Episode 20 of the We Hack Purple podcast has host Tanya Janca learn what it's like to be an Information Security Officer / Service Delivery and Operations Manager, with Brian Anderson! In Brian's own words: "I'm an InfoSec Manager who straddles both Security and pure IT roles. I've been in IT and InfoSec for almost 20 years. I fell into this by accident, couldn't dig my way out, so I decided to dig in." This episode was an absolute treat!
Follow Brian on Twitter!
Thank you to our sponsor ThreadFix!
Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter for free content and other goodness!
For corporate virtual training contact info@wehackpurple.com
Welcome to the We Hack Purple podcast, where each week we interview someone from the information security industry about their super interesting job. We Hack Purple is a training academy, an online community, plus this awesome podcast. This week's episode is sponsored by ThreadFix, which is powered by Denim Group, and our guest this week is Brian Anderson, and he's going to tell us all about what it's like to be an information security officer as well as a service delivery and operations manager. And I know what you're waiting for, you're like, "Tanya, just bring the guest out." Oh yeah, I'm Tanya Janca, I forgot, I'm your host, and here is Brian Anderson. Welcome, Brian!

Hey, thank you for having me.

Oh, I'm so glad that you could come on the show. And you might have noticed that we have very different lighting. This is because I have Twilight turned on to take all the blue out of my screen, but Brian has the opposite, where he is in 80s TV land.

I was born in 80s TV land. I grew up on MTV, so here we are.

Awesome. So could you tell us a little bit, like, you know, what your title is, and then what is your job like, I guess?
So I have an interesting job that has changed quite a bit over the last couple of years. I started as a systems admin for a luxury brand in New York, and it turned into becoming the information security officer, information security manager, and now I've kind of come full circle. I've added service delivery and operations manager to my title, which makes me both the head of the IT infrastructure team, all the sysadmins, the help desk and all of them, and I manage the security side of things, which makes life "complicated" would be the best word for it. Sometimes I feel just a little bit schizophrenic, I'm not sure which answer to give, the sysadmin engineer answer or the security answer, but I try to give both. That's usually my job.
Okay, I love it. Yeah, so you kind of have almost like a conflict of interest with yourself.

Just a little. The way I tried to describe it was, I was given advice when I really got into security, which was "buy the operations manager lunch," and so I took it quite literally, and I do it every day now. It is sometimes very difficult to know where to draw the line, but at the same time I think the rewarding and positive part is I'm able to bridge the gap that often happens between pure infosec and IT. I try to tell myself all the things that really bothered me when I was in security, do the opposite of that, and then I try to do the same thing for the other side, so I sort of meet in the middle. And I try to treat both of the teams with some independence. I try to make sure that they each have the power to do what they need to do for their own success, but I think the positive is usually a net win for security, because I almost always will make sure to ask and involve, you know, "What's the security team think about this? Where are we going with our strategy?" My job is a lot of talking, talking between teams and talking to the business about both subjects.
So what would you say a day in the life is like for you, like when you go into the office? Because a lot of people were really surprised when I explained that an AppSec engineer needs to be super duper social, but a pen tester actually needs to spend a lot of time by themselves.

I think the thing I wake up to every day and then have to kind of really get ready for is, I'm a mix. A lot of my job is in front of the business. Being the information security manager and an officer, I'm generally the management face of the security team, so I'm the one who is talking to the business about security risk. I'm the one who helped develop the security awareness program. If there is an incident, generally I'm the one who's trying to relate it to the business, outside of what the analyst team and what the incident handlers are doing, so I'm sort of doing the translation for them. On the operations side it's a lot of project management and making sure everybody is getting things done day-to-day, but also trying to make sure that I've got enough resources to focus on some of the things that security really gets bugged about, like patching. I'm glad that I have the ability to say, "You know, security guys, I got this, we're gonna go patch, we're gonna go do these things," because that's part of the job, so it's a win. But it's wearing a lot of hats. It's being able to do a little bit of everything. I don't always want to be social, but I kind of have to sometimes, and then there are times where I have to push everybody away and say, "Okay, now I have to focus on the behind the scenes. Let me sit down with an analyst and figure out what's going on with this packet capture," kind of thing. So it's a little bit of everything.

When you start doing two jobs, because I've had this happen to me before, they're like, "Oh, this person left and now you're gonna do all of their work." Did you start getting two paychecks?
I asked. Yeah, that was certainly a concern, and I would not turn it down today if I had both Ryan's open.

If you want to send more money, like, he is okay with that.

Yes, absolutely, absolutely. But I guess, to be fair, the opposite was when they offered me the position. I can't go into detail about all of the planning behind it, but I remember the call. I was on the way into the office, and so it was really early in the morning, and I get this call and they say, "Can you stop by HR as soon as you get in?" And so I had the opposite feeling. It was not "you're going to get offered a new position," it was "oh God, I've been fired, I gotta call my wife." Everything that you've done recently, it's like, that didn't seem that bad, what did I do wrong? It's like, "Oh no, we just want you to do more work."

Oh wow. Okay, good work rewarded with more work.

But it is rewarding. It's sort of getting told that I've been doing a good job on two fronts, because like I said, my background coming into tech started on a help desk, I don't know, 20 years ago, and it was becoming an engineer, becoming an Exchange admin, and then getting into security, getting into networking. So I've come full circle, and it feels a little bit like they're saying, "Hey, way back when you started this you had a good idea, we kind of want you to keep doing it," and so it does feel pretty good sometimes.
Have you worked there a long time? It sounds like it.

Yes, I've been there for a long time, a long time, but it wasn't really the beginning of my tech career. Before that I was in Chicago. I did some consulting work. I started on a help desk for an insurance company. A lot of my experience is with small companies, which I really specialize in, and my company, despite the brand, still acts like a small company, and I like that.
Yeah, okay, so I have more questions. So what types of personality traits do you think someone needs to be good at your job? Like a good listener, or lots of leadership, or maybe they need to be good at punching? Just kidding.

I'm not good at that, so I would fail miserably. I think one is communication, really being able to translate really complicated concepts and break them down into something that's digestible. It never gets simple, because when you try to get too simple, people really kind of miss it, and they want to boil it down to incompetence or what went wrong, and it's not that simple. I think for me a lot of it is I look for a good communication skill, which includes listening. It requires a lot of multitasking. It's never the same thing every day, and even early on, before I became a security manager, I was often working in environments where you were doing multiple tasks. You were both the analyst and the incident handler, and you were trying to develop something for some sort of educational benefit, and you're trying to teach a little bit, and you're trying to do this and you're trying to do that. So I really look for the ability to multitask, to take off one hat, take a deep breath and say, "Okay, I'm gonna switch gears and do something really different than what I was doing just a few minutes ago." And I try to take advantage of being able to learn quickly. You don't have to know it all, but you do have to pick up from others, especially new concepts or new ideas or new ways of doing things, in a really short period of time, because there's not a lot of leeway when things go wrong.

Seriously. Oh my gosh, it feels like you have to be able to handle a lot of different things at the same time, well, be organized, and also you must have to make a lot of decisions.
Yes, decision making is important. I think the biggest decision to make that I advise, and I've been really talking a lot to some of my team members to try and empower them to make decisions, is the decision of when to delegate to someone else a task that I either don't do well or that I just simply don't have time to do. And I'll be honest, it's not easy to do. I know I'm the kind of person, if it's mine, I'm going to hold it kind of close to my vest, but it's been kind of beaten out of me at times where either deadlines slip, which is not good, or the opposite, really, that people don't feel like you trust them. And I think that's really, really important. Trust is critical with a team, in security especially.

Yeah, we have to trust each other.
Yes. And so in French, so I speak English and French because I'm Canadian and some of us do that, and in French we say "I take a decision," but in English we say "I make a decision," and sometimes I feel like to be a leader you have to take the decision, if that makes sense, because you have to be, especially if you're doing incident management, sometimes you have to be like, "This is the decision, now let's go do it." And some people just can't. You know, like those people where they spend 10 weeks buying a pair of pants, you're like, you can't lead a security team because you can't do that with security.

Yes, yes, yes. I think you're absolutely right. I think one of the most important parts, especially with the security teams, a little different with operations, you want to sort of foster that creativity and let people debate endlessly until you come to the right decision. With security, time is a factor, and so at a certain point, you let everyone talk, you want everybody's voice to be heard, you want that diversity, but at a certain point one of you is going to have to say, "Okay, here's what we're going to do next." And you can always go back and ask more questions about other ideas. You don't want to throw anything out, but there's a certain point of authoritativeness that's really important. And afterwards I tend to have to go back to my team and say, "Hey, I'm sorry, I didn't mean to cut you off. I want to hear more about that idea when we're not doing this, because there may be some value." So yeah, that is a big challenge.
Oh, I love it. Okay, so we have a bunch of people watching, and I want all of you to know that you should click the thumbs up if you're enjoying this. I did. Just kidding, I will after, because I'm busy talking to Brian. But also, if you want to ask Brian a question, you can put it in the chat. And I follow Brian on Twitter, that's how we met, basically. I was just like, it's like Brian says everything on Twitter that I'm too afraid to say, like my thoughts. Like I'll have a thought in my head, I'm like, oh, Brian just tweeted that, yep, and then I'm gonna like it but then be too afraid to retweet it, but I'm like, oh, he's so spot on so often.

I feel a lot of pressure now.

No, but like, you say a lot of really good security things. You say a lot of things about politics, so because I'm Canadian I tend to only comment on Canadian politics, but our countries are neighbors, and I look across the way and wonder what's happening sometimes. But I try not to comment, because I know that when other people from other countries make comment about our politics I'm like, "Back off, you don't understand, blah blah blah." Like someone that I like made, yeah, someone was making some comments about gun control in Canada, and I almost lost my crap on him. I was just like, "Actually..." and he's like, "It's a right," I'm like, "No, that's in your country, go home, you're drunk." And we're still friends. But so I know I can feel like very, like, we have a different culture, right, and I shouldn't comment on their culture, but I like reading Brian's comments, and so I'm going to say his Twitter handle out loud for people that are listening. So it's at B like Brian, T like Tanya, Anderson, and then 72. So also you could just tweet at me and say, "Yo, how do I follow Brian?" Or you could go to our podcast show notes, which are at wehackpurple.com/podcast.html. We're getting a new website soon, so it'll probably be somewhere else in a few weeks, but for now it'll be there.

But that said, I am supposed to promote something on behalf of We Hack Purple. I am not in charge of marketing now, so someone else is in charge of it, and they have good ideas, and so we're giving away two free email courses. So basically, for one week we'll teach you a thing for free, and the first one will be incident response, and the second one will be scaling your security team. So the incident response one will be about how to respond to a software security related incident, and then scaling your team, like how to do a security champions program, what you should delegate and what you should not delegate, because you're going to screw that up. And so if you want to sign up for this, haha, the trick's on you, you have to join our newsletter. So the newsletter is newsletter.wehackpurple.com, pretty obvious, right? Okay, I'm done my marketing now, Brian, for now. Then I'm gonna talk about ThreadFix later. So now I have more comments and more questions.
So your job now, you might not think it's super technical, but you're able to make a lot of decisions easier, probably because of your extensive technical experience. What types of technical skills do you feel someone needs to have, or experience that they would need to have, to be able to be good at it? And can you explain it for each different job, because you sort of have two jobs in one. Would that be okay?

Sure, no, that's absolutely possible. I am by nature a generalist. I love all of it, and what I found from a technical level for both jobs is that understanding a little bit about everything helps, because especially nowadays all of our technical experience is intertwined. We're rarely on a team of people who just do one thing, and so I try to encourage people to have the broadest base of technology that you can. Learn a little bit of coding, learn a little bit of network engineering, learn a little bit about systems and software and operating systems, so that you can be cross-functional, because I think it's very, very difficult now to find an IT department or a security department where we're not crossing boundaries all the time. My dev team currently is very small, and if I need coding help I have to either figure out how to do it myself or go to others to do it. So it helps me to have a little bit of understanding of how to do Python and how to work with this and how to work with that, a lot of integration. So what I really recommend is grab it all, because you don't really know until you're in the environment and into the job which is going to be the strongest part of your skill set that you're going to need for that particular organization or operation. You might go in thinking, I went in thinking I was going to be an Exchange administrator, and now they don't let me touch email at all, except phishing. They let me do phishing, that's it.

So you click on the phishing emails.

I set them, forget that I set them up, and then I nearly clicked them. But then, if you follow my Twitter, you know that I don't find phishing tests to be all that helpful in terms of education. There are some benefits to them. I really do believe that you can get value out of it, just not, you know, I try not to punish people for...

Oh no, no. Positive reinforcement rather than punishing for failing.

Fo' sho'. I mean, for sure. No, absolutely. I mean, I think one of the other skills that I really push for from people is compassion. Really understand that the people that we work for are just people. They're good people, they're bad people, they're competent, they're scared, they're insecure, sometimes they're... sorry, can I say that? But mostly you have to figure out how to set up a program that incorporates all of them, and all of us. So there's not really a single skill or a single technology that I would say everybody must learn. Learn something, but find something that you're happy learning about, because you're gonna have to do it for the rest of your career, whether you want to or not.

That is so true.
I would like to note that I agree with basically everything Brian said, and I really like the idea of trying to get the broadest technical experience you can, so that you can see things from the other side, but also so you can make the absolute best decisions for your organization, both so that the solution you find is good, but also that the solution you find is secure, because sometimes you have to be super creative and understand another way to do something so it can actually be a good solution and a secure solution. Someone was tweeting at me earlier today, "Tanya, I'm reading your book, Alice and Bob Learn Application Security," you can get it on Amazon, but they're saying to me, "Oh, like you said, users don't like CAPTCHAs, and that we should use a cross-site request forgery, like an anti-CSRF token, instead, but that doesn't stop brute force attacks." I'm like, okay, so you're only on chapter two. If you keep reading, we're going to talk about defense in depth and layered security, so you could do a CSRF token, but then you can also set up resource quotas, throttling, alerts and all these other things so that you can catch the bots, so that you can slow them down and annoy them and just cut them off. Also you can block IPs. There's so many things you can do. But CAPTCHAs still suck from a user experience perspective, but if you don't know there's these other options of things you can do instead, you'll be that security person that says, "You have to use a CAPTCHA, because brute force," and you're like, actually, there's multiple ways to solve this problem. And so, like, what can we do that is a good solution but also a secure solution?
Yeah, I 100% agree with you, 100% agree. I think one of the things that, when I talk to my teams about it, is about user experience. We've really started trying to capture metrics about it, like how do we explain what people are going through when they're using the application or the platform. And we asked the question outright: how much multi-factor is too much multi-factor? And we haven't gotten the answer yet, but we're getting there, because we realized, yeah, I mean, the security answer is put multi-factor on everything, and I do agree. And so I look at my phone and I've got four different authenticators, and I can't remember which one is for which one, and then I'm struggling to find which one is the one-time pass, and then it times out and I have to do it again, and then by the time I have to do it that second time, I'm done, I'm not using that application. And then it's like, "Well, yes, it's secure, but nobody's going to..." It's secure, I can't do the user, I don't want to use it. And that's where I think my job, having both the operations side and the security side, really is a benefit, because I think I now have a lot more understanding of, well, we're looking at system performance on the operations team and we're saying, "Well, how come nobody is using our application?" And then you turn and you look over and there's the security team, and we're all proud, and we're like, "Oh, we're the ones that are making this not work." So now we're really working to create that balance, to make good solutions as opposed to just secure ones, and it's helping. I think as an industry we have to look towards that. What's the experience?

Yeah, I believe that it is the security team's job to enable everyone in the business to do their jobs securely.
Yes. And if we remember that, like, oh, I'm disabling this dev from doing their job by sending them a link to NIST and saying, "Figure it out yourself," when they've asked for help, and this is when they roll their own encryption, or write their, "I'll just write my own session management and authentication and authorization, because I'm not aware that the one in my framework is probably the best one for me to use. I'll definitely write my own. I know better than all the people that designed this framework," right? But it will never work. But we have to support them, because they have a job to do, right? They're like, "I need to authenticate my users, like I need to do that, and I'm still gonna do it whether you help me or not, and you might not like the way I do it."

Yes, that is absolutely true. One of the things that I learned before I started in this role, as a consultant, a lot of the clients that I was working with had no security team at all, and so I was kind of doing security as a value add to the consulting job. Like I may not have even been brought there to do it, but the thing that I tried to do with, and got from them, was a lot of people feeling like they weren't getting good security advice. And it wasn't that they weren't getting any, they were just getting to a point where it was very frustrating, and they were going to do what they needed to do to do their job. And I think the thing I got from them was they had a different risk matrix than what they were putting on paper. When we talked to them about risk, they were thinking about the organization's risk: the loss of reputation, the loss of income and revenue, work stoppages and so on, and they were putting those all in the matrix, and it made sense. What was missing was the individual who was saying, "Yeah, all those things are true, but if I don't do this, I'm afraid I'm going to get fired, and that's a bigger risk for me." And that was a real turning point. People were going around security not because they didn't believe in security, but because their risk was, "I don't want to get fired. I want to be productive, I want to do my job, I want to get my paycheck, I want to go home, and if you make that hard, I get insecure and I get nervous." And once I started to see it that way, I start to see it that way. I'm a little worried when things take too long and I'm not being as productive, and my boss is, "How you doing on that?"

Well, yeah, yeah.
I was explaining, so I had a meeting with a client today and I was explaining to them, if they ask us for help and then we send them a page, like, so I've seen this where security teams send a link to NIST, or they send a link to the Canadian equivalent, which is ITSG-33, or they will send a link to OWASP's ASVS, so Application Security Verification Standard, which is an 80 page Excel spreadsheet for pen testers, and it totally kicks butt if you want to do pen testing. But I'm like, it's the equivalent of all of us gathering in a room and then just putting up our middle fingers and then taking a selfie and then emailing it to them. That's what it feels like to receive that email if they asked us for help and we were like, "Nah, they know how to use Google. They know."

Yes, that is... and what we don't want to admit is that we don't really like reading NIST stuff either. I mean, I love their guidance, I've read through it, but not pleasurably, no. It's a lot of research and grinding, and it's technical, and it's sometimes overly technical, and it's not fun, and if it's not fun it will not get done. I didn't mean to make that rhyme, but it's not fun if you have to do it that way. And so we have to find ways to communicate in a way that makes sense to the business and to the organization that we're working with.
So now that we are halfway through the podcast, I'm going to thank our amazing sponsor ThreadFix. They make the most stupendous vulnerability management system this side of the galaxy, and they're extra wonderful because we just signed a deal with them to sponsor basically until we don't have guests anymore for the podcast. And so next week is Ubik Security, but from then on it is just going to be us and ThreadFix partying all the time on the We Hack Purple podcast, and I want to thank ThreadFix for basically their completely unending and generous support that they have had of We Hack Purple. They do so many nice things for us, like more than just sponsor us. So thank you Dan, thank you Sheridan, and all of you, you're great. And also I want to note that we just got swag, so we now have a swag shop, and I told Brian that I would just pretend to drink out of it. I also have t-shirts, but I couldn't think of a non-awkward way to just jump up and be like, "Everyone, look at my chest," because I was wearing a Superman shirt one week, and then I was like, "Everyone, look at me," and then some male fans commented that they had conflicted feelings about that, and I was like, oh, I'm so embarrassed. Okay, so note to self. So maybe next week I'll be like this, I'll be like, "Yeah, what's up," from really far away, so that people could see my t-shirt. But yes, all of those things.

Okay, so Brian, let's say someone is like, "I want to try one day to be an information security officer, I would like to try to lead a security team," and/or they want to, because anyone can listen to this podcast, it's not necessarily just security people, and maybe someone wants to be the manager of operations and they want to do service delivery and they want to be good at it, and so they want to get training and experience to lead up to that. What types of experience should they try to get, or training, might be good so that they could be prepared and be excellent at this job, slash apply and not get screened out?
That is a really good question. I love it. A few years ago I probably would not have been able to answer it, because I really didn't know what it would take to be a security officer. I think my experience has been, the first, I think, is to never sell your own experience short. I really like, particularly in security, seeing people bring their non-security experience to the table, because our job is to relate to the business, and most of the business is not security. Unless you work for a security company, you're not doing that. You've got to explain and manage risk for people who are worried about something else. So the people that I look for are looking for pragmatic solutions, and they're bringing those solutions from somewhere else. And so if you have experience in finance, bring that. If you have experience in marketing or shipping or logistics, bring those experiences, because the pragmatism will really do you good in a role as a security officer or managing an operations team. It's a lot of pragmatism. It's a lot of, what's the simplest way to kind of get to a solution, because (a) you don't have time, and (b) you probably don't have the budget to do something that is going to be as extravagant as you think it is when you had this great idea. You're like, "I got this great idea," and then you go, "Okay, but you only have two thousand dollars to do it with. Oh well, then let me come up with something very pragmatic to work on it." So bring your skills from everywhere, and I think it's really important for diversity. Bring everything that is in you to the table. If you're only going to come in and talk tech, you're going to struggle in a management or an operations role. If there was something that I wish I had learned before I really was in the job, I would definitely recommend taking some management courses, and non-tech management courses, just how to relate to having a team underneath you of sometimes very diverse and sometimes very opposite personalities. I'm blessed with a very diverse team culturally, but sometimes I have to keep in mind that those aren't always... it sometimes is a little push and pull. Sometimes you have to recognize that not everybody recognizes the same holiday, so having some training in that definitely helps. Understanding business in general, as opposed to the tech side of business, is also helpful. So I would say those are some of my top hits of things to learn, things I wish I had learned before I had the job.
I definitely agree with you on that. So I am in the weird situation where I have only ever worked in tech, and I was a professional musician, and I did comedy and acting. If you look me up on Spotify, that's me. So I have this weird, very concentrated set of whatever. Then as I got older and I was trying to move up the ranks in tech, I had to learn a lot of communication skills, because I was used to either talking to really drunk people who would come see me play music, or just being in my cubicle coding by myself. It was like, "Oh, I have to speak at people, and I have to be a little more graceful," let's say, than I was when I was younger, not quite as direct as I could be at times. Yes, Brian is laughing because we both like to get to the point of things. I have sometimes said something and really wished I could pull that back.
No, I totally agree. Communication is really important, and communicating a lot of times on different levels. When I am doing in-person security awareness training, I'm talking to people who may very well have come from very different perspectives, and their vocabulary, their understanding of technology, may be very different from mine. One of the things that I've learned, and I think I said it somewhere once and it became kind of a mantra when I look back at my presentations, is: look for things that are true but not helpful, and then take them out. Because I'm notorious for it. I have gone in and given a presentation and gotten really technical, and, being from security, I've said things that were absolutely true, 100% true, but absolutely not helpful. And the faces glaze over and the eyes glaze over, and they're looking at you, and then they're like, "I hate this."
Oh my gosh, Brian, I teach secure coding, and I got hired to plan a training program, and they're like, "Oh, this is the training we gave last year," and there was six straight hours on encryption, like asymmetric versus symmetric. And it was an intro to secure coding for devs, and I'm like, why are you wasting their time? This is almost a day's worth of wasted time. My boss was like... but I'm like, no, they need to know: it's encrypted in transit, it's encrypted at rest, these are the settings I want for your security headers, these are the settings I want for your cookies, and then that's it. So go home. Next. Because I have so much crap I need them to know, and you can't waste four to six hours on this. I have stuff to do that I need to teach them, and that's not it. So they had hired this really highly paid consultant, and then here I was coming in as a person that had been a dev forever that had just switched to security, and I was like, no, no, just throwing it away. We printed it out and I was tossing the stuff over my shoulder: no, no, no. And yes, removing stuff that is not helpful. Like, you might want to dive down a tiny bit of a rabbit hole if, for instance, you're like, "Here's the reasons why using HTTPS everywhere is important, here's the risk." But they all need to know the ins and outs of asymmetric versus...? No one cares. And, oh yeah, Diffie-Hellman: this guy, you know, it's named after a dude. And no one gives a crap. They have stuff to do.

Yes, yes.
Absolutely. And I mean, I love firewalls, I do. I have this weird love for them. One of my first introductions to security was working on firewalls, and I'm the same way. I will talk your ear off about all sorts of things, and the differences between stateful and all these extra add-ins that have been added over the years, and then you realize somewhere about a half hour into the conversation that nobody's following. They don't care. Even the security people are like, "Yeah, okay." It's really important, and a lot of times, especially in security, your boss may not be very technical at all. A lot of security teams actually come under finance, because of internal controls for that organization. And if you want to talk to your CFO about Diffie-Hellman, you have wasted your time. You need to buy that person a beer.

Yes.

They'll listen very comfortably, and they will walk away: "My beer's done, I have to go, thank you." And then you'll wonder why you're not invited to lunch as much anymore.
No, it's true that communication is really important. Knowing your audience is really important. Translating risk into very different concepts for different people and coming up with new analogies... I think I spent a lot of time coming up with a new analogy for how I can explain this bad thing that could happen. It is kind of like an exercise. I should start setting time aside in my calendar and say, what's the new analogy for how I can explain it? Because it's a skill, and it's not one that I think comes easily, but when you find someone who has it, they're dynamic. There are people I think that we both follow on Twitter that when they hit it, it's like, "Oh my god, I can't believe it, they just made this so simple for us."

Yes, and then I save that somewhere.

Yes, because it is okay to use great examples that other people gave.

Yes, I certainly hope so, because I do.
So now I have... so this is the final question, and it is a two-parter. The first part is super easy and the second part super hard. Are you ready?

I'm ready.

Okay, so what do you like best about your job, and what do you like least?

Wow, that is a very good question. And you're like, "the people."
[Laughter]
Honestly, the thing that I like best about my job now is really almost the cross-functional capability. I feel like I have gotten people who were not into security into security, and I've gotten people who were really security heads looking at the performance and the operational side of things. That's where I feel like I'm kind of a mad scientist: I'm putting people together and then seeing where they go. That's kind of a neat feeling, putting people together in a way that maybe challenges them, and knowing that I'm doing it for the good of my organization and for the good of the industry, because we're really an ecosystem now; we're not isolated anymore. So that's probably my favorite part of the job.

My least favorite part: meetings. Lots and lots of meetings. I don't like them very much. I'm trying to be diplomatic; I'm not sure I'm succeeding. It's not that I don't like... I like the socialization aspect of sharing ideas, but I feel like in my role now, sometimes there are so many meetings that we never get to do the thing that was discussed in the meeting. So we make all of these commitments: we're gonna do this, and we're gonna do that, that's a great idea, we should do this, and I'm glad we had this meeting. And then it's like, when are we gonna do it? I don't know, I got another meeting. And then we never get to do it. So if I could do my job and maybe cut the number of meetings by like 65%, I would be much happier, and I think anybody in this role would just be... you know, a chance to take a deep breath and at least think about whether the stuff that was in the meeting even made sense, because one meeting runs into the next and the next. I'm not sure what I agreed to.
Have you noticed that since we've all started working remotely, a meeting will end and you will literally, the exact minute later, need to click to the other meeting? You're like, "I didn't even get a pee break. I don't have enough caffeine at my desk right now."
Yes, absolutely. In fact, I've maybe started saying... I close every meeting with "sorry, I have to jump off for another call," and I think I need to start saying it maybe two or three minutes earlier so I could go to the bathroom and get a cup of coffee.
I was looking at my calendar one day, and I'm explaining to my sweetheart, like, "Okay, so I have six hours of meetings," and my sweetheart's like, "Were you going to eat today?" And I was like, "Oh, yeah." And there literally wasn't a space to do that. And I really like eating.

Eating is... I found it to be a necessity.

Right. I do it every day.
[Laughter]
No, I totally agree. And I think on the flip side of the remote work, both my wife and I are home, and I find it just a little bit pleasurable. If I'm not in a meeting, in those rare chances, I'll pour a cup of coffee and I'll just go up and put it on her desk, or she'll do the same for me. She sees I've got my headset on, and I look up and there's this cup of coffee there, and it's like, oh, that's true love; I remember why I married you.
[Laughter]
That's because otherwise I would not remember to eat or drink, or get from one thing to the next to the next. And it's important. You have to keep your strength up. Everybody take care of yourselves, please. It's hard work, and meetings don't seem like a lot of effort, but at the end of the day you are just as exhausted. It does take it out of you, and I'm learning how to be better at that myself.
I am with Brian on all of this, definitely. So I hope that all of you were like, "You know what I should do? I should follow Brian on Twitter." I'm going to repeat his Twitter handle and put it on the screen, but for people listening, it's B like Brian, T like Tanya, Anderson, and then 72. But obviously he was born way before then, because he's younger than me and I was born before then. You can tell by... don't let the '80s lighting fool you.

Youth. Despite his 20-plus years of experience, he's somehow in his 30s.

The Technicolor was really to hide the gray hairs that I discovered that I had, and yeah, I'm gonna keep doing it.

I don't know what it is, but literally in 2020 I just started getting a ton of gray hair, and I don't know if it's the plague, I don't know if it's working from home. It could be anything.

Yeah, I'm with you. I absolutely don't know when it started. I feel like I aged a decade in just a few months. I'm hoping 2021 is kind of retro and I can go back to... yeah.

We'll all get big hair.
[Laughter]

I love '80s music, so I'll go back to Prince in 1984, and a little "Purple Rain". I could do that.

Yeah, Prince rules.
By the way, thank you so much for coming on the show, Brian. I really appreciate it.

Thanks so much for having me. It's been a pleasure.

I hope that every single person goes and follows Brian on Twitter, and then if you're up for following someone else, you could follow We Hack Purple, or me, SheHacksPurple. Yes, it's similar; that's on purpose. And yes, my hair is purple. Thank you so much, and we are going to wave goodbye and then I'm going to do the outro announcement. Thank you. And I pressed the wrong button, but don't worry, I got the right button now.

Okay, thank you so much for attending today's event and podcast. We love having you here. Thank you so much for watching. Thank you so much to Brian Anderson for being a totally kick-ass guest. Thank you to ThreadFix again for being our sponsor; we really appreciate it. This was the We Hack Purple podcast, where each week we interview a different person from the information security industry to learn what it's like to do their job, because guess what: we at We Hack Purple want you to join our industry if you're not already in it. We have tons and tons of different jobs that need a unique person like you to do them. And with that, I would like to invite you to join the We Hack Purple newsletter. You will get invites to this podcast, you will get free content, and if you sign up between now and, I believe, next Tuesday when we're sending the invites, you will get a free online course, because my marketing people have decided we're going to give away courses for free. So go to newsletter.wehackpurple.com, and with that, thank you very much. I am Tanya Janca, your host, and I will see you next week.