Pushing Boundaries: Journeys to the top of Security Engineering

BSidesSF · 2024 · 46:16 · 189 views · Published 2024-07
Category: Career
Style: Talk
About this talk
Pushing Boundaries: Journeys to the top of Security Engineering
Lea Snyder, Devina Dhawan

Join two trailblazing women as they pull back the curtain on their journey to the upper echelons of security engineering. They've battled the odds, shattered glass ceilings, and are ready to share their hard-earned wisdom. Gear up as it's time to take control of your career trajectory. https://bsidessf2024.sched.com/event/3cb5366061f2573406c491190ed020bd

Transcript [en]

all right welcome everybody to BSides San Francisco 2024 we have two amazing presenters today we have Lea kidding it's a it's a funny it's it's something between it's an inside joke okay Snyder and then we have Devina um hold on let me see if Ian all right okay got that down so a couple quick announcements before they start um we would love if you would participate and ask questions at the end we're doing it on Slido sli.do now there's a QR code on the entrance of every theater or what you can do is log on to bsidessf.org slash q n a that's Quebec nicolina that's me Alpha so you no Ampersand is actually the letter N so we go ahead and fill

that out we're going to leave room for asking questions towards the end if we don't get to all of your questions during the speaking time these lovely ladies have offered to be up in City View to answer in-person questions after their presentation all right ladies looking forward to it take it away thank you do you want go first sure hi everybody how's everybody doing welcome to BSides thank you all so much for coming and talking with us um we want this to be interactive so please make sure you write down your questions for the Slido um so who am I hi my name is Devina Dhawan I live in Chicago Illinois and I'm a staff

security engineer I worked at companies like Etsy Shopify Hulu um pretty much if you interact with the internet you've probably interacted with some of my security stuff that I've done and I'm also the founder and CEO of Davy Labs Davy Labs is a nonprofit that teaches women and gender non-conforming people how to code every single day in Chicago we're going to be doing online classes as well this year here so if you want um follow us on Instagram and that's where you'll find all of that information you can follow me on LinkedIn and ask any questions about your career or things like that I love mentoring people so you can always message me uh my LinkedIn is

posted and me and Lea actually had the honor of working on a project with tl;dr sec so we've linked it here um and you can go check it out for like more about our story and advice and things like that that we didn't get to today and then I also wrote a chapter for something called the security path has anyone heard of the security path raise your hand it's a brand new book um written by a few awesome security people that includes a lot of great information about how to go through security and different people's path through security so really honored for that as well Lea yeah hey everybody my name is Lea I'm a

principal security engineer at Microsoft I work in the Entra organization that's our identity and network access organization um as Devina said we both were super honored to be interviewed for a tl;dr sec about our Journeys I also recently was on the BlueHat podcast which is an MSRC podcast it's relatively new where I also talked a bit more about my journey and my unique like background so feel free to check it out all right we're going to get going so it's odd some of the data is not showing up that's cool um so do you want to go over some of the points that you added yeah so some of the things that I hear a

lot when it comes to security when it comes to engineering and computer science roles is around pipeline issues meaning you know there's of course pipeline problems not enough women and GNC are going into uh the CS field which is what I'm actually seeing at my local University where I'm an alumna and what we're seeing here is there's people who are coming into the programs but they're not staying into the programs and we're going to talk about retention when it comes to like college level but also like work level but that's why I've included it here a lot of people don't get the support that they need especially after becoming moms and things like that um

going through really significant life changes and so we really want to talk about retaining women in cyber security Fields retaining women in engineering fields and just really helping them grow and Thrive and how we can do that um 57% of women in TMT accept that anticipate that they're going to leave their jobs people don't feel like oh I have the support that I need in order to stay in my current role and we don't want that um CU it took so long to get you here to you know go through the pipeline um we also want to talk about women in cyber security teams oops I'm sorry we want to talk about women and cyber security

teams can I get a raise of hand just so I have an understanding are you a woman on a cyber security Team Awesome can I get keep your hands up and keep them up if you are one of two or three women on that team okay we got a lot of hands up meaning that we have such small diversity in our teams that we feel so lonely so we're going to talk about that today too do you know if there's like a transition to the other data oh there we go there she look at so the other thing we thought was really interesting and let me actually go back a second because I don't know why

animation's being weird um so I got I was on LinkedIn connecting with people and I got this announcement that principal security engineer jobs recently increased by 45% and I was like I would love to know what the X and the Y was like I was really fascinated by this and I was like can I click on something and get more it turns out you can't um but there's obviously a high demand for people at our level and I thought it was really interesting but then I juxtaposed it against like okay so this is age it's not a great stat but like typically women and actually anyone that's at the higher levels you're going to be a bit older you need a bunch

of experience right and what you can see is that it just kind of drops off a cliff right like women who oh I cannot read my own slide are under 30 I mean we're doing pretty well and like even until like 39 you're doing pretty well and then it just Falls off a cliff and this is why women end up feeling like they're literally the only woman in the room like that I would actually how often does that happened to folks in the audience that you are literally the only woman in the room do you want to raise your hand like and how does that make you feel right like it's it's kind of shocking and what I thought was really

interesting about this data point at least for me is I remember not being the only woman in the room I remember being with other women and then suddenly I found myself at the principal level and there are no other women most of the time not all the time thank God but most of the time so I thought that was really interesting all right so we're going to talk a little bit about what it takes to climb up the security engineering ladder do you want to go first sure so everybody as you'll read in the security path or in the tl;dr sec which is just like a great culmination of paths you'll see different realities Lea and I are going to talk about our

story how we got into security um how our path has been so for me I was one of three women in my graduating class when I graduated with a degree in computer science and a minor in math in 2014 so in 2014 out of 200 students I was one of three women that's 1% 1.5% okay and as the years went on I continued to ask for that statistic I continued to ask like how many women are graduating and year before last the percentage that was given to me was 7% we had 700 people graduating and 49 of them were women in the College of Engineering that's awful because where I'm from I'm from India originally yay

Indians um if there's any in the crowd um and where I'm from the classrooms are filled with 50/50 50% women 50% men so when I would talk to my dad about like oh why why is it why is there no one in the room he's like d not don't worry about it just keep going because in India it's 50/50 don't worry about the gender thing so when I started working and I was still the only female in every security team I ever worked on for eight years uh up until I worked at Shopify um for two years where I had a group of four ladies on my team up until then I was still the only girl so that really

sucks it's very lonely and I have to do extra work I have to create Community where Community is not there and that's a lot of extra work to like get people together and do these things that I need in order to thrive I'm sure you've dealt with some of that as well yeah so um I come from a pretty unconventional background I have a degree in economics I also have an MBA I went and got an MBA just because I was like I don't know business let me go get an MBA if you if you're thinking of going down that path please come talk to me later and I can tell you why you may

want to consider and maybe not um so I'm entirely self-taught in Tech like I've never actually taken a computer science course um I don't consider myself a decent coder at all I can script really well um I came up through your very traditional IT background I was in the help desk and then I did desktop engineering then I became an SRE and I was looking I was literally at a conference and I was looking in this room of a thousand some odd people and on one hand I could count the number of women I was in this like 400 level technical talk and I was like where where what field has more women was literally my thought process

and I happened to go to a BSides um in Boston and there were a bunch of women there and I was like okay these are my people I'm going to figure out how I get there it took me a while to be honest um the funny thing is I said I was an SRE and I just mentioned I don't know how to code and my first job in security was actually on an application security team which I think is hilarious because I'm like not infrastructure not Cloud no AppSec um today I actually work across all domains so I feel really like lucky that I've been exposed to so many things and one of the things that we want to make

sure folks know is that you know as you want to climb that security engineering ladder which I'm not saying everybody wants to but let's say I'm going to assume that at least some people in the room want to do that right you have to have deep technical skills but you also have to have breadth and then you have to have leadership skills and that's where I actually see a lot of people fail and a lot of people come and talk to me about how you gain those skills and so there's so many ways you can gain leadership skills you can volunteer at a conference right especially if you take on like a lead volunteer role cool you've just

demonstrated how you can lead others ask to run a project right like just ask like go for it um you set up a nonprofit like you you could do management I'm not saying you actually have to but you could do that path so there's a lot of ways to gain leadership but we see often is that women are pushed to do much more technical things and they forget to do the leadership and you cannot do our roles if you can't be a leader that is really we have to model the behavior that we expect to see every day and we cannot do that unless we're leaders so I just I really wanted to stress that so I

wanted to ask you what do you think about AI yeah it's such a complex topic um I think is anyone familiar with Khan Academy yeah I love Khan Academy so I taught at Girls Who Code for seven years uh we use Khan Academy a lot um I teach for my nonprofit Davy Labs now and we um use Khan Academy a lot for that too and um the person who runs Khan Academy has done a lot of really great talks about how we can use artificial intelligence in conjunction with mentorship and tutoring um in order to like move education forward and really bring education to the masses in a way that we as humans have never really

thought about um so there's like a lot of really great positives to it you know like there will be positives to it but in my opinion I think that when it comes to AI every single one of us has the responsibility to learn about this thing now um and continue learning coding continue to learn the like in like how systems integrate with one another because at the end of the day security people are going to be the ones that are called when there's like a rogue AI or something and we have to like turn it off um and they're going to be like turn the networks off do this do that in order to like bring down the size of an

issue and it's just going to suck really bad when we have to be the call of action for that like we've had to do for cloud systems in the past um which are also like brand new systems um I have a little bit more of like a positive view on things so I try to always include the positive but this conference is also called dystopia cannot be spelled without AI so I know that a lot of security folks also have that um I'll ask you the same question so this is really hard for me like I'm a natural born skeptic like that's probably why I work in security I'm both paranoid and skeptical all um I

think it has the power to be amazing but we have to remember that to your point that we need responsible AI I'm such a huge proponent of that and we all have a role to play in that um so that's that's my very basic SP on AI I'm super skeptical but I am totally excited to see where it goes but please remember all of us have this big responsibility to make sure it goes well and that we don't end up with like really terrible videos on the internet that just make us all cringe because we're like why did you take a celebrity and do that like what's what's wrong with humans like this was literally my reaction to that

one and just so that's my call to action for everybody in this room please use it responsibly please help us use it responsibly it could be awesome and it could also be terrifying I have another question for you before you change the slide okay so my question for you is what is one project that you worked on in your career that you would credit like a um like a switch to like a promotion to like one project that you think that you worked on that was so impactful yeah so when I was at um a former company I actually was very interested in the fact that we kept seeing the same kind of vulnerabilities over and over I spent

three months doing a deep dive into the data to try to understand why as I said we kept seeing these same vulnerabilities over and over and over again and I ran this very very large program at this very large company to basically just eradicate them what we did is we did root cause analysis and I worked with the engineers at the time I was actually a technical program manager and we would go through and analyze the data and be like pick it apart and we actually successfully eradicated two of the largest vulnerabilities we were seeing at the company the like in a matter of months and it was the most like powerful and inspiring project that I think I've

ever done and I was just super excited to see the impact and and what I think I was most excited by is that we made developers lives way easier and like that's what we're all here to right we're here to support the people that need us and that was my favorite project how about you yeah I just love that question because I just want everyone to understand that those big scary projects that make you feel like I don't know what I'm doing are going to be the thing that make up the next portion of your career so I had joined a company where we were going to be implementing me and my manager hiring manager were going to

implement Vault Secrets management has anyone heard of Vault Yeah by Hashi yeah super cool tool except it's like so hard man um I think that was one of the most challenging things ever I went into the interview process I gave a really good interview told them exactly how I thought Vault would be stood up all in theory but then the actual implementation made me realize that HashiCorp lies to us um when they sell us this thing and it's so complicated and doing everything in Terraform in such a like production ready way where I only had four months to do it I was so scared I was so scared all the time I didn't I was working on this project by

myself this was the first time I was a remote employee at a company that didn't really support remotes like there was no one else that was remote except for me on my specific sub team and things would change on me all the time like people who are working at the company itself at head headquarters would make hallway conversations and then change the infrastructure on me so that was super fun um to manage and how do you deal with that right it's not a like I'm a woman and they're you know discriminating against me and doing these things it's not about that they're discriminating against me because I'm a remote and so this was all pre pandemic

um they did eventually realize how life as a remote is at that company after you know that um the pandemic happened but it was kind of too late for that but how did I do it well first of all you have to go in with some sort of idea of the problem and who you're going to be impacting your stakeholders so you want to work very heavily with your stakeholders on what is the problem statement that you're working on and then you have to figure out what are all of the little infrastructure pieces so I started at this company as a senior engineer and within a year and a half I was promoted to security architect and that's only

because I created this Vault system in such a good and production ready way that it could be handed over to another team completely to manage without my involvement after a one-hour meeting I was able to pass this entire gigantic package thing beautiful thing to another team and they were able to go and run with it and continue to support it so as a good engineer I just want you to know like it's not just about the work that you're doing and how impactful it is but how can it live past you and how can it continue to grow without you um and be nurtured without you that's like that's what's going to get you promoted um and

we want that for you get that coin all right so I think the flip side question is have you ever had a project that failed yeah you want to talk about it oh my god um I wouldn't say failed I would say that this resulted from I was working at a cryptocurrency exchange and we were going to be redefining access okay and how Services interacted with each other like what kind of jump boxes we were going to use all these things but before I even join the company they decided to buy octet oag without any like somebody did a POC I guess and then they like spent a bunch of money on it and it was like really

bad you couldn't automate it you couldn't do anything um so I think like the only time I've had a project fa this project eventually took two another two years in order to finalize it just recently went into full production um and that's so terrible you know so make sure you work with your management and push back on tools at the POC stage if you think they're not going to work well it's extremely important cuz then someone's going to spend like four years trying to work through it and then at the end of the day just throw it away and build something else so do you have any projects that failed oh yeah I mean I actually think like the failure

is one of the best projects you can have because you're going to learn so much from it about yourself about why it failed so I was trying to revamp the security review process I actually had a really great idea like I'm still very proud of the document I wrote to this day I still think it was one of the best documents I ever wrote and basically my development team was like cool no I mean literally that was the response like this looks really neat but we don't want to build this we're going to go build the thing we want to build and it was very frustrating I was like but but you agreed to build my

thing like what do I do and I think for me the the really interesting lesson I got out of that one that I still kind of reflect back on because I'm still not super awesome at this is the importance of escalation um it's a learned skill as I said I still don't think I'm awesome at it but I wish I had told my leadership much earlier and were going off the rails instead I was like I can fix this I can make everything awesome turns out I couldn't fix it I couldn't make it awesome the funny thing is I left the company and then I went somewhere else then I boomeranged back to the company and they were still

working off my original project doc and they were still implementing it so I said it was a great idea I just did not build the right support for it and luckily it was getting off the ground I think but then I left the company again so I don't I don't actually know how it landed and honestly like I'm good with that all right we're going to talk about the IC ladder and getting ratted out all right so how many people in here are ICs trying to see how many people have been told that you should do something like management how many people actually want to do management all right that's good like I appreciate that there are people

that want to do it um I think both of us have been pivoted out of IC more times than we can count um that is the I I will say like if you show up and you show up well and you got great leadership skills people are like manager and I'm like but I'm not but you're so organized you're so organized you're so great at mentoring you make the team better great guess what I can't do when I become a manager everything you just listed um so I I think you know I mean you had this experience like how did you get out of it I mean I just quit I mean

I literally was like I'm not going to do this job so I'm going to go to a different job instead like that is a cop out I'll be really honest but um I was how did you get out of it did you quit too no okay uh I I wanted to quit for different reasons cuz I was remote and I just wanted to work in the office with humans again um but basically what was happening to I had been kind of forewarned about this because my dad told me he works in technology he told me that after about five or six years in working in Tech that I can expect to become a manager and my immediate

response to him was I don't want to be a manager like that sounds lame I would have to fire people I don't want to do that I have too much empathy for that and so you know I was also very immature at the time so be it but when I had become an architect my manager had come to me and said I want to talk to you about your growth and he was somebody who to this day I can't say that somebody hasn't like this person did everything for me like they went out of their way to explain things to me they really thought the best of me when I quit the company and I had you know of

course repeatedly told this person I did not want to be a manager um he was like they know you don't have to necessarily go into leadership but I can one day see you being the CEO of the Red Cross and I was like I can't believe you said that to me like that's how much you believe in me and so a lot of people who come to you and tell you I want you to be a manager they're coming in with that you know they they see something in you that's really great however I have learned from a lot of women in engineering that the more you go into management earlier in your career the

harder it becomes for you to become a CTO later that's just something I've heard I don't know if I'm perpetuating some sorry but I don't know what I'm doing right but I'm going to do my best to do more technical work early on in my career so I kept pushing back on my manager but I continued to learn about what leadership means um there's a really great book called What You Do Is Who You Are it's by Ben Horowitz and includes a lot of really great leadership examples that don't require you to be a manager and the best thing I've learned about being a staff engineer and a security architect is you can do

leadership while doing IC work and doing really really really cool work that's going to grow you technically have you seen that oh yeah that that's why I'm an IC yeah like and to be clear you should try management I always believe you should try it just go into it with open eyes and if it's not for you make sure you have an exit path that is not literally just quitting though I mean you can do that like I'm telling you it's one way out it's not my recommended path though I have a quick thing that I wanted to mention go for it um can you go back to the last slide so two things I wanted to say one if you're

deciding to become a manager here's some advice for you if you can possibly become a manager outside of the team that you are like currently on that would be like ideal and the reason is because you would be so surprised at how much ego comes out when you are now the manager of your peers before you guys used to like complain together about your manager and all of these different things but now you've become the manager and even if you're a kind and empathetic person and like a really great manager people are still going to have some way to feel about it so starting a new role as a manager or growing with some kind

of like management um what's it called like training that would be really helpful and then you can maybe join another team okay um the other thing I wanted to say is please take a picture of this IC ladder if you've never seen it before so a lot of people get confused when they're not in engineering or haven't gone up the ladder like how to have conversations with your manager about growth you can't like know where to grow to if you don't know like what the words are called right and like how you get there or at what point can you switch so this is a really good representation of you start off at the company as a junior engineer maybe

you're an intern then you become an engineer maybe you're a security engineer network engineer network security engineer then you become a senior engineer and let's say you decide you want to go from inter infrastructure security to application security you need to talk to your manager about something like that as soon as possible so you can start getting trained so you don't lose your um promotion potentially but sometimes you're going to have to Del in order to move to a different segment um that only happens sometimes so definitely talk to your manager about it but once you get to senior you will become a security architect or a staff engineer um and that's the point where

things start to diverge into either management or IC leadership which is like your beginning stages of becoming a manager then going in directing and VP and all those things versus staff engineering senior staff principal but all these things have like different names at different companies um there's a really great I had a great picture on a slide no I don't know where it went but it doesn't matter the basically the thing that happens as you go down the ladder is your scope changes so have you seen that in your career that the scope is changing like as you go up yeah I think that's what's always it's always funny cuz I try to describe my job to people

and often fail miserably um I mostly focus on strategic work today and I wouldn't be able to do that if I wasn't a principal level right but I work across all the security domains of my team so yeah I as I mentioned my first job was AppSec I obviously still work with the AppSec team but I also work with incident response and I work with GRC and I work what else is there uh with detections and threat like I work with everybody and so that's what I think is really interesting about the scope instead of being super hyperfocused on one thing I have to do everything and I think that's been a really um hard thing

to describe to people like people always like what's a day in the life like I'm like oh my God I have I don't know how to answer that question anymore like it's not I don't have a typical day do you have a typical day um I think I described this really well in the security path like the percentages and stuff where it's like including operations work automation work so there's some technical parts to my role um there's some like Discovery parts to my role and then of course mentorship and things like that but it's a lot of like creating design and infrastructure for the rest of the company to be on the same page when it

comes to your security concept and like convincing other people that this is the route you should go down and like why they should believe you um and like I think a lot of where I'm at right now where my scope as the entire company impacts the entire developer base is it's also talking to developers and the stakeholders who I'm impacting so building relationships is huge so you did a really good segue to mentorship what do you want to talk about when it comes to mentorship um I think the biggest thing that me and Lea have talked about is there's a huge difference between mentorship and sponsorship and as we go through our careers we're really figuring out why

one is more important than the other um so like whenever I join a company I always think that my mentor my biggest Mentor is going to be who my manager right so who can I you know complain to who can I tell what's on my mind who can I tell everything to and you know 100% trust it's this person you know and just like two days ago I figured out I was doing it all wrong just like literally two days ago I took a little workshop I wasn't even thinking to do it and I learned something extremely important the difference between mentorship and sponsorship is the your sponsor is going to be the person who is advocating for

your promotion for your raise for you to get a new project and so on and so forth so what the sponsor should be hearing is the good the good and the good the best stuff what are you how are you mentoring and helping others what projects are you working on what do you need help with but you got it you got it under control that's who you tell your sponsor that stuff your Mentor they get to hear the good bad the ugly all the stuff you're suffering through all the help that you need the you know the support that you need but your manager is actually your sponsor they're the one person that you have that's your ticket into your

promotion and into your raises so you want to be making sure that you're treating them like a sponsor have a doc share it with your manager go over it on a weekly or bi-weekly basis when you have your one-on-ones with them make sure you're advocating for yourself and why you're doing a good job because that mentorship that's not helping us anymore Lea has a really great quote that she heard recently yeah so someone actually asked a question around this but they said women are over mentored and under-sponsored I kind of wallowed in that statement for a while and I reflected on the fact that I'm curious how many people have been assigned a

mentor okay has that how many people then for those who raise their hands did that actually work for I feel like I see no hands yeah um that kept happening to me over and over and over in my career and I think it was really well intentioned it was like oh we have this really smart intelligent woman we wanted her to grow as an IC we're going to give her the next level like mentor to help her and it always falls flat like I I obviously don't ask the right questions I obviously don't know how to engage with a mentor um you have to pick your own like I can't stress that enough what I still

haven't figured out is how you get a sponsor so we're still trying to figure out like how like sometimes it just happens naturally but like if you feel like it isn't happening I do think you're right go to your manager have that conversation so since we only have 10 minutes left I'm going to go to the next slide well maybe I obviously can't use PowerPoint in case anyone's wondering no you're doing it just right this is how it's supposed to be used like I came from a a culture that never used PowerPoint so like every time I use PowerPoint I'm like I I try to do the animation thing and I just fail I'm going to stop all right so weet turning

to success so we talked earlier about being isolated so like what are your thoughts on getting more women and GNC into the room yeah so as I mentioned usually I'm like the one person in the room the one lady in the room and so the difficulty for me is always finding the rest of the people um I know in our industry and in Tech in general and working in general a lot of people talk about impostor syndrome and I really had to sit with that right because I didn't really feel an impostor I'm an Indian person working in technology I clearly belong here so um you know but why did I still feel a certain way when I was working at the

company and I realized it was loneliness I felt like there were not other people who look like me or behave like me or thought like me so I felt insecure about it and I felt lonely even if I know I'm a smart person you know whatever um but creating community so usually whenever I go into a new company I always like go for like the women in Tech rooms and I'm like joining them and I'm like super active and I say good morning all the time um because I just love it and I love that interaction on Slack and then if there's not already an infrastructure and security women and GNC group I create one so if there's not already a

little Collective I make it happen um I create a brand new channel and I bring all the infra ladies in and I bring all the security ladies in because I think they work so well together maybe some developers who are interested in security and then I meet with them on a by like maybe a monthly basis and what I found is this is an extremely effective way to grow engineers and people in cyber security in general locally because you can create use these meetings to do little presentations like 10 15 minute long presentations that can get people really into like public speaking and stuff like that right so that's something that I've used a lot to

create community of course I started my own nonprofit too um and through mentorship you know we've seen so many women and girls grow into Engineers this is one of my mentees who just graduated yesterday um she just graduate yeah please give her Round of Applause she's amazing um you know went from a 1.9 GPA to like literally a 3.5 Plus in electrical engineering um one of the hardest workloads and uh Urban studies minor so really killing it um so if you really support people and Mentor people they can go far I was just going to say like everybody in this room has something to offer to other folks and so I really do encourage that every time you can mentor

someone to do it and every time you can sponsor someone to do it I am constantly talking up my colleagues both male and female to be very clear I don't I try to talk up everybody but if someone really goes out of their way like I I literally said to a manager the other day he was asking what I thought of one of the women on his team and I was like I actually got really embarrassed I'm like I use colloquialisms and I don't ever know if they're appropriate or not and so I was like is this appropriate to say and he's like cuz I said oh she's punched above her weight and like I

literally don't know like to this day if that's appropriate to say so if someone does know and it's bad please tell me afterwards um but I was just so impressed I mean she's a really Junior engineer and she is absolutely blowing me away and I just wanted to make sure that he heard that from someone outside to say like hey this this person's a rock star because every day you can sponsor someone else is amazing I also obviously participate in a lot of like like the ERGs um and I do I join the WiCyS Western Washington board to focus on mentorship that's how important I think it is but I'm really passionate about getting the right connection and

not assigning people so we've got like seven minutes am I doing time right we would love to take questions so what do do we have do we have some from the audience oh a lot we will also be upstairs please come find us or connect with us on LinkedIn yeah all the things all of those so you actually have quite a few questions um so the first question that got the most likes or question is did you ever feel like you didn't know enough in the security field if so how did you overcome that do you want to go first you sure um yeah so of course we're not going to get to all your questions so

we're going to be at the Microsoft area me and her so you can come find us over there um a 100% And to be honest chase that high because signing up for stuff you don't understand is literally your employer paying you to get an education and I have signed up for projects like for example when I went to Etsy they were like oh we have a cloud environment but we don't know much about it um and we bought this thing that tells us how secure it is Devina do you want to do it and literally nobody wanted to touch this project with a 10-ft pole and I was like yeah for sure sure like that sounds

cool I didn't know anything about Cloud security period I had set up one EC2 instance in my life um and I rocked that project to the point where this company did not know that much about Cloud I started introducing these Concepts eventually there was a little bit of a you know whatever happens at company's political stuff the new CTO decided they wanted to go to cloud and who is this like more Junior engineer who knows everything about cloud who's showing up at staff engineering meetings that's me okay so like I was literally in a room full of Architects and staff engineers and principles trying to figure out how we're going to move to the cloud and I'm the one who's

telling them that stuff so always sign up for stuff that scares you um it's going to feel really frustrating but that's where the mentorship comes in you need your mentor to basically back you and tell you repeatedly you can do this remember that other hard thing you did you can do this hard thing too so that's going to be my suggestion so I often make this joke and I'm I'm just waiting for the day that one of my hiring managers gets really mad at me for it um I actually never apply for anything I'm qualified for like full stop I look at the job description and go well I don't know how to do that but

that sounds amazing and I want to do that and that's how I've chased work I don't actually Chase titles I don't chase money I don't chase companies I chase work that looks really cool and is completely outside of my comfort zone the last role I took was all on breach preparedness hey fun fact I'd never done incident response when I signed up to do that job I didn't really know what all was involved so I just talked to a bunch of people I just kept asking questions and just letting them tell me things and so I don't care that I'm supposed to know everything I'm like do I know 50% of like what's being listed here cool I'm applying I'm going

to do what the guys do and I'm going to get that role I am not going to hold myself back and only apply for the jobs where I'm like yeah I can do all that like why would I want that how am I going to grow so I'm super selfish when I apply to jobs if I can't grow I'm not applying and that's I I really stress this you got to do that it's okay to get out of your comfort zone and you 100% got to embrace it I love it so another question as female leaders in the security industry what initial steps would you recommend that a new cyber security graduate female should

take okay hi um so you just graduated is that right okay just now um yeah have you ever heard of so are has this person started working at all or they're like into it we don't know okay if you haven't started working yet download The Juice Shop go on google.com look at Juice Shop OWASP and like that's what you should Google and set it up there's like awesome um like everything is really detailed and then they also have a really great answer sheet so you can basically participate in a capture the flags with very low stakes okay very low stakes it's all on your system and you're just kind of hacking yourself and um that's that's honestly what I would

recommend as far as the last question too I would say the one thing that you have to keep in mind I'm an overthinker so I get the like I get the perspective where you look at the end of the staircase and you're like so overwhelmed by it just please keep your mind and your attention on that first step or that next step that you have to take maybe one or two steps extra but that's the thing that you have to focus on when you have a big overwhelming anything you just want to make sure you put it into as compartmentalized little pieces as you can and organize yourself before you move forward okay so that's the one

thing I'll say do you have any advice for up-and-coming security people yeah I would say like this Market is um interesting so anything you can do to stand out is always a good idea like that that includes things like volunteering CTFs uh bug bounty anything that shows that you have an interest outside of just what you did academically will really help you a way do we have any more we can do one more I think we have time for one more question okay seems Seems like it is the way into the field but what if you are coming from another technical field and already midcareer what path is recommended so I mean like when I you're

right I was a tech person like I was an SRE but like I was mid-career I basically started over right I was well on my way I I had actually gotten to principal basically and started over right I was like I really want to do security I'm just going to do it I think if you have anything that t i mean security is about being curious and being willing to explore and being willing to ask questions so if you do anything that allows you to you know Embrace creative thinking you can do security do you want any last comments yeah so um I would recommend for whoever is like wondering about this to at least

go to your local library check out a book um on the subject of the CISSP okay it's the CISSP it's by a company called ISC squared and it's like our certification that we a lot of people take I'm not saying you have to take that certification it's just going to illustrate to you the mile long you know description of what security actually is and what are all the different domains like how does Finance Connect into security how does management leadership business um interact with security how does you know XYZ thing interact with Security even if it's like computer management or whatever so that book is really going to help you illust like understand what are

the different segments of security and how can you play around in that Arena because security people love to interact with people who come from different backgrounds because it gives us a different mindset that we hadn't thought of before right a person who's working in marketing is going to give us a completely different perspective about password management than the like local IT person who like loves a password manager right so well we just want to thank everybody for showing up and as we said we'll be upstairs please connect with us on LinkedIn we're happy to chat more what wonderful Synergy these two ladies have Lea and Devina thank you so much for your presentation we have a

little gifts for you from one of our sponsors to thank you for your time and energy um we couldn't do this without our sponsors and the gift bags are actually from Socket Security so thank you so much Socket Security um just so you know we have an extended break a 30 minute break in between the next speakers so feel free to relax get some fresh air and also um the bar and chill out space sponsored by dvo is taking orders until 5:00 p.m. today and remember both non-alcoholic and alcoholic options are available all right we look forward to seeing you soon and remember these ladies are going to be up in the City View to take extra

questions um and you can linger a little bit since we have a a longer break