
good morning everybody and thank you for your time and attention we really appreciate this as a BSides organizer this is huge for us and having to quickly shift and do this all virtual has been taxing and we've had some choice words with each other but in the end it's all worked out so thank you guys for showing up my talk is called we all have choices and I'm a BSides organizer and adult day care and I'll explain that later and I'm the Managing Partner of passport security so we all have choices what are our choices every day we have choices when we want to wake up what we're gonna eat who to text who to call what email to answer very simple
choices every day and then we have life of choices life choices are the biggest and didn't excuse me most difficult to make and they likely change our lives forever and sometimes choices are made that choices are made for you and they impact your life and change your life forever the phrase we all have choices was said to me very early in my Information Security career by a director that I worked with when I was at the airline so I will actually excuse me so sorry I will actually get to all of that next so it was I'm sure everybody is familiar with what we call hacker summer camp right it's Black Hat and BSides Las Vegas and DEF CON all back to back in
the summertime and we affectionately started calling it hacker summer camp and so this last summer I was at hacker summer camp and I had already attended the first day of BSides Las Vegas and it was day two and I got a text from my boss that morning that said can you hop on quick call at 8:30 your time and it was pretty early it was you know 6:30 Vegas time if memory serves but I was up and you know getting ready and wanted to get to BSides on time and so I texted him back and said yes either's fine and then I went checked my calendar to see if he was going to add a meeting to
my calendar and I wasn't seeing it pop on him to my calendar and then 703 he said can I call you now and I said yes and a few minutes later my phone rang from a number that was not his and from what I recognized was a one of our conference room numbers so I answered the phone and it was my boss telling me that I was being laid off and you know there was a lot of things going on that were out of you know our control financially and whatnot and I was being let go the blow was that I was in Vegas at a conference you know on behalf of the company I was working for at the
time and you know it's difficult to be told that you're being laid off you take it very personally which I did at the time and it was just hard to hear so you know I kind of tried to catch myself and figure out what I needed to do next and my first thought was you know go to BSides you know immediately start talking to all of her careers they're connecting with them you know you got this I just wasn't feeling it at the time and I just didn't feel like I could have a a thoughtful conversation about what had just happened to me a couple of hours earlier and and then you know shift and try to go quickly find another
job so I ended up deciding to fly home early and leave hacker summer camp I just didn't feel like I could spend any more time there I'm Vegas is hard as it is so I ended up jumping on a plane came home but before I'd left I sent out a tweet and my Twitter is that jet-setting bet and I set that up very long ago when I was traveling all the time for business and it just I have no idea how I come up with anyways and so I sent out a tweet and my tweet said here's a blow go to Vegas for hacker summer camp and get laid off while you're out there yes it
happened to me and four of my colleagues within minutes I had new followers I had retweets I had DMs my DMs were so full that I couldn't answer fast enough people were retweeting people were messaging me they were finding me on LinkedIn very quickly there was offers you know people asking me are you still here in Vegas let me meet you come meet me for coffee meet me for a drink meet me at BSides let's talk how can I help you it was an incredible change and what had just happened and people I didn't really know in person were offering to help we're saying send me your resume and half you know what can I do
who can I connect you with can you meet it was just an incredible response and that was a huge relief to me because you know his hearing that you just got laid off and then having this response from you know this community was an amazing thing for me and kind of set things in motion from that point forward so where did this all start I didn't go to college to get a CS degree or an electrical engineering degree my degree's in psychology which actually fits me perfectly but when I got out of college I wanted to join the FBI and at the time they were not hiring so I moved to Washington DC where I knew
one person and started working some temp jobs and kind of stumbled into a government contractor where I had the opportunity to I was doing database entry and the director of IT came to me and said you see McMartin what you're doing in this database entry stuff if I got you some training would you be interested in joining my team so I said yes and he threw me into Novell 3x training I don't know if anyone remembers that Lotus Notes Windows I mean this is early Windows so tells you that I'm old but yeah I started working and learning all about networks and networking and email which was very new at the time and Windows 95 I remember
the first time I saw Windows 95 and it was really interesting and cool and you know I was clicking around and thought what am I doing here anyway so I spent four years learning networking I'm looking at my slide it says cabling and stockings I worked for a government contractor and we were required to wear business dress every day and I remember crawling around on the data center floor and a skirt and stockings and heels pulling cables and connecting servers I mean it was horrible and I have no idea why I thought it was a good idea to wear skirts and stockings but it was you know part of how we had to dress when I was
at this government contractor but living in DC was cold and expensive and I decided I needed to live somewhere else so I moved to Atlanta in 97 so post Olympics and started working for what I only call the airline so I'm sure everybody can guess where I was working and I was doing lots of tech support lots of software testing you know learning everything about the which was an amazing thing at the time because I learned a ton about working at the airline and I spoke to pilots and flight attendants and people who worked at the gates and reservations and you know people who worked in the general office I was really you know invested in
in what I was doing at the airline and what I was learning and I got to see really cool things you know Delta made a huge shift what they called Airport renewal and they were getting off with at the time what they call green screens and moving to Windows workstations and that was a massive shift for the airline industry at the time and it was actually very cool to be a part of it to see and I got to go out to the gates and you know they would shut a gate down at night and we would walk up and just immediately yank all the equipment out and start cabling up all of the new
workstations which were Windows machines you know getting that ready we would call it gate renewal and then the next day when that gate came up you know it was on all new machines all new software and just a very big shift for the airline and so I did that until about 2006 and then I decided well a big event happened in 2006 I had my daughter and that's her one of her first baby pictures her name is Regan and I'm sure if anybody has had children you realize very quickly how much your life changes when you have a child and your priority shift and you want to do big things with all you know you have another human that
you're responsible for and I decided I was you know I had a lot of security friends and I decided I wanted to shift a little bit more out of IT and jump into security so I went to my boss at the time and he said you know what do you want to do and I said I think I want to do IT project management I'm a natural organizer so I thought it would be a great fit for me and he said perfect I've got the airline has to get PCI compliant and so how about you go manage that and at the time I didn't know what PCI was and I didn't really know what that meant for
the airline so I jumped into the deep the deep part of the pool and I said let's do this and in the end it was the smartest and best thing I did with my career because it shifted me away from just being an IT but to security and you know for better for worse you know about PCI you know people hate it and it gets just a checkbox but I learned a ton and you know we were responsible there's a ton of credit cards floating through an airline system and I had a huge responsibility and I had to you know quickly learn when I was walked talking to the networking team what they were talking about when it came to firewalls
and to the routers and how to you know what those changes meant and so you know I spent a lot of time listening and going back to people and asking for their you know input and saying you know teach me this how can I learn this and I don't do well with just reading books I am learned you so I you know ask people to show me and to kind of guide me and it just all started clicking and making sense and I just decided you know this is what I'm going to do I am going to really stick with this and not necessarily just PCI but I really wanted to broaden in security and it's what I
did and I had a you know a lot of opportunities from people who really just you know pulled me up and gave me an opportunity so I was you know got the airline PCI compliant which is huge and then went into you know steady state and still continuing what I was doing but when I was there you know we brought in a lot of consultants to help us with the project and I got very close with them because we travel together we had to go to all the airports and see how each airport was functioning differently and how they were managing credit cards and all this stuff so I got very close with all of the consultants I
was working with to the point where they asked me if I was ever interested in leaving the airline and the thought of jumping into consulting had never crossed my mind I didn't think that it was something I was geared for and being at the airline was a fairly safe I mean you know there's lots of ups and downs in the airline obviously there's a lot right now but it was a fairly stable position for me and I was proud of what I had accomplished and but the opportunity was just too enticing and so in 2010 I left and went to work for one of my mentors who I respect incredibly his name is Brandon Williams and I went
and worked at EMC and RSA RSA had just joined forces with EMC at the time and I was going to be a security consultant and honestly I didn't really know what that meant and I remember going into my first client which was in Minneapolis and I had read the statement of work and I knew the RSA tools that were going to get deployed but I was coming in ahead of the RSA tools they were about to get DLP and I needed to prepare the organization to get DLP before they just flipped the switch and I thought what am I doing here what am I talking about what do I need to do I needed a plan I
needed a playlist of what I was going to do and I was there and it just wasn't obvious to me so I called another one of my mentors and I said I have no idea what I'm doing and I'm gonna get fired and they're gonna think I'm a fraud and he said no no you know exactly what you're doing you were fully prepared for this you are going to walk in and you're going to do what you do Yvette he said you are personable and you're smart and you know what you're doing you just feel like you don't know what you're doing but you're gonna go in and you're gonna set some meetings and you're gonna
listen and you're going to figure it out and he said I promise you within 24 hours you're gonna feel much more safe about what you're doing than you did before and he was absolutely right I followed that instruction and I did and it was my first engagement and I believe it was fairly successful but it gave me the confidence to continue growing in that space and learning and you know realizing that I can trust what I'm doing and you know I'm not gonna know everything right away and that's what you do when you first go in as a consultant you are sucking from the firehose and you're learning everything about that network and about teams and
about politics in the organization and how they run and I quickly figured that out so what is consulting you know technically consultants advise they pull from their experience industry understanding problem solving abilities and offer valuable advice what people have told me in a joking way what consultants really do is they borrow your watch and tell you the time and charge you for it which that's why I call this adult daycare because it just seems funny for me to go into organizations and tell people what to do and how to do it and sometimes I still think you know you could learn this you know this why are you bringing me in why are you paying me to come in and and I
feel like tell you what you already know but you know not everybody does know what I know and or you know they don't have the same experience that I do and so you know I've grabbed onto that and really hung clung to it and you know reminded myself that the information I have and experience I have is very valuable I you know was a QSA for a while and I hated every second of it I didn't I loved the work and I loved what I was learning I didn't love writing reports and I certainly didn't feel comfortable signing my name to a report when I didn't feel comfortable that you know the next day there
wouldn't be a breach and somebody would come to me and say hey Yvette you said they were compliant and now this is happening that was very scary for me but I loved the work and I ended up that was a short stint for my life and I ended up maintaining the QSA and going to PwC which was an incredible opportunity for me because I respected PwC a lot and I had worked with their consultants before and it was a huge opportunity and I decided I was going to jump in and even though I had a small child at the time I knew it was going to be taxing on my time on my life and that
but I knew I would learn a lot in a very short period of time and I did I learned a ton and you know I traveled and I got to go to cool places and then I got to go to not so cool places when it was you know freezing cold outside I had great clients and I saw very cool things I did breach response and you know when people's hair is on fire and they're just trying to stop the bleeding I got to participate in in you know opportunities like that engagements like that and I got to work with some of the smartest people I've ever worked for and that was an incredible opportunity for
me and you know very thrilling I also got to join a podcast so if immitating is the Southern Fried Security Podcast which here's our here's our sticker I found these yesterday I joined that and again that was another thing that I thought I have no idea what I'm doing and probably the first few podcasts that I was on I didn't talk very much because I just didn't know how to podcast or what to say or where to jump in and it took me a few podcasts in before I finally found my footing and to the point where you know there was times where not everybody could join the podcast and I was doing it you know by
myself or with nobody else joining me and leading these podcasts but it was actually very cool and I loved it so I joined the executive advisory board for ISSA that was awkward that was given to me as an opportunity and I I'm sorry it's the editorial advisory board so we review all the submissions for the journal before the journal comes out and that is a really cool thing because I get to read all these different articles and and read about what people are doing and their opinion and facts and very cool thing then I left PwC for very personal reasons it was just time and I had some personal things going on in my life that
I needed to change and shift so I left and went to work for a start-up which was really cool I didn't you know what I knew about the cloud was probably you know this much and when I left you know I know this much and it you know working at a start-up everything was very cutting edge and moved really quickly and there was no red tape you just did things and I didn't have to go through you know 20 different people to get approval and things had to go quickly and I had to learn quickly and so that was an opportunity for me to learn you know more about the cloud and AWS and how security works in AWS and yes I know
the cloud is still a computer but you know things are very different in the cloud and I got to learn about you know Kubernetes and you know Docker and containerization and GitHub and putting your code in GitHub and I just another opportunity where I learned a ton in a very short period of time and you know when I was there I was focusing on you know everything security so I was responsible for everything GRC so you know I did all of you know the risks that came through I was working on privacy they decided they wanted to get one of the solutions PCI compliant so I had to figure out how to take a clouds
through PCI we worked on a lot of compliance initiatives I was responsible for security awareness I launched phishing campaigns I met with again some of the smartest people I've ever worked with before and learned a ton in a very short period of time you know everybody was very helpful and rolled their sleeves up to get stuff done and we were there and that was a huge help to me and I actually loved every minute of it and then so it was 2017 and the picture that you see on the right I'm a huge soccer fan specifically Manchester United and Atlanta United and I don't love this picture because it's a picture of me I
love this picture because of the guy in the background my friend took this picture of me actually my friends a daughter took this picture of she and I and it kind of captures me perfectly you know with a smile on my face and you know love being with my friends and loved being in Atlanta United matches but the guy in the background who's chugging the beer I just think this picture is hilarious because we just happened to capture it and he's chugging that beer and I don't even know that guy but I just thought it was a funny picture anyway so 2017 a very dear friend at the time a dear person in my life came to me and said you know do you
know any pen testers do you know anyone who can write an information security policy do you know anything about you know the the New York the NYDFS cybersecurity guidelines and I said yeah me I can write an information security policy I do know pen testers these are all my friends these are the people I hang out with these are the people I go to BSides with yes I do know pen testers yes I knew I do know about these guidelines and it was then said you know you should start a company and my first thought was what no I'm I'm not starting a company what are you talking about and I thought you know what maybe I'll crank
out some policies and maybe we'll do a couple pen tests you know this will be great vacation money and so I kind of just stumbled into this I started a company and you know we came up with a name and we register it with a state and this was supposed to be part time and and it was for a long time you know I was doing this after hours I focused on my my day job and was doing that and then would come home and do some work on my own company and um but my company was building and it was getting traction and I was juggling a lot I was spending you know long nights
and part of my weekend and early mornings and my lunch time you know jumping on calls with clients and it was becoming a lot and I was beginning to think that there was going to be a time either I needed to make a choice and either I needed to jump into my company and do it full-time or I needed to step away and hand it over until I was maybe fully ready to do that and so um you know then as things happen things happen so you know then back to September 19 or September of 2019 you know I had lost you know I lost my job in August and my first part my first thinking was you know one of the
smartest things I ever do is I always have my resume current I was able to quickly send out my resume and talk with recruiters and have calls and do interviews and I had offers and but in the back of my mind I thought maybe this is you know the universe giving me this push that I need and maybe you should just do your company um I had just been in Vegas with my business partners and you know we'd had a very poignant conversation to say which one of us is gonna leave our full-time job first and it ended up being me and it was a push that was uncomfortable and scary at the time and I took very personally but in
the end it was the right thing and I decided you know I'm gonna do this I'm gonna make this work I'm going to I'm gonna do this company I you know I started this let's let's do this let's jump in and so I did you know I started reaching out to my own clients I started you know in the past I'd been saying no to engagements because I couldn't travel I couldn't you know I didn't have full-time hours I could only offer you know very limited hours a week and I started going back to those clients and saying I have time I have bandwidth I have availability let's go and that's what I did so today I am the Managing
Partner of password security we have two security practices security testing which is what I call the hackers and then consulting which has grown exponentially in the last year where you know I have full time resources and you know we're all heads down especially now we're getting tons of requests from people wanting to do a business continuity planning specifically pandemic and so that's all that's all coming through and my company is thriving and it's growing and I'm doing it full-time and my business partners are doing it full-time and it is a tremendous opportunity and I am grateful you know how did I get here it's people it's people in this industry in people in the community and you know everybody
at BSides mister we all have choices you know he got me here Martin Fisher he's a huge mentor in my life and has really helped me along the way and somebody I trust and continue to work with today Brendan Williams and James Addison Adamson I both I worked with both of them at RSA and I've kept in touch with them and you know they have been tremendous mentors in my life all my colleagues at PwC especially a Brandon Clark who I still work with today my family my daughter all the engineering teams at Penn drop they were very huge in helping me learn more about cloud security about like I said Docker Kubernetes everything they were huge in
my career and I'm grateful you know my business partner is that past point and all my colleagues my Taylor and Matt Grantham and Matt Gambrell I work closely with all of them and they are smart and helpful and I appreciate you know all of their hard work and helping again me get here and then you know the partner my in the love of my life who said you should start a company and so he he's a huge part of my life and I appreciate everything he's done uh thank you so thank you BSides organizers thanks to all the attendees I know this is hard and quirky and weird but we really appreciate you guys joining us in this
virtual con I have my cucumber melon antibacterial stuff and thank you sponsors you know we couldn't do this without any of you and we are grateful for people you know volunteering and you know giving us money and you know trusting us to do this we are incredibly lucky and I personally as an organizer am incredibly grateful so thank you and that is my talk so I'm gonna stop the share and I'm going to see I purposely got off Slack let me go back on Slack to see if there's any questions or if anybody wants to let's see let me go to my chat okay is there any questions or comments that awesome well thank you this is good feedback I
appreciate it all right well I don't see any questions but I see lots of great comments thank you I appreciate all the really nice things that everybody is saying that you know about my presentations it's very nice with that I think major surprising lessons learned starting a company you know I don't I didn't know you know how do how do you set up billing how do you how do you I I'm I have a tendency to want to give away my I give away my time and just because I love what I do so much and so you know I had to learn that my time is valuable and I'm not gonna you know just give it
away and how to bill people for it and how to actually collect money from people that is a difficult thing to do that's not something I knew how to do and so I learned a lot and just how to you know run a business and and how do you know figure it out along the way and I've made mistakes but I bounced back and I made it work so those are one of my biggest lessons learned okay I don't see any more questions but I see lots of great comments and oh tell me how you would get your foot in the door with a security company being fresh out of school that is difficult because in this
industry they want you to it's hard to prove yourself and I am very lucky you know I I have a a good resume and so you know like I said I don't have any degree or CS degree but you know keep reaching out to people in in that company and you know see if there's an opportunity to just meet with anybody who works on the team that you want to work with and just grab a coffee or grab a drink and connect with them you have to be able to prove that you you know what you know and it's hard to do that without being able to get your foot in the door or get
past a recruiter so you know try to find ways to connect with them show up at BSides you know you're you never know who you're going to meet at a BSides and you know reach out to you know find mentors in this industry people are always wanting to mentor you know find a mentor who can help you and who can support your growing let's see any other questions yep have you had an uptick in the work yes yes there has been so we have lots of requests to do a business continuity planning and almost nobody's plan has included pandemic response and so we have gotten an uptick in obviously backs you know everybody wants to include
pandemic response in their plan now and wants to include pandemic and their tabletop and so we're getting a ton of requests for that a lot of my projects have stopped and paused simply because everybody's just trying to get their arms around getting their employees remote and working and getting out a schedule but you know now everybody's coming back around and saying now what how do we respond to this pandemic response or you know we need to include this in our plan or now we're really thinking about security because you know breaches are happy continuing to happen and bad things are continue to happen so you know we're how did help us now we need a policy and you know now so yes
there's been a huge uptick in my business and everybody works very remotely which is awesome so I can work wherever I want to yeah I get out there and volunteer for sure it's it's the it's the right way to go and you never know who you're gonna meet and who's hiring a lot of its relationships and you know you you're gonna have to prove you know what you know don't just throw things on your resume if you spent five minutes but please you know connect with those people and you know make sure that you have those relationships that's gonna continue to help you grow your career