it every day now um 

 it is sometimes very difficult to know 

 where to draw the line 

 um but at the same time i think the 

 rewarding and positive part is i'm 

 able to bridge the gap that often 

 happens between infosec pure infosec 

 and i.t uh you know i try to 

 i try to tell myself all the things that 

 really bothered me 

 when i was in security do the opposite 

 of that 

 uh and and then you know i try to do the 

 same thing for the other side so i sort 

 of meet in the middle 

 and i try to treat both of the teams 

 with some independents i try to make 

 sure 

 that they each have the power to 

 do what they need to do for their own uh 

 for their own success but i think you 

 know 

 the positive is usually a net win for 

 security 

 because i almost always will make sure 

 to ask 

 and involve you know what's the security 

 team think about this where are we going 

 with 

 our strategy uh my job is 

 a lot of talking 

 you know talking between teams and 

 talking to the business 

 about both subjects so 

 what would you say like a day in the 

 life 

 is like for you like when you go into 

 the office 

 because a lot of people were really 

 surprised when i explained 

 that an apsec engineer needs to be super 

 duper social but a pen tester 

 actually needs to spend a lot of time by 

 themselves 

 i i have um you know i think 

 the the the the thing i wake up to 

 every day and then have to kind of 

 really get ready for is i'm a mix 

 um a lot of my job is 

 in front of the business being the 

 information security 

 manager and an officer i'm generally the 

 management face 

 of the security team so i'm the one who 

 is talking to 

 the business about security risk i'm the 

 one who 

 uh helped develop the security awareness 

 program 

 if there is an incident generally i'm 

 the one who's trying to relate it 

 to the business outside of what the an 

 analyst team and what the 

 incident handlers are doing so i'm sort 

 of doing the translation for them 

 um on the operations side it's a lot of 

 project management and making sure 

 everybody is getting things done 

 day-to-day but also trying to make sure 

 that i've got enough resources to focus 

 on 

 some of the things that security really 

 gets bugged about 

 like patching and you know 

 i i i'm glad that i have the ability to 

 say you know security guys 

 i got this we're gonna go patch we're 

 gonna go do these things 

 because that's you know part of the job 

 so it's so it's a win 

 but it's wearing a lot of hats it's you 

 know being able to do a little bit of 

 everything 

 i don't always want to be social but i 

 kind of have to sometimes 

 and then there are times where i have to 

 push everybody away and say okay now i 

 have to focus on 

 you know the behind the scenes you know 

 let me sit down with 

 you know an analyst and figure out 

 what's going on with this packet capture 

 kind of thing so 

 it's a little bit of everything when you 

 start doing two jobs 

 because i've had this happen to me 

 before so they're like oh like this 

 person left and now you're gonna do all 

 of their work did you start getting two 

 paychecks 

 i asked 

 yeah that was certainly a a concern 

 and you know i would not turn it down 

 today 

 if i if i had both ryan's open if you 

 want to send more money 

 like he is okay with that yes 

 absolutely absolutely um but i i guess 

 to be fair 

 the opposite uh was when they 

 offered me the position it was 

 i i i can't go into detail about all of 

 the the planning behind it but i 

 remember the call i was on the way 

 into the office and so it was really 

 early in the morning 

 and i get this call and they say can you 

 stop by 

 hr and you know as soon as you get in 

 and so i had the opposite feeling it was 

 not 

 you're going to get offered a new 

 position it was oh god i've been fired i 

 gotta call my wife 

 everything that you've done recently 

 it's like that didn't seem that bad 

 what did i do wrong it's like oh no we 

 just want you to do more work oh 

 wow um okay good work 

 rewarded with more work uh but you know 

 it's it is rewarding um it's sort of 

 getting told that i've been doing a good 

 job on two fronts 

 because like i said my background coming 

 into tech 

 was you know started on a help desk i 

 don't know 

 20 years ago um and 

 it was becoming an engineer becoming an 

 exchange 

 admin and then getting into security 

 getting into networking 

 so i've come full circle and it feels a 

 little bit like 

 they're saying hey way back when you 

 started this 

 you had a good idea we kind of want you 

 to keep doing it and so it does it does 

 feel pretty good sometimes 

 have you worked there a long time it 

 sounds like it 

 yes um i've been there um 

 i've been there for a long time 

 a long time but it wasn't really the 

 beginning of my tech career 

 uh before that i was in chicago 

 i did some consulting work that i 

 started on a help desk for an insurance 

 company 

 a lot of my experiences with small 

 companies which i really specialize in 

 and my company despite the brand is 

 still it acts like a small company and i 

 like that 

 yeah okay so i have more questions 

 so what types of personality traits do 

 you think 

 someone needs to be good at your job 

 like a good listener 

 or like lots of leadership or maybe they 

 need to be good at punching just kidding 

 i'm not good at that so i i would fail 

 miserable 

 uh miserably i i think 

 uh one is communication uh 

 really being able to translate 

 really complicated concepts uh 

 and break them down into something 

 that's digestible it never gets simple 

 uh because when you try to get too 

 simple people really kind of miss it 

 uh and and they want to boil it down to 

 incompetence or what went wrong and it's 

 not that it's not that simple 

 uh i think for me a lot of it is i look 

 for 

 a good communication skill 

 which includes listening um 

 it requires a lot of multitasking um 

 you know it's it's never the same thing 

 every day um and 

 you know even early on before i became a 

 security manager 

 i was often working in environments 

 where 

 you were doing multiple tasks you were 

 both the analysts and the incident 

 handler 

 and you were trying to develop something 

 on 

 uh you know for some sort of educational 

 benefit and you're trying to teach a 

 little bit and you're trying to do this 

 and you're trying to do that 

 uh so you know i i really look 

 for uh the ability to multitask to take 

 off one hat you know take a deep breath 

 and say okay i'm gonna switch gears and 

 do something 

 really uh different uh than what i was 

 doing just a few minutes ago 

 um and i try to take advantage of being 

 able to learn 

 quickly you don't have to know it all 

 but you do have to pick up 

 from others especially new concepts or 

 new ideas or new ways of doing things in 

 a really 

 short period of time because there's not 

 a lot of leeway when things go wrong 

 seriously oh my gosh it feel it feels 

 like 

 um you have to be able to handle a lot 

 of 

 different things at the same time well 

 be 

 organized and also you must have to make 

 a lot of decisions 

 yes decision making is 

 important i think the biggest decision 

 to make 

 that i advise and and i've been really 

 talking a lot to some of my team members 

 to try and 

 empower them to make decisions is the 

 decision 

 is when to delegate to someone else 

 a task that i don't either don't do well 

 or that i just simply don't have time to 

 do and 

 i'll be honest it's not easy to do i 

 i know i'm the kind of person yeah i 

 kind of if it's mine it's i'm i'm going 

 to hold it kind of close to my vest 

 but it want it's been kind of beaten out 

 of me in in 

 at times where you know either 

 deadlines slip which is not good um 

 or the opposite really that you know 

 people don't feel like you trust them 

 and i i think that's really really 

 important trust 

 is critical with a team uh 

 insecurity especially yeah we have to 

 trust each other 

 yes and so in in 

 french so i speak english and french 

 because i'm canadian and some of us do 

 that 

 and in french we say i take a decision 

 but in english we say i make a decision 

 and sometimes 

 i feel like to be a leader you have to 

 take 

 the decision if that makes sense because 

 you have to be 

 especially if you're doing incident 

 management sometimes like you have to be 

 like 

 this is the decision now let's go do it 

 and some people just can't 

 you know like those people where they 

 spend 10 weeks buying a pair of pants 

 you're like you can't lead a security 

 team because you can't 

 do that with security yes yes 

 yes um i think yeah i i think you're 

 absolutely right 

 um i i i think one of the most 

 important parts especially with the 

 security teams a little different with 

 operations 

 uh you want to sort of foster that 

 creativity 

 and let people debate endlessly until 

 you come to the right decision 

 with security time is a factor and so at 

 a certain point 

 you know you let everyone talk you want 

 everybody's voice to be heard 

 you want that diversity but at a certain 

 point one of you is going to have to say 

 okay here's what we're going to do next 

 and it's you know you can always go back 

 and 

 ask more questions about other ideas you 

 don't want to throw anything 

 out um but there is there's a certain 

 point 

 of authoritativeness that's really 

 important 

 um and and you know afterwards i tend to 

 have to go back to my team and say hey 

 i'm sorry i didn't mean to cut you off 

 it wasn't 

 that wasn't you know i want to hear more 

 about that idea when we're not doing 

 this 

 because there may be some value uh so 

 it's it's 

 uh yeah that's that is a big challenge 

 oh i love 

 it okay so we have a bunch of people 

 watching and i want all of you to know 

 that you should click the thumbs up if 

 you're enjoying this i did 

 just kidding i will after because i'm 

 busy talking to brian 

 um but also if you want to ask brian a 

 question you can put it in the chat 

 and i follow brian on twitter that's how 

 we met basically i was just like it's 

 like brian says everything 

 on twitter that i'm too afraid to say 

 like my 

 thoughts like i'll have a thought in my 

 head i'm like oh brian just tweeted that 

 yep and then i'm gonna like it but then 

 be too afraid to retweet it but i'm like 

 oh he's so spot on so often 

 i i i feel a lot of pressure now 

 no but like you say a lot of really good 

 security things you say 

 a lot of things about politics so 

 because i'm canadian i tend to only 

 comment on canadian politics 

 but our countries are neighbors and you 

 know i look across 

 the way and wonder what's happening 

 sometimes 

 um but i try not to comment because i 

 know that when other people from other 

 countries make 

 comment about our politics i'm like back 

 off you don't understand blah blah blah 

 like someone that i like made 

 yeah someone was making some comments 

 about gun control in canada and i almost 

 lost my crap on him 

 i was just like actually and he's like 

 it's a right i'm like no 

 that's in your country go go home you're 

 drunk 

 um and we're still friends but 

 um so i know i can feel like very like 

 we have a different culture right and i 

 shouldn't comment on their culture but 

 i like reading brian's comments and so 

 i'm going to say his twitter handle 

 out loud for people that are listening 

 so it's at 

 b like brian t like tanya 

 anderson and then 72. so 

 also you could just like tweet at me and 

 say yo how do i follow brian 

 or you could go to our podcast show 

 notes which are at wehackpurple.com 

 [Music] 

 podcast.html we're getting a new website 

 soon so it'll probably be somewhere else 

 in a few weeks but for now it'll be 

 there 

 but that said i am supposed to promote 

 something on behalf of we hack purple 

 we are just like i am not in charge of 

 marketing now so someone else is in 

 charge of it and they have good ideas 

 and so we're giving away two 

 free email courses so basically like 

 for one week we'll teach you a thing for 

 free and the first one will be incident 

 response 

 and the second one will be scaling your 

 security team so the instant response 

 one will be about like 

 how to respond to like a software 

 security related incident 

 and then scaling your team like how to 

 do a security champions program like 

 what you should delegate 

 and what you should not delegate because 

 you're going to screw that up um and so 

 if you want to sign up for this 

 haha the trick's on you you have to join 

 our newsletter so the newsletter is 

 newsletter dot wehackpurple.com 

 pretty obvious right okay i'm done my 

 marketing now brian 

 for now then i'm gonna talk about thread 

 fix later so 

 when i have more comments and more 

 questions 

 so your job now 

 you might not think it's super technical 

 but you're able to make a lot of 

 decisions easier 

 probably because you're of your 

 extensive technical experience 

 what types of technical skills do you 

 feel someone needs to have or experience 

 that they would need to have 

 to be able to be good at and can you 

 explain it for like each different job 

 because you sort of have two jobs in one 

 would that be 

 okay sure no that that's absolutely 

 that's absolutely possible um i am 

 by nature a generalist um i love 

 all of it uh and 

 what i found from a technical level for 

 both jobs 

 is that understanding a little bit about 

 everything helps because especially 

 nowadays 

 all of our technical experience is 

 intertwined we're rarely 

 on a team of people who just do 

 one thing and uh so 

 you know i try to i try to encourage 

 people to have 

 the broadest base of technology that you 

 can 

 learn a little bit of coding learn a 

 little bit of engine network engineering 

 learn you know a little bit about 

 systems and 

 software and operating systems so that 

 you can be cross-functional 

 because i think it's very very difficult 

 now to find 

 a i.t department or a security 

 department where we're not crossing 

 boundaries 

 all the time my dev team 

 currently is very small and if i need 

 coding help i have to 

 you know either figure out how to do it 

 myself or go 

 to others to do it so 

 you know it helps me to have a little 

 bit of understanding of how to do python 

 and how to work with this and how to 

 work with that you know a lot of 

 uh integration so what i really 

 recommend 

 is grab it all 

 because you don't really know until 

 you're in the environment 

 and into the job which is going to be 

 the strongest part 

 of your skill set that you're going to 

 need for that particular 

 uh organization or operation you might 

 go in thinking 

 i went in thinking i was going to be an 

 exchange administrator and 

 now they don't let me touch email at all 

 except fishing 

 they let me do fishing that's it so you 

 click on the fishing emails 

 i you know i i set them forget that i 

 set them up 

 and then um and then i nearly clicked 

 them 

 and it's not but then 

 if you follow my twitter you know that i 

 don't find fishing tests to be all of 

 that 

 all that uh helpful um 

 in terms of education i have there are 

 some benefits to them 

 i really do believe that you can get 

 value out of it 

 just not you know i try not to punish 

 people for 

 oh no no positive reinforcement rather 

 than punishing for failing 

 faux show i mean for sure 

 no absolutely i mean you know that's i 

 think one of the other 

 skills that i really push for from 

 people is compassion 

 really understand that the people that 

 we work for 

 are just people they're good people 

 they're bad people uh they're competent 

 they're scared they're insecure they're 

 uh you know sometimes they're 

 sorry can i say that 

 but mostly you know you have to figure 

 out how to set up a program 

 that incorporates all of them uh and and 

 all of us 

 so there's not really a single skill or 

 a single technology that i would say 

 everybody 

 must learn uh something but i think 

 you know find something that you're 

 happy learning 

 about um because you're gonna have to do 

 it for the rest of your career 

 whether you want to or not that is so 

 true 

 i would like to note that i agree with 

 like basically everything brian said 

 uh and i really like the idea 

 of trying to get the broadest technical 

 experience you can 

 so that you can see things from the 

 other side but also so you can make the 

 absolute 

 best decisions for your organization 

 like 

 both so that the solution you find is 

 good 

 but also that you pro like the solution 

 you find 

 is secure because sometimes you have to 

 be super creative 

 and understand another way to do 

 something so it can actually be a good 

 solution and a secure solution 

 um someone was tweeting at me earlier 

 today tonya is reading your book 

 allison bob learn application security 

 you can get it on 

 amazon um but they're saying to me 

 oh like you said you know users don't 

 like captchas 

 and that we should use a cross-site 

 request forgery like an anti-sea surf 

 token 

 instead but that doesn't stop against 

 brute force attacks i'm like okay so 

 you're only on chapter two 

 if you keep reading we're going to talk 

 about like defense and depth and layered 

 security so you could do like a c-surf 

 token 

 but then you can also you know set up 

 resource quotas throttling 

 alerts and all these other things so 

 that you can catch the bots 

 so that you can slow them down and annoy 

 them and like just cut them off 

 also like you can block ips like there's 

 so many things you can do 

 but like captions still suck from a user 

 experience 

 perspective but if you don't know 

 there's these other options of things 

 you can do instead 

 you'll be that security person that says 

 you have to use a captcha 

 because brute force and you're like 

 actually there's like multiple ways 

 to solve this problem um and so like 

 what can we do that is a good 

 solution but also a secure solution yeah 

 i i 100 agree with you 100 agree i think 

 one of the things that 

 when i talk to my teams about 

 it is about user experience that uh 

 you know you know we've really started 

 trying to capture metrics about it like 

 how do we explain 

 what people are going through when 

 they're using the application or the 

 platform 

 and you know we asked the question 

 outright 

 how much multi-factor is too much 

 multi-factor 

 and we haven't gotten the answer yet but 

 we're getting there because we realized 

 yeah i mean the security answer is put 

 multi-factor on 

 everything and i do agree and so i look 

 at my phone and i've got 

 four different authenticators and i 

 can't remember which one is for which 

 one 

 and then i'm like struggling to find 

 which one is the one-time pass 

 and then it times out and i have to do 

 it again and then by the time i have to 

 do it that second time 

 i'm done i'm not using that application 

 and then it's like well yes it's secure 

 but 

 nobody's going to secure i can't do the 

 user 

 i don't want to use it and uh 

 you know and that's where you know i 

 think my job 

 having both the operations side and the 

 the security side 

 really is a benefit because i think i 

 now 

 have a lot more understanding of well 

 you know we're looking at perform system 

 performance on the operations team 

 and we're saying well how come nobody is 

 using our application 

 and then you turn and you look over and 

 there's the security team and we're all 

 proud 

 and we're like oh we're the ones that 

 are making this 

 you know not work so uh 

 so now we're really working to create 

 that balance to make 

 good solutions as opposed to just secure 

 ones 

 um and it's it's it's helping i think i 

 think you know as an industry we have to 

 look towards that what's the experience 

 yeah i believe that is the security 

 team's job to enable 

 everyone in the business to do their 

 jobs securely 

 yes and if we remember that like 

 oh i'm disabling this dev from doing 

 their job 

 by sending them a link to nist and 

 saying figure it out yourself 

 when they've asked for help and this is 

 when they roll their own encryption 

 or write their i'll just write my own 

 session management and authentication 

 and authorization 

 because i'm not aware that the one in my 

 framework is probably the best one for 

 me to use i'll definitely write my own i 

 know 

 better than all the people that designed 

 this framework right but 

 it will never work but we have to we 

 have to support 

 them because because they have a job to 

 do right they're like i need to 

 authenticate my users like i need to do 

 that 

 and i'm still gonna do it whether you 

 help me or not 

 and you might not like the way i do it 

 yes 

 that is absolutely true um one of the 

 things that i learned before i started 

 in this role 

 you know as a consultant a lot of the 

 clients that i was working with had no 

 security team at all 

 and so i was kind of doing security as a 

 value add 

 to the consulting job like i may not 

 have even been brought there to do it 

 uh but the thing that i i tried to do 

 with 

 you know and got from them was 

 a lot of people feeling like they 

 weren't getting 

 good security advice and it wasn't that 

 they weren't getting any 

 they were just getting to a point where 

 it was very frustrating you know they 

 were 

 and they were going to do what they 

 needed to do to do their job and i think 

 the thing i got from them 

 was they had a different risk matrix 

 than what they were putting on paper 

 when we talked to them about risk they 

 were thinking about 

 the organizational's risk uh you know 

 the 

 the the you know 

 loss of reputation the loss of income 

 and revenue 

 uh you know work stoppages and so on and 

 they were putting those 

 all in you know in the matrix and it 

 made sense what was missing 

 was the individual who was saying yeah 

 all those things are true 

 but if i don't do this i'm afraid i'm 

 going to get fired and that's a bigger 

 risk for me 

 and that was a real turning point you 

 know people were 

 going around security not because they 

 didn't believe in security 

 but because their risk was i don't want 

 to get fired i want to be productive i 

 want to do my job i want to get my 

 paycheck i want to go home 

 and if you make that hard 

 i i you know i get insecure and i get 

 nervous and once i started to see it 

 that way i 

 i start to see it that way you know i'm 

 a little worried when things take too 

 long and i'm not being as productive and 

 my bosses how you doing on that 

 well yeah yeah 

 i oh i was explaining um so i had like a 

 meeting with a client today and i was 

 explaining to them 

 you know if if they ask us for help and 

 then we 

 send them a pay like so i've i've seen 

 this where security teams 

 send a link to nist or they send a link 

 to the canadian equivalent which is 

 itsg33 

 or they will send a link to 

 owasp's asvs so application security 

 verification standard which is an 80 

 page excel spreadsheet for pen testers 

 and it totally kicks butt if you want to 

 do pen testing 

 um but i'm like it's the equivalent of 

 all of us gathering in a room 

 and then just putting up our middle 

 fingers and then taking a selfie 

 and then emailing it to them that's what 

 it feels like to receive that email 

 if you asked they asked us for help and 

 we were like 

 nah they know how to use google 

 they know 

 yes that is i i i 

 and and and what we don't want to admit 

 is that 

 we don't really like reading nist stuff 

 either i mean 

 i i love their guidance i i've read 

 through it 

 but not pleasurably no it's it's 

 it's a lot of of research and and 

 grinding and it's technical and it's 

 sometimes overly technical and 

 you know it's it's not fun and if it if 

 it's not fun it will not get done 

 uh i didn't mean to make that rhyme but 

 it it 

 it's it's not it's it's not fun if you 

 have to do it uh 

 do it that way and so we have to find 

 ways to 

 communicate in a in a way that makes 

 sense 

 uh to the business into the organization 

 that we're working with 

 so now that we are halfway through the 

 podcast i'm going to thank 

 our amazing sponsor threadfix they make 

 the most stupendous vulnerability 

 management system 

 this side of the galaxy and 

 they're extra wonderful because we just 

 signed a deal with them to sponsor 

 basically until we don't have guests 

 anymore for the podcast 

 and so next week is ubik security but 

 from then on it is just going to be us 

 and thread fix partying all the time on 

 the wehack purple podcast and i want to 

 thank threadfix for basically they're 

 completely unending 

 and generous support that they have had 

 if we hack purple they do so many nice 

 things for us like more than just 

 sponsor us 

 so thank you dan thank you sheridan and 

 all of you you're great 

 um and also uh i want to note that um 

 we just got swag so we now have a swag 

 shop 

 and uh i told brian that i would like 

 just like 

 pretend to like drink out of it i also 

 have t-shirts but i couldn't think of 

 like 

 a non-awkward way to just like jump up 

 and be like everyone look at my 

 chest because i i was wearing a superman 

 shirt one week 

 and then i was like everyone look at me 

 and then some male fans commented that 

 it they had conflicted feelings 

 about that and i was like oh i'm so 

 embarrassed 

 okay so note to self so i may like next 

 week i'll be like this i'll be like 

 yeah what's up from really far away so 

 that people could see my t-shirt 

 um but yes uh all of those things 

 i okay so brian let's say someone is 

 like 

 i want to try one day to be an 

 information security officer like i 

 would like to try to lead a security 

 team 

 and or they want to do because like 

 anyone can listen to this podcast it's 

 not necessarily just security people 

 and like maybe someone wants to be the 

 manager of operations 

 and they want to do service delivery and 

 they want to be good at it 

 and so they want to get training and 

 experience to lead up to that 

 what types of experience should they try 

 to get or training 

 might be good so that they could be 

 prepared and be excellent 

 at this job slash apply and not get 

 screened out 

 that is a really good question um i 

 i love it it's it's uh and and a few 

 years ago i probably would not have been 

 able to answer it because 

 i really didn't know i really didn't 

 know what it would take 

 uh to be a security officer so i 

 you know i'm i i i think 

 my experience has been um 

 the first i think is to never sell your 

 own experience short 

 i really like it you know particularly 

 in security 

 seeing people bring their non-security 

 experience to the table because 

 our job is to relate to the business and 

 most of the business is not security 

 unless you work for a security company 

 you're not doing that um you've got to 

 explain 

 and manage risk for people who are 

 worried about something else 

 um so uh you know the people that i look 

 for are looking for pragmatic solutions 

 and they're coming bringing those 

 solutions from somewhere else 

 um and and so if you have 

 experience in finance bring that 

 if you have experience in 

 marketing or shipping or 

 logistics bring those experiences 

 because the pragmatism 

 will really do you good in a role 

 as a security officer or a managing 

 operations team 

 it's a lot of pragmatism it's a lot of 

 what's the 

 simplest way to kind of get to a 

 solution because a you don't have time 

 and b you probably don't have the budget 

 to do something 

 that is going to be as extravagant as 

 you think it is when you had this great 

 idea 

 uh you're like i got this great idea and 

 then you go okay but you only have two 

 thousand dollars to do it with oh well 

 then let me come up with something very 

 pragmatic to work on it 

 so bring your bring your skills from 

 everywhere 

 um and i think it's really important for 

 diversity 

 bring everything that is in you to the 

 table if 

 you're only going to come in and talk 

 tech 

 you're going to struggle in a management 

 or an operations role 

 uh if there was something that i wish i 

 had 

 learned before i really was in the job 

 i would definitely recommend taking some 

 management courses 

 and non-tech management courses just how 

 to 

 relate to having a team underneath you 

 of sometimes very diverse 

 and sometimes very opposite 

 uh personalities um you know when you 

 deal with you know i i'm blessed with a 

 very 

 diverse team culturally 

 but sometimes i have to keep in mind 

 that those aren't always it sometimes is 

 a little push and pull 

 you know sometimes you have to recognize 

 that not everybody recognizes the same 

 holiday 

 so having some training in that 

 definitely helps yeah um 

 you know understanding business in 

 general 

 as opposed to you know the tech side of 

 business is also helpful so 

 i would say those are some of my top 

 hits of 

 things to learn things i wish i had 

 learned before i had the job 

 i definitely agree with you on that um 

 so i am in the weird situation where i 

 have only ever worked in tech 

 and i was a professional musician uh and 

 like i did like comedy and acting yeah 

 it's like if you look at me up on 

 spotify that's me um 

 but uh so i have like this weird 

 very concentrated like set of whatever 

 so then 

 as i got older and i was like trying to 

 move it like up the ranks in tech 

 i had to learn a lot of communication 

 skills because 

 i was used to either talking to really 

 drunk people who would come see me play 

 music 

 or um you know just being in my cubicle 

 coding by myself and it was like oh i 

 have to speak at 

 people and i have to like be a little 

 more graceful let's say than i was when 

 i was younger 

 um like not quite as direct as i could 

 be 

 at times yes brian is laughing because 

 we both 

 like to get to the point of things i yes 

 um i have sometimes said something and 

 it really wished i could pull that back 

 it's yeah 

 um no i i totally agree uh 

 communication is really important um and 

 and communicating a lot of times on 

 different levels um 

 when i am uh doing 

 in-person security awareness training um 

 i'm not 

 talking to you know i'm talking to 

 people who may very well have come from 

 very different 

 perspectives and you know their their 

 vocabulary their understanding of 

 technology may be very different from 

 mine 

 so i you know 

 and you know one of the things that i've 

 learned and i think i said it somewhere 

 once and it became kind of a mantra when 

 i look back at my presentations 

 is look for things that are true 

 but not helpful and then take them out 

 because 

 i'm notorious for it i have gone into 

 and given a presentation and gotten 

 really technical 

 and it's like when on a security you 

 know you know being from security i've 

 said things that were 

 absolutely true 100 true but absolutely 

 not helpful 

 and the faces glaze over and the eyes 

 glaze over and they're looking at you 

 and then they're like i hate this 

 oh my gosh brian i teach secure coding 

 and i i got hired to like plan a 

 training program and they're like oh 

 this is the training we gave last year 

 and there was six straight hours on 

 encryption and like asymmetric versus 

 symmetric 

 and it was like an intro to secure 

 coding for devs and like why are you 

 wasting their time for like almost 

 this is almost a day worth of wasted 

 time and my boss was like 

 but i'm like no they need to know it's 

 encrypted in transit it's encrypted at 

 rest these are 

 the settings i want your security 

 headers these are the settings i want 

 your cookies 

 and then that's it so go home next 

 because i have so much crap i need them 

 to know and you can't waste four to six 

 hours on this i have stuff to do 

 that i need to teach them and that's not 

 it and like i looked and it like um 

 so they had hired like this really high 

 paid consultant and then here i was like 

 coming in as a person that had been a 

 dev forever that had just switched to 

 security 

 and i was like no no just like throwing 

 away like we printed it out and i was 

 like tossing the stuff over my shoulder 

 no 

 no no and yes removing stuff 

 that is not helpful like like you might 

 want to dive down like a tiny bit of a 

 rabbit hole like if you 

 for instance you're like here's the 

 reasons why using https everywhere is 

 important like here's the risk 

 but like they all need to know the ins 

 and outs of asymmetric versus 

 like no one cares and like oh yeah like 

 diffy homan 

 this guy you know it's named after a 

 dude and no one gives a crap 

 they have stuff to do yes yes 

 absolutely um and i mean i i love 

 firewalls i do 

 i i have this weird love for them i you 

 know i started it was one of the first 

 my first introductions to security was 

 was working on firewalls and i'm the 

 same way i will talk your ear off 

 uh about all sorts of things you know 

 and 

 the differences between stateful and all 

 these extra add-ins that have been added 

 over the years and then 

 you realize somewhere about half hour 

 into the conversation that nobody's 

 following 

 you know they they don't care even the 

 security people are like yeah 

 okay it's it's 

 really important and i you know a lot of 

 times 

 especially in security your boss may not 

 be 

 very technical at all a lot of security 

 teams 

 actually come under finance um because 

 of 

 you know internal controls uh for that 

 organization 

 and if you want to talk to your cfo 

 about uh you know 

 jiffy hellman you have wasted your time 

 you need to drive you need to buy that 

 person a beer yes 

 uh they'll listen very comfortably 

 and they will walk away 

 my beer's done i have to go thank you 

 and then you'll wonder why you're not 

 invited to lunch as much anymore 

 no it's it's it's true that you know 

 communication is really important 

 knowing your audience is really 

 important 

 um you know translating risk into very 

 different 

 concepts for different people and coming 

 up with new analogies i think i spent a 

 lot of time coming up with a new analogy 

 for how i can explain 

 uh this bad thing that could happen uh 

 is is kind of like an exercise like i 

 should start setting time aside in my 

 calendar and say what's the new analogy 

 for how i can explain it because 

 it's a skill and it's not one that i i 

 think comes easily but when you find 

 someone who has it 

 they're like dynamic there are people i 

 think that we both follow on twitter 

 that when they 

 when they hit it it's like oh my god i 

 can't believe it they just made this so 

 simple for us 

 yes and then i saved that somewhere 

 yes because it is okay to use great 

 examples that other people gave 

 yes i i certainly hope so because i do 

 so now i have so this is the final 

 question and it is a two-parter and so 

 the first part super easy and the second 

 part super hard are you ready 

 i'm ready okay so what do you like best 

 about your job and what do you like 

 least wow 

 that is a very good question and you're 

 like the people 

 [Laughter] 

 honestly um the the thing that i 

 like best about uh 

 my job now is really almost 

 the cross-functional capability uh 

 i can i i feel like i have gotten people 

 who were not 

 into security into security and i've 

 gotten people who were 

 really security heads kind of looking at 

 the performance in the operational side 

 of things and that's where i feel like 

 i'm kind of a mad scientist and i'm 

 putting people together 

 and then seeing where they you know 

 seeing where they go 

 that's that's kind of a neat feeling uh 

 putting people together 

 in a way that maybe challenges them 

 and know that i'm doing it for 

 the good of my organization and for the 

 good of the industry because it's all 

 really we're an ecosystem now we're not 

 isolated anymore um so you know that's 

 probably 

 my favorite part of the job 

 my least favorite part meetings 

 lots and lots of meetings 

 i i i 

 i i don't like them very much 

 i'm trying to be diplomatic i'm not sure 

 i'm succeeding i 

 i it's not that i don't like 

 you know i like the socialization aspect 

 of 

 sharing of ideas but 

 i i feel like you know in my role now 

 sometimes there's so many meetings that 

 we never get to do the thing that was 

 discussed 

 in the meeting so we make all of these 

 commitments and we're gonna do this and 

 we're gonna do that that's a great idea 

 we should do this and i'm glad we had 

 this meeting and then it's like 

 when are we gonna do it i don't know i 

 got another meeting and then 

 we never get to do it and so i 

 you know if i could do my job and 

 maybe cut the number of meetings by like 

 65 i would be much happier 

 and i and i think anybody in this role 

 would just be 

 you know a chance to take a deep breath 

 and at least think about whether the 

 stuff that was in the meeting even made 

 sense because it 

 kind of one runs a meeting runs into the 

 next and the next 

 i'm not sure what i agreed to have you 

 have you noticed that since 

 we've all started working remotely then 

 a meeting 

 will end and you will literally the 

 exact minute later need to click to the 

 other meeting you're like i didn't even 

 get a pee 

 break i don't like i don't have enough 

 caffeine at my desk right now 

 yes absolutely um 

 in fact i've i've started maybe started 

 saying i need to 

 i i need you know i i close every 

 meeting with 

 sorry i have to jump off for another 

 call and i think i need to start saying 

 it maybe two or three minutes earlier 

 so i could go to the bathroom and get a 

 cup of coffee 

 like i was looking at my calendar one 

 day and i'm like 

 like explaining to my sweetheart like so 

 okay so i have like six hours of 

 meetings 

 and then the you know my sweetheart's 

 like were you going to eat today 

 and i was like oh yeah 

 and it's like there literally wasn't a 

 space to do that 

 and i really like eating so 

 eating is i found it to be a necessity 

 right 

 i do it every day 

 [Laughter] 

 i no i i totally agree and i think one 

 of the 

 you know on the flip side of the remote 

 work so both my wife and i 

 are both home i find it just a little 

 bit pleasurable 

 like if i'm not in a meeting in those 

 rare chances i'll pour a cup of coffee 

 and i'll just go up and put it on her 

 desk 

 and you know or she'll do the same for 

 me she sees i mean you know i've got my 

 headset on 

 and you know i look up and there's this 

 cup of coffee there and it's like 

 oh that's you know that's true because 

 yes true love i remember why i married 

 you 

 [Laughter] 

 that's because yeah otherwise i would 

 not remember 

 to eat or drink or you know you know 

 get from one thing to the next to the 

 next um and it's important 

 uh you know you have to keep your 

 strength up everybody take care of 

 yourselves 

 please um it's it's 

 it's hard work and meetings don't seem 

 like 

 a lot of effort but at the end of the 

 day you are 

 just as exhausted and it does take it 

 out of you and 

 i'm learning how to be better at that 

 myself 

 i am with brian on all of this 

 definitely 

 so i hope that all of you were like you 

 know what i should do 

 i should follow brian on twitter and i'm 

 going to repeat 

 his twitter handle and put it on the 

 screen but for people listening 

 it's be like brian t like tanya anderson 

 and then 72. but obviously 

 he was born way before then because he's 

 younger than me 

 and i was born before then so you can 

 like you can tell by 

 hit like don't let the 80s lighting fool 

 you 

 you know youth despite his 20-plus years 

 experience he's somehow in his 30s 

 the the technicolor was really to hide 

 the gray hairs 

 that i discovered that i had 

 and uh yeah i'm gonna keep doing it 

 i don't i don't know what it is but like 

 literally 20 20 i just start getting a 

 ton of gray hair 

 and like i don't know if it's the plague 

 i don't know if it's like 

 working from home it could be anything 

 yeah i 

 i'm i'm with you i'm i'm absolutely i 

 don't know when it started 

 i feel like i aged a decade in in just a 

 few months 

 um i'm i'm hoping 2021 is kind of retro 

 and i can go back to you know yeah 

 we'll all get big hair 

 [Laughter] 

 uh i i love 80s music so how i'll you 

 know go back to prince in 1984 

 and you know a little purple rain i 

 could do that yeah prince rules 

 by the way thank you so much for coming 

 on the show brian i really appreciate it 

 thanks so much for having me it's been a 

 pleasure i hope that every single person 

 goes and follows brian on twitter and 

 then if you're up for following someone 

 else you could follow we hack purple or 

 me 

 she hacks purple um yes it's similar 

 that's on purpose 

 and yes my hair is purple thank you so 

 much and we are going to wave goodbye 

 and then i'm going to do the outro 

 announcement thank you 

 uh and i pressed the wrong button but 

 don't worry i got the right button now 

 okay thank you so much for attending 

 today's 

 event and podcast and we love having you 

 here thank you so much for watching 

 thank you so much to brian anderson for 

 being a totally kick-ass guest 

 thank you to threadfix again for being 

 our sponsor we really appreciate it 

 this was the wehack purple podcast where 

 each week we interview a different 

 person from the information security 

 industry 

 to learn what it's like to do their job 

 because guess what we 

 at wehack purple want you to join our 

 industry if you're not already in it 

 we have tons and tons of different jobs 

 that need a unique person like you to do 

 them 

 and with that i would like to invite you 

 to join the we hack purple newsletter 

 you will get invites to this podcast you 

 will get free content 

 and if you sign up between now and i 

 believe next tuesday when we're sending 

 the invites 

 you will get a free online course 

 because my marketing people have decided 

 we're going to give away courses for 

 free 

 um and so go to 

 newsletter.wehackpurple.com and with 

 that thank you very much i am tanya 

 jenker your host and i will see you 

 next week 

 you