WE'RE IN!

Lifelong Hacker Alyssa Miller Breaks Down Cybersecurity Barriers

Episode Summary

Alyssa Miller, Business Information Security Officer at S&P Global Ratings and author of the forthcoming book, “Cyber Defenders' Career Guide,” is one of the most provocative, unfiltered and interesting voices in the cybersecurity community. She’s essential reading on infosec Twitter and a regular draw at conferences around the world. In this episode, she dives into all sorts of issues in the cybersecurity community, from incoherent job postings to a lack of diversity—she covers it all. Tune in to find out how you can best address these problems and also learn how to reach out of your comfort zone and forge your own path to success.

Episode Notes


--------

Why you should listen:

* Figure out why most cybersecurity job postings “suck” and how the industry can help fix the issue.

* Learn how to address key issues that come up during a cybersecurity job hunt.

* Identify how to maximize opportunities for personal growth and realize your potential in the infosec community.

* Understand how to be a better ally to underrepresented groups in the cybersecurity community.

* Hear about the value of diversity and inclusion in cybersecurity. 

--------

Key Quotes:

* “Read the narrative at the beginning of the job description. If that sounds like something you can do and something you can learn and grow in, apply. The very worst thing they can do is tell you no."

* "The difference between you experiencing success or not is in how you respond to opportunities. Do you take those moments and go after them or do you let them go by the wayside."

* “If we want to be better at cybersecurity, having diversity matters.”

* "You don't get diversity of thought by having 20 heterosexual white males sitting in a room talking about how to build cybersecurity defenses."

--------

Related Links:

* Synack.com

* https://www.synack.com/lp/cloud-security-solutions/

* https://twitter.com/AlyssaM_InfoSec?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

* https://alyssasec.com/

Episode Transcription

Jeremiah Roe: So welcome to the show. My name is Jeremiah Roe, and my illustrious co-host Bella, how are you? 

[00:00:52] Bella DeShantz: Hey, Jeremiah. I am doing pretty well. 

[00:01:28] Jeremiah Roe: How are you Alyssa? Welcome to the show. Thank you so much for joining us. 

[00:01:33] Alyssa Miller: Yeah, I appreciate it. Thank you. I'm really honored to be asked to join you and happy to be.

[00:02:27] Jeremiah Roe: There's so much to your background that's just exceedingly impressive. And, you know, just starting right off the bat, you know, maybe you could, you know, let us know how you got into the business in the first place. And when I say the business, I mean sort of what it is that you do, what drew you into the cybersecurity space and everything that you participate in, because, you know, for those listening, it's a lot. 

[00:02:53] Alyssa Miller: All right. Well, I'll try to condense it, cause it's really a lifelong story, right? I mean, I go back, I tell people I've [00:03:00] been a hacker all my life, and I mean it. I was that four-year-old kid that took apart her toys to figure out how they work, to see how she could make them work differently, stuff like that.

And it was also that early in my life that I got introduced to computers. My dad was an accountant and he worked for this little HVAC company. They were changing over their accounting system, you know, from one year to the next, over the holidays. They never had anyone in the office anyway.

So rather than going to the office by himself to close out the books and do this conversion, he brought home this gigantic Zenith computer and, you know, kind of pioneered working from home back in the eighties. Right. And so when he wasn't working on it, he let me play with it. And, you know, from there, I was fortunate enough that we had computers when I was in elementary school.

First, it was the TRS-80s. Then later on, they got an Apple lab. And around that same time, when I was 12, I got myself a paper route of all things, [00:04:00] saved up a bunch of money. And you know, for most kids, this is probably not what you would have expected.

[00:04:05] Jeremiah Roe: I've actually done that on a bicycle, a bicycle paper route, like chucking those papers out in the, yeah, I've done that. 

[00:04:11] Alyssa Miller: Oh yeah, 

[00:04:12] Jeremiah Roe: I hated it. 

[00:04:13] Alyssa Miller: definitely. Uh, it had its moments, especially in Wisconsin, winters, uh, 

[00:04:18] Jeremiah Roe: Ooh. Ooh. 

[00:04:20] Alyssa Miller: but you know, most kids, like the last thing you're going to expect, especially then, we're talking like late eighties here, the last thing you expect them to do is go out and buy a computer. That's exactly what I did: saved up about a thousand bucks, went to Best Buy with my dad and bought myself a computer.

And that led to kind of my first hacks, where I started messing around with this little community software some people might remember, called Prodigy, back in the day. Um, but you know, and honestly, still, even then, like, there was no idea that this could be a career path for me. In fact, when I went to college, it was pre-med.

I was all set to be a [00:05:00] doctor. 

[00:05:00] Jeremiah Roe: Oh, wow. 

[00:05:01] Alyssa Miller: Yeah. But try three semesters of chemistry in college. Yeah. And you'll find out really fast whether or not you're cut out to be in 

[00:05:08] Jeremiah Roe: Yeah, I barely got 

[00:05:09] Alyssa Miller: and I was not.

[00:05:10] Bella DeShantz: Physics is what made me change, uh, change, study paths. So I feel that.

[00:05:14] Alyssa Miller: Yes. So it was like scramble, like, holy crap, I've got to find, you know, a different career path, a different major. And I go through the course catalog and they had computer science. I'm like, well, hell, I already know how to program. This'll be easy. That was not the wisest of assessments.

I mean, I'm still glad I went there, but, you know, definitely it was not the easy path. But what did work out well was that was during the dot-com boom. And so I got my first job as a programmer while I was still in school, because, I mean, they were just dying to hire programmers wherever they could find them.

And I had programming experience, I was going to school to get my degree. I got hired into this financial services company programming on their electronic payment platform. [00:06:00] And it was after about nine years of doing that that the security team, one of the managers I'd worked with plenty of times on different projects, came to me and asked if I wanted to be a pen tester on her team.

And that was kind of where all the security got started for me. It was all really serendipitous, but, you know, it was,

[00:06:20] Jeremiah Roe: like when you were initially asked to be a pen tester, like that was fairly not a normal thing in that particular time. 

[00:06:29] Alyssa Miller: it was not like we think about it today. I mean, this was, um, you know, it was mid two thousands, I think. Um, and yeah, I mean, you know, there were people hiring pen testers, but it was not the norm. Definitely not for, you know, just general industry. Obviously financial services kind of led the curve a bit on stuff like that, as they still kind of do today.

But, um, yeah, it was, you know, it was not something that you saw everywhere. So it was interesting too. When I started working in that field, [00:07:00] people would ask what I do for a living and I would tell them, well, you know, I break into people's computers and tell them how I did it before the bad guys can do it, you know?

And that was like the easiest way to explain it. Cause how do you tell somebody you're a pen tester or an ethical hacker? Most people don't even know what that means.

At what point in all of that did you stop and decide, you know, I should put all of this knowledge in a book? Because you do have a book coming out.

[00:15:17] Alyssa Miller: I can do so. It's interesting. Cause honestly, and I hate to say this, but some of it was just because I had a couple of publishers reach out to me. So it worked out well, because they came to me at a time when I was doing a lot of research on the supposed skills gap. Right. We hear about it a lot.

I've seen estimates anywhere from 800,000 to 4 million open jobs in cybersecurity. But on the flip side, you know, as someone who's been here for a while, I certainly try to help mentor other people. And I'm hearing from all these people who are coming out of degree programs or are trying to pivot from

other areas of technology into cyber [00:16:00] security. And they're telling me, Hey, we can't find jobs. People won't hire us. There's no entry level jobs. These job descriptions are ridiculous, et cetera, et cetera, et cetera. And so I was doing some of that research anyway. And so, like I said, I had a couple of different authors who came to me, and finally it was Manning, my publisher, that came to me.

And, uh, it was like, all right. Yeah, I want to do this now. You know, at that point I had been through a lot of different things. I was really ready, with the research I had done, to start putting it down on paper. And I really just, I mean, there's details of just what they offer in terms of the book.

I mean, like you can go out today. The book's not even published in print yet. Right. I mean, in fact, I just turned in my last chapter earlier this

[00:16:47] Bella DeShantz: Congrats.

[00:16:48] Alyssa Miller: yeah, yeah. I guess it was earlier this week. Wow.

[00:16:52] Jeremiah Roe: Congratulations. 

[00:16:53] Alyssa Miller: you can go out, you can buy the book now and you can actually start reading it now. So you can read the chapters that I have submitted that aren't even, you know, final edits [00:17:00] yet, which I thought was really cool.

This is really something that's needed in the industry, right? Like there's books on how to get into pen testing, there's books that have talked about how to get into a cyber career, but they're all really focused on here's all the, you know, talent and all the different technology you need to build up and how to do that.

It wasn't something that looked at the industry holistically and acknowledged that sales is a part of cybersecurity. Social engineering, threat hunting, threat intelligence, all these, this huge map of all the various roles and the [00:18:00] diverse personalities that are needed for those roles. There really isn't a book out there that talks about it in that sense.

[00:18:36] Bella DeShantz: Something that's really important to me is encouraging more folks to join the cybersecurity industry. And so I've been in sort of mentor positions with folks, and the questions that I get are, okay, cool. Like I've read the books on how to hack.

I understand the tools. That's great. But how do I get a job? How do I approach the [00:19:00] industry? What jobs are even out there? And I've had so many conversations just talking about like, okay, well there's so many more jobs beyond pen testing. Let's talk about what this field really is. And I've never had a resource to be able to have those conversations with.

So I'm very excited to plug your book because it will answer all the questions that I've been asked. It sounds like.

[00:19:18] Alyssa Miller: I hope so. I mean, that, that's the goal, right? I mean, right away, chapter one, we're talking about what is cyber security? Chapter two is talking about here's all the roles you can do. And chapter three is where it all begins, because it's all about like, how do you find your way in, like, you know, you probably run into.

If you're mentoring people, I'm sure you've heard people or had them come to you and they say, you know, Hey, can you help me get into cybersecurity? My first answer to that, because that's like a really broad question, is, well, what do you want to do in cybersecurity? And so many of them, I get that answer either

one, they want to just, you know, pen testing is the only thing they've ever considered, or they're just like, well, I just want to know all of it. Okay. [00:20:00] That's not really realistic. So let's dig into that deeper, and how can you explore yourself and figure out, okay, this is what's really interesting to me about cybersecurity.

So this is where I want to go in cybersecurity. Right? And I think that piece alone is so important for a lot of people, either the ones who only see pen testing as, you know, a cybersecurity path, or they just don't know. And they just know that, Hey, cybersecurity's a hot field. It sounds really cool.

I want to do it. 

[00:21:09] Bella DeShantz: Part of that issue of how do I get into the security field is an issue that you've talked about, which is that a lot of cybersecurity job postings suck. Um, and so why do you think that is, and also, uh, could you give us some examples of 

[00:21:28] Jeremiah Roe: They do, don't they. 

[00:21:29] Bella DeShantz: Yeah. Um, but also, do you have any examples of like the worst job posting

[00:21:34] Alyssa Miller: Or, you know, I do

[00:21:36] Bella DeShantz: Yes.

[00:21:37] Alyssa Miller: I knew. Um, so yeah, well, first of all, why do job descriptions suck? There's a few reasons. One, we just don't have... cybersecurity is still young and it's exploded really quick. Right? Technology grows super fast. So cybersecurity is growing super fast. We don't really have a good career progression map for [00:22:00] anybody.

Right? I mean, you think about, like, if you want to be a doctor, it's really simple. Right. I mean, it's very specific. You go through schooling and you go to a specialty school and you get into your residency, blah, blah, blah, all the way up. Right. Very structured progression. We don't have anything like that in cybersecurity.

So you've got that piece. You have the fact that we're like really hyper-focused then on, well, you've got to know all the tools and technologies that we use in our organization. And so what you see then are these job descriptions that list out this myriad of tools and things that you have to know in order to be qualified for this job.

[00:22:38] Jeremiah Roe: Plus 20 years of experience. 

[00:22:40] Alyssa Miller: Getting there. Wait. We're getting there too. Right. Um, so you know, those are challenges in and of themselves, and we don't really understand, well, what makes for a good cybersecurity hire, right? What are the characteristics I should be looking for? I did this survey last year that [00:23:00] included hiring managers, and I asked hiring managers, you know, what is the one piece of advice you'd give to somebody coming in? And they all say, predominantly, I think it was like 60% of the answers were passion, have passion, you know, some variation of passion.

Well, what the heck does that mean? How do you hire for passion? How do you put that in a job description so somebody knows if they have passion or not, or they know how to demonstrate it? You can't. So how do we actually start to look at that? And, you know, what are ways that people can demonstrate that? What are the things, not technology skills, that we can send people to training for?

And they can learn how to use, you know, Security Onion, or they can learn how to use some SIEM tool, or, you know, some cloud security tool. We can send them to training to do that. What are the things I should be looking for in that person that are going to tell me that they're the right candidate?

So because of that, because we don't know really what we're doing, quite honestly, we've kind of created this unsustainable model of everybody we hire has to have this high level of skill.

And so now, how do we measure that? We try to put all these, you know, bullet points in there. We become hyper-focused on certifications. 91% of job descriptions call for a four-year degree and at least one certification. What's really interesting: 71% of entry-level roles call for a CISSP.

Do you know what, 5% of the entire cybersecurity workforce [00:25:00] right now, actually less than 5% of the entire cybersecurity workforce, has a CISSP right now. And if you're entry level, 

[00:25:06] Jeremiah Roe: And what does the CISSP take to 

[00:25:08] Alyssa Miller: Right, you've got to have five years of experience to get it, right? As an entry-level requirement. Um, so some of the examples that I've seen are like that. Some of the others, one that I use quite often, is this three-page job description.

And it's three pages, just the way I happened to screen print it. And you can barely read it if I throw it on a slide and it's up on the big screen, right? I mean, you still can't read these bullet points. There's something on the order of, like, 50 bullet points of responsibilities and technologies for this position.

Who's that unicorn, right? Like you're not going to find that it just doesn't happen. Right. 

[00:26:32] Bella DeShantz: Where is that disconnect coming from, though? Right? Cause I know, like, I didn't write the job... Like, we've hired more people on my team and I'm not writing the job description for, you know, the teammates that we hire, but like who is making this mistake? How does that happen?

[00:26:47] Alyssa Miller: So that's another interesting thing, right? It is a disconnect between, usually, the hiring manager and the human resources team. Um, you have organizations that have gone through [00:27:00] normalization, they call it, right, a lot of times, where you're trying to set very standard job descriptions for specific titles.

And that can be problematic. Now, there's reasons that they do this, right. And I mean, there's, you know, especially if you're dealing with federal contracts and things, there are very specific requirements you have to meet. But sometimes that gets done to, you know, a flawed level and it causes problems a lot of times.

You know, if you've got your recruitment or your HR team doing that in a vacuum, they can lose perspective, or they just simply don't have the knowledge or the wherewithal for how to get that into a job description. And a lot of times even hiring managers just, you know, they don't take the time to sit down and really go through a job description, or they don't know how to write a good job description for a cybersecurity role, because who gets training in that? [00:28:00] You don't, typically, and all of that's problematic.

[00:28:50] Jeremiah Roe: There was a gentleman that I was speaking with at DEF CON, and this very topic came up. [00:29:00] And this individual felt like they didn't have the particular skills that were necessary to, you know, apply for this role. And as we were talking, I said, you know, this kind of thing has happened.

Just, just apply, just apply and submit a resume, submit a cover letter, sort of explaining why you think you can do this gig and just.

[00:29:20] Alyssa Miller: And that's what I tell people too. I always tell them, forget about all of the bullet points. Read that narrative at the beginning. It tells you what the job does. If that sounds like something you can do and something you can learn and grow in, apply. The very, very worst thing they can do is tell you no. Literally, that is the worst thing.

So if that's the worst, what have you got to lose? Apply. Put your name out there. Get seen. If nothing else, maybe you get to speak to somebody. And even if you're not a fit for that job, maybe you're a fit for something else, or down the road they remember your name because you made a really good impression on them.

And that creates an [00:30:00] opportunity. It never hurts to at least apply to a job. 

[00:30:17] Bella DeShantz: I want to talk about your recent keynote talk at the Diana Initiative conference, which was awesome. Um, the talk was called "Sparking Your Security Career." And for those that don't know, the Diana Initiative is an organization that focuses on increasing diversity in cybersecurity.

And I have been able to attend their virtual conferences for the last two years in a row. And both times I've, like, left the weekend just feeling so excited, inspired and proud. And it really, like, that conference reignites my passion for security. Uh, anyways, though, I wanted to ask you about, you know, in that talk, you speak about your career [00:31:00] trajectory and your drive to take on more leadership roles.

Uh, and I'm wondering, how did you go through that process to put yourself out there more, assert yourself in the industry, and have a bigger voice in this community?

[00:31:12] Alyssa Miller: Oh, oh, you ask tough questions. Um, I don't even know for sure. So, I mean, I got started speaking at conferences kind of just sort of by happenstance, again, serendipitous events throughout the course of my career. It's really busy. But, no, while I was working at FishNet, we were sponsoring a conference in Grand Rapids, Michigan called GrrCON, and GrrCON was looking for more submissions.

They had had their CFP out there. They didn't get as many submissions as they had hoped for or whatever. And they, you know, reached out to us as a sponsor and said, Hey, do you have anybody who could, you know, throw in some more submissions? We want to get a deeper pool. And I submitted, and it got accepted.

I gave this talk, [00:32:00] and I found, honestly, one of the biggest things about it for me that was great was, believe it or not, I'm socially awkward as all get out. And so what I found was that public speaking at these conferences was a great way to meet people, because now I had an icebreaker. Now I can have a conversation. So that kind of got me started. It was in 2019 that I got asked to do my first keynote. And I ended [00:33:00] up, my keynote was immediately following the opening keynote that was given by one of my, I hate this term, but I'll say it, heroes in cybersecurity. Her name's Keren Elazari.

And I'd seen her speak at DEF CON. I'd seen her TED talk. Okay, I'm already super excited. And we got to talking, you know, after sharing a stage, you know, of course we got the chance to talk before and after. And really, she just inspired me to get my butt out there and really make something of it. But then the other piece of it really is, I mean, that's kind of the selfish side of it, but I love this community. Right. I tell people I grew up in hacker county. I was in the IRC rooms on Undernet way back in the day. And this has always been my place.

So as I start seeing opportunities to help make our whole community better, those are things I want to chase, and that's kind of where that keynote I gave at the Diana Initiative came from. It was like, I see the challenges, especially for, you know, non-males, but even just across the board within cybersecurity, of people, when they go, you know, being talked out of chasing their dreams, being talked out of just negotiating for what you want from your next job, things like that.

And it was like, all right, it's time to use my [00:35:00] successes and failures from my career progression in that regard, the lessons that I've learned, and give that to some other people and see if I can help them maybe skip over some of those steps I had to go through that sort of held me back.

[00:35:14] Bella DeShantz: I also consider myself an introvert. I have a really hard time meeting new people, speaking in public, recording podcast episodes. Oops. Um, but I feel like I've been inspired by the folks that I've seen in the industry, and that includes you, that have pushed me to kind of see beyond just my own nerves and realize, like, there's a purpose for this.

We're making improvements within the industry. And so you used the word serendipity earlier, and I've also heard a lot of us use words like luck and, oh, it just happened to work out this way. So I want to ask you about something that I think a lot of us in the industry, especially folks starting out, struggle with, which is imposter syndrome, [00:36:00] which for me, I think I'm connecting those.

Cause I think the way that I see myself having imposter syndrome is by saying that a lot of the reasons that I've gotten places are because of luck. But anyways, my question is, do you have advice for those of us that struggle with that?

[00:36:15] Alyssa Miller: I wrote a whole chapter about it, yes. I have lots of advice on this, because it is that important and it is one of those things that holds people back. And what you just described is a perfect example of it, right? The, oh, I just got lucky. Or, you know, so-and-so really helped me make that happen. That wasn't me, or, you know, things like that.

Those are all symptoms of imposter syndrome. And so, specifically to that, what I tell people is, look, you need to recognize every person who's gotten where they are today, whether it's me, whether it's Katie Moussouris, Dave Kennedy, Jayson Street, whatever big name you can think of from the security industry, you know, all of these people, they didn't get there by [00:37:00] themselves.

Somebody helped them out. They had lucky breaks that occurred at some point, you know, fortunate things that happened. The fact that, you know, you had someone helping you, that's like a dumb moment. Like, yes, everybody did. The fact that lucky things happened too, of course, they happen to everybody.

The difference between you experiencing success or not, in regard to that at least, you know, it's how you respond. Do you take those moments and go after them, or do you kind of, you know, not recognize them or whatever, and you let them go by the wayside? Perfect example from my life: that manager that came to me and said, Hey, do you want to join my pen testing team?

I didn't know anything about pen testing. And I told her that, and she's like, well, you know, you're smart. You'll figure it out. But, you know, it was a hard decision for me. I'm like, do I really do that? I don't know anything about this. I'm a programmer. I've never thought [00:38:00] about working in security before, but I took the leap.

It was kind of a leap of faith, but it worked out, and worked out big time. Right. Um, the role I'm in now, it popped up. It was literally somebody who is in my network. Um, you know, the former CSO of our organization, who had shown up on a CISO panel I moderated at one point. So that was how we connected.

And I'd seen on LinkedIn she had posted this position was available. And again, it was like, oh boy, am I really, you know, am I really qualified for that? I don't know, but I took the leap and I asked her, you know, we talked about it. She got me connected with the hiring manager here. And so, you know, that is a big thing, is just understanding those fortunate opportunities.

They just come up for all of us. You have to go after them. And then the other piece of it is just being objective in how you look at, you know, [00:39:00] your own successes. There's that line between humility and conceitedness. Don't cross too far to the other side, but don't be afraid of bragging.

You know, you don't have to be the super humble person who never admits they did [00:40:00] something cool. If you did something cool, tell people about it. Be proud. Especially tell your employer, your manager, make sure they know that you're doing these really cool things that are bringing value to. And yeah, just, you know, I know it's easier said than done, but just recognize that.

[00:40:18] Bella DeShantz: So I wanted to ask you about something, and you touched on this in your talk at the Diana Initiative, but I think it's worth talking about here. Um, what are some unique challenges that women, or I guess non-men, and underrepresented groups face in this industry? And also, how can the industry do a better job of making this field more welcoming and approachable to those folks?

[00:40:41] Alyssa Miller: The biggest challenge is that we are underrepresented, right? I mean, so you're looking at, you talk about things that feed imposter syndrome. How about not seeing anybody that you can identify with at high-level positions that you aspire to get to? You know, I mean, that alone is huge.

That's why the Diana Initiative is so [00:41:00] important to me. It's like, here's an opportunity for y'all, women, non-binary, whomever, to see a greater focus put on that representation, to see, you know, people who are in high-level roles out there speaking, sharing, and knowing that, Hey, you can do this too. You can get here as well.

Right. I think that is a big thing. That really is a challenge if you're underrepresented in some way. You know, I think it's also very challenging in that there is just toxic behavior that exists toward people from those underrepresented groups in particular. And I know anybody who follows me on Twitter, you've seen me thousands of times take on the level of misogyny that exists in a certain subset of the, you know, the males that are the predominant demographic in this industry.

And yeah, it's a small group, but they're a very loud group, [00:42:00] and that can be very daunting to take on. You know, I mean, just talk to any woman who's gone to a cybersecurity conference, and the chances are quite likely, and I saw somewhere numbers like 80% of them will tell you that they've experienced some form of physical harassment.

They've been assaulted. They've been, you know, touched in inappropriate ways, whatever, and, you know, myself included. And, you know, that's an unfortunate reality. It's getting better. But, you know, from an industry perspective, we have to do better at recognizing, A, that those things do happen to people. You know, there is racism, there is sexism, it does exist.

We can't deny that it's still there. We have to call it out when we see it. And quite honestly, my white cis hetero male dudes, we need you to speak up, because when it's, you know, this subset of that predominant group [00:43:00] that is responsible for a lot of this behavior, it's hearing it from other members of their own group that will be most effective in helping them understand that

this stuff isn't acceptable anymore. There might've been a time and a place. Not anymore. And so I think, you know, that is one thing the industry can do. The other is just embracing the reality that there is a business value in diversity. If we want to be better at cybersecurity, having diversity matters, and don't throw that dog whistle at me of, oh, well, we want diversity of thought.

Of course we want diversity of thought, but you don't get diversity of thought by having 20 heterosexual white males sitting in a room talking about how to build cybersecurity defenses, 

[00:43:49] Jeremiah Roe: Yeah, 

[00:43:50] Alyssa Miller: it doesn't have.

[00:43:50] Jeremiah Roe: I, I've got, I've got really two, two questions around that and I want to kind of focus on this area if we can, because it is so important. So [00:44:00] there's a lot of toxicity in sort of the Twitter, Twitterverse. And I think maybe all of us can, can point that out. And so in that toxicity, both in the Twitterverse, in the workplace with diversity, you know, how do you, how do you address that?

And in the process of addressing that, how do you, you know, if you happen to have any male allies or heterosexual, male, white male allies that are in that realm, how do we jump into that and help out there? 

[00:44:36] Alyssa Miller: Um, you know, so my God, I could go on for days about this, but first, how do I address it? Right. I mean, personally, I call it out when I see it. Um, people are not unfamiliar with it. You know, I was sharing screenshots of really horrific tweets from other people. Um, you know, some of you might've seen myself, an inverted geek and a [00:45:00] few others take on a certain certification organization in our industry that published some really awful stuff.

You know? I mean, that's step one. The other thing though, and this is where I think everybody can start, if you can't come up with any other way to get started, is helping understand this cliche of a rising tide raises all ships: the more you do to raise up other people, the more you're going to elevate yourself.

And I think a lot of the toxicity that we do see is people who feel threatened by other entrants into the community. It's not that they inherently hate women or they inherently hate black people. I mean, in some cases, right? Understand that if you raise up [00:46:00] other people, that raises you. And, you know, I think that happens now when you are one of those allies, of which I have countless hundreds that I could name off in a heartbeat. You know, when you see that, when someone, you know, again, it's see something, say something, you see that, that white male, yo, or whoever. I mean, it doesn't even have to be a white male.

It could be anybody, whoever it is that is being, you know, abusive in that way to somebody else, speak up, [00:47:00] don't be afraid. There's this, you know, you get called a white knight or you're, uh, you're virtue signaling, like God, um, you know, who gives a shit, right? I mean, come on, seriously, speak up. Know that what you do matters. Know that when, you know, I and others are out there arguing with, you know, these people, are fighting back against the toxic behaviors, that when, you know, one of you steps up and steps into that conversation and says, yeah, I agree with these women, you are acting the fool, knock it off.

That's meaningful.

[00:48:48] Bella DeShantz: Something that I hear all the time when someone says something bad to me, which inevitably happens, I'm a woman in this [00:49:00] industry. A lot of times when I, when I speak out and say, Hey, that's not cool. We don't, we're not accepting that. I hear people say like, oh, that's just how cybersecurity is.

That's just like, if you don't like this culture, leave. And I think this conversation reminds me of how important it is for folks to speak up, because this is not the culture. It does not have to be the culture. We in this industry set the culture. And I don't know, I guess this is a mini rant. I'm sick of hearing people say, this is just how the culture is, because it's not.

[00:49:30] Jeremiah Roe: I just, I just want to re-highlight something. I'm so sorry, Alyssa. There was a quote there, I love that, actually, Bella just said, and I love that: we in this industry set the culture.

[00:49:41] Alyssa Miller: Yeah,

[00:49:42] Jeremiah Roe: That's, that's, that's pretty, that's pretty powerful. I think, I don't, you know,

[00:49:46] Alyssa Miller: It is. I mean, it's our industry to make and shape how we want it to be. It's our community, right? I love this community. This community means the world to me. This community, the hacker culture, was there [00:50:00] when I was that awkward teenager. And I had nothing else, like, you know, I didn't have a lot of friends.

I didn't have a lot of anything. I had hacker culture that brought me along. They were my safe place and I love this community. I want to see it be that for so many others. And so you can't, every one of us has to recognize where we have a certain level of privilege. Yeah, I'm a woman in this industry, so I'm highly underrepresented, but I'm also a white person.

So literally today, not two hours ago, I saw an email at work. We were putting together some information and someone mentioned putting together a whitelist. Now, whitelist, blacklist, that is terminology that we are starting to really try to push out of this industry for the reasons of inclusion and so forth and making people more comfortable.

And, and, you know, just getting away from that idea of white is good, black is bad, right? I mean, sure, was that person who wrote it inherently racist? [00:51:00] No, I doubt it, but understanding the impact of language and what that means in terms of that, my immediate email response was, Hey, I like what you wrote here, but can we take this term and change it?

Just a simple thing. You know what I mean? It's a day-to-day corporate environment. It's not always that you see somebody attacking someone else. It's just, Hey, you know what? Here's this thing I saw happen. Could we just change it? Can we just.

[00:51:28] Jeremiah Roe: Interesting things as we see them. 

[00:51:30] Alyssa Miller: Yeah. And obviously not that I come after him in some woke sense and attack him or anything.

No, it was very simply just, Hey, you know what? The industry is kind of trying to get away from that terminology. So could we change that to say allow list instead? Done. Yeah. Everybody took to it fine. They understood it and they're fine with it. Okay. Moving on. And that's all it has to be. And now, you know, that, that person, the next time that they're thinking about that, that little moment there will come [00:52:00] back.

And instead of writing whitelist, they'll like, they'll write allow list.

[00:52:07] Bella DeShantz: Yeah, I think like this kind of, yeah. This topic is what is kind of one of the biggest things that I've really wanted to talk about in this podcast. It's something that is so important to me. I truly could probably talk about it for hours, but I want to switch back to kind of the more technical side of things. You have so much experience working as a consultant, the business side of things, uh, the business side of security programs.

And so I have a question for you about all of that. Uh, what is one of the most common missteps that you see in organizations' security programs?

[00:52:44] Alyssa Miller: Honestly, and this is going to sound really ethereal, but you know, it, it's, it's not seeing how integrated we are with the business and our role in that sense. The example of this I use is, think [00:53:00] about the idea of DevOps or DevSec. Right. I mean, DevOps shows up on the scene in 2008, 2009, and security's scrambling.

How do we get involved? DevOps is out there preaching this idea of shared responsibility. That was the whole point of DevOps. How do we make operations and developers equally responsible for getting software delivered efficiently, quickly, stably? Security comes to the door and we say, well, we're going to force our way in here.

And what happens when security starts talking about shared responsibility? We destroy the message. We come in and we say, yeah, shared responsibility. Everybody's responsible for security. There's a certain arrogance in that. Like, what about security being responsible for software getting out the door fast?

If we're going to say you're the dev, you're responsible for security. Hey. [00:54:00] That means you're taking on the part of that responsibility then to make sure that the software goes out the door fast, which means you better come to the table with tools that can be automated in a pipeline that, you know, can be a part of the development phase.

You're going to trust your developers with a certain level of enablement and accountability that says, Hey, we're gonna give you these tools and we're going to trust you to run them. We're not going to sit here and hover over you. We're not going to create gates that hold you up or keep you from moving.

And that's really what it comes down to. I mean, if you in security are not doing the things to pave the road, you're standing in the way, get out of there, get out of the way. 

[00:55:14] Jeremiah Roe: If any of our listeners would like to get in touch with you, learn more about you, hear more from you, read more about some of the views that you've posted and also read your book, how can they go about doing so? What's the best way?

[00:55:35] Alyssa Miller: So you can follow me on Twitter. That's an easy one. Uh, Alyssa M underscore InfoSec, probably the lamest Twitter handle ever in the history of mankind, but, you know, um, Hey, it happens. Uh, that's a different story for a different time, how that ended up as my handle. Yeah, my website as well, alyssasec.com. Again, Alyssa Miller was taken 'cause there's some [00:56:00] Sports Illustrated model.

I don't know, whatever. She's not important. Um, but no, seriously, check out 

[00:56:06] Jeremiah Roe: Not on this podcast. 

[00:56:08] Alyssa Miller: Uh, yes. Thanks. Um, but no, seriously, check out A-L-Y-S-S-A sec.com. Um, I have a link to my book there as well.

[00:57:41] Bella DeShantz: And then our final question for you, which is the question that we ask everyone at the end of the show. What is one thing that we wouldn't know about you just from looking at your LinkedIn profile and your online social media?

[00:57:53] Alyssa Miller: Well, let's see. My social media has all the pictures of everything behind me, like my guitars and photo seed and all of that. [00:58:00] Let's see, the fact that I'm a soccer referee. Um, in fact, uh, fall soccer season spinning up, uh, the workings, lots of college games this fall, including a four or five for the Big Ten.

So there you go. That's something most people don't.

[00:58:16] Bella DeShantz: That's so cool. 

[00:58:18] Jeremiah Roe: That's awesome. I would never have guessed.

[00:58:21] Bella DeShantz: Awesome, Alyssa, thank you so much for talking with us today. And if you enjoyed this discussion as much as we did, please be sure to subscribe, share and leave us a five star review on Apple Podcasts.