Site icon Easy Prey Podcast

Hacker to CISO with Alyssa Miller

Easy Prey
“Hackers want to understand how things work. That mindset is what I take into a board meeting. It still comes back to that same core desire to understand the inner workings of something.” - Alyssa Miller Click To Tweet

Utilizing hacking skills cannot only make it easier to work with management, but helps translate technical information for non-technical staff. Today’s guest is Alyssa Miller. Alyssa is a lifelong hacker and cybersecurity leader. She is the CISO for Epiq Global and has over 16 years experience in security. She is an internationally recognized speaker, author, and researcher. She has also been featured in Tribe of Hackers blue team, Cybercrime magazine, and many other media.

“One of the things I’ve been advocating for is for businesses to have a plan on handling misinformation.” - Alyssa Miller Click To Tweet

Show Notes:

“The line between physical and digital becomes more and more blurred.” - Alyssa Miller Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Alyssa, thank you so much for coming on the Easy Prey Podcast today.

Hey, thanks for having me, Chris. I appreciate it.

Let's talk about your journey. Normally, I’d have the person tell me about their bio and how they got where they are, but I think a lot of this episode is going to be about how you got where you are today. How in the world did you go from hacker to CISO? What was that journey?

First of all, it's always weird to me even to say that hacker to CISO because it hasn't changed. I'm still a hacker. I'm just a hacker who is a CISO. The way I look at it is I've been a hacker all my life. Being a hacker to me is an identity. It's just who I am, because it's just core and central to everything about me. 

At four years old, I was one of those kids who was super curious about technology, so what did I do? I took apart all my toys and figured out how they work. I took apart my parents' VCRs and things like that. They didn't really appreciate it all the time, but usually, when I put it all back together, it worked and I didn't typically have too many parts left over most of the time. 

It's that kind of energy that drives the hacker identity, that curiosity, passion, and willingness to play with things, take them apart, and figure out how they work. Not everyone has that.

I just had a conversation last week with somebody who was like, “Yeah, I'm the opposite. I don't care how this stuff works inside. I just want to use it for what I’ve got to use it for.” 

Anyway, fast forward and I'm 12. Like the dorky, bullied kid I was, I got […], saved up money, and bought my first computer.

This is an eerily familiar story here.

Yeah. I saved up $1000-ish and went to Best Buy. We're talking late ‘80s, early ‘90s here before computers in the home are definitely not ubiquitous like they seem to be today. I bought the computer, brought it home, and learned how to install an operating system after I screwed up.

What computer was it?

It was an Epson Equity+ or something like that. It was an 8086, 10-meg hard drive. I think it got a single five-and-a-quarter floppy. 

By the way, I didn't know back then that they pre-loaded the operating system and all the apps on the computer, but they give you the manual for DOS. It came with DOS 3.31. I looked in the manual. It says, “Step one: Run fdisk.” It wiped all the partitions, and then I couldn't figure out how to get the partition created, bootable, and everything, so I ended up having to call the store, and the guy is like, “You did what?”

I started at the beginning of the manual.

Right. I read the manual. How many people ever actually RTFM? I learned really quickly. Again, that hacker spirit. 

I didn't take it back. He offered. He’s like, “You could bring it in and we can see if we can get it reloaded for you.” I was like, “No.” I figured it out. It took some trial and error, but finally, I figured out what I was missing enough just to create a bootable partition. Then from there, it was easy. 

Anyway, that went down a rabbit hole already. It didn't take long. Originally, the computer didn't have a mouse, didn't have a modem, and Internet wasn't a thing yet. I bought a modem because I started getting these discs in the mail from Prodigy, America Online, and CompuServe. Names we haven't heard in a while, right? 

I booted up Prodigy, loaded it, bought a 2400 baud modem, got connected, and started playing around. You get 23 hours. After that, they want a credit card. I'm 12 years old. I'm not subscribed with a credit card, so I started digging around and went through a library of books on UART, serial comm, asynchronous modem communications, and a few other things.

I ended up finding my way through the software and was able to break into Prodigy without having to authenticate, so I was able to play the games I wanted to play. That was literally all. I was 12 years old. I just wanted to play the games. I didn't care about any of the rest of the stuff, news, sports, and all the others. I just want to play games.

Then, the Internet came along a number of years later. IRC was a thing. Again, a dorky, misfit, bullied kid found IRC and ultimately found my way into some of the hacker rooms on the Internet. That was where I really started to associate myself a little bit with the term hacker.

I didn't see it as a career move. Again, in the early Internet days, the idea of a hacker being a career, no. I actually started in pre-med. I'll tell you what, three semesters of college chemistry will tell you really fast if you actually want to be in pre-med or not. I didn't—spoiler alert. I had to find a new major.

At this point, I had already been writing code. Mostly I'm basic, but I've been starting to learn C. I saw they had a computer science degree, so I'm like, “Oh, that'll be easy. I already know how to program.” 

Boom, I got into computer science. I was still in school. It's the dot-com era now. Everything's booming. Everybody wants programmers. Sure enough, 19 years old and still in school, I got my first full-time salary job and grown-up job in tech as a software developer for a financial services company.

All we did was we wrote and hosted the software, but today, we would call it SaaS. Back then, we called it application service provider or service bureau. Even growing older, I remember that term.

I did programming for nine years before I was approached by someone from the security team who came over and wanted to know if I would join her security testing. That was where the start of my cybersecurity career came in. I told them. I was like, “I don't know how to do that.” She's like, “You're smart. You'll figure it out.” I got there, and I figured it was just hacking. “I can do this.”

I was leading that team. They were responsible for vulnerability management and security testing for a 5000-person, 6000-person Fortune 500 financial services company. We got bought out. Now, I'm in charge of the same department for a company of 35,000, Fortune 200.

I turned 30 at that point. I'm 30 years old. I'm going to board meetings and talking to the executive leadership team. This is crazy, but it prepared me well. After 15 years at that company, I wanted to see something else. Enough financial services. Let's see what the rest of the world is doing. 

I got into consulting, and they put me on their financial services clients mostly. I did some healthcare. Healthcare is important too and other things. We worked with some power companies and other stuff. K-12, I got involved throughout that process too. It started first in the application security pen-testing in space and it kept growing and moving up. The consulting gig that I left got to the point where I was leading a security practice that was focused on building programs. Now, I'm working with CISOs and senior leadership teams who are the sponsors for these projects and doing presentations to their boards.

I stepped through. I spent a little time in a consulting role at a reseller, and then I actually worked for a product company for a little while. That was right at the start of COVID. It was supposed to be a job where I was going to travel internationally and all this cool, fun stuff.

That didn't quite work out.

No, it got ruined. That transition ended up serendipitously. This happened a lot in my career. These weird opportunities would just pop in. I can't even count how many jobs I've had where I didn't go looking for the job. It found me.

I can't even count how many jobs I've had where I didn't go looking for the job. It found me. -Alyssa Miller Click To Tweet

This was one of those. It was as a business information security officer for a big, historic Wall Street firm and leading cybersecurity as essentially a divisional CISO for a $4-billion-a-year revenue division. 

The minute I got that job, I was looking at it and I'm like, “OK, this is my stepping stone. This is the one that's going to get me all the way to CISO.” Like some of us, that was my goal for my career. I love management. I love being in those roles. That's a skill set that I feel like I have. Sure enough, life faster than I thought, I was only in that BISO role for 18 months when again, serendipitously, this job came looking for me.

It came up through a social media colleague and another colleague who was actually the incumbent and was leaving to take on a bigger, more responsible role. I did the thing, went through the whole search process, ended up getting an offer, and now I work for about 6500-person strong, multibillion-dollar-a-year business leading cybersecurity as a CISO.

I'm curious about this. Let's talk about just the generic sales industry and sales place. You get people that are salespeople. They become good salespeople, they promote them to manager, and they're an absolutely crappy manager because leading is a fundamentally different skill set than doing.

It's interesting that that hacking mindset skill set is so fundamentally different than a leadership skill set. How did you make that transition with, “I like getting in the weeds and taking things apart” to “I want to lead people”?

It's interesting because it almost isn't different. It is, but it isn't. I want to acknowledge first of all that a lot of times, people end up in management positions. I separate management and leadership just because you don't have to be a manager to be a leader. To be in a true management position, as you noted, is a completely different skill set in the sense that you're not going to be typically hands-on in the tech and you're definitely going to be removing farther and farther the more levels of management you move through. You have to expect that. 

I separate management and leadership just because you don't have to be a manager to be a leader. -Alyssa Miller Click To Tweet

What you have to embrace is to understand that you're going to be responsible for different things. For me, going back even when I was a programmer—and I remember this really clearly—I had a manager way, way back in the very early days that I was doing that who called me the translator because we would go into meetings and we had to describe something.

There were more senior people in that room than me. There were more senior programmers, but they were all talking about functions and all this stuff. I was the one who just always seemed to emerge as the person who could translate it so that our VP understood what the heck we were telling him. It was my manager who saw that happening, and he started to joke about it that, “OK, you're just the translator here,” but I think that's a skill set that is required. It's a great skill set to have as an engineer. It's a necessary skill set to have as a manager. 

Understanding first and foremost that that's your job, you have to have that right mindset. There are just too many people who see management as the next step. That's the natural progression. It doesn't have to be. Unfortunately, it shouldn't be if that's not a skill set that you're interested in exercising and you don't feel you have.

Where I say it's not different, I actually have given this conference talk a couple of times now about hacking the board. What I've learned is a lot of the things I do to hack a system are actually the same things in a metaphorical way to what I do when I'm going to go in front of the board. Obviously, you could point to things like social engineering that come into play there in a very practical sense, but on a higher level, my goals are the same. I'm looking to establish persistence. I want them to keep bringing me back. I need to do reconnaissance on that target, the know-your-audience thing. 

I researched my boards. I want to know who these people are and where they come from because I've had board members ask me, “What's a CISO?” And you’re like, “Wait, what?” because you just assume everybody knows. But then you look at their background and you see, “Oh, OK, I can see where you came from. It makes sense to me. It's just something you've never been exposed to.”

I've been able at least—and I’m trying to help others see this—to look at it through that lens, take some of the lessons from what we do as hackers, and just apply that. For me, my interest in being a CISO is I wanted to see how that stuff works. I want to understand it. There are all those people out there doing this stuff in those ELT meetings and board meetings. I want to understand how that all works because they're telling me I’ve got to do my job a certain way, or I’ve got to manage my budget in a certain way. I want to understand how that's functioning. 

It still comes back to that same core desire to understand the inner workings of something and why it works the way it does, and then figure out how I can make it work different.

How does the board tick? How do the board members tick? What are their backgrounds? Why do they view things through a particular lens? That seems to be a common theme with particularly cybersecurity and information security these days hitting board members that are in their 60s and 70s, who 10 years ago, or maybe 15 years ago, cybersecurity wasn't even a thought for anybody.

Right. Now, you have the SEC who is mandating that board conversations have to include a discussion of cybersecurity risks. I love that. But as I also tell people, I think we've been clamoring in cybersecurity as far back as I can remember to get CISOs in the boardroom. There are millions of articles I can think of reading all the time about when will we get our place at the table, blah, blah, blah? We're getting in our place at the table, but unfortunately, there are a lot of CISOs out there who just aren't really ready for it.

Is that because in a sense, it's a new field? Maybe now we do, but there aren't people that have a lifetime of experience doing information security.

I think you have to look at where the people come from, but that is a big part of it. We forget, too, that the CISO as a role is only 25 or 30 years in existence. We'd have to go back. I think it's close to 30 years now that the first CISO was created.

That is relatively very young compared to some of the other traditional positions. How long have CEOs existed? A long, long time, right? I think that does play into it. A lot of the people who end up in CISO positions don't have that exposure. 

There's also a natural tendency from a lot of organizations to still downplay the CISO. They look at it as an executive junior.

I saw a talk a little while back, and I wish I could remember who the person was because it was even in his book. One of the stats he threw up there was the percentage of CISOs who fall into different job categories, how many were directors, senior directors, et cetera. When you get to that SVP level—senior vice president—it was 4% and the CISO always reports to another C-level executive. Most often, they're not part of the official executive leadership team, which we still see today. I think that hinders it too. How do you build that knowledge if you're not being entrusted that way?

Is some of it because the security is not a profit center, therefore, as a corporation, we don't think of it in the same way we would as product development, sales, or engineering?

We've got CIOs and CTOs who are typically cost centers too. I think it’s just relative youth of the role. It's that a lot of the people that ended up in these roles typically are technologists and aren't prepared to talk to non-technologists about technology. I see CIOs and CTOs who have the same problem sometimes too.

One of the things I've been trying to change as I talk about this hacking-the-board idea is understanding how to communicate. I've been in those meetings where the technologists start talking. They start going into the weeds on some of this stuff. They're using terminology and things that the board doesn't understand. What are the board members doing? Even if it's the executive committee or the ELT, what are they doing? They're like this, heads down, looking at their phones.

Their eyes glaze over as these tech terms come out.

They get bored quickly because they don't understand what's being said. It's meaningless to them. I think that that fostered that too, and then there are a little bit of ways just to always connect security with technology. That's why you see so many CISOs, myself included, who report to the technology organization. I report to the CIO. 

That can be problematic in some cases. In my case, thankfully, it's not. I have a very good CIO who buys into the security message. In fact, sometimes, he's more gung-ho about it than I am. I have to call him out like, “Hey, we’ve got to keep the business running too, though. We can't just tell them no.” 

That's the thing. That plays into it, but where you see the problems really forming is related to that. I'm hoping businesses are starting to see this because the discussion is where should the CISO report to. If they report to the CIO, there's a chance of some conflict of interest or whatever. That's what people complain about there. Certainly, there could be, and I've seen that play out.

Then, they say, “Well, they should report into risk.” Security is broader than risk management, so reporting to the CRO doesn't make any sense. It doesn't make a lot of sense either because it does include technology and non-technology, and it's way bigger than just managing risks. 

But what about legal? That's got its own nightmares, because legal has a very specific focus that, again, can create some conflict. Not conflicts of interest necessarily but other conflicts that can tie the hands of the CISO a little bit.

The whole point of this is what we're starting to see is that the CISO was broad enough in responsibility that there's only one logical place they should be reporting to. It's the same place the CFO, CIO, and CLO are all reporting to, and that's the CEO. I hope organizations are starting to see that. I think that's the progression. We'll get there sooner or later, but I believe it's incumbent on us as security leaders to show that we're ready for that challenge.

I think now that the rules have been around 25 years, I don't know if there's any business that doesn't have information security exposure somewhere or other business.

Of course. We all know that managing risk is a part of this. It's not the only thing we do, but it's an important part of what we do. Something that the smarter security leaders or I guess the more advanced security leaders—however you want to term it—are starting to realize is that there is no perfect scenario. As much as it may frustrate us at times, we have to keep the business going.

I cannot stop the business, so how do I design my security controls in a way that allows the business to keep functioning the way it needs to? Even if it's not the ideal way, how do I allow them to continue to innovate and use new technology? I come from a day and age when info security says, “No, you can't implement that new technology.” They fought us for years on implementing Windows servers. Now, someone might argue that they probably were right, but no. Look at any environment. 

We just had this argument on Twitter a few weeks ago. You're not going to find many organizations here that aren't running a Windows server somewhere in their environment. Back in the day, it was, well, no, you have to either be on the mainframe, or we had some SunOS stuff running around, so lots of SPARC centers and things.

Obviously, that world has changed completely. I think we need to continue to evolve and understand that our role is ultimately—and people say this—to enable the business, but we have to understand what that really means.

I think a lot of people in more junior roles and sometimes even in more senior roles have a really hard time making that balancing act of—whether you're compliance, legal, or CISO—not being the department of no but the department of, “Well, OK. Let’s see how we can accomplish the same goals but reduce legal liability, compliance liability, or security liability.”

That's the key. I've heard this phrase. We're not the department of no. Instead, we replace no with, “Well, let's see how we can make that happen,” or something like that because that's really what we’ve got to be there to do.

What we also have to recognize is that at some point, there's always going to be that threshold where we say, “You know what? This creates a very significant security risk for us. I understand your business says you need to do this. Therefore, risk acceptance is a thing, but you have to understand what you're doing.”

As a security professional then, I'm looking at, “OK, if you're going to put this in your environment, risk-accept it.” And say the benefit to the business is greater than the risk of cybersecurity issue here. Well, I'm probably going to look at how do I isolate that?

You can do your thing. You can have whatever you want and whatever it is that you're saying functionality is going to require over here—this technology that doesn't have the right security measures built into it—but I'm going to look at how do I then wall that off from the rest of the environment so we can at least limit that risk to your business?

If you sign off and your business gets destroyed because you got breached through that thing that I told you was bad, well, you accepted that risk and understood it. My job was to make sure you actually understood what the risk was before you just said, “Yeah, let's accept that.”

My job was to make sure you actually understood what the risk was before you just said, “Yeah, let's accept that.” -Alyssa Miller Click To Tweet

As you've grown more in your leadership role, being further and further away from the practical day-to-day in the way he’s looking at the code and being able to understand what the risks and vulnerabilities are.

In some ways, it is tough, but I still try to stay as active as I can in things that interest me, which is actually one of the cool things because it did free me up that now when I've got free time and I want to mess around, I'm digging into stuff that I find interesting. Over COVID, I got deep into TensorFlow and deepfakes and started playing around with FaceApp and a few others to generate deepfakes. That was cool.

From that side of it, I still do get my hands in, but it's not necessarily being dictated by what's in my environment and what I'm going to have to learn. But you do also have to just accept that you're going to get pulled away from that. 

I actually kind of like it because what it allows me to do is look at the bigger picture, which I really like. I get to see how all of those individual pieces come together. I can formulate a strategy, lay that out in a roadmap, and build that. 

Especially for people who are probably earlier in their career, these probably sound like management buzzwords, which they are, but they are actually necessary valuable things. That's another message I try to bring. Some of these things sound really annoying. You hear managers talk and it’s manager-speak, but there's a reason that manager-speak exists. Because these things work.

What do you see as the future risks of security on the Internet? What do you see coming down the pike as we get to start watching out for this? To me, in the scam space, I think of deepfakes five years down the line becoming a real problem of someone being able to real-time video chat looking like your favorite celebrity. They think they're in a relationship with this favorite celebrity because of well-crafted, real-time deepfakes.

Misinformation in general. I don't know if deepfakes necessarily are going to be the thing, but we see them used in a lot of places. The core tenant of phishing is the spreading of some level of misinformation on a very micro level. I think macro dissemination of misinformation is something we're going to see more and more of that security is going to get drawn into. Certainly, we can talk about what happened in politics and the level of discourse that turned into just complete misinformation campaigns, but it's not just in politics.

One of the things I have started advocating for is that for organizations, a part of their incident response really needs to be how are we going to respond if it's misinformation? How do you deal with that? How do you handle the crisis comes around that? It's an edge that doesn't necessarily fit cybersecurity, but it's getting leveraged for the purpose of conducting cybersecurity attacks. 

With deepfakes, I don't know if that's ever going to land. I thought it was a couple of years ago. It had some real promise. It looked like it, but what happened was we did actually get a lot of awareness out there that they exist. Thankfully, a lot of that awareness came because people were creating and disseminating deepfakes that were easy enough to ultimately determine were fake. That educated the mainstream that these things exist, and now we’ve got things like this person doesn't exist or all of those types of things where people in the mainstream are seeing this, and they're understanding the capabilities.

What that's done is it's made people more skeptical of the information that they take in. On the flip side, we have some people who—especially when it comes to political discourse—seem to just be willing to believe whatever, but we can talk about propaganda and how that all works another time.

I see that being a thing. Privacy concerns are going to spill more into the cybersecurity realm as well. We still treat those as cousins, I guess. There's definitely a spillover. We are doing things to try to protect privacy but more on the policy side and the practices side of it is where we're going to start to see cybersecurity have to be a part of it.

A colleague of mine, Amber Welch, was doing a talk series two years or three years ago. She was pointing out the potential for how you can basically in the physical realm DDoS a company by just initiating a bunch of subject access requests under GDPR because you have all these organizations who are subject to GDPR who have to be able to provide that information when it's requested or delete that information if that's the request. They don't even know what it is. How long does it take them to catalog it, find it all, and respond? Now, do they need gigantic teams to do that?

I think that you're going to start to see things like that. It's going to evolve a bit where the line between physical and digital just keeps getting blurred more and more. As that continues, you're going to see that cybersecurity has to become more aware of some of those things that traditionally, we said, yeah, that's not technology, that's not us.

That's physical security. That's a different department.

We still do that. You can argue if that's legit or not, but we do definitely have those blurring lines too. How do we control access to physical environments? We use a bunch of IT to do it. Who's responsible for that?

That leads to education. I'm one of those people who thinks why are we not talking to high schoolers and requiring them to take a course on how a 401k works, how compound interest works, and explaining basic accounting and basic finances to kids in high school? 

Do you think there's going to be a point where we're going to start seeing almost cybersecurity and privacy being taught at a younger age in terms of this is how you frame, interact, or interface with the world?

The cool thing is it's already happening. I have seen and been involved in at least two programs where they are doing exactly that. They are teaching kids how to be safe online, which sounds like such a ‘90s thing to say, but that's the reality. How to deal with this digital world because it is very different.

For the kids growing up in it now, it's a little different for Gen Z. Gen Z is the all-digital generation. These are the kids who probably never had a corded phone in their house.

They don't even know what a corded phone is, let alone a […] phone.

Yeah, what's a landline? Doesn't everybody just have a phone on their hip? To that end, it's a case where the problem is the instructional side. We have instructors who grew up in that world who are trying to catch up now and understand how to communicate to the kids that here are the risks of your own world because sometimes they don't understand it.

I have been involved in a couple of programs already where they're doing that. In one case, they asked me to come speak to a class. In another case, they actually asked me to consult on how they were building this out, which I think is incredible. Then, you see people in our industry who are creating great material that when I was asked to consult, I said, “Hey, a perfect example is go take a look at what Rachel Tobac's putting out there. She's got some really great materials that kids can understand. She's doing some of this stuff in songs. 

I think that that's really key. We're starting to see it. I think we're going to see more of it. Even that is going to evolve a bit as Gen Z turns into whatever the next gen is. Please don't call them next-gen kids. I will throw things.

I've heard that phrase.

I heard that come out of my mouth. I went, “No, that can't happen.”

You didn't create it, so you're not responsible for it.

But whatever we call them, they're going to have a new perspective too because they're growing up with all of this. They're seeing things. Now, Meta is pushing this metaverse thing. This was another conversation, which is why it's fresh in my head. How much have they misplayed their hand on that? Eventually, will that actually be something where people will want to operate in that way? It could be.

Or are we going to have a Ready Player One world?

Right. That's a whole new set of challenges that lives there. Right now, it's helping kids even from the privacy perspective understand that we're just now, as an industry, really understanding the implications of Facebook, Twitter, Instagram, and TikTok and how they market with advertisers. If it's free, you are the product sort of thing. We're still wrapping our hands around that. How do we start educating kids to understand it? The response for most people right now is to abandon it. I don't do social media.

That's not a reasonable option for Gen Z.

It's not going to be able to do. Where are companies moving all of their marketing efforts? Where's everything happening this day? The news cycle is disseminated via social media more than in any other place. It used to be disconnect from social media and get connected to reality, but the reality now is starting to live in social media.

We have to look at this and embrace it as this is a thing. We can't say no to it, so how do we learn and put the controls on our own lives to protect us to a level that we're comfortable with? Those answers won't even always be the same for every person.

Do you see the same issue with even cybersecurity education at the college level? By the time someone can write a course to teach on something, is it now just not relevant anymore?

Yeah. That's been the struggle when colleges try to teach to a technology. This is something that is evolving too. I can go back to early in my security career when I was in that pen-testing world. We were talking about it then, like, well, we need colleges to start teaching cybersecurity in school, but the problem was there was this weird balance change where all of a sudden now, schools are teaching it, but businesses wanted schools to teach it all, like teach them how to use Splunk, Rapid7, Arctic Wolf, or whatever. Pick whatever technology you want. 

No, that's on you as the organization. That's got to be your responsibility. What they need to be teaching is what schools have always focused on, which are the concepts.

Leverage technology that we've got available, but how do we teach conceptually what we're trying to do here? How do you turn your cybersecurity program effectively into a glorified CISSP? You look at the CISSP. All the domains of cybersecurity are very conceptual, and then they get into weird stuff like fire extinguishers.

Ultimately, it's very conceptual. I think that's where we need that. We need to keep looking at, where does that balance lie? Right now, the problem is you've got the industry saying, “No, we're not teaching that. They need to come ready for that. All our job descriptions ask for is all this very specific technology experience.”

You got the other side in academics saying, “We can't keep up with that. Are you kidding us?” Then, who gets stuck in the middle? It's the labor folks who end up having to foot the bill for a lot of this extra training. They're expected to build labs at home and do all this stuff in their “free time” that everybody has so much of these days.

That has its own problems. That has driven what we call now this talent gap or skills shortage. We did it to ourselves because we thought of hiring. We claim to want to invest in our people, but all too often, we don't.

Do you get better talent coming out of educational institutions or people that are self-taught?

I don't think there's a hard-and-fast answer to that. I've seen both. I've seen people come out of some really impressive graduate programs. There are graduate programs out there that I've worked with through a previous employer that is doing open-source vulnerability research. They're actually out there discovering open-source vulnerabilities. Creating CBEs and everything is part of a graduate research lab.

That's wonderful, and you get really good people out of that. I've also hired those people. I hired someone from a previous job who had never worked in tech or cybersecurity ever. The person had worked at a retailer. I brought them in. They had done all this self-study, and they were an incredible resource. They've gone on and done amazing things. In fact, I can't believe some of the stuff they're doing right now. 

You can find them in both. This is where we return to some of that's a little cliche, but how do you focus on people who have the core skills, core tenets of that curiosity, and willingness to dig in and figure out why something is doing what it does? I'm going to use this word and I'm going to cringe as I say it, but that passion for understanding the way things work, dissecting it, and figuring out how to change its behavior, or how to wrap its behavior with something else because those are the things that lead to cybersecurity concepts and so forth.

The hard thing is to teach people how to have that desire to dig in and ask why.

Yeah, because the struggle we have right now is this is a hot industry. Salaries are accelerating like crazy. People know they can get really good jobs with plenty of job security for the foreseeable future, so there are a lot of people who want to get into this industry for that reason. That, in and of itself, isn't a bad thing, but not all of the people who want to get into this industry are really cut out for the technical roles within this industry.

That's what they see and they go chasing it. They have skill sets that could be used elsewhere in the cybersecurity space. I feel like cybersecurity’s got space for everybody, but the key is how do you connect your skills, your interests, and where you have strengths to the roles that are going to be right for you? There's a lot of struggle around that right now. Sometimes, it's just because people don't even understand the breadth of what's available as roles in cybersecurity.

I suppose that's a good problem to have, that it is such a wide field that you can find. If someone has some true talent, there's a place where you can plug them in somewhere. It's just a matter of leadership figuring out, “Well, where can I plug this person in?”

Yeah. Here’s a shameless plug. I wrote a book on this legitimately, The Cybersecurity Career Guide, I published earlier this year. One of the key facets of that book is there are actual practical exercises in there to help the job seeker figure out what is it about cybersecurity that I actually enjoy and what skills, knowledge, or experience do I have? What are my core skill sets?

When I say core skills, I'm talking about those things that are across all industries. They’re not specific to an industry. They're universal skills. Then, how do I match that to the right roles? Just being able to do that is so important. It's a conversation I have. 

I get a lot of people to this day who will reach out to me on social media or whatever and want help finding a job. I ask them, “What do you want to do in cybersecurity?” “I don't care. I want to do anything.” I'll help you the best I can, but understand that that's a really broad answer. That doesn't really give me much to go on to give you actionable advice on how to get where you want to go.

Where can people find the book?

The book was published through Manning Publications. The easiest and actually cheapest way to get it is to go directly to Manning. A really easy link for you is alyssa.link/book. So alyssa.link/book will take you right to the page where you can order the book directly from the publisher. You can get it in an ebook or you can get it in physical form.

You can also get it from many of your typical resellers: Amazon, Barnes & Noble, and Target. I'm trying to think where else I've seen it. It's so funny because people tell me, “Yeah, I bought your book here.” I’m like, “It's there too? Wow, cool. I like that.”

Everywhere good books are sold.

Perfect, yeah. Where fine books are sold.

It's almost like it comes from a commercial somewhere.

Everywhere fine books are sold.

I'll make sure to include that in the show notes. That way, people don't have to write it down. They can go to the website and click on it. 

If people want to find out more about you, follow you, and see what you're up to, where can they find you? Do you want them to find you?

Yes. Every conference talk I ever give, I end with let's continue the conversation. Here are all my social media: @alyssam_infosec. You can find me on Twitter as long as it sticks around. Also infosec.exchange on Mastodon, same handle. 

I’m @alyssam-infosec on LinkedIn. I will warn you now, I do not spend much time on LinkedIn. Pro-tip: the minute you put the word CISO in your job title, your DM spam explodes. Too late, I'm screwed. I don't spend a lot of time on LinkedIn at this point, but you can probably get me there too. 

Otherwise, my website, alyssasec.com. There's a web form there if you want to contact me. You can read my blog, although I will warn you, my blog is not very active. You can also find links to some of the videos of recent conferences or not-so-recent conference talks and that sort of stuff. Any of those is cool, but Twitter and Mastodon are probably the two easiest.

Awesome. We'll link to those to make it easier for people to find it so they don't have to figure out all the underscores and all that themselves. 

Alyssa, thank you so much for coming on the Easy Prey Podcast today.

I appreciate it. Thanks, Chris. It's been a blast.

Exit mobile version