
BSidesSF 2026 - Practice Cyber Skills Like a Musician (Bianca Ionescu)

BSidesSF · 30:39 · 27 views · Published 2026-05
About this talk
This talk shows how musical discipline builds core cybersecurity skills like practice, precision, collaboration, and resilience. Through real examples and a brief demo, attendees learn how training like a musician can strengthen cyber learning and performance. https://bsidessf2026.sched.com/event/66d15647a3f9fb640b96d64c98cbade2

We are beginning our talk quite shortly. I'd like to introduce Bianca Ionescu. She will be talking about cyber skills like a musician. I'm quite excited for this talk. There will be a music demo. Thank you again for joining us.

Thank you for that.

Practice, precision, and patience are what it takes for a musician to learn a piece and get it performance ready. They're also the same skills that are necessary for someone to perform well in cybersecurity. Hi, my name is Bianca. I've trained as a violist for many years until I switched over to cybersecurity. Uh when I switched over to cyber, people that knew me for a while, they asked me, "Well, aren't those complete opposites?" You'd think so, but after a while, I learned that they're a lot more connected. Uh musicians are trained in a very specific way, and it's that training that changed how I developed my security skills. Oh. With cyber, how it looks nowadays is

it's really heavy on self-studying, and there's many tools to master, and it's constantly evolving so quickly. So much to the point that those that are just getting into the fields are really overwhelmed or even those making that switch themselves. Where you might hear many people say, "Oh, well, I'm just not cut out for cyber, or it's I'm not technical enough." But what's really the issue is the lack of structured skill development. While in music, it's a lot more structured. So much to the point that you can develop your very own routine. There's constant feedback loops that you might get in practice room, in an ensemble rehearsal, or even in a private lesson. Not to mention the

noticeable improvement that happens over time. So, if musical training is structured so differently, what does the structure actually look like? And more importantly, how does this translate into cybersecurity? Well, it starts with practice. So, as a musician, if you want to keep your skills updated, you constantly have to practice. That might involve either um going over drills, different exercises, scales in order to develop your muscle memory, and make sure you're constantly in tune. Um you may want how you might want to warm up. For example, um I can

For example, I'll show you what a C major scale looks like on the viola.

So, now that I've gotten warmed up, um you should know that deliberate practice matters. If you simply play notes without a plan, well, you're just playing notes. You're not making music. And you have to be deliberate with practicing your cyber skills as well. This might look like um maybe creating your own home lab, playing around with it, or even with pre-made labs. Participating in CTFs, so BSides has a CTF going on, maybe try your hand at that. And or even repeating a command until you really understand what it's actually doing. Consistency builds confidence. But practice alone isn't enough. Precision matters. So, I'll show you what that means.

I'm going to be playing an excerpt from Beethoven's Fifth Symphony, second movement, just the few opening bars. I'll play this twice and want you to notice some details. So, here's the first take.

Now, the notes are technically correct, but something's off. Let's take

>> What changed? Anyone want to I see a hand there.

So, some of the notes I did a little vibrato. Yes. I like that someone knows the term. Thank you. Uh anyone else? Any other noticeable differences?

Emphasis on the second time. Yes, I like that. Okay. All right. I think I saw another hand back there. Yes.

Yes, the length and the of tempo of the notes. It was slower, right? Yeah. Okay, cool. So, you're saying I I did not rush, right? Okay cool. So, you do know the difference. Awesome. So, um yes, the the notes didn't change, right? The execution did. So, I added more dynamics, more emotion, took my time, right? I didn't rush. Um so, in cybersecurity, that's often the difference between simply looking and observing. So, in a security operation center, for example, that kind of meticulousness allows you to spot details that others might simply dismiss. Precision is discipline under pressure, and discipline is built through deliberate practice. Now, in practice, you don't just repeat a piece over and over again

until you think you can magically get it right. If only it worked that way. Um, you have to break it down into sections and slow it down. You drill it and you fix it before the performance exposes it. Kind of like doing your very own vulnerability assessment. And you even learn how to mitigate it as well. We don't want to wait for an attacker to tell us where we're weak. We scan, we test, we patch. But, musicians don't improve alone. That's where ensemble training comes in. So, it changes how you learn. The musicians, they perform in either um, different quartets or more string players, maybe a whole orchestra. And when you play in a group, you can't just

focus on your own part or be in your own little bubble, in your own little world. You otherwise your mistakes will just stick out really easily. You have to listen, adjust, and sync. That constant feedback that you get from other musicians, it accelerates improvement. You hear where you're rushing or you're out of balance. In cybersecurity, learning shouldn't happen in isolation, either. Read study groups or find someone to like a lab partner to work on whatever home lab you're working on. Have someone peer review a project or some code that you've been working through. Strong security professionals aren't just technically precise. They respond to context. They listen before they act. And learning accelerates environments where feedback is immediate and honest.

But, even in environments where there is strong feedback, mastery is slow in every discipline. In music, no one expects to pick up an instrument and perform like a virtuoso in a few months. If only it worked like that. Um it takes years of repetition and refinement and uncomfortable correction. In cybersecurity, it's no different. But, we don't always treat it that way. We expect rapid competence in field that's like constantly evolving. And well, when we adopt a musician's mindset, slow growth stops feeling like failure. In the music world, we often say practice doesn't make perfect, practice makes progress. If you think like that, you can make it part of the process. So, why does this matter beyond the analogy?

Well, when you train through repetition and precision, you become better at noticing the deviations. And cybersecurity depends on pattern recognition. When you rehearse under constructive criticism, you become comfortable with being uncomfortable. So, when pressure shows up, it's not going to throw you off balance. And as much as I would love to memorize things, um memorization won't help you in the real world. Adaptability will. And when you build skills this way, the strengths will transfer. So, what does this look like in practice? Well, rather than approaching cybersecurity like one massive skill set, break it into measures. Just like musicians isolate those difficult passages, find or narrow down those technical weaknesses. If something like log analysis is

really overwhelming, rather than just staring at a bunch of different logs, um take one piece of the log, and then understand what is it really telling you? Once you understand those patterns, then expand to the rest. With that, drill the weak areas. So, don't just practice what you're comfortable with. Identify commands, concepts, or workflows that are constantly slowing you down or confusing you. And then rehearse them deliberately. Then practice under pressure. So, simulate or rehearse in environments that simulate stress. CTFs, uh can't emphasize that enough. That's where you really see like where your skills might be uh lacking, and you can actually go and practice them later on. Conduct mock interviews, and do uh timed tabletop exercises. Really test

your knowledge in the moment. Pressure should be introduced during practice, not discovered during a performance. And with that, learn in ensembles. So, don't build skill in isolation. Create those study groups. Have someone be a peer peer review your work. And find a mentor to guide you. Feedback accelerates refinement. Now, that all sounds clean on slides, but it's not always that clean in real life. When you come from a non-traditional background, especially something artistic like music. It's easy to question whether you belong. And when cybersecurity lacks structure, that doubt can be amplified. The field moves fast. Tools evolve. Expectations are high. And without a structured training model, that pace can feel destabilizing. It took me time to translate confidence

from one discipline into another. And I'm still learning, but taking my time with it. So, how do we build that structure? Well, we borrow it. Starts with deliberate practice. So, treat cybersecurity skills like rehearsal. Schedule repetition. Track your weak spots. And return to them intentionally. Find your stand partner. Or and in the music world, everyone has two to one stand in an orchestra. So, find your stand partner to find the people who are building alongside you. Not just to share resources, but to create feedback. I'm sure you can find some amazing people right at this conference. When you find a weakness, don't interpret it as failure. Have a mitigation mindset and interpret it as redirection.

Musicians expect correction. We should, too. The most resilient cybersecurity professionals aren't the ones who move the fastest. They're the ones who trained intentionally.

It all comes back to practice, precision, and patience. Practice builds confidence. Precision builds trust. And patience builds professionalism. These are the lessons that uh musicians learn early on. And they're the same lessons that shape strong cybersecurity practitioners. So, the next time that you may want to review your cyber skills, don't just jump into a command prompt without a plan. Practice like a musician. Thank you.

Uh I guess we have time for questions, right?

Oh. What made me decide to change from music to cyber? Yeah, great question. So, um yeah, I was attending like a performing arts high school for a very long time. Wanted to be a professional musician. And then I learned about the GenCyber uh cybersecurity camp at my university, uh University of Nevada, Las Vegas. And it was my first time being um introduced to cybersecurity, and it just really sparked this new interest in me. So, I kept it there uh along the way uh in out of high school. And uh later on, I was like, when deciding what to do in college, well, I saw so many like cyber attacks happening, and I thought back to

fact being told in GenCyber, like we're constantly demand for people in cybersecurity, and I wanted to be part of the solution. So, I thought, "Okay, I'm going to go try to focus cybersecurity." So, yeah. Thank you. Yes.

Ooh, so the biggest difference between the two disciplines. Mhm.

That was good. Ones, zeros, and ones um versus the notes. I mean, it's I I know I went on a few analogies, but I feel like I could almost go on the similarities a lot like for maybe another hour. Um cuz I would almost say, "Oh, you're learning new languages, right?" when you're learning cybersecurity or if you're learning coding, right? But you're learning a new language when you're learning to read notes. So, um and then I I guess biggest difference maybe how much math you use cuz which surprisingly you do use math in some way when you're trying to understand like the tempo rhythm like oh, an eighth note in this many beats per minute. Okay, that's how fast I have

to play it or subdivide, right? But it's just more complex math maybe in some specific areas of cybersecurity. Which is more harmonious? Um I mean, music. Um but I mean, cybersecurity of course has its own ways of being harmonious. Depends like what you'd like to focus on. So. Okay. Um I Okay. I think Let's go you you you and then I think you. I'm like I'm also blinded a bit by the spotlights, so sorry. Yes, you.

What daily cybersecurity practices I do or recommend? So, sweet. I like uh starting my day with reading up on different cyber news. So, I might uh look at different articles from all sorts of websites. Okay, what maybe cyberattack has happened recently and then reading up about that. Maybe and then not to be like just too much of oh, there's so many attacks, but even just new like positive things too in cyber, what's going on. And I like uh playing around with different labs as well. So, personally, I've enjoyed playing with the PortSwigger Web Security Academy. Like I like I enjoy Burp Suite. So, I like playing with maybe one or two labs of that. Um

yeah, it might vary day-to-day, but yeah. Okay. Uh yes, I think you had a question.

Mhm. So, to make sure everyone else also heard the question. So, how do you ensure people understand the intent behind with like sticking with cybersecurity? Is that Mhm.

Mhm.

Mhm. So, maintaining high intent when it comes to like learning cybersecurity so people don't get discouraged. Yeah, I think that's where developing the patience comes in and um or practicing patience cuz I mean, it does take a while to really understand the concepts in cyber or any discipline. And with maintaining intent, I mean uh it sounds mostly like trying to also maintain motivation, right? But if you develop your own consistent routine, that's how you're developing discipline. Uh cuz motivation, it can vary. It can go up and down, right? But when you develop your own routine and you're consistent with it, you're going to you know, you're going to keep going going and then you'll notice some progress.

The We can talk more after, too, if you like. Um but does that answer that? No. Okay, we can talk more later then. If you like. Um Okay then.

So, what was the aha moment when it came to the similarities? Okay. Um I think it was the identifying vulnerabilities because whenever I'd be practicing or even with a private uh teacher they'd be like, "Okay, so you play through the section and then here you're kind of um like you need to change dynamics here or emphasize them more. Okay, like kind of making those different markings, right? And the music's like, "Okay, I need to identify this vulnerability here, this here." Um need to like mitigate that vulnerability, right? And yeah, I related that back to cybersecurity. I was like, "Wait a minute. I've I've known how to identify vulnerabilities for a while, actually." So, that was one of mine.

Yes, I think.

Mm, how do you find your stand partner to build that community and the feedback? I started off with joining multiple student organizations at my university or I mean, you can join different professional organizations, too from um I know part of uh Women in Cybersecurity, great community, um lots of great people there. And um there's all sorts of professional chapters, like say ISSA, um ISACA. Find like those at least those groups there, like you're going to find like-minded people or people that are going to be you know either already deep in the field what you want to know and you know, you can find your mentors there. And also just again, like-minded people that will help

you right? There's like I guess one back there, yes. Yeah, I yeah. I think in the white shirt? Yes.

Okay. Thank you. Um so, you mentioned to repeat it. Um so, how does What are suggestions for someone new in cybersecurity? Like how do they kind of like I guess get into it or to focus on what they want to do. Yes. Yeah okay. Right. It took me a while to narrow it down as well cuz yes, cybersecurity is quite a broad field. I you just kind of have to try maybe a little bit of everything. Um I think that's why I I heavily recommended CTFs is those are where you're going to see a like all a bunch of different topics and ranges. So, you'll see like, "Okay, I like doing this type of thing like

OSINT or reverse engineering or web application attacks or exploitation." I, you know, if you really enjoy that, you're like, "Okay, then." That kind of helped me to try to go deeper or dive in deeper to that and then you find different roles that specifically handle that kind of um concept. Um yeah, cuz it for a while um I always went with oh yeah, I want to be a pen tester and then later on like I've done some web application stuff, but it's not what exactly I want to do. So then later on I'm like, well, I'm really good at finding things doing research. So I really wanted to go into OSINT. So I figured out that's my thing. So

Yeah, definitely trying out CTFs. Those different like at least anything that can give you a wide exposure to different topics. Does that help? Okay. Um yes.

Okay, so what kind of labs or website or projects do I recommend? Okay. So I think I mentioned earlier one was um if you're interested in say understanding Burp Suite um as a tool, PortSwigger Web Security Academy is a great resource. You get to interact with real labs of trying to do some pen testing a little bit or web application exploitation. And there's always Hack The Box. TryHackMe a little bit. And or pen testing labs. Um as for projects, I found some great ones through I was able to be part of the CodePath program with cybersecurity. So they offered some labs themselves and even like a great project like a honeypot project um as a starter

which you can develop like uh understanding Google Cloud Platform, develop your own like firewalls, and then also understand like different how it different attackers might try to attack a honeypot. It depends what of course like roles you want to go into for projects. So, I'm kind of mentioning a lot of the pen testing route, but of course there might be some other ones. Is that answer?

Yes.

Uh I mean I don't What time are we at? We have about 5 more minutes. I mean maybe later. Yeah. Yeah, maybe later. But yeah. I mean if you wanted to see me play a little bit more, I know I have like maybe can share some YouTube stuff as I still play as part of orchestra in my town, so the Las Vegas Young Artist Orchestra and yeah they constantly post on YouTube, so you can always check them out and they happen to have a concert next month, too. Okay. I suppose is if that's all questions. We have time for a couple more questions if anyone would like to ask any. Okay. If If not So yeah, if no one else has any other

questions, I will be available around to talk more if you wanted to or answer any other questions that didn't get answered. So feel free to connect with me and yeah, thank you so much for your time.
