
All right, BSides Rochester, how are you guys? Sweet, they're awake. It is like crazy early in the morning, or at least it is for me, 'cause I've been on the road all week. I did the West Coast, I did the East Coast, I've been everywhere. So I actually had the experience of waking up the other day where I had three clocks that all said three different things, and I didn't know what day it was, I didn't know what time it was, I didn't know where I was. But I'm here and you're here and it is awesome. I'm so excited to be here, this is super cool. So let's dive in
right away. I got a question for you. Show of hands: how many of you were that kid? You know what I'm talking about, right? Every toy got taken apart, we wanted to figure out how it worked, everything had super cool technology in it that we wanted to know how it worked. I was no different. You know, I got my first exposure to computers when I was four. So my father was an accountant, they were converting an accounting system, blah blah blah blah blah. Long story short, he brought home his computer over the holidays so that he didn't have to sit in an empty office by himself closing the books, converting the system,
doing all this stuff. So 1981, I'm going to say my father pioneered working from home. You can argue that, but, you know, I'm sure someone probably did it before then. But that got me started, and it was that curiosity: I always wanted to know how did this stuff work. You know, it's why I took apart all my toys, it's why I took apart, much to my parents' frustration, you know, things like the VCR, the TV. People in here do know what VCRs are, right? Yeah, I can't even make that reference anymore. But we're going to get even better, I haven't ended yet, dating myself here. So, but yeah, so
that's where my world started. That to me is the core of a hacker identity, right? And this is why I tell people, like, I've been a hacker my entire life. It's not something I became, it's not something I wanted to be, it's just who I was. So, 12 years old, let's fast forward a few years. I'm 12, I wanted money to spend, I went and got a paper route. Now, by this point I had already been, you know, like I said, I got my first experience with computers. I was fortunate enough to be in a school where we actually had a computer lab. Started off with Trash-80s that didn't have any disk drives, so they were
completely useless for anything except typing practice and programming, because when you turned them on, since there was no operating system, they just opened up to a BASIC programming prompt. Sweet. Okay, but so, me, 12 years old, I want to get a paper route. Now there's another reference that a lot of people now don't even understand anymore. But think about this oddity of child labor: like, we send a bunch of kids running around in the wee hours of the morning to throw newspapers on people's doorsteps. But it paid, and I worked hard, and it paid a lot. So I saved up about a thousand, a little over $1,000, and this 12-year-old took a, you know,
thousand some dollars and went to Best Buy and bought a computer. Okay, now maybe by today's standards it's a little more normal. This was the '80s, when, like, we didn't all have these things in our homes, right? Can you imagine being 12 years old, having $1,000 burning a hole in your pocket, and the thing you go buy is a computer? But that's what I wanted, that's what I was into. That is the computer I bought: Epson Equity something something. That's the computer. And a little while later I bought a modem. Oh, the world gets started now, right? How many of you remember this screen? Yes. You got the disk, it came with the computer, or in my case I think it
actually came with the modem. "Hey, 23 hours, just sign up and go." Cool. Little 12-year-old me pops it in, you know, loads it up, fires up the program. Whoops, I jumped ahead. Come on, come back to me. There's Prodigy. So 12-year-old me, you know, I set this thing up and whatever, I use up my 20 hours. Now, news flash: most 12-year-olds in the '80s didn't have credit cards, probably still don't today. So 20 hours ran out, what am I going to do? I was playing games, I liked Prodigy, I was talking to people, it was really, really cool. But my 20 hours is gone. My parents weren't going to pay for that.
Yeah, I went to the library. I got books on UART and serial comms and modem control languages. I learned the Hayes instruction set. I got into all sorts of stuff. Found this cool little thing that today we would call client-side validation: that's where the authentication happened. All right, there was nothing on the server side to stop you. If you had the flag in the client, you dialed up, you were in. I had free access to Prodigy. I did that for two years, they never fixed it. I mean, today, oh my God, I'm sure I would get busted, right? I mean, there's no way they wouldn't catch that. Like, you know, they probably have reports that run
at everything, you'd see something like that. But back then no one knew. It was great. And see, I can say this now 'cause the statute of limitations on the CFAA has passed. Trust me, I made sure of that too. Like, can't admit to this stuff. So that was '89, '90, '91-ish, maybe. But something really cool happened in 1991. Anyone know what happened in 1991? The internet came to us, it was made public to us to use. So now I'm this crazy teenager who is the complete geek, completely just, you know, I'm the bullied one, no one understands who I am, what is this stuff that I'm doing. I found this. How many of you slapped somebody with a
trout? IRC, yes, yes. Oh my God, I found my family there. I got on the internet, I found IRC, I found my way into Undernet, and I started to find some really cool rooms in Undernet where people were doing the same kinds of things I was doing. It was incredible. I found these people, it was like, you actually get me. No one at school does, they all think I'm insane. They got me. My family was there through those years of high school age, where you're learning how to be you and you're trying to figure out who the heck you even is. I was in there with those folks, again shaping my identity as a
hacker. Just from the very beginning, it is always something that's been there with me. But then I had to do the adult thing, I had to start adulting. I had to get a job. Oh my God, I had to go to school. I went to college, thought I was going to be a doctor. By the way, quick side note: three semesters of college-level chemistry will tell you very fast if you are actually cut out to be a doctor. That wasn't happening. I'm telling you, these people, oh my God. I realized I was not ready for this. I'm on a Friday night, I'm like, "Okay, where's the party?" Everybody else in
their room's on, "It's Friday night, where's our study room?" It's Friday night, come on y'all, let's go party. Nope, no. So I found out really fast that was not for me. I got into a computer science degree program at Marquette University. Okay, cool, I know how to program, I've been doing this for a while, this should be super easy, right? Yeah, okay, maybe not. But it worked out. But I was still in that degree program. Now think about this: this is now the late '90s, all right? There was a big thing going on then. Anyone hear this? We call it the dot-com boom. Man, if you could write hello world, they were hiring you. Okay, I mean, like,
they needed programmers so fast. No one knew what this internet thing was going to be. If you could do it, they wanted you. So while I was still working there I got my first job, at M&I Data Services. I was a programmer. I was a programmer there for nine years before somebody came to me from the information security team and said, "Hey, I want you to come join our information security team. We've got a security test team I want you to be a part of." The hell is a security test team? "Oh, you're going to do penetration testing." What the... I don't know what that is. This is, like, the first real life-changing moment, I would
say, in my career, was she says to me, "You're smart, you'll figure it out. That's why I want you." You hear that come at you, like, that tells you, I don't care how scary it is, you know, to jump off this cliff. Like, oh my God, someone believes in me that much? I'm there. I did it. Joined the security test team. Within a year I was leading the security test team. We were responsible for penetration testing, vulnerability management, all the way across that entire organization. At the time we were about 6,500 people. We were now named Metavante. Few years later we got bought out by a big company you might still
know today: FIS. Any of you that work in financial services, you've definitely heard of these folks. Largest financial services provider, and by services provider I mean they are like SaaS apps these days, for banks, for insurance companies, for mutual funds, you name it, they do all of that. And I'm 29 years old, leading vulnerability management and penetration testing for this Fortune 200 company, all because someone said, "You're smart, you'll figure it out." Never even knew this could be a job. So my, you know, 15 years I spent in financial services, I'm out. I need to see something else. There's more to the world than financial services, I'm tired of banking. I went and
I started working at FishNet. Well, want to guess who they put me on for clients? Financial services. But I did get to see some other really cool stuff before they merged with Accuvant, and I said, yep, Optiv, see you, bye. Went to Aspect Security. Took a leap here, because they said, "Hey, we want you to be the leader for our program services practice." Okay, here I am again: what the hell does that mean? Come on. And they tell me, "Okay, you're going to work with, you know, high-level security leaders, you're going to work with CEOs, CIOs, you're going to help them build application security programs in their massive financial services companies." Man, that just never went away.
But, you know, again I'm like, wait, wait, I've been, you know, leading a pentest team at FishNet. You want me to work with, like, these executive people? Are you crazy? Have you met me? You want me to talk to them? Okay, fine. So here we go. So I take that on, right? They, great, like, again they believed in me, and that went really super cool. Another thing that was really scary about that was, 50-people company. I had never worked for a company that small. Super cool, it ended up being a great experience, right up until they got bought by Ernst & Young. Talk about culture shock. Holy crap, I went from 50 people, where I
knew everybody I worked with, to 250,000. No one knew who the hell I was. So I got out of that pretty fast. I went to CDW. There's a name I'm sure you all heard. Walking into CDW, and I'm sitting there thinking, you know, the number of times I have complained and moaned and groaned about our VARs, our resellers. I'm going to the enemy, yay. All right, so I did that. I got in there and, you know, it ended up being a really good experience. That's when I really started getting into this, coming and sharing time with all you, being here, you know, standing in front of rooms of people, mostly because
it was a great way to meet people at conferences. I didn't stand around awkwardly in the hall anymore, now I could, like, meet people. That was cool. But so, it was another step. Then I decided, okay, I haven't worked for enough of the enemy yet, I'm actually going to go work for a vendor, and I joined Snyk. All right, cool, first time with a startup. That was an exciting experience, but again a leap of faith, because I had never worked for a vendor, I had never worked in a startup. I'd heard all sorts of horror stories about working for startups. Turns out Snyk is pretty kind of cool, you know, I like them. So I was at CDW for 18 months, then
I went to Snyk. I worked for Snyk for exactly, to the day, one year. Why exactly one year? Because that's when my stock vested. I didn't actually intend to leave, though, don't get me wrong. I wasn't like, I planned this out. No, it was, I got another serendipitous opportunity. Colleague of mine worked at S&P Global, she was the CISO. She said, "Hey, you know, we need a BISO, a business information security officer." So here's Alyssa once again: what the hell is a BISO? All right, dig in, find out. This sounds really cool. Wait, okay, so I'm going to lead the cyber security program for a division of the company, not the whole company. All right, I got that, that makes sense,
I can do that. Hopped in there and I'm thinking, oh, this is going to be cool, I'm going to work in this business and I'm going to, you know, work with the development teams and tell them all about security and whatever. You know what I spent most of my time doing? Telling that freaking CISO organization, you all are idiots and you're screwing up the business, you need to do this different. But it was exciting, it was fun, it was a new challenge. I learned a ton by doing that. But I was there 18 months, because then I got another serendipitous opportunity. Another colleague of mine came to me and said, hey, I'm leaving
my position at Epiq, I'm going to go join a big financial services company. Of course they're doing a search. If you have any interest, just, you know, shoot your resume to this email and I'm sure somebody will be in touch. Couple months later I'm sitting at RSA, I get a phone call: "Yeah, we're going to send you an offer letter, but here, let's talk it through." I stand here now 8 months later; I've been a CISO for 8 months. For me that was kind of like the culmination, like that was the goal, that was the thing I looked to for all my career. But the theme here is, hopefully you've picked up on a couple things: that
uncertainty, that desire, that willingness to jump and take a chance, to do something I didn't think I could do, to do something I didn't even know what it was. But it was that curiosity to see something new, to learn how it worked, to see what does a BISO do, what is program services, what does it mean to build an application security program. All of these things, it was all new and different, and there were so many lessons learned in this process, let me tell you. So let's talk about some of these lessons learned, because these are the things I think for you as you go through your career, whether your desire is to get to a CISO, whether your desire is, hey,
I'm a hacker today and I just want to get into, you know, more of a corporate job. Yeah, I know, shivers and chills and cringes, I get it. But these are going to be important lessons for you to understand, because if you want to build a career here, I think these are things that are going to be helpful. So let's start at the beginning. First and foremost: mistakes will happen. See this query here? Okay, some of you that know SQL are already laughing, because you know what the next part of this story is. 2.4 million rows affected. And that was the look on my face. This ran in production. This code was supposed to
have been commented. It was not. I also did something, and I tried to go back and remember what it was, there was something else about the way I wrote out this whole PL/SQL block that it bypassed the two-stage commit, so there was no rollback. Two and a half million payment instructions, because at FIS what I worked on was their bill payment system. But you know what? No one yelled at me, no one told me I was an idiot. We dug in, we fixed it. You know why? Because everybody in this industry has a story like this. It happens to all of us. We spent three days recovering from this, because, you know, again, this is
early, mid '90s, late '90s I guess, no, 2000s. But still, we didn't have systems like we have today, where we can immediately mirror stuff in the cloud and do all sorts of really cool stuff for backups, right? No, no, no, this was, we had one backup a day. So the solution was: you take the backup, recover to that point, then you take the application logs from the eight application servers across this multi-tier application, you take all those logs and you replay them. So we had to replay, like, gigabytes worth of log in order to get the database back to the point where it was when I deleted all those payments. Everybody has done this. If you
haven't had a story like this yet, you're going to have one. The thing to remember is this happens to everybody. It does not mean that you're a screw-up, it does not mean that you're just not cut out for this. Stay the course, because these things happen. This is how we learn. I will guarantee you I never again had a query that ran without a very, very controllable two-stage commit. I also approached these things a little different when I was building this. I also didn't run things in production, but, you know, that's another story. So the second lesson, this is one I think we in security are starting to learn, but I need to stress it: fear is not a
motivator. There's a lot of conversation in the cyber security industry about the use of FUD and how ineffective it is. FUD: fear, uncertainty and doubt, if you're not familiar. For as long as I've been in security, we have loved to go to people and tell them, "Well, if you do this, the whole world is going to explode." But the world never explodes. Neuroscience tells us, when you try to lead with fear, you're going to try to motivate somebody with fear, it does not work. And here's why, it's really simple. Because what does fear do? Fear elicits a flight or... fight-or-flight response, let's get that right. But the reality is our default as
humans, part of the human condition, is, in a fight-or-flight scenario, our default, even for, you know, the crazy, crazy aggressive folks out there, our default still is flight first. We try to avoid it. You tell a child, "Hey, if you go in that lake you're going to drown," they kind of stay away from the water. Sometimes. I mean, kids are kind of dumb too, I've got three of my own. But, you know, you tell them, "You're going to get burned if you touch that hot stove," they stay away. You start telling an executive, you start telling your CISO, you start telling your manager, hey, this really horrible thing is going to happen if we
do this, they avoid you. And that's what ends up happening. So this is where we get surveys done in the UK where they tell us that, you know, 75% of the executive suite looks at the CISO as the doom and gloom mongers, right? I mean, that's not how we as cyber security people get what we're looking for. We're trying to get them to invest in us, we want them to take positive action, we want them to make changes in the organization. But when we lead with fear they just avoid us. They say, "Get out of here, I don't want you in my boardroom, go away." Now that's becoming less and less common, because they're kind of getting
forced to have us in the boardroom, but that's another story. But that fear leads to my next lesson, and that is: infosec advice is very nuanced. How many of you have heard this: never let a good crisis go to waste? Right, sounds great, and the meaning behind it makes sense. But here's the problem. A lot of times we think never let a good crisis go to waste, that means, yeah, yeah, yeah, we had a breach, so now I've got an open checkbook. Well, maybe you do, and I can speak from experience that, yes, that happens, right? And we see it, you know, companies spend more on cyber security in the 18 months following a breach than
they do at any other time. It's astronomically different. But there comes a reckoning to that, because if you're spending money hand over fist and you're not making progress, you're not making demonstrable progress, or you're not helping them understand how cyber security is a process, what happens when you get breached again and now they're asking about that open checkbook they gave
you? The value in a breach is building a culture of security awareness. I work in an organization that had a breach in 2020, and I can tell you this because it was widely publicized. Our competitors, up until recently, now that they're all suddenly getting breached, have been using it against us. And when I say breach, I don't even mean data breach, I mean we had a ransomware event. They actually didn't lose any data, nothing got exposed, but they had systems that were down for days and weeks 'cause they were completely unprepared. My predecessor was basically given that open checkbook. But the important thing is that we have a solid culture,
because everybody remembers this. You get onboarded to this organization, and I just went through it, it's like palpable. It's the first thing you hear about, this infamous event of 2020. By the way, our phishing tests, yeah, we do phishing tests, I know, but there's still a tool. 2% click rate. Do you know what the industry average is? It's 10%. We sent out an email, I kid you not, this is the most amazing thing, just happened this week. We sent out an email from the security team, big bold letters across the top, it says, "This is not spam, you need to follow these instructions." I got five emails from people saying, is this really
legit? Bravo to you, thank you for emailing me that, because that's amazing. Yeah, yes, that's how I want people thinking. That is how you make value out of a crisis. It's not about fear, but it's about saying, "Hey, we experienced this thing, we don't want to go back to that. Here's some things we can do, here's how we can help you protect yourselves." We're proactive. You know, this whole thing with SVB came up this week, right? I think you might have heard something about this. A little bank out in California had some problems, they got shut down. Holy crap, can't remember the last time a bank was taken over by the FDIC. There you go, okay, she knows: 2008. I
love it. Oh, my friend's... WaMu, yeah. But no, so we sent out proactive communication, but the communication wasn't just, "Hey, you know, we might get this email at work." It was, "Hey, you might see spam at home, you might get phishing attempts at home, here's what you need to educate your family on." Helping people really understand, see how this connects with their life, that's where you find value in a crisis. All right, next lesson: we say incredibly dumb things in this industry. Incredibly dumb things. How many of you have said this? It's okay, because I have too, right? There's only two types of companies: those that have been breached and those that don't know
they've been breached yet. Or, you know, it's not if you get hacked but when. The thing is, okay, so, not picking on Robert Mueller, I mean, okay, former FBI director, we can argue all day about that dude. But the reality is this is kind of back to that nuance thing too, right? Like, the meaning behind this is right, like, we understand it, right? The point here is we're saying technology is always evolving. For us to say that we're going to be "breach proof", actual words seen at Black Hat, just not going to happen, right? So, I mean, let me tell you how dumb this is, and I say dumb because it
is, because it's counterproductive to you as a cyber security person. You're going to go to your cyber security leader, or you're going to go to your executives, you're going to go to the board, and you're going to walk into that room and you're going to say, "Well, it's not if we get breached but when. Now spend $10,000 or $10 million or $100 million on the solution so we don't get breached." You just told me you can't stop it. So the idea here is right, but man, is that not the right way to go about it. You're trying to help them understand that, hey, you know what, technology is always evolving, so we have to always
be evolving with it. We're building a program here, we're building this out. So I can't stop you. We're going to focus on resiliency instead. We're going to try to stop them, we're going to do everything we can, but the key is we need to be resilient when they do break through. Now let's start talking about you in your career. Moving at your own pace is super important. Now, the cardinal sin of, like, you know, presentation is putting in an animated GIF, because I can already see all the eyes are, like, glued to her, which is cool. But I did this because I wanted to catch the whole phrase. It's not just your own pace: listen to your breath in
your body and get started. And what I mean by this is there's going to be two forces that will impact you in the development of your career. One force is going to be the pressure that you're going to feel, probably from up here, in yourself, but you will get it from other people too, to move as fast as you can. You got to keep going, you got to keep progressing, you got to set another goal, you got to go get that goal, and then you got to achieve that and you got to set another goal, you got to get there, you got to set up a one-year, three-year, five-year, 10-year
plan. It's just exhausting to even say it. Find your pace. There's nothing that says you have to get there tomorrow. Enjoy this ride, because you're going to have a lot of fun with it. On the flip side, you're going to get pressure from people who are going to tell you you're trying to move too fast, slow down, just work that job for a while. Why did I tell you that I spent 18 months, then one year, then 18 months at jobs? Because what did people tell you? "Oh, that's horrible, you're job hopping, what are you doing, don't do that." I wouldn't be a CISO right now if I'd listened to that advice. So find what's meaningful to you.
Don't let artificial outside influences like that tell you what the right thing is for you to do. I didn't seek out to spend 18 months, then one year, then 18 months, and jump and jump and jump. They were opportunities that came my way, but they were opportunities I knew I could take advantage of, they were opportunities I knew I could be good at, or I was pretty sure I could be anyway. So I did it, and it worked out. So find your pace, and that pace may change, it's going to ebb and flow. But don't let those outside voices, or the voices in your own head, stop you from going at the pace that fits and
makes you comfortable. Here's another one, this is really important: titles don't matter. How many of you have said that? I have, and I can tell you it hurt my career. What I found: so titles don't matter, until they do. What do I mean by that? Nobody wants to be that person that's seen as, like, just, you know, all about the title, right? And I get that, right? Like, I mean, comparing titles and being like, "Oh, you're a manager but I'm a senior manager, therefore I am better than you." Yeah, kiss off, you know, I mean, [ __ ], shut up, we're all here together. In fact, my teams know that they're not allowed to
call me boss. They don't work for me, I work with them, they work for the company. Like, you know, that's like the first thing I tell any team: use that word boss, we're going to have problems. No, you're the smart people. Titles don't matter in that sense. But where titles do matter is in the development of your career. Okay, titles matter. Titles are an insidious thing that companies will use to hold you back. I've taken titles that I knew were, quote unquote, beneath me, and by that I just simply mean I was overqualified for them. Okay, went to a company, I'm not going to tell you which one of the many that you saw up there, you can guess. I
was interviewing for a director role. They said, "Oh, well, we're going to fill the director role with somebody else, it's an internal candidate." Okay, fine, great. "No, no, no, wait, wait, wait, but we're going to create a job for you, we want to bring you in as a manager." I'm a manager already. "Yeah, but you're going to build a team." Okay, cool, I'll do it. Well, it was great. I mean, I really had a good time, I built an amazing team, they were an incredibly powerful set of consultants. Uh oh, now I'm just kind of getting closer to exposing who it was. But no, seriously, I mean, wonderful, I learned a ton. But then when it came time to go to
the next job, they're looking at my resume, they say, "Oh, you're a manager, you're not a manager of managers." And that kept me from getting a director position. Son of a [ __ ]. So titles do matter, okay? And it is important that you keep progressing your titles if that's your goal, if you want to continue to move that up. Now, you may get to a point in your career where your pace says, "Hey, you know what, I'm actually cool just being a manager, I'm going to make more of a lateral move." But make sure you're doing that for you. Make sure you're not being pressured and told that you're not enough to be that next level
up. All right, let's have a word: vendors. Now, we have some really amazing sponsors who are really amazing vendors, so I'm going to disclaimer the living crap out of this. First of all, I love vendors. I do, I actually mean that, because vendors make my life easier as a cyber security person, if I as the cyber security person understand what vendors do and what they don't do. The fact of the matter is vendors are chaotic neutral. What do I mean by that? They don't mean bad, they don't mean to do bad things. I believe there are vendors, some of them are very mission focused. I actually had someone from Mandiant come up to me yesterday when
she saw a similar slide to this and said, "I take issue with that." And I said, "Yes, I understand why, because Mandiant is very mission focused, but they are still there to make money." Okay, at the end of the day, while they may care and they don't want to see you get breached, when does Mandiant make the most money? When you get freaking breached. Okay, like, that's what these people do, that is their job, that's how they exist. We live, for better or worse, in a capitalist society, where that's how everything is driven, by the want to make money. So just understand that about your vendors. They may be the nicest people, they will guide you, they will give you
great information, but they are still going to throw some really weird marketing stuff at you. Every new blinky box they bring you, of course, is not going to be the magical wonderful thing. But the biggest thing is, when you see this, this $200-billion-a-year business, understand that you don't have to fill every one of these boxes. Your job as a cyber security professional is to figure out what out of these boxes are the things that your organization needs, or your program needs, or your program is ready to adopt. Because, well, yeah, you know what, I may want to bring in a full cloud security program, I might want to bring in CASB
and all that crazy stuff. If my organization isn't ready to implement that, I'm just going to waste a lot of money and it's never going to get implemented. And let me tell you, that is a mess I'm cleaning up right now, back to that whole, you know, blank check thing. All right, my favorite slide in this whole deck: the board. Board members will ask you dumb questions, but they're not dumb. These people are incredibly smart. There may be some cronyism involved there, sure, but these people do not get these jobs by accident. They are insanely smart people. They know how to build businesses, they've done it, they've got a track record of it. It's why people that
know them want them on their boards. The whole point of a board is to advise, it's to be there to help make sure the company stays focused on what they need to be doing. That's that fiduciary responsibility, right? That's what a board's for. So when you start getting this opportunity, even if it's your executives, the same story, like, these people that don't work in cyber security, a lot of times we like to look at them and say, "Man, they're dumb, they just don't get this." Well, whose job is it to educate them again? All of us. That's our job, we're there to educate them. I will... true story, from a company you know well: walk into a board meeting, start
talking about blah blah blah CISO, blah blah blah CISO, blah blah blah. "Wait, wait, wait, can you stop for a second? What's a CISO?" You're on the board of this massive organization, you don't know what a CISO is? Why? Well, you look at their background and you see why. You see what companies they worked for, you see where they came from. They were working in companies that were very successful but also weren't in a space, at that point in time, where CISOs were really a thing yet. Okay, you're there to educate. What a great opportunity, to be able to explain to somebody what a CISO is, because now I'm able to take that out of the context of
my CISO who full disclosure I wasn't particularly thrilled with at the time and I could express it in idealistic terms this is what a CISO should be doing think about the power of that for a minute I can tell you what a CISO is supposed to be doing so that when you go and look at our CISO that I don't like you'll see what they're doing wrong oh I like that opportunity that's great when you're talking to a board if you have that opportunity to really condition how they're going to govern the company great so what I'm telling you is know your audience here know where they come from know what their motivations are going to be that's how
you start to accelerate because when people see that you can understand that part of it and you can talk to them that matters all right back to your career for a minute let's talk about cyber security job descriptions we suck at hiring in this industry this is a job description one job description this is three pages of you know full 1920 x 1080 that I had to screenshot one at a time name who's this unicorn that has I mean you can't I can't even read these because the the the projector can't even do it right like the there's not even enough resolution as projector to actually render this that's how bad this is so when you're looking for jobs
what I tell people see that big block of text over there it tells you what the company is about and what the job is about read that throw the rest of that crap out all right there's studies out there that have talked about how women you know feel the need to match 70 or 80% of the bullets before they'll apply where men it's like 30% blah blah blah I don't even care about anyway throw that out the window the fact is I don't care who you are look at those paragraphs if that sounds like something you think you can do that sounds like something you think you can step into make a meaningful commitment to maybe you don't
know it all but you can learn it as you go apply because they are not going to find the unicorn that matches all of those bullet points so be the person that sends in the resume that surprises them and says wow this person really looks like they could probably do this job yeah they don't have 10 years of Kubernetes experience they don't have 30 years of AWS wait you know what I'm talking about you've seen these so you know be the person that says hey you know what that's okay your job description sucks but I'm here anyway and I want to take on this job because your next SOC analyst is probably a barista right
now and I can justify this so yesterday I news flash I gave a very similar talk to this yesterday a little bit different but they laughed when I threw this up I'm like wait wait wait don't laugh I mean this so if you take a barista for a minute take all the context of cyber security or coffee rather out of this cyber security too and just focus on to you know let's describe their job in terms where it's not obvious what industry we're talking about all right what do they do they take lots of inputs from multiple sources they take those inputs they translate them into tasks they prioritize those tasks and execute them they execute them with quality all
while at the same time they're also executing maintenance tasks as well doesn't that sound kind of like what I want a SOC analyst doing core transferable skills that transcend industries if you don't have the experience to back up what they're asking for show them where you've got the skills from other jobs and apply that and apply it in those terms take all the industry stuff out of it and just say hey this is stuff I've done and that's the reality all right this is obvious but it's not this is the source of so much impostor syndrome for folks we have this huge domain of cyber security and I apologize for the the lack of contrast
here but we have this huge domain of cyber security and no one not Dave Kennedy and his company who I think is here not you know um not Robert Wagner as smart as he is um I keep looking at you so I got to pick on you now not odd job up here you know I mean he runs a conference but he doesn't know it all either certainly not me we all have our little clouds of knowledge and you notice how these clouds overlap that's the power in cyber security when we each come with our own set of knowledge and we can tie that all together in meaningful ways that's how we get there there is nobody that knows
all this you know it's funny I mean I I picked on Dave Kennedy a second ago he and I were talking months ago I said I brought up some application security topics he's like yeah that's really not my gig I'm like good point you know because you just you see these big names in the industry and you're like you just assume they know it all because they always seem to be talking I always have opinions on it right but that's the reality that's where our power comes from and it's because diversity is not about feelings when we talk about diversity it's not about making people feel good we could argue inclusion might be something about that yes but diversity
is a business value because I don't care how much you want to say that a room full of 10 white men are going to think about every possible eventuality they're not because they don't have the broader diversity of the entire human experience they have their diverse knowledge amongst them yes they all have different experiences but the reality is not one of them knows what it's like to be a black woman in this world not one of them so I did that again so we have to understand a diversity whether it's visual things in terms of race and gender and that sort of thing or if if it's less visual things like neurodiversity and so forth
bringing all those experiences all those different perspectives all those different ways of viewing the world together into those clouds that's what matters that's why diversity is a business value and then the last one I want to throw in here and this one's really actually very important which is why I saved it to the end I said being a CISO is my goal I think being a CISO is a goal for a lot of people in cyber security but not everybody but I also know from personal experience that there are people who have goals of being high level management in cyber security who have actually no interest in being in management at all the reason is because another thing
we're not really good at in cyber security yet is building a good career path for people who don't want to be in management so management just becomes kind of the de facto way you keep accelerating your career so understand that the decision to get into management is the decision to take on a completely different skill set the things required of you to be in a management position you could be a leader without being in management being in management is a very specific set of skills it requires knowledge of things like the topics they teach you in an MBA course right you have to be able to understand the business you're not going to be you're not going to be pushing all
the buttons I mean you know we kind of joke about that I think that's a pretty cliche set of knowledge that okay yeah you know managers you kind of you start to lose your tech chops it happens could I go out tomorrow and write a bunch of Terraform and AWS to spin up a whole bunch of no no I couldn't I understand how that works I understand what it means could I write it hell no that's why I have a team of individuals who do who know that stuff who can write that could I hop in tomorrow on a Palo Alto firewall and start you know writing rules I might be able to feel my way
through it eventually but am I probably going to break something yes that's what being management is about thinking strategically building strategic visions all the things that you know a lot of times we kind of look at like oh that's all that corporate stuff yeah being a manager means you take on all that corporate stuff so make sure that's something that you want to do and for many of you it may very well be but understand the difference all right anybody know this guy some of you do In Mudge We Trust yes that's Mudge do you know this guy that's also [Laughter] Mudge that is that is holy [ __ ] Twitter's a [ __ ] show um but it doesn't
have to look like this either okay so you know you stand up here you look look at Mudge oh wow that was Mudge but that's Mudge like he's in a suit with a tie and he looks all professional cuz he's sitting in front of Congress right now talking okay yeah and that's probably he probably had to wear that a lot at Twitter maybe not I don't know but we that's what we think about when we think about going from being a hacker to being a ciso it's like oh well I'm going to have to start wearing suits and yeah okay I was in an SLT meeting this week and yes I had to put on a suit it
happens you know CEO of the company's going to be there sometimes you you do that but the important thing is that's not every day and that's not how it has to be because what gets you there is this what is that weird ass thing about you that makes you unique what is your weird what is that thing what is it because when you embrace that and you take that and you make that who you are and you own it and you say I don't give a crap who you are this is who I am and you're not going to change it and you use that to your advantage that accelerates your career I will tell you for the large
portion of my career I thought I had to hide the hacker side I thought that was something even when I was ringing a fish n and I'm you know I'm doing application pen test I thought you know well I have to be I have to be you know uh white hat will I say God I hate that term but you know I I got to be a good guy I got to be one of the I got to be a good hacker an ethical hacker oh God I said that one too um I hid it I didn't want to talk about it I thought that that would be a bad thing you know when my career really
accelerated when I started hitting those one and 18 month stints it's because I embraced it said the hell with you I'm a hacker that's who I am you got a problem with that tough now granted I got to see things along the way like Mudge getting that job at Twitter other hackers who were you know I mean Katie m is another great example you know worked at Microsoft for years and started her own company I mean that girl is incredible right I mean there's so many examples of that hackers who became respected like hackers aren't respected well maybe we're not but that's the reality so find your weird and embrace that so I'm getting the signs that it's
time for me to wrap up my clock is also telling me that it's time for me to wrap up so I'm going to wrap up but here's the thing if you are looking for a job you're trying to build your cyber security career or you know somebody if you didn't know I wrote a book called Cyber Security Career Guide but I took the contents of that book and I turned it into a 28 day get hired challenge on YouTube completely free I don't monetize the channel none of that it is there to help people out so if you know somebody who's looking who's trying to launch their career please point them to that alyssa. linke
hired all right last thing I'm going to leave you with well not the last thing but quick quote from Barack Obama I just I really appreciate this quote so much it's not about avoiding failure failure it's about what you do with it when you fail how do you learn from it each failure is an opportunity to learn grow and become better we don't learn if we're successful all the time then we're just successful you learn when you fail and you have to do something different all right love to keep the conversation going with you folks but I can't do it from up here so hit me up on social media there they all are Mastodon
Twitter LinkedIn yeah um just don't don't DM me on LinkedIn cuz I'll admit I my DMs there are a complete disaster and thank all of you for being here it has been wonderful I hope you enjoy the entire day we've got lots of great stuff coming up Kathy already told you about a bunch of it so get out there have fun and we'll see you around the conference the rest of the day take [Applause] care couple quick announcements before you fly