WE'RE IN!

Google Cloud Evangelist Stephanie Wong on “Blameless” Security Culture

Episode Summary

In this episode, Stephanie Wong, head of Google Cloud Developer Engagement, explores Google’s security culture, why it conducts “blameless” postmortems after security testing and how it’s working to dispel lingering misconceptions about the cloud. She also talks about her journey in Silicon Valley and how her experiences winning pageants such as Miss Asian North America 2020 helped her become one of today’s most visible technology content gurus.

Episode Notes


Why you should listen:

* Learn how to build an effective cybersecurity culture within your organization.

* Get the inside scoop on the security precautions that Google takes with its physical data center.

* Hear about what Google is doing to overcome misperceptions about cloud security.

* Figure out how to conduct security postmortems the Google way. 

* If you don't know about the "pancake principle," you'll find out why it matters, and how it can work for you.


Key Quotes:

* "It's become really clear that remote work will be a very defining characteristic of the new normal and modernizing security is going to be imperative."

* "Our teams are really horrified by network-based security because network-based security is hackable, even with two factor authentication."

* “It's all about empowering [users] so that they can be the ones to flag suspicious activity, websites, and phishing in emails."

* "Being in Silicon Valley, we're often in a bubble where we assume that a lot of people already understand the value of [the cloud] and how it can actually increase your security posture overall."

* "It's all about blameless postmortems and a blameless culture. No pointing fingers. If something goes wrong, it's all about how can we improve it."


Related Links:

* Synack.com

* https://www.synack.com/lp/cloud-security-solutions/

* https://twitter.com/stephr_wong

* https://bit.ly/2Vkckh5 (Stephanie's YouTube page)

* https://www.stephrwong.com/about

Episode Transcription

Bella DeShantz: [00:00:00] Well, hello everybody. My name is Bella DeShantz Cook. I am joined by my wonderful co-host, Jeremiah. How are you doing today, Jeremy?

Jeremiah Roe: [00:00:30] Hey, Bella, how's it going? Stephanie, we're, we're super excited to get to chat with you today. How are you doing? Yeah.

Stephanie Wong: [00:00:58] I'm great. You've got a really interesting background. Initially you started off going towards the direction of entertainment and production.

And so I'm just kinda curious how you went from that direction over to shifting into technology.

Stephanie Wong: [00:02:25] I did not expect to be where I am today at all. So maybe I can start with where I began. Um, I went to university and, like many students, I did not know what I wanted to do. I was very indecisive and in many ways I still am, but I ended up going into communication studies because UCLA was known for that.

And I was interested in entertainment and production because I just love all the jazz around it. Yeah. And I also was interested in the theory of interpersonal communication and understanding how humans interact. So that was a natural fit for me. And in the midst of it, I also did a minor called digital humanities, which is a brand new field, intersecting, um, humanities and technology.

And so it was about modernizing the practices of how we analyze various fields within humanities, whether it's history, art, et cetera. And so I did a few projects around social media analytics in relation to various events that were happening around the time. Live events. And so I would take data from the Twitter API, Facebook, et cetera, Reddit, and try to see if we could do any sentiment analysis around it.

And so I gained some hard skills and some technical skills through that, but I was more interested in the application of the technology and how it impacts society. Yeah.

Jeremiah Roe: [00:03:47] That has a lot to do with sociology and psychology embedded within it too.

Stephanie Wong: [00:03:55] Absolutely. It's a very interdisciplinary field, and that's why it's so new. I think because, you know, these practices have been more traditionally analog and pen to paper. And so now, with the advent of more digital means of collecting data, they wanted to bring information systems and information studies into the field.

And so it really is a mix of all of these various areas.

Jeremiah Roe: [00:04:21] That's really awesome. And I just find that super, super interesting.

Stephanie Wong: [00:05:02] Yeah. And ironically, I did one of my projects back then on Google and how it impacts society, how augmented reality impacts society. And so I did a whole thing on that. Uh, not knowing that I would ultimately, like, actually be working at Google one day. And I think Google is actually refocusing some efforts on Google Glass.

'Cause I know it was on hiatus for a while, but, um, yeah, it kind of came full circle.

Jeremiah Roe: [00:05:26] You won the Miss Asian North America 2020 and the Miss Chinatown USA 2016, and you've participated in a number of other events like Miss Chinese International 2017.

I'm wondering how that ties into what you currently do.

Stephanie Wong: [00:06:46] I don't consider myself a pageant girl, or I guess in the stereotypical sense, and did not, again, expect to go into pageants at all. But once I graduated from college, so to kind of connect the dots here, I ended up working at Oracle for a couple of years. And I was a sales engineer because it did combine my skills of communications and technology.

And so it was a great fit at that point, too. And at the time, well, I love side projects outside of work. I love a healthy work-life balance. And so when I knew that they were accepting applications for Miss Chinatown USA, this is something I had always looked up to when I was a child, because the winner sits on the float at the end of the Chinese New Year parade every year in shining lights.

Glitter. It was, you know, it's just one of those childhood things. And so I was like, you know, I'll just apply and see what happens. And it was an absolutely wonderful experience. I met so many talented women from technology, real estate, the medical field. I mean, these women are accomplished, and it really pushes you to go outside of your comfort zone, be on stage in front of hundreds of people, and ultimately

be a huge ambassador for your community, because it is a representation of your culture. It brought me so much closer to my heritage. And I was able to participate in yearly events around the community in San Francisco and beyond. So tying between that pageant, Miss Asian North America, Miss Chinese International, all of these really expanded my horizons and brought me closer to my culture.

And I think that comes out in what I do today, which is being a developer advocate at Google. Not only am I talking about technology on camera all the time and running podcasts like this, but I travel, I empathize, and I listen to and communicate with our developer audiences to make sure that I can understand their pain points and their experiences.

And so I think having that broader cultural experience and having those listening skills, as well as the communication skills on stage, all come full circle. And I think, uh, they culminate in how well you can do your job as a developer.

Bella DeShantz: [00:10:07] I want to talk a little bit more about what exactly that role is. How does a senior developer advocate fill her day? 

Stephanie Wong: [00:10:18] Yeah. So as a developer advocate, our mission is to drive customer success by winning the hearts and minds of developers through inspiring and educating them about Google. And so this can take the form of our largest conferences, podcasts like this one, speaking on stage, creating technical videos, those how-tos and interviews.

And for me, on my team, we're specifically focused on scalable online content. So that means videos, podcasts, tutorials, but it's not limited to that. I can also do conference talks, anything, really, to outreach to our community. And so I've gone through many, many rounds of writing my own talks and podcast episodes and various, uh, videos for audiences of different levels of depth.

Um, other DAs may also be focused on building product demos, sample applications, integrations with our product, client libraries, tutorials, and overall supporting our product teams with engaging with our developer audience. Yeah.

Bella DeShantz: [00:11:20] Awesome. That's really cool. Uh, I think it's making me realize how helpful it would be to have, like, a human person there to assist you with learning how to use new tools. Like, I've never personally worked as a developer, but I have been around technology tools in my career as a security engineer.

And I'm just now thinking about, like, imagine how much easier it would be to learn all technology if there was, like, a human face being like, here's how it works.

Stephanie Wong: [00:11:54] Yeah, I know. It's kind of a relatively new field because there was engineering and there was sales and there was marketing, but there wasn't really a source of trusted information or people to go to as a developer, or a community that wasn't marketing the material. You went in, someone that you could really engage with and could empathize with their concerns.

And you also want a representative to, uh, build the community from the ground up, especially for products that are just starting.

Bella DeShantz: [00:12:26] So there's been a lot of emphasis on cloud adoption recently, especially this past year when everyone has started to work from home or at least more people have started to work from home.

How did that shift change the way that you have talked about cloud security?

Stephanie Wong: [00:12:54] Well, to be honest, it hasn't changed how we talk about cloud network security or cloud security too much, especially given Google's model and how we approach security. Um, but if anything, it gave it more urgency, especially when it comes to endpoint security, or creating a secure software supply chain, or how to ensure you have secure policies in place for moving your code into production.

And just to give some background, obviously there was a very unplanned and rapid shift to remote working. And that meant that CIOs and CSOs had to work quickly to counter all of these risks before the adversaries were able to capitalize on them. And so it's become really clear that remote work will be a very defining characteristic of the new normal, and modernizing security is going to be imperative.

And so, I guess, just to start from an endpoint perspective, we have devices everywhere and people are joining from mobile devices, and we have generally less control, or at least less centralized control. And so CSOs today are using this as an opportunity to modernize, because they wanted to go in that direction anyway.

And so if anything, this was the acceleration that they needed. At least from Google's perspective, we've always had this model in place where we have a zero trust model. And so this is something called BeyondCorp Enterprise. And it's because our teams are really horrified by network-based security, because network-based security is hackable, even with two-factor authentication.

And so BeyondCorp is Google's implementation of a zero trust model, where every single interaction with your application, from the user to the application and the app to the other infrastructure all the way through, they all have to be reauthorized every year. And this all began as an internal Google project to enable every employee to work from untrusted networks, even without the use of a VPN.

So now this is used by pretty much every Googler every day to provide user- and device-based authentication and authorization to our core infrastructure and every single corporate resource. And so the three tenets that exist here are: we have to publish applications behind web proxies. We want to make sure that we know everything about the user, the location, the device that they're using.

It's key to understanding, you know, any abnormal behavior that might be happening. And then on the client side, we have a lot of security features built into Chrome. So we have an in-depth view of the client side as well. And I think it's also about finding balance. You don't want to create too many friction points for a user where they have to have a, a much,

Jeremiah Roe: [00:15:34] It can be very intrusive.

Stephanie Wong: [00:15:35] Yeah.

Uh, a much worse user experience. So it's a, it's a balancing act.

Bella DeShantz: [00:15:40] Can you talk a little bit about why it's important to adopt a zero trust model?

Stephanie Wong: [00:15:52] With the network-based model where you have a layer of VPN, if somebody were to circumvent that, you are essentially opening them up to the world of possibilities of still accessing corporate resources. And so you're essentially adding more checks and balances in place so that you have policies at every layer to reauthorize the user, making sure that they are within the allowed access control for every single application that they face.

And so this is really, I would say, a more sure way of protecting your corporate resources at every single layer down to the industry.

Bella DeShantz: [00:16:33] And then you mentioned that there are definite security concerns related to cloud adoption. And we talked about all of the different endpoints and all the different devices that users are now connecting to a corporate network from. Are there any other risks associated with the cloud adoption?

Stephanie Wong: [00:16:52] Yeah. Specifically with cloud, a lot of leaders today are hesitant to move to the cloud for a number of understandable reasons. If you tell people to just simply move their resources to the cloud, rip and replace doesn't really resonate with many company leaders. And they'll probably tell you to just get, because it's a very high investment and they've already invested a lot in their existing systems, like Active Directory, Okta, whatever they're using.

Right. And so I think one of the questions we want to ask is, how can I enable my team to work effectively without impeding on their productivity, creating friction, as I said? And another cloud concern is, how can I trust the cloud provider to manage these systems on my behalf? As cloud systems grow, you're moving more applications to the cloud.

You know, companies are very concerned about integrating their security practices into their own cloud environment and sort of moving a little bit more of the responsibility to the cloud provider. And the other concern that pops up is, as an IT administrator or a cloud administrator, how do I maintain governance and control and compliance with regulations that I need to comply with?

So it's all about the way you approach security in an on-premise environment versus a cloud environment, and really understanding the nuanced differences between the two. Lastly, data privacy. I think there's concerns around, you know, is my data really private in a multi-tenant environment, in the cloud?

And lastly, can I comply with regulatory compliance, like FedRAMP, HIPAA, CCPA? Can I keep my data in one location? Because some of those have data locality requirements. And so there's a lot, a lot, a lot that goes into it that our cloud engineers are having very in-depth conversations with customers about.

Jeremiah Roe: [00:18:46] How are you all trying to help, you know, not only inform people about the risks, but also arm them or educate them on the information they need to keep their systems and/or cloud data secure?

Stephanie Wong: [00:19:16] It's a challenging space to be in, because security is something that you have to attack from many angles, whether it's for developers, your cloud security engineers, and typical data users, data analysts, people who are leveraging the information in your cloud environment. So what we try to do is we create content that both underlines the clear risks and challenges of it yet also tells a new story.

You don't need to rip and replace. You can actually use existing tools and integrate new cloud security protocols and tools. Um, so, you know, your existing security posture may not be leveraging some of the latest and most secure technologies and approaches that we can help you with. Let me show you how. So it's really more about enabling your users.

And flipping the message of friction on your users. We want to see that the users are actually the strongest link here. It's all about empowering them so that they can be the ones to flag suspicious activity, websites, phishing in emails, et cetera. And then if it's, like, the development tools, like, show them the tools, educate them with your views, and just be a little bit more fun and a little bit less serious if it's possible.

Jeremiah Roe: [00:20:26] There's a whole lot of effort that goes into that on the back end, and trying to think like the user and trying to figure out what it is they would do and how they would do it.

How does that tie into some of the skills that you've developed from the psychology and sociology? Yeah.

Stephanie Wong: [00:21:42] Every time I create a new piece of content, I'm thinking, okay, how can we hit the main points of what I want to talk about? The technology itself, the concepts that I want to teach here, but how can I intertwine a story into it as well?

And so that's sort of how I bring in, you know, more of that perspective and communication psychology skills into it. But if you're talking about, okay, how do we guess what the user or the audience is looking for next? What do we know about them? How, how can we anticipate the types of skills and the messaging that they want to hear from?

I think it's really about treating them, treating your content like a blank canvas. Like, if you were in their shoes, what would you want to learn about in your cloud journey? It's about encouraging people to understand a new cloud model. Being in Silicon Valley, we're often in a bubble where we assume that a lot of people already understand these concepts or understand the value of the cloud

and what it brings. But in reality, a lot of enterprises, organizations, and even students are still just learning about the value of the cloud and how it can actually increase your security posture overall, as opposed to you trying to undertake a new security project overall for your own organization.

And so, how can we convey that it's not about jumping across the Grand Canyon, but about creating stepping stones to get across, and build trust by explaining that, you know, the decades of experience that the cloud provider might have in fortifying your systems, you know, that can help you. And we as developers, me, the content creator myself, can understand and empathize with the developer and the IT leader concerns because we've been there.

Bella DeShantz: [00:23:46] I want to talk a little bit more about the shared responsibility matrix. Can you explain what that is? It's such an important thing when it comes to cloud security.

Stephanie Wong: [00:23:54] Security for things like data classification or network controls and physical security, they all need very clear. And the division of the responsibilities is known as shared responsibility for cloud security, and the cloud often handles a lot of it, like using a secure boot stack and the machine identity on our hardware, or the cloud provider's hardware,

or handling data encryption at rest and in transit, all the way to handling the robust network that can absorb DDoS attacks and give you the monitoring and the alerting capabilities so you can immediately take action. And the cloud provider may also be creating many default settings in your cloud environment to protect your environment from things like any unwanted ingress traffic.

So anything like default deny ingress traffic to your instances. There's a huge part of it that is still your responsibility. It's up to you to deploy your own firewall rules, build your own specific routing tables when you want your traffic to go to particular instances, set up identity-aware proxies to further protect your applications based on identity and context, and even ensuring any container images that you deploy

are trusted by using something that we call Binary Authorization, and then finally ensuring that your organization and the people that make up your teams reflect the security protocols you expect. So it really goes all the way through, from the technology all the way to the culture of your organization. And holding up your end of the bargain with the shared responsibility model is obviously easier said than done.

Um, and that's because your responsibility will vary depending on your workload environment, your own requirements, what compliance needs you have. But there are definitely a lot of best practices we try to teach and impart on our audiences. Like, for example, easy things that you can do right off the bat with security are setting up identity,

identity access management. And that's hugely important because it's about choosing if you want to manage and rotate your own encryption keys to store data, choosing who accesses the resources, choosing which teams will have overarching control over which level of resources, who's going to be the first one to respond to security alerts, choosing which teams will review postmortems.

Is it going to be the cloud admin team? Is it going to be the network engineering team? Or do you have a dedicated security team? So as you can see, there's no silver bullet to security, as we like to say. You need constant revisiting, iteration, learning. And if you need to comply with any compliance like HIPAA, for example, sometimes you do need to ensure that you're deploying your own practices in your cloud.

There's also a checklist of items that you should do when you start designing your systems. We often recommend that developers and security engineers should collaborate and sit closely together to ensure that one is not, you know, deploying resources out of sync with another.

Jeremiah Roe: [00:27:00] Yes,

Stephanie Wong: [00:27:03] I'm sure that you've been telling your clients that too.

Jeremiah Roe: [00:27:06] That is such great advice. I'm just, you know, I'm throwing it out there.

Stephanie Wong: [00:27:10] Yeah, 

Bella DeShantz: [00:27:11] I have, um, a little bit of background and a whole lot of interest in threat modeling. And this totally reminds me of the threat modeling perspective of making sure that you understand where everything is connected and, and, like, this idea of, okay, how and who will be using these

assets, these pieces of technology that you're connecting. Just kind of, like, almost checking all of your assumptions, which it's interesting to hear that as, or to talk about that as, such an important part of cloud technology, because it's not technology in some sense, right? It's interpersonal, it's humans.

It's all the ways that us wonderful humans can introduce errors, but it's such an important part of the design.

Stephanie Wong: [00:28:02] As much automation as you can build into your development life cycle, there's still always going to be a human element to it, because you could automate and add checks and balances, policy, binary authorization, make sure you have a secure software supply chain, but if people aren't also rallying for it

and understand the value of it,

then, you know, it can only go so far. So I think, yes, automation first and foremost, move security to the left in your development life cycle, as we like to say, but it's all about building a culture around security.

Jeremiah Roe: [00:28:34] You have to implement that security as a culture, but the start of doing that is to review your corporate policies for humans.

And how that layers into what they do from, from a systemic, you know, corporate culture around security.

Stephanie Wong: [00:29:12] Yeah. I was talking to the CSO of MongoDB months ago, and she also was telling me that she was making sure that every person within the company felt like they had an ownership in ensuring a secure culture, ensuring secure practices in the day-to-day of what they did. But also I think they said that they had champions on teams, and they had a champion team for security folks from various

departments, not even necessarily security departments, but any other business departments and areas of function. And so it's just all about making sure people feel ownership, and it really permeates the case.

Bella DeShantz: [00:29:50] There are also physical security risks associated. Um, I know you've spent some time touring facilities. What was that like? And what security lessons did you take away from that?

Stephanie Wong: [00:30:06] Yeah, I got a very rare opportunity to visit a Google data center, which was such an amazing experience. It was like the pinnacle of my time at Google. Um, and so I got to really see the security practices at a Google data center, at least from a physical perspective, which was awesome. It's, like, more secure than an airport.

In some cases, I think some of the people who work there were in the military. They've seen a lot of various practices in the past, and they were like, this place is more secure than military facilities. So that was really cool. But, um, the lessons that I took away from that, for sure, the first one is that least privilege is the rule to live by.

And, and this goes for cloud resources that you deploy, but this goes for physical access points too. There are two rules strictly enforced at all times at Google data centers, the first of which is least privilege. This is a protocol and the idea that someone should have only the bare minimum privileges necessary to perform their job.

So if your least privilege is to enter this section or layer two of the data center, then you will not have luck into layer three. And so each person's access permissions are checked at badge readers that exist at every single access point to gain, um, to gain access and permissions, and, uh, it could be time constrained too.

So maybe your access is limited to an hour so that you can perform your duties and drop something off, and then you get locked out after that. And there's always someone watching. So yeah, you can't really slip by. And then the other rule that exists is to prevent a vehicle or individual closely following another person through a door.

So if the door was open, 

Jeremiah Roe: [00:31:45] Tailgating.

Stephanie Wong: [00:31:46] And so if a door is open for too long, for example, somebody is alerted immediately. And there's also these circular doors that only one person can enter at a time. And I got my irises scanned. I had to check my badge, and then the other side of the, the tube will open.

It's almost like Star Trek. It's like you enter this tubular circle.

Jeremiah Roe: [00:32:09] There are certain facilities in the DC area for the government that also have those, um, which are excellent. I love them. And I always feel super cool any time I get the opportunity to go through them, because I'm like, yeah, going through a Star Trek.

Stephanie Wong: [00:32:56] Yeah, you don't exactly get beamed up, but you do... the other side opens and you're suddenly somewhere very secure. And in my case, it was the data center floor, which is where all the servers are. So that was really awesome. The other couple takeaways from that experience were that badge checks are super important. You know about dual, uh, dual authentication or two-factor authentication.

So, you know, when you try to sign into an account, you might have a one-time password sent to your phone. We take a similar approach at the data centers to verify a person's identity and access. So at some layers of the data center, you're required to swipe your badge and then enter a circle lock, which is this tubular doorway.

And that also checks or scans your eyes for biometric data to make sure that you are the person you say you are. And then there's also another secure area called the, um, secure loading dock, where shipments are sent.

And this is a special isolated area, and they use this room to receive and send shipments of materials like new hardware and new servers. All the truck deliveries go there, and you have to be specially authenticated or authorized to go into this room. And so if you are someone who just works for the shipment vendor, then you can just go directly there.

And then the last part that was cool is that all hard drives are meticulously tracked. And so hard drive tracking is very important to the security of data. Of course, they all contain encrypted sensitive information. And so Google meticulously tracks the location and status of these hard drives from acquisition to destruction.

And so throughout the life cycle, if they deem that, you know, it can't be recycled and, you know, it needs to be decommissioned, then they will use this giant machine that essentially crushes all the hard drives, which I got to witness. And it's just all these shredded pieces falling out. So that was fun. And then the last part is this testing program.

So we actually hire unannounced, skilled adversaries to pretend to get into the data center. 

Jeremiah Roe: [00:35:21] Nice.

Stephanie Wong: [00:35:23] Like fake exterminators, delivery people, catering folks. And.

Jeremiah Roe: [00:35:28] So like real red team activities. That's the best.

Stephanie Wong: [00:35:31] I'm, like, imagining people sneakily just rappelling off a helicopter into the data center. People have asked that on the YouTube video that I made about it, like, what happens if someone just drops into the data center from the air? And I'm like,

Jeremiah Roe: [00:35:47] That's.

That's exactly what Bella and I do. Uh, when we go in and we're going to be conducting an assessment on a building, uh, we rappel in. And what, why? And I'm flying the helicopter too, uh, once we get there, we put it in automation mode and then Bella and I just rappel in,

Stephanie Wong: [00:36:03] Helicopter just circles around until you're done. Nothing will happen. You'll be fine. 

Jeremiah Roe: [00:36:06] hangs out.

Nothing happens. Yeah.

Bella DeShantz: [00:36:09] It is interesting that you say that, because, like, I can tell that I really, that I'm a security person, right? Because the whole time that you were talking about all of this, I'm, I'm literally thinking, like, I wonder, like, what would happen if, like, what if, do people think about this? Uh, not that I have any good ideas, especially about that, about eye scans.

That's definitely not my area of expertise, but it is, I think, I'm just thinking about how I've been in this industry just long enough that that's all my brain does now.

Stephanie Wong: [00:36:41] Oh, yeah. Don't you love being in tech? That happens to me on a daily basis. Uh, but yeah, the data center experience was super fun. We always have a blameless postmortem after these testing attempts. So it's not like we just do them and disparage anyone who, you know... we just, it's all about blameless postmortems and a blameless culture.

And I think That's another kind of, um, reminder back to just the security culture that we were talking about is as having a blameless culture, no pointing fingers. If something goes wrong, it's all about how can we improve it?

Jeremiah Roe: [00:37:19] I love that you mentioned that because having a culture built around education and bettering themselves is of huge importance rather than building a culture around fear. And, um, personally, okay.

Stephanie Wong: [00:38:51] Especially in a very high stress position or a high stress environment when it comes to security. And even when it's not a [00:39:00] test and it, and something does happen. Yeah. Blameless culture is what will allow you to progress as an organization and allow individuals to feel like, okay, yes, mistakes are made and we need to improve depending on the severity of it.

Also what we need to do, but at least let's not just operate in a culture of fear because that, you know, no one's going to want to stay or improve as an individual in their particular field or don't. 

Bella DeShantz: [00:39:28] In a previous role, I worked as a penetration tester. And some of the most successful engagements that I had were the engagements where when I found a really cool vulnerability, the response from the customer was, whoa, how did you do that? Can you explain it to me? Let's get on a call, walk me through it.

Right. Because it's that, it's that culture of like, okay, cool. We've made a mistake. Let's learn everything that we can about it so that we can improve it. Um, versus the alternative, which is no, I don't think that's right. I don't want to hear [00:40:00] about it, which doesn't help anyone. It doesn't lead to improvements.

It doesn't lead to better security.

Stephanie Wong: [00:40:06] Yeah.

I think with the recent, like, Colonial Pipeline and other attacks that have happened that have made their way to the desk of the president, you know, more organizations are now beginning to take a much more proactive stance about penetration testing and, uh, hiring adversaries to hack or make sure that they can discover and uncover any potential vulnerabilities in there. 

Jeremiah Roe: [00:40:27] 100% agree. If you're operating from a planned, systematic, streamlined approach that incorporates security, it's going to be smooth and easy, and it goes to communication, right? Communicating things effectively about technology and security so that they can be helpful. Which is, you know, in my personal opinion, essential.

What advice, based off of your experience, what advice could you give to those system owners? Those businesses, the CSOs who may be struggling in that.

Stephanie Wong: [00:41:53] Some of my tips around communicating or creating content really at the end of the day is about practice.

One, a formula that works quite well in creating talks, videos, any kind of content, even short form or long form, is using, uh, this five-point argument model, and I know Disney uses something similar in how they create story arcs, but kind of laying the land in the beginning about the challenge space.

You know, why is security. Uh, and you know, why is the ch you could talk about the recent hacks you could talk about, um, why it's so front and center today, the amount of revenue lost as a result of being reactive in the space, and then kind of talk about, okay, this is why we need to talk about that today.

Let's talk about specific, you know, three technology areas that we should invest in and why. You go into the evidence and you go into a demo, perhaps, and then you wrap up with caveats, things where it's going [00:44:00] to, uh, specifically be relevant or maybe, you know, you've tried a couple other options or routes and they didn't work out and why you're focusing on this approach.

And then you wrap up with like your call to action at the end. So that formula has worked really well with capturing the attention of your audience and overall just persuasive community. 

Jeremiah Roe: [00:44:19] What are those questions that you ask yourself when you're creating the content that you create? 

Stephanie Wong: [00:45:04] Number one question you should ask, who's your audience, what's the pain point they're experiencing and what am I trying to solve with this content piece or this talk? And would I personally find this interesting, would somebody who doesn't know much about this topic understand it, and is that the intention?

And so [00:46:00] once you kind of fine tune your audience and the level of depth and what the whole point of the whole talk is, you generally can consider the content to fall into three general buckets. And that is maybe definitions or basic laying the foundation, defining terms around the topic. Like what is App Engine?

What is Kubernetes? Cloud security basics 101. Um, perhaps it's about best practices. That's the second category, outlining and explaining the best practices around a topic. And then the last set of questions you can ask yourself is what is the main measurable outcome that you want from this content? Are you looking for specific behavior from your audience? What kind of change in behavior do you want? Is it a change in thinking or.

Their change in sentiment about the topic that you're talking about. And lastly, can you trim this content down into something that's a little bit more problem and solution oriented? Can you write the title of each talk or the content to be around? 

Bella DeShantz: [00:47:55] I'm a huge proponent of making training and educational resources easily accessible to those that need them, or also the general public. When I first started in cybersecurity, I was really instantly interested in, in application security.

So like web applications and things like that. And I was sort of told, like, if you want to learn this, you can buy this $50 book and then also get on the job training. Those are your options for learning this skill. Uh, was great and worked well for me, but also is kind of tricky if you're trying to break into the industry.

How important it is to kind of create a culture of learning and to create resources that are accessible, not only like available on the [00:49:00] internet, but also accessible what you've talked about, about kind of knowing your audience and creating content for different audiences. 

Stephanie Wong: [00:49:06] Societal and technological advances are definitely shaping how people learn today. And, you know, we used to have a monopoly when it came to learning, like you said, it's like buy this thousand dollar course or this book.

And that's largely due to the ubiquity of a lot of online courses and everything. Now people have a lot of choice, right? People generally prefer to learn online at their own pace and it's more accessible than ever, as you said. When it comes to building a culture at your organization, you need to have this growth mindset.

And the first step is to hire. Hire smart. You want to look for people who are intrinsically driven to learn, who want to figure out what needs to be done, how to find a way to do it and do it before you even know about it and [00:50:00] also teach others how to do things instead of. And really just encourage people to explain beyond just this is what you need to know, but how, how can you actually achieve that?

Um, and I think that the one thing that I've appreciated at the places that I've been in so far is that there's always been this culture of encouraging candor and dissent and, you know, just making sure that there's a lot of engagement and openness between one another. Ask me the tough questions, ask your manager the tough questions.

Question things, go out of your formal reporting lines and discuss ideas and issues without fear. The one thing that's also been just absolutely fantastic on my current team is supporting a lot of risk taking and failing forward and failing fast. [00:51:00] So as long as people are taking an acceptable risk and learning cultures are supporting them, even though they fail, we're here to, you know, pick you back up and it's okay.

So we call this the first pancake principle because, you know, when you're making your first pancake, it's like the grill is too hot, the batter's too thick and you're probably going to burn your pancake. When I'm creating a new piece of content and I'm knowledge sharing on behalf of my team, or I'm doing it on YouTube.

It's like the first episode is not going to be great. That's the whole point, is to just put it out there. It doesn't need to be perfect, understanding the point of diminishing returns also. Right. And making sure that your team really supports this mission and this goal. And practice humility and just be a team and not have individual stars kind of come out of it.

Um, my managers said something that really resonated with me, which was, if you want to go fast, go alone. [00:52:00] If you want to go far, go together. The second part of my answer is about knowledge sharing as a whole.

So just encouraging one another to share their findings on your team, creating a place where you can share your wins, share your knowledge, share tips and guidance. And if you do want to encourage knowledge sharing externally on YouTube for free, for example, have a clear workflow and process for your teammates and contributors to write their own content on your company blog, or just putting it up on your YouTube channel, having a podcast like this one.

So just having clear ownership of these areas and actually investing in them as a company, because the best way to advocate and evangelize your product is for your employees to be the ones to create this. You know, this impactful content that is going to benefit from the economies of scale, right? When you [00:53:00] have individuals doing it on your behalf.

Bella DeShantz: [00:53:35] A lot of what you said resonated with me a lot as a, um, what, how do I say this? A recovering perfectionist and 

Stephanie Wong: [00:53:45] too. 

Bella DeShantz: [00:53:47] person with a relatively, definitely still there, social anxiety. Like this podcast alone has been a huge way for me to kind of practice some of the things that you're talking about.

[00:54:00] And it's really the prospect of facilitate, like me playing a role in facilitating other folks. Learning is really exciting and it helps me remember like, Hey, you know, we're going to make mistakes and we're going to learn from them. 

Stephanie Wong: [00:54:14] Yes. I know I've gone through that so many times in different parts of my career. And it's like, people are like, how do you come out with content so frequently? And I'm like, well, it definitely, I didn't start this way. I had to make a lot of mistakes and trip many, many times. And then finally, through iteration, I was able to fine tune my process, streamline it, get better at writing.

Get better at hosting, get better at speaking, and then just becomes second nature. It's like anything in life, it just takes practice. And I think we're our harshest critic and it's just giving yourself that space and that forgiveness to do that because nobody else is expecting perfection from you. 

Bella DeShantz: [00:54:51] Awesome. It's been really, really, really cool talking to you. If our listeners want to hear more from you or see your content, how can they do that?

Stephanie Wong: [00:55:08] Well, you can follow me on Twitter at Steph R underscore Wong. My LinkedIn is Steph Arwan. So everything's similar on my LinkedIn. You can also see links to my YouTube playlists of all the stuff that I've ever done at Google. Um, you can also check out my personal YouTube channel, which is called Steph.

You should. A little bit of a pun there. This is a question that we ask every new hire at Synack. Um, so what is one thing that people wouldn't be able to tell about you just by looking at your LinkedIn profile?

Stephanie Wong: [00:56:31] I love this question because it reminds me of like, Tell me a fun fact, except it's like better than that question. Um, and me and my friends have now created this list of like, un-fun fun facts that people say. And it's just funny, but I recently had this little win, this little fun fact, and my friends were like, Oh, you got to add that to your fun fact list in case someone asks you.

So mine is that I recently won a Just Dance competition against 63 [00:57:00] countries on Nintendo Switch. 

Bella DeShantz: [00:57:02] Gosh. 

Stephanie Wong: [00:57:03] I was just by myself in a basement playing against 63 people from different countries. And I got first place and I was so excited and you know, that's now my new fun fact, 

Bella DeShantz: [00:57:13] Congratulations. 

Stephanie Wong: [00:57:14] But, uh, yeah, I've been a hip hop dancer for my whole life and I haven't gotten to do enough of it during the pandemic.

And so Just Dance has been my outlet.

Bella DeShantz: [00:57:24] I love that so much. I grew up dancing and I don't do it anymore because, like, how would I, and I've been trying to convince my partner to get Just Dance for the longest time. And he's just like, absolutely not, not interested. 

Jeremiah Roe: [00:57:53] Thank you so much for your time, Stephanie, we really enjoyed having you on the show and, um, uh, you know, uh, look forward [00:58:00] to seeing more from you in the future. 

Stephanie Wong: [00:58:02] Thanks so much, Jeremiah and Bella. I really enjoyed our conversation.