We Hack Purple Podcast

We Hack Purple Podcast Episode 41 with Alyssa Miller

June 11, 2021 tanya janca / Alyssa Miller Season 1 Episode 41

 Host Tanya Janca learns what it’s like to be a BISO (Business Information Security Officer)! Alyssa Miller has had a very exciting career, and has a LOT to share with us on how to climb the career ladder in Cyber! https://twitter.com/AlyssaM_InfoSec

Thank you to our sponsor ThreadFix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

Find us on Apple Podcast, Overcast + Pod 

Tanya: Hello and welcome to the We Hack Purple podcast, where each week we meet a new and interesting person from the information security industry and they tell us all the secrets of how they got to where they are today. This week is sponsored by ThreadFix, which is powered by Denim Group, and our guest, who I know a lot of you have been waiting for, is Alyssa Miller. I'm super excited, so I'm not going to go on and on. Let's just bring her on out and say hi.

Alyssa: Hi! Hey, how are you?

Tanya: I'm good, how are you?

Alyssa: I'm doing great, really excited to be here. This is cool, thank you. Let's do this.

Tanya: You have a new-ish job, and I was excited that we could talk about it, because we haven't had anyone on yet who's a BISO. When you first told me "I'm getting a new job and I'm going to be a BISO," I'm like, I am excited for you, what does the B stand for? I was wondering if, for people who are hiding under a rock, you could tell them who you are and kind of what you do, a little bit about you, maybe your book even. I can plug all sorts of good stuff.

Alyssa: Yeah. Hey folks, I'm Alyssa Miller. As Tanya mentioned, I am the Business Information Security Officer, that's what the B stands for, for S&P Global Ratings, and we can talk about what that means. Basically I've been in security for 16 years, and before that I was a developer. Lifelong hacker; I mean, I was breaking into Prodigy when I was 12 years old. Some of you, I'm sure, we've met before on the Twitterverse, or we've met each other at conferences. I do a lot of public speaking, as I'm sure some people know. That's really who I am. Long walks on the beach, yada yada, you get it.

Tanya: Awesome. Could you tell us kind of what your job is about? Because a lot of people don't know, and a lot of people watch this podcast so they can learn about not necessarily their next job, but a job they want to have some day.
Alyssa: Sure. It's funny, because I knew when I took the job I was going to get that same question you had from so many people, so actually I even wrote a blog about it. The business information security officer means different things in different organizations, quite honestly; it's a fairly new role. In my case, and what I think is the bulk of the cases, my role is similar to what a divisional CISO would do. A lot of larger organizations have that centralized security team, but then you've got CISOs that sit over the top of each of the divisions or business units. That's kind of what my role is. One thing that's a little different, though, is that I report into the technology team within the division, the divisional CTO's organization. The focus of my role is really to act as the bridge between our centralized security (CISO) organization and the business. Security is pushing things down to you all the time saying "thou must do this, here's new standards, here's new tools," whatever; I take that and apply it to the business in a way that makes business sense, so that we're doing it as frictionlessly as possible. Of course, to do that requires a flow of information the other way, and that is really bringing business context to the security team: helping them understand, okay, yeah, we need to reduce the number of open vulnerabilities, well, let's talk about how we can do that, where that fits within our pipeline and our particular SDLC, and how to make that work.

Tanya: That sounds hard, not easy.

Alyssa: It's a reasonably large division that I'm in, so there are lots of people to talk to and lots of things going on. We're in the middle of a huge transformation, not just to DevOps and CI/CD, but add in all the cloud native that goes with that, add in a bunch of other strategic initiatives that have us working on things like applying blockchain in a practical way.

Tanya: Oh god.

Alyssa: Everybody talks about when you're using it properly; what, actually using it for something other than cryptocurrency? AI/ML of course comes into play, especially when you're in analytics. I said Global Ratings; ratings, being like a credit reporting agency, in our case for large organizations and countries as opposed to consumer credit. So AI/ML comes into play. There's a concerted effort to remove legacy applications, all this stuff. There is a lot going on, so it's really complex. On the bright side, compared to a CISO, I don't have to worry about a lot of the operational security side of it. Things like endpoint protection on our workstations, well, that's handled at the corporate level; there's not a lot I have to do. There are some things, because obviously some of that does impact how we do our business, so there are times where, if we're putting in some new DLP or something, that might be something I have to be involved in and help facilitate some of those discussions. But yeah, it's definitely complex, it's exciting, it's challenging, but it's also a heck of a lot of fun.

Tanya: I feel like it would be kind of exciting to lead a team of professionals and set goals and then go kind of smash those goals together. I'm imagining Braveheart a bit, except you look better in blue, and all the people are running behind you and they're like, securing all the things. Am I imagining... is this a regular day for you, or no?

Alyssa: Less. It's a little less of that, because unlike a CISO I don't have a dedicated security team within my division. It's really motivating; it's actually kind of interesting. I came into this role
and I thought the bulk of my focus would be how do I really bring the security message in a credible way to the business, right? How do I get them motivated to do the security things, work on AppSec, get them up to speed, and whatever. There is definitely that part of it, but surprisingly it's the other half of what I explained in my job that's taking up the majority of my time: working with the security team and trying to help them understand how we need to structure their security initiatives to fit into what our business is doing, how to make things, this is a funny way to say it, more frictionless. So I'm spending a lot of time there as well, which is not a bad thing, because hey, security people talking to security people. It's just trying to build that empathy from their side, to really understand: look, here's the business, this is how we function, here's our massive regulatory environment that we have to deal with. And then on the flip side, I do have this massive engineering organization that's going through and doing all these really cool things with a lot of exciting technologies, and so being able to get in early with them on a lot of these projects, where they're asking the questions. I just had a meeting on one of these yesterday, kind of that architectural planning: "we want to do this thing, but we don't want security to yell at us and say we can't, so how do we do this in a way that's going to work?" It's a lot more of that. It's really collaborative, it's a lot of fun, because I'm getting to see a lot of really cool technologies and learn things that I never really got a lot of exposure to before.

Tanya: That's cool. So what is the average day like? I find a lot of us are surprised when people tell us what the average day is like. We had someone on last week and she was saying she has to make a presentation almost every day, and I was like, what? I didn't know that was a thing you'd have to do; that's a lot. It just didn't occur to me before. So could you tell us what an average day might be like in your job?

Alyssa: It's a lot of meetings, quite honestly. It's a lot of meetings, because there's a lot of stuff to be done that way. More than anything else, I don't have to do a lot of presenting; a lot of what I'm doing is that consultative work. We've got weekly scrum meetings that I'm involved in; we of course have weekly planning meetings; we have monthly board meetings that I need to be involved in, and those will start to become more presentations for me at certain times, and there have already been some of those where I've had to present different topics to the board for one reason or another. Like I said, a lot of these meetings are just: hey, we're sitting down to plan something, we're looking at the architecture of something, we're updating a standard and we want to make sure we get that standard or that SOP laid out properly. Right now I'm working through trying to build my roadmap: from a security perspective, what is our security strategy going to be across this division? A lot of that right now, when I'm not in meetings (and even this turns into meetings sometimes), is trying to build out a real understanding of our current maturity and then, okay, how are we going to build from that? There's a lot of tactical stuff too, because a lot of those meetings are also regulatory. There are generally two or three regulatory or audit reviews going on at any one time, just because we are so heavily regulated, being a credit reporting agency. I mean,
think about it. Honestly, if we release a credit rating that's inaccurate, we can screw up the economy of a significant country. So we have to be regulated well and we have to do the right things. It's interesting, because no day is ever quite the same, because there's always something new. It's a good mix of those tactical things, but then also really working on building out this strategy, and just trying to connect with my organization, let them know too: hey, I'm here to help you. I can make life easier so you don't have to deal with the security people that you kind of have this combative relationship with that always seems to show up. Let me take that; I'll work with them and make this work between the two of you.

Tanya: It almost feels like, I know I'm simplifying, but it almost feels like you're a translator, but also at the same time a peacekeeper.

Alyssa: Yeah, there's some of both. It's funny, I just had exactly that conversation with my CTO today about a situation like that, where I was on a call with someone from our analytics team and someone from our information security team. The information security team is kind of saying, "we've got to do things this way, this is how it has to be," and on the other side the business is like, "well, it can't be that way and I'm going to escalate, and if you do that we're just going to find a way around it." And I'm like, whoa, slow down. And I talk to both sides: all right, let's think about this. Security, you need to understand, here's the business concern. But business, you also need to understand your business is enabled by more than just this situation you're thinking about, and there's this bigger situation that security's trying to help with that you're not seeing. You're missing the bigger picture, right? So a lot of it is that translation and a little bit of peacekeeping, just to help people understand: look, we're actually all on the same side here. We all want to do the right thing; it's just how do we get there, and how do we make sure we're doing things in a meaningful, methodical way and for the right reasons. Security understands that if the business can't do the business, they might as well not have jobs, right? If we aren't making money, you guys don't work anymore. They get that. It's just finding that nice balance.

Tanya: We have a bunch of good questions in the chat. From Dwayne: do you have a direct line to the CEO in your position?

Alyssa: As far as, can I pick up the phone and call him if I really wanted to? Yes. I'm probably not that tight with the CEO. Divisional president, absolutely. Anybody in my executive committee at the divisional level, most of the executive committee at the organizational level too. Honestly, I just haven't had the opportunity to build much of a relationship yet with the CEO, so I probably wouldn't unless it was something really significant, but if I really needed that level of escalation, yeah, I would feel empowered to reach out to the CEO as well.

Tanya: Cool. We have another question from Dwayne: how was, or is, your position received by IT middle management and executives? Because I totally see people being like, this huge sigh of relief: she's here. So what do you think?

Alyssa: Thankfully I wasn't the first BISO at S&P. One of my peers in a different division was the first, and I know there was definitely some resistance from the IT side. There's still some. But now that I'm here, and another division just hired their first BISO, so we've got three of us now, it's starting to take shape where
we can unite and come with a collective vision of here's what we need from the business side, and we can have more productive conversations with security, instead of security trying to have one conversation with one division, then another conversation with another, and another. We've now established weekly touch points where we bring all of the BISOs together with the infosec team and we talk through things, and that's been really productive. I think it's helping with some of that concern, because there was some resistance, from my understanding, as they were launching these BISO positions. But from the executive level, I think they enjoy it. I know within my division they do. My CTO is the one responsible for creating it in our division, so he was very happy to bring it on board. I definitely work with our CRO and the division president; CRO stands for chief risk officer. As you can imagine, I work a lot with both our divisional CRO and the corporate CRO as well, because anything security is generally going to tie to risk somehow, so there's a lot of connection. In fact, our CISO reports to that corporate CRO, so again, a lot of chance for that type of relationship building as well.

Tanya: Cool. We have another, again totally awesome, question from Dwayne. He was saying, what types of topics do you feel should be taught in IT courses or business courses for infosec majors and business majors? Because risk is a part of business and infosec applies to every business now, right? And what types of training programs might prepare someone so they could become a BISO someday? Wow, that's like three questions in one. Dwayne is hot tonight.

Alyssa: From the IT perspective, if I'm thinking networking courses or developer type things, it's just security basics. If we could just get into some of that coursework and instill some of those core concepts, the things they teach you on the CISSP, right? Just get some of those: here, understand the domains, these basic concepts like least privilege, or zero trust now. What is IdM? What does this even mean, what is identity management even talking about, why is that important? What is a SIEM and what does that kind of thing do? Just one course to give people that understanding. And then from the dev side, boy, would that be great, right? If we actually did some level of secure coding discussion. You're never going to teach them everything; I'm not saying take it down to "here's how you prevent prototype pollution in your Node.js app," let's not go there, that might be a bit extreme. But just again, some of the basic concepts. Are we teaching them the OWASP Top 10, for Christ's sake?

Tanya: Yeah, yeah.

Alyssa: And then as far as a BISO, I think it's wide-ranging. I mentioned CISSP; I think you do have to have an understanding of all of those domains, and definitely a particular focus, depending on the organization, but most often probably around AppSec, because generally organizations that are launching BISOs as a role are doing it because they're doing some type of product development. So having that background of understanding application security: how does that fit into a DevSecOps pipeline, how do we enable that in CI/CD, how does cloud native completely shift the discussion, and what are the differences when we're dealing with that? Those are really important concepts when you're dealing with a product or software development organization.

Tanya: Oh yes. Okay, so Rob has followed up on that
question; I like how they're asking the questions I was going to ask later in the interview. It's good. Rob's seen a lot of interest in cyber security from university students who are pursuing management information science, or information management, as I've usually heard it in Canada. What are key skills that you might suggest for them to try to focus on? So if it's someone that got an MIS degree or is in an MIS program and they want to get into security?

Alyssa: The big thing is understanding the risk side. I have a degree similar to MIS, a different name but basically the same thing, and I remember when we talked risk it was organizational risk, and that's all we talked about, and it was very short-lived; we didn't spend a lot of time with it. So if you can speak to technology risk and then business risk and relate the two together, that's super critical, because that's like 90% of the conversations I have: tying together, okay, here's this technology risk. We understand there's this new vulnerability that Microsoft patched on Tuesday and so we've got to get these patches applied, but we've got these business things standing in the way. So how do I balance that? How do I take this technology risk, translate it to the business risk, and make an informed decision, or inform the executives and all the other folks that need to be making that decision, at a higher level even than where I'm at? I think just gaining that knowledge. And then, like any time you're in any role in security, the more technical background you can have in different technologies, great, but I don't even feel like that's necessarily the primary thing.

Tanya: Yeah, yeah. I have spoken to a lot of people who work in infosec and they're like, I have never written one line of code, and look at me now, I've got this awesome job, I do lots of stuff. Yeah, I agree with you.

Alyssa: Yeah, there are more roles in here that don't require hardcore technical knowledge of specific technologies.

Tanya: Yeah. I was explaining to someone this week how infosec tends to really try hard to attract veterans, because they have all of this knowledge built into them from being in the military. They understand need-to-know and so many other important concepts that you don't need to learn because you already know them, right? And I'm just like, yeah, it's really ideal, because veterans have theoretically left the army and probably would like employment, and we're like, yes, come on over. Someone says amen to that. So we have another question, from tcpdump101: as someone who works in a smaller company, what challenges or solutions do you find regarding communication between the teams in a large or divisional org, and ensuring you're all on the same page? Because it sounds like that's the biggest part of your job.

Alyssa: Yeah. I want to make sure I understand this question: they work in a smaller company and they want to understand the larger level. So I'll try to compare and contrast a little bit, because I've worked in both, right? I've worked in very small organizations, and I've worked in massive organizations. In a large organization there's usually just a lot of people that need to be involved in communication. When you're sending information out, it's generally not going to one or two people; it's going to 30 or 40 or 50 people, and so it can be challenging sometimes to really get the right message across to everybody so they understand it in their context. That can be a real challenge. It's also a little harder to understand the individual motivations of people when you're communicating at that broad scale. Whereas in a small organization it tends to be more ad hoc and less methodical, which can be challenging, but you generally know the people a little bit better. You're not dealing with large teams; maybe you're reaching out to that one person who's responsible for this thing, and so that 40- or 50-person email goes to maybe five people or less. That lends itself to more agility, which from a security perspective can be a double-edged sword, right? It means, hey, we can fix things really fast when there's a problem or something we need to address, but it also means that, boy, problems can get created really, really fast, because when you're moving that quickly, that's a problem. Now, one benefit of a large organization is that so much of that communication is methodical. You probably have workflows built around it to make sure that, okay, this has hit our definition of ready, how do we get that deployed, and the steps of change management and all those things that may not be there in a smaller organization. In a large organization, the more mature ones oftentimes have those workflows built in, and if you're really good, like where we're going right now in Ratings, you're getting all of that automated in your pipeline. That's the holy grail, right? That's the cool stuff we're doing right now; that's what gets me so jazzed up and excited in this role. We're doing all this really cool stuff that people have been talking about, and I've seen them talk about it at conferences, but it's just so nice to actually be hands-on doing it, especially after being a consultant for a long time, where I was telling other people how to do it but it was really up to them to do it. Now it's like, cool, I'm in the driver's seat a little bit. Or I'm sitting next to her; somebody else is driving and I'm sitting in the passenger seat riding along,
whatever way you want to look at it. And that's really cool.

Tanya: Yeah, being able to make a big positive impact in the place where you work is very satisfying.

Alyssa: It is. And honestly, the other thing, and this is kind of selfish, almost maybe a little narcissistic: when you're in consulting, you're generally in a consulting practice, a team of all experts who do this every day. In the role I'm in now, it's kind of interesting, because I am the person with the security background. Not the only one that understands security, by any stretch, but I'm the one with the security background that people are counting on to really drive the security strategy and push this stuff forward. So it's a cool experience that way too. Not only do I get to own all of this security strategy, but I've got people coming to me asking me: hey, you're the one we're trusting with all this. It's not like trying to change course when you're in a consulting organization, where everybody gets it and you don't have that opportunity to impart wisdom as much, I guess.

Tanya: Yeah, that feels good. Okay, I'm going to take a very, very brief moment to thank our sponsor, ThreadFix. ThreadFix is the most stupendous vulnerability management system this side of the galaxy. I also want to invite everyone to come this Saturday at noon Pacific time to hang out and talk about chapter 4 in my book, Alice and Bob Learn Application Security. We are going to talk about secure coding. I know everyone's shocked about the subject matter; obviously I need to be nerdy. My friends are going to show up with me: Sherif Koussa from the Ottawa OWASP chapter and my friend Aaron Lord from Hella Secure. If you want to join us, you can see below; it's aliceandboblearn.com, or just go to YouTube and go to the She Hacks Purple page, and we'll be there being nerds for at least an hour or two. Okay, but back to Alyssa. Let's talk to Alyssa. We did the thing. Okay, so I have more questions, as you might have imagined; the audience did not guess all of them yet. Oh, and Ahmed says: Alyssa, you aren't being narcissistic; being the head SME means you get to drive your vision, and that is amazing.

Alyssa: That is very, very true, and that is absolutely one of the things that was most attractive about this particular role: having that ability. Here's a quick little secret: when I got this job I also had an offer for a director of application security, and that's why I chose this job over that one. That would have been amazing too; it was a director reporting directly to the CISO, but it was still going to be the CISO's vision. This is an opportunity for me to really be sitting at the top of that strategy and to shape things the way I believe they need to be done. So yeah, Ahmed is spot on as far as I'm concerned.

Tanya: Okay, so I have more questions about how someone someday could steer themselves towards this goal. What kind of personality traits, or maybe aptitudes, does a person need to be good at being a BISO?

Alyssa: Okay, are you ready for this? Here we go. First and foremost is empathy. If you are not an empathetic person, it doesn't work, because you need to be able to see both sides, or all sides, of these conversations. You've got to have the empathy to understand what security is thinking, what's important to them in this moment, why they are behaving the way they are. Why are my engineers behaving the way they are? What's pushing them right now, what are they dealing with that's problematic? What are my SREs dealing with right now that's got them so flustered that they're torn up? Why is the risk organization coming and pushing this thing so hard when it seems frivolous to me? All of that is so
crucial. First of all, just having that empathy and being able to take yourself out of yourself for a moment, put yourself in their shoes, and really understand what's motivating them and how to speak to them in their language. Which goes to the second point: you actually used a term that I use, which is translator. You need to be able to translate between the language of, say, your executives and your engineering teams. Security in general needs to be better at that, because we don't do a good job of it, but definitely in this role that's something you've got to be able to do. I mentioned I have multiple board meetings every month, because it's not just ExCo; I've got regulatory boards I have to meet with; we've got subsidiaries in organizations around the globe, in some of which I'm actually named as the head of security for regulatory purposes. To do that, you've got to have the ability to speak at those different levels, especially when you're dealing with regulators. So I think those are critical aspects. And then the last thing is just your own self-awareness: really being able to challenge your own biases, and to understand, in a moment where you're trying to push something forward and it's not working, to take a step back and look at yourself. What is it that I might be doing wrong, or what could I do differently? Well, I'm frustrated because I can't get budget to do this security thing. Well, why? What could I do better to sell them the reason why we need to spend that money? I think that self-awareness and that willingness to self-analyze is something you don't see a lot of in security, quite bluntly. I don't think a lot of security people are willing to do that, and so that can be problematic too.

Tanya: A thing you said earlier, and a word that has come up over and over and over again in this podcast, is empathy. I feel like if you don't have empathy, you couldn't be a good BISO.

Alyssa: I don't think you could. You're literally there to bridge that gap, to help people understand; like you said before, that peacekeeper role. That doesn't work if you don't have empathy for both sides of the discussion; it's never going to work. I told you about that situation before, where I had a person from my analytics team and a person from the infosec team and I'm trying to bridge that. The only reason it worked was because I could understand what infosec was trying to do and I knew what the challenges were, and I definitely understood why the business was upset and what they wanted to see. It was just: all right, now I'm going to help the two of you see the bigger picture on both sides. Infosec, don't tell me you can't do this thing, because we need it, and it does have to happen, and there are ways to do it. Business, understand that this isn't necessarily going to look exactly the way you want it to either, and here's why; and oh, by the way, all those regulators you have to answer to, we're helping you with that by doing it this way instead. Things like that. That's the kind of thing you need to be able to do as a BISO.

Tanya: Yeah. We have some people in the chat asking if I have asked the cheese question yet, and we're going to get to it. So, in the very first episode, one of the questions was: does your job pay well? Because in our industry a lot of people have been shocked to find out, for instance, a lot of people think bug bounty hunters make mad cash, and no, turns out they don't; or that a journalist does not necessarily do that well, versus security architects, which is where it's at from what I can tell so far. I am a startup founder; we do not roll around in giant bundles of cash trying not to get paper cuts, until our second year. But I think a lot of people
have been really confused about how much different roles pay. Not, as in, how much money do you make, but does it pay well? And so to bridge the gap I talked about cheese, because I grew up poor and then I put myself through college working two jobs and then I got a software developer job. Yes. And then one day I realized, I went to the grocery store and I was looking at two different types of cheese. I'm like, oh, they both look so good, I don't know which one to get. And then I realized I made enough money that I could buy both, and I didn't have to count every single penny at the grocery store anymore. And I was like, I've made it. I'm rich. I can buy both cheeses. And so that's when I realized, in my opinion, that I'd made it. And so I guess yes, someone is saying "cheese, cheese, glorious cheese." There are a bunch, and there's an awesome question from Kellen that I'm going to get to after. But does being a BISO pay well? Is it like a journalist or a bounty hunter, or is it more like a security architect, where I believe one of the security architects we had on the show, she said, "I have a pool boy." I'm like, do you have a pool? She's like, yes, I have a pool. Because I was like, maybe she just has a pool boy. I don't know.

So, again, remember that BISO means different things in different organizations, but in a role like mine, given the responsibility, yeah, it does pay well. Think about it. It's like "executive junior" or "junior executive," do they still use that term? So I'm not maybe necessarily a true executive, but I have that kind of purview, right? That's what I'm doing. I'm reporting into boards, okay, I'm going to executive committee meetings, I'm doing those things, and I've got a division that makes billions of dollars a year and I'm responsible for making sure that that division is secure at the end of the day. Yeah, I've got help from my corporate security team and they do a lot of the
things that need to be done. I've got engineers and architects within our cloud architecture teams and whatnot who do a lot of the heavy lifting of the work, but I'm there to really bring that. So it does pay what I consider well. And I think that it's a valid question, and it's a good one. I mean, it would be more toward, I'm probably in that architect range or higher, quite bluntly. And that's one of the really exciting things, you know, holy cow, here I am, and I find myself in a great position. I've had a few of those cheese moments myself, where I realized, like, which one do I get? Well, screw it, I'll buy both. Why not? It's good to be in those situations, for sure. But of course, like you would expect, or like people glorify it, it is the result of a long career. I mean, 25, 26 years in tech now.

So yes, get the cheddar and the gouda, but make sure it's smoked cheddar and smoked gouda, if you watched last night when I was on Unicorn Shelf. We have a really interesting question in the chat, but it's a hard one, and it's from Kellen.

I don't like easy questions, so let's do it.

Okay, awesome. So how do you refocus when you lose perspective? Because you were talking about self-reflection, which is a thing that a lot of adults just never do, especially the ones that need it the most. But how do you refocus and realize when you need to analyze or readjust your approach or your biases?

So I'll answer it in reverse order. First of all, it's just how do I catch it, and really, you usually catch it when you feel yourself getting frustrated. If I'm like, I feel like somebody's just not getting it. I mean, how many times do we say that to ourselves? Oh, my boss just doesn't get it, the executives just don't get it, management just doesn't get it. I can't
count the number of times I see tweets that say things like that. That's a perfect time to catch yourself and be like, okay, what could I be doing that might be contributing to that? And then it's really taking ownership. So when you say that to yourself, you're kind of now taking ownership of: okay, how can I take this situation and improve it? What can I do to make it so that management does get it? How can I present the argument or the discussion or whatever it is in a way that they're going to see it the way I want them to? Because that's what happens so often: we go in there, we're preaching one thing because this is what speaks to us and this is why we're concerned, but that doesn't mean that that's why your CIO or your CEO or your CFO are going to be concerned. So yeah, think about what they need to hear that concerns them. So that's the thing. It's taking that step back, first of all, catching it when you get frustrated, but then owning that and saying maybe this is my fault, maybe there's something I can do better. Now, sometimes that's not going to be the case, right? But that's how you get the self-analysis started, by taking ownership and saying I want to figure this out, I want to figure out what I could have done better.

A great example, and I guess I'm going to keep harkening back to this discussion, but where I had my analytics guy and I have the infosec guy and I'm on the phone with these two. Afterwards, I reached out on the business side to say, all right, what can I do to help you guys understand my role better? What can I do to build more trust with you, that you'll let me defend you and have your back in these conversations and not feel like you have to get that aggressive with the security team? How can I start to work with you guys more collaboratively? That's how I brought it to them. I could have just as easily gone and said, you guys can't talk to security that way, that's
counterproductive, don't do that, this is awful. But no, it's, hey, help, oh god, here's the bad Jerry Maguire quote: help me help you, right? I mean, that's really what it is. Help me to help you guys here and do this a little better. So that was a case where it's like, I can see they're frustrated, they don't want to deal with security, so let me do it. Just help me understand how I can get you to trust me. So that's one example of how you can do that, just turning it back on yourself.

This is really good. We have so many, so we have more questions and I have more questions, so I'm going to ask one of Dwayne's questions, then I'm going to ask one of my questions, because the audience is having so many good questions. I'm like, oh, that is a really good question. Awesome. And Kellen says thank you, that was very helpful.

Good.

Okay, so from Dwayne, excellent question: what resources do you use to stay up to date on what's going on in industry or new trends or threat intel sources? Like, what do you do to stay up to date, because there's so much out there?

Twitter. I'm kidding. No, actually I'm not totally kidding, though, because Twitter is a useful tool for that, right? It is really good to hear some of the conversations that are going on out there, even when it's the usual dumpster fire that Twitter turns into; there's still some things you can take from that. I definitely have my news feeds that I enjoy, sites that I like to read, like Dark Reading is one of my favorites. TechCrunch has their security section, which is hit or miss, but they have some things that I like to read. So I've got all that sort of thing. Some of it is just playing around with technologies. I asked a question about Postgres the other day on Twitter and didn't really get the answer I wanted, so finally I spun up a VirtualBox environment and I installed Postgres and I set up another box
with nmap and I figured out what was going on and confirmed that it was what a couple people had speculated on and that I thought it might be, but confirmed it. So sometimes it's just stuff like that. I haven't played with Postgres in years, so even sitting down with that and having a reason to do that. I'm never going to be aware of all of it. Of course, I get threat feeds and stuff at work, so that's helpful with emerging threats and stuff. We, like many large organizations, subscribe to multiple threat feeds, and we've actually got a really cool communications team that collates all that together and gets it all sent out. So that's really helpful too, because I don't have to read ten different threat posts or something to try to figure it out; it's just right there in a nice summarized set of points. So things like that are all helpful.

Cool. Okay, now my question. It's a two-parter and it's really hard. The first part's easy and the second part's hard. The first part is: what do you like best about your job? And then the second part, the hard part, is what do you like the least? Because there's usually a thing where it's like, yeah, and I hate the fact that I have to do blah, or all this report writing, etc. So, best and worst parts of the job.

All right, so yeah. The best part, by far, is just all the cool technologies and cool people that are experts in these technologies that I get to work with every day. Seriously. I mean, again, I'm talking about the fact that we're making actual practical use of blockchain; that to me is super exciting. The work that we're doing on AI and ML and how that's going to play into a lot of what will ultimately make our analysts' lives easier. I love that. I just love what we're doing. The thing honestly that I dislike the most is probably not going to surprise
anybody, and that's just the level of regulatory review that we have to deal with. And that's a product of being in hundreds of countries, and many of them, at least, not all but many of them, have their own regulating bodies, and so you've got to deal with them, whether it's the SEC here in the US, ESMA over in the EU, the UK just spun up their new FCA, so they've got theirs, Singapore, it's MAS, I mean, I can go on and on and on, right? I've got regulators in Russia and China, Hong Kong, you name it. And we have to deal with all of these, and of course all their regulations look different. Plus you're dealing with third-party audits and things like that, like you would in any organization too. So like I said before, there's like two or three reviews going active at any one time. It's just a lot to have to continually respond to these things. And of course that's one of the things I would like to improve upon: how could we be better and more proactive, and maybe not automate this necessarily, but have easier ways of gathering and supplying the evidence that these different organizations need to see from us.

Oh, that's cool, because, so to get slightly off topic, in the cloud there's a bunch of kind of new cool things where you can choose certain regulations and say, like, apply this policy, and it's never complete, it's never all of the checks, but some of the checks, and I bet that you could make your own custom policy.

We've looked at some of that. Obviously, yeah, there are, whether you're in AWS or Azure, or I'm sure GCP probably has one too, I don't know what theirs would be, but there are different policy orchestrators and things like that where you can manage a lot of that. And yeah, they do. The problem is, I fear that would turn into a bit of trying to boil the ocean
almost, because again there are so many regulations and they are so varied from one country to the next. And then on top of that there's weird dynamics when you get into the regulatory environment too. Like, you like to assume that a privacy regulation in Russia is all about the consumer, but it's Russia. Why would Russia care that all the data is stored in Russia, I wonder? Probably not just about protecting consumer privacy anymore now, is it? And so you have to be aware of those kinds of things too, because when you're dealing with these regulators and stuff, even if I grabbed a policy and I apply it, if it doesn't hit all the things, there might be that thing that's really important to that regulator because of who's behind the scenes. And those motivations are everywhere. Again, that's kind of that empathy thing, or just being able to analyze the situation at a higher level and understand that, okay, there's more at play here than just me having to demonstrate that we're protecting private data. They want to know that it's stored on their shores so that it's subject to all of the legalities and everything that comes with it by it being in systems that are within Russia and not somewhere else.

This is good. We have another question from Dwayne, then I have a question, then we have to wrap up, because somehow time has fast-forwarded very quickly.

I know, right?

So Dwayne's question is really good, and it also aligns with one of my questions that I didn't have time to ask, so I think it's the best question that's in the chat. He said: based on your example with nmap and Postgres and being able to do your own testing, do you feel someone would make a better BISO if they have a technical background, like a hands-on type of technical background?

So I guess it's a hard question, because I'm almost like, better than what? I mean, I do think it's
a good asset to have, yes, absolutely, being able to understand the technical pieces of it. I mentioned that peer of mine who's been in her role for almost three years now. She's really super technical and amazing when it comes to cloud technology, way, way better than I am, and I'm learning so much from her. And I see where it pays off in certain situations, because when you're dealing with the people who manage those environments, or they're telling you certain things, it's good to be able to, quite honestly, call BS at times, and to say no, or to be able to competently understand it enough that you can propose an alternative solution. So maybe even what they're telling you is truthful, but it's just they see the world one way and you can look at it and say, well, I happen to know there's this other way to do it, what do you think about doing this? And those become really productive discussions. So that's important. But if you have that skill but you lack what I would call executive presence, you hear that term tossed around a lot, but that ability to be able to take technical and speak up to the executive level, then I don't know that it gains you so much, right? So I can't say that it's better. It's a good asset, but at the same time somebody who's really good at executive presence and can understand the tech even without being hands-on with it might also be better. It's hard to say. So, yeah.

Okay, now I get to ask my question. If you're going to give someone, so let's say someone's watching the show or they're listening later, and they are wanting to become a BISO someday, what would you suggest as a first actionable step to try to kind of go towards that?

First actionable step. So they're starting new, is that the hypothetical?

Let's say they're in some other area of infosec and they're like, I think I want to be a BISO someday.

I think, just, boy, how do I put this into something really actionable, though?
That's a tough one, right, because I could give lots of advice, but I think the way to step into that, probably the most actionable way, is to really start to pay attention when you have those opportunities to be in a meeting or a conversation with someone from outside the technology organization, because those are the people you really need to be able to communicate with effectively. And that's, I used that term and I cringed when I said it, executive presence, but that's what we're talking about. Can you communicate? It ties back to all the other stuff, like I said, empathy and all the other things. It ties into that, because can you understand what's on their mind and then be able to communicate to them in a way that speaks to them, and just use the language that's important to them and that makes sense to them too when you're talking about business risk? If you don't understand terms like residual risk versus inherent risk, okay, those are things that at a business level they understand, and they want to hear things in that way. The other thing I would say you could start to do is really work on building your ideas for how to quantify things. I know it sounds kind of rudimentary and weird, and like, okay, metrics or something, is that what you're saying? Well, yeah, but providing anything in a quantifiable way. It doesn't necessarily have to be numbers, but what your executives are looking for is to be able to quantify risk, to be able to quantify business value, all of these things, just so they can compare them and make an educated decision. And so when I say to start practicing that, it's: take a look at things where normally you just say, okay, this is bad, this is good, whatever. How can you start to really develop a way to communicate that in a sense that says, okay, this is at this level, this is at this level, this is at this level, therefore XYZ,
because that's what's equipping your management with the decision-making factors they need. And when you can do that, now you establish yourself as a leader. You're going to accelerate quick. They're going to see that, and that's what they want to hear. That's going to accelerate you up the ladder, if you will, if that's what you're trying to do, just by the fact that you're going to be communicating. And by the way, it's going to make your life easier, because you're going to have less of those frustrating moments where you're saying to yourself, they just don't get it, because you've already given it to them in the way that they do get it.

That's such good advice.

Oh, no, I hope it's useful.

Thank you. No, it is useful. Okay, so we have to wrap up, but I'm going to ask one more question. So let's say someone wants to know more about you, they want to follow you, they want to see what's coming up with you, other things you may want to plug. Please tell us.

So the easiest way to follow me is on Twitter. I know we've had my Twitter handle up there a few times, but always saying it out loud for those who are listening: it is @AlyssaM_InfoSec, A-L-Y-S-S-A, M, underscore, infosec. That's the easiest way to get in touch with me. You can also go to my website, which is alyssasec.com, so A-L-Y-S-S-A-S-E-C. There you'll find my speaking engagements and different stuff. You can contact me with a contact form there. And then as far as other things to check out, I've got a book coming up. It's available for early purchase, and by purchasing it early my publisher does something really cool: you get immediate electronic access to a draft copy of what's available so far. So I think we've got five chapters available right now. If you buy the book, you can pre-purchase either the print copy or the electronic copy, but you get access to it now as I'm still finishing up the book, as we're still making edits, so you can start reading it now. And what's really cool about that
is if you want to send me feedback, you can send me feedback and say, you know what, Alyssa, you totally missed it in chapter two, that was the worst chapter I have ever read. If you can make it a little more constructive than that so I can make it better, that'd be great. But you have that opportunity. So definitely check that out too. I guess I should tell you it's from Manning Publications, and it's the Cyber Defender's Career Guide.

Cyber Defender's Career Guide. That's awesome. Oh, and there have been some comments about how your guitars are awesome, and I concur.

They keep me happy. That's why they're in here. When I get really, really frustrated, I just grab a guitar for a while.

Yes. And I'm just going to quickly show your book link. We also put it in the chat so people could copy it, but in case someone else later is like, how do I find the Cyber Defender's Career Guide, this is how. There you go.

Thank you. The other way you can do it, actually easier: if you go to alyssa.link/book, that one's even easier to remember. So alyssa.link/book.

No, no. Yeah, but that was a really good try, though. I appreciate that. We would have had to make her up differently and get ready for that. It's not fair to spring this on her, but, oh my gosh, can you imagine?

I'm like, I'll go get one of mine. It'll be great. I mean, I've actually got the rig here. I could almost do it if I was ready to go. But yeah, alyssa.link/book, I see that up there. Just a warning, it's slash book. But yeah.

Okay, so .link is the TLD. Okay, thank you. Thank you so much for being on the show.

Yeah, thanks for having me. This was a lot of fun. I knew it was going to get a little goofy.

There it is. That's the one. So yeah, if you go to that, that'll actually forward you right to where you can make a pre-purchase for the book.

So nice.

I've got to get a better link.

That seems very wise.

It does. It makes it a little easier to get there.

So yeah, so there are lots of thank
yous in the chat. Thank you. And let's wave goodbye. Thank you for coming to this week's edition of the We Hack Purple podcast with special guest Alyssa Miller, who told us all about what it is like to be a BISO, and the B stands for business. This episode, just like many episodes before it, was sponsored by ThreadFix, which is powered by Denim Group. And in case you did not get the message throughout this podcast, I am doing my book livestream on Saturday, yes, that's right, this Saturday, so soon, June 12th, and we're going to talk about secure coding with Aaron Lord from Hella Secure and Sherif Koussa from OWASP Ottawa and the company Reshift. I'm pretty excited to have my friends on and just the chance to be a nerd. Thank you so much for tuning in, and I will see you next week.