WE'RE IN!

Tracy Maleeff on Diversifying the Cyber Workforce, OSINT Skills and “Librarian Face”

Episode Summary

Tracy Maleeff led a successful career transition into the tech and cybersecurity world nearly seven years ago. Now a security researcher with the Krebs Stamos Group, the former librarian still uses her hard-won open source intelligence skills to sort through a deluge of cybersecurity information for clients and for subscribers of her free InfoSecSherpa news roundups. In the latest WE’RE IN! episode, she speaks to the importance of having diverse perspectives at the table when it comes to cybersecurity and warns of a disconnect between tech hiring managers and HR departments.

Episode Notes

“Companies keep hunting for unicorns when they really just need to pay attention to the squirrels at the base of the tree,” Maleeff said.

---------

Here are a few more reasons to listen:

* Discover Tracy’s tips for breaking into the cybersecurity industry from other professions: She once helped a mechanic launch a career in pentesting

* Learn how she’s used Twitter to advance her own cybersecurity career

* Hear about her favorite episode of Keeping Up with the Kardashians – and yes, there is an infosec connection!

---------

Links:

* https://infosecsherpa.medium.com/

* https://www.ks.group/

* https://www.synack.com/

* https://readme.security/

Episode Transcription

Welcome in, Tracy. Uh, it's, it's lovely to get to chat with you today. Um, I've been really, really looking forward to this conversation. So I guess, first of all, how are you doing today?

Tracy: Uh, I'm doing excellent. Thank you. It's you know, it's, it's a lovely day. I'm thrilled to be here today and just honored that you, uh, that you [00:04:00] all invited me. So

Bella: Absolutely. So the first time that I ever actually saw you speak was at the Diana Initiative conference in 2020, which I think it was their first year, uh, virtual and I was so jazzed to get to attend that conference, especially virtually it was like really, it just made things really like easy and all the, all the talks were, were beautiful, but specifically your talk was titled "Empathy as a Service to Create a Culture of Security."

Um, and I found it really, really interesting and impactful, and I loved this concept of approaching security, you know, with a more human centric approach. And, uh, I was wondering if you could just sort of tell us a little bit about that approach and what that.

Tracy: Sure. Thank you. So, so much for that, that kind feedback. Yeah. That's a talk I'm really proud of. And, and yes, and it came about because of my unique career change from library science world. I was a librarian, mostly at law firms for about [00:05:00] 15 years total, and I was very shocked to see in InfoSec how much the, the end user or customer, uh, whatever term you want to use.

The consumer of security services at an organization, uh, was met with a lot of disdain and ridicule and coming from the library science world. I mean, don't get me wrong. There's plenty of anonymous librarian Twitter accounts that like to complain about library patrons, but this was, uh, open hostility that I haven't really hadn't really experienced before.

And I found that really troublesome because I'm, I am well aware that we want these users on our side. And I know that that there's a better way to go about that. So I, I based that talk, Empathy as a Service, on a seven step guideline that is taught in, in grad school for library science and used by [00:06:00] librarians all over.

It's called the reference interview. The, the purpose of that is to help you figure out what a patron's really asking for, because sometimes it's not clear, but I was able to take those seven steps and apply them to our information security world, through stories, through, you know, through true stories that I experienced and really trying to get people to understand that if you create allies within your company, not just, you know, the, not just the receptionist through the C-suite, but also just other tech departments too, that we really need to get rid of that attitude that somehow security is superior and doesn't have time to talk to any other departments or work with them.

So, um, I'm just doing the best that I can in my little corner of the world to try and get people to have a really different approach about security. I want to take it from, you know, the [00:07:00] none shall pass to welcome. Come in. Do you want some tea? You know, I really want to turn it on its head. So that's what I'm trying to do with,

Bella: and it was a really cool that the talk. Oh,

Jeremiah: I liked that Lord of the rings

Bella: talk was really cool. And it was it,

Jeremiah: reference. I, I, I just wanted to mention that.

Bella: it was really cool that listening to the talk, there was a lot of, I think a lot of the talk was focused on sort of, uh, how a security department can like be more approachable to the rest of the company and the C-suites and things like that.

I've also had conversations where we come with.

Like we found this really interesting vulnerability. And like, when we, we focus more on like how let's turn this conversation into like a learning experience for both of us, let's focus on, you know, how to make this. Like, I don't want to say a pleasant experience. Right. Cause it's not fun to find bugs.

It's not fun to find vulnerabilities, but that, that culture of like, this is a cool thing that we now get to like learn about together. Um, I find it like way more successful and then customers come to me with questions and we just get like, when those [00:09:00] experiences happen, I find the customers more often to like ask me for advice and things like that.

And it just like, it's so positive.

Tracy: Absolutely. Yeah. That's approachability, which is one of the steps in the reference interview and yeah, you have to be approachable and it's all about empowerment. You want your customers or your users to feel empowered and be a part of the process. So yeah, rather than admonish them, turn it into a teachable moment of, okay, so yeah.

Hey, we did find something bad, but let's, let's talk through it. Let's see how we can improve it. Uh, but this also goes for other departments too. And if I can share a quick story, I had a real wake up call in one of my, my jobs as a blue teamer, where we were asked to meet with an engineering or development department, uh, within this company, because they wanted to use an open source free software, and [00:10:00] we were there to evaluate it and.

In hindsight, I realized, um, the team was probably going in a little harsh and the wake up call came when the manager of the other department said, why do I feel like I'm being punished? Because I asked security to weigh in on this product. And that was like a gut punch and a real wake up call. And I that's when I really spoke up and said, okay, let's, you know, you're absolutely.

You know, you're, you're not being treated fairly here. Let's go about this a different way. And in my own way, I was able to cut to the heart of the matter, which was they didn't have the funding to get the more secure paid version. So that's when I said, okay, well then who do we, as security need to talk to, to get you more money so that you can get the more secure paid version for this product, because it really would be a major vulnerability and liability to this company.

Jeremiah: I think there's this weird stigma in cybersecurity when individuals, uh, try to think about, um, uh, admonishment for asking questions and doing things. And when in fact, uh, us either on the cybersecurity side or red teaming side, blue teaming [00:12:00] side, we look at it as they're trying to get over one on us, or they're trying to bypass security controls, or they're trying to, you know, circumvent the system and, and that doesn't help anybody.

Right. Because we're not coming about it from a perspective of trying to understand we're coming about it from a perspective of, of they're doing wrong already. Right. And I think that's, that's an important distinction that you just briefly touched on. And I just kinda want to, you know, uh, say that. Those of us individuals in the industry that are doing this might want to reflect on that.

Tracy: Yeah, that's a good point for you highlighting that. And I wanted to mention that again, too, that yes, I, I'm not naive enough to think that everything is, is innocent. Yes. You may uncover some, uh, you know, some insider threats, uh, or somebody may try to be putting something past you, but this is my perspective on that.

If you are good at your job, you [00:13:00] will be able to ferret that out. So don't insert assume malintent, but. If you are skilled at what you do, you should be the one to pick up on mal-intent and not assume that everyone who is it comes across in your, your department is, is trying to get one past you.

Jeremiah: So quick question, you started your career in around 2015. Um, and from, uh, the outside, look again, it seems like you've had tremendous success across the board and a number of the initiatives that you've gone through at Bella just mentioned one of the fantastic talks that you've done. Right. Um, you've also worked at the New York Times, and now you currently work in the Krebs Stamos Group, um, which was ultimately formed by, uh, CISA, uh, director, uh, Chris Krebs.

And I, if I pronounced that wrong, I, I apologize. Um,

Tracy: It's Stamos. Yep. And

Jeremiah: was that correct?

Tracy: And action. Well, my career started later than 2015. If I can just interject Toronto 25th,

Jeremiah: okay. Yeah.

Tracy: when I declared the year of my career and I was still a law firm librarian and I decided to dip a toe in the tech world first because I knew [00:18:00] that I wanted to make a career change.

So it wasn't until about maybe halfway through 2015 is when I found cybersecurity. Uh, so I actually quit my law firm job in January of 2016. And then it took me a year and a half from there, uh, to get my first, uh, SOC job in 2017. So, uh, so yeah, so you're not, you're not entirely wrong, but yeah, I was still a law firm librarian, uh, through January, 2016.

Yes.

Jeremiah: Yeah,

Tracy: Which is another point. I wonder, I want to mention real

Tracy: okay. Is a lot of folks say that they're interested in cybersecurity, but they're not ready to make a change yet, or things like that. Or I actually had one woman say to me, I am completely content as a software engineer, but I'm feeling all this societal pressure that I should get into cyber security.

And I tell people just be a security advocate where you will. That's what I did as a librarian. You know, when [00:19:00] I, I described it to the CIO of the law firm, as security is my quirky hobby, you know, and that's when I offered to run. Yeah, that's a longer story. So it was like great bloom where you're planted, you know, just, just be calm security advocate where you.

Jeremiah: it's interesting for me, uh, to learn about the perspectives of individuals that started elsewhere and then migrated into cyber because one, there's a huge talent gap shortage. Everybody realizes that. And so the more people, the more people we can get into cyber, the more women we can get into cyber and the more, uh, individuals that want to come in and participate is exciting to me because I've always been enamored with cybersecurity.

And so I'm kind of curious where your journey started to think more broadly about culture and InfoSec and, and, and the community and trying to bring it

Tracy: Sure. Uh, well, [00:21:00] this came about my career change came about because I felt like I had reached. Everything that I could do in the law firm library world. So in the fall of 2014, I would be very sad, very sad commuter on the train, in and out of Philly. And I mean, there were times when I was crying on the train, I was that awkward person crying on the train because I, I had worked so hard to get to this, this level at the law firm and within the library world.

And I had accomplished a lot in the library world and I just thought, is this. Like, I feel like I don't, I, you know, I don't feel like I can coast on this career until retirement. Whereas I do have former colleagues and friends who are completely content to coast in library world, uh, for, you know, till the end of their careers.

And I wasn't satisfied with that. So I happened to read an article in the train. It was in entrepreneur magazine and the title of the articles called how to [00:22:00] future-proof your career in 2015? And I read this article and a couple of things stood out to me and one was, um, take a look back at all the jobs or classes or things that you've done in the past and try to find a common thread.

And when I thought back, I've realized that tech was my common thread, whenever something needed to be fixed in the office, whether it be a printer, I had one job where I discovered a back channel email that nobody knew existed. Uh, I found things like that. I enjoyed going to the computer lab, pre-GUI internet.

Cause I am that I am that senior. And, uh, and that's when I realized that. And I just had never considered tech.

Jeremiah: right there with you.

Tracy: Yeah. I'm on the, uh, the gopher boards and everything poking around. Um, I, my, my funniest story is when, uh, just as a side note, I met up with, I T I managed to track down, uh, someone, I was friends with that she moved away when we were elementary [00:23:00] school.

And we, I remember we met up for brunch one day and she, I remember she said to me, she was like, you know, it was so great to hear from you, but I'm so surprised you found my email address because my college's, um, you know, address book, or no, or, you know, directory is really locked down. I'm like, is it like, so, um, but I, at the time I didn't realize that was hacking.

I didn't, again, I wasn't exposed to people or media or anything to know that what I was doing was a skill. Uh, so, you know, and again, I do have some regrets that I didn't get involved in this sooner, but this is why outreach is so important. I didn't know. I had no idea. Uh, for so many times I was the only woman in the computer lab on campus, and nobody would talk to me.

I feel like there's so many more options now and I want to be part of that catalyst for change.

Jeremiah: but that brings up another question. Yeah, no, no, that, that completely brings up another question for me that, um, is just I've I feel is right on point. And, uh, clearly we have a diversity problem in cybersecurity and, um, throughout the tech industry as a whole, really, uh, so what are some of the things ultimately that we can all be doing to change this dynamic and increase, uh, the pipeline for underrepresented communities to be able to come in and.

Tracy: absolutely. Yeah. This is really important. This is a big passion of mine. And I'm going to know, say this here and I I've said it on Twitter and I've said it out loud, white women aren't diverse. Okay. [00:25:00] Yes, we do need women in the industry, but white women already have, have certain privileges and have also broken a lot of barriers already.

It's it's the underrepresented folks of color that we really need to. To help get in further, and you need to do that by being an ally and you need companies need to be better about also posting jobs where communities can, can see them underrepresented communities. For example, there's a hashtag black tech Twitter, and there's a.

That will retweet you if you use that, that hashtag. So if you've ever followed me on Twitter, you'll notice that I try to tag as many diverse groups and hashtags that I can fit into the tweet because I want to get on their radar. Uh, another thing you can do is sometimes you need to reach out to folks from underrepresented groups in order to invite them to apply.

[00:26:00] And people may be saying, well, that's, you know, an unfair advantage and all this stuff. No. You need what I have found in my experience. I'm not going to speak from anyone else's experience. You need to help ensure to that person of color, that they're not walking into a bad situation. You know, they may not apply someone of color may not apply to your job blindly because you know, for, to your company blindly, because they don't know the culture there.

They may not know any people there. And, you know, think about that. You know, that might, that's a very scary situation to walk into. And do you, you know, you don't know what the culture is like there. Uh, so I feel like we need it. The, the burden is on. The onus is on us to reach out, make folks from underrepresented groups, feel more inclusive and wanted, and that, that falls on us, you know, to reach out to folks.

So, uh, that, that's the way I see it. [00:27:00] Uh, it's also crucial to have diversity because we all have different threat models. And if we're only basing thing on a, you know, cis straight white, you know, profile, that's doing a disservice to so many different groups. I actually do a lot of mentoring. Uh, with Africans. I feel like Africa is a continent is a huge, uh, growing future workforce for cyber security.

In addition to the source of a [00:28:00] threat, it's both. Um, but it's no more a threat or a resource than anywhere else in the world. I feel like people make Africa out to be more of a threat than a resource. There are very brilliant minds in Africa and the African diaspora who can definitely help us with tech and cybersecurity issues, but they're just not getting the chances.

Bella: I think all of this that we're talking about, um, with, you know, the different perspectives in particular, I know that's something that you mentioned is how important it is to have different perspectives in the cybersecurity conversation and tech conversation. And it reminds me of.

Uh, I feel like this is almost a cliche example at this point, but it's one of the clearest illustrations of this for me is when, um, a black woman realized that facial recognition technology like didn't catch like, or was incredibly less reliable on particularly like black women's and black people's faces.

And it's like, you know, this is one example there. 

It's not, it's not possible for any one person to be able to account for everyone's perspective. And so it's important to get as many perspectives as possible in the room, um, particularly for tech and cyber safety.

Tracy: Absolutely. And I take an Aqua jog class, which is filled with mostly senior citizens and myself and this morning, uh, had one of my ladies swim up to me and they know what line of work I'm in. And she said, what do you think of Waze, the app Waze, because that's how she used to get around. And, you know, first I, I commended her for asking me about the security and privacy features and I said, [00:33:00] Let's make sure that your profile is locked down so that people can't follow you.

I said, I, I know that there's a, there's gotta be an article or instructions from the Waze website to direct you, how to make sure the privacy setting is enabled.

I'll text that to you later and, and do that. And then another woman came over and said, why does my Google Maps pop up and prompt me to get, to always come to the gym when it's time for class? And so I was just as quickly as I could in the middle of the pool and got into, you know, machine learning. Yeah.

Machine learning and things like that. I was like, well, let's, it's learned patterns. So. Again, I know that not everybody's up for that answering questions in public. Um, I kind of got used to it as a librarian. There's a condition called librarian face where people will just approach librarians in public because they can just tell that you're a librarian.

And I'm just so used to that, that I just carrying the, carried that over to cybersecurity. Um, and an example of this is I know some people say, well, I told someone to use a password manager and then, you know, slapping hands, like [00:35:00] my work here done. No, you can't just tell them to use a password manager, maybe pull up, you know, maybe have had something on your phone. That's like a dummy entry so that you're not showing people, your password maybe have like something called, you know, four A's or something.

So it sits up top and just say, Hey, can I show you real quick? This is what a password manager does. You can't just say, oh, go to L you know, insert name, password manager here. Um, and just use that that's that's not really help,

Bella: yeah. Cause like to someone who doesn't know about cybersecurity, I feel like the F the word password manager alone. What is that, is that a website? Is that a person? Do I have to pay for it is, do I have to redo all my passwords to use it like that? Doesn't it means almost. It's funny that you talk about password manager, because that example is one that I have with my friends a lot is like, people constantly ask me, like, how do I do better passwords?

Or like, or like, I was shamed once for having a bad password. How do I fix it? And it's, it's always passwords. [00:36:00] And, and it really is like, if, if I feel like that example of like, if you're, if you're not like giving someone advice that like meets them where they are with their understanding level, it's kind of useless

Tracy: but I mean, think about it this way. It's like kindergarten, we had show and tell, right? You didn't just hold up your stuffed monkey and not say a word about it, or you didn't stand there and describe something, but had no pictures to show it was called show and tell for a reason. And we kind of need to get back to those basics.

So that's what I want people to think about when I give my Empathy as a Service talk. I talk about Dungeons and Dragons in one of my talks. I said, did you ever have a mean dungeon master who made fun of you because you didn't know how to do things and you can hear all these murmurs and see the nods and in the audience.

And I'm like, if that's what helps you realize this, then think back to that, I say to people you weren't born knowing how to code, you had to learn. And your code was probably really crappy when you first did it. Right. You know? [00:40:00] Um, so I try to get people to remember, to take themselves out of the situation

Bella: yeah, yeah. And speaking of this idea of like, you know, people being novices and, and learning a new skill and things like that, um, we talked a little bit earlier about the diversity issue in tech. Um, I think beyond just, um, a lack of diverse, you know, individuals in tech and in cybersecurity, there's also just like a lack of, of people.

Um, you know, people talk a lot about this, uh, you know, the, the talent shortage and there's a bunch of different cliche names for it, but it's this idea that there are a lot there, like all these open jobs in [00:41:00] cybersecurity. And then there aren't people with the, um, expected skill sets or the interest or background, whatever it is there, there aren't people to fill those jobs.

How do we get people interested in, in tech

Tracy: Well get comfortable because I have very strong opinions about this. And if I may respectfully

Bella: fair?

Tracy: don't think we do have a people shortage. I think we have a problem with hiring and retention and getting past, uh, you know, fire the F the HR firewall. Um, there are too many job postings that are not written correctly requiring a CISSP for an entry level position.

Uh, I think there's a big [00:42:00] disconnect between the hiring managers and the HR and personnel departments. And it is, it is very difficult to get past those screens. And all the, the technology that companies are utilizing to screen resumes and letters and applications and things like that. So that then requires people to rely heavily on people networking.

Well, what happens is too many people have homogenous professional circles. So who keeps getting referred for jobs and getting behind that HR firewall are just other people who just look like you from your homogenous professional network. So I really don't think we have a shortage because I'm on Twitter all the time.

And there are constantly people begging for jobs and. I, I really don't think it's a shortage. I think it's that the companies aren't really well-equipped to hire companies aren't willing to train. They want every, they want turnkey employees to show up on their [00:43:00] doorstep. Well, you know what? That's great.

If you're in a long, well established industry, we're still in its infancy, especially compared to other industries. So you need to change your mindset that you're not going to find these fully functional, you know, uh, red teamers,

Bella: And I think like, I think it's almost like, um, and, and for the record, I, I, I agree with you. I think this is a fun, sorry, you caught me being incendiary,

Tracy: No, no, no, no, no. I like, I like to, I like to get fired up. I'm glad you, you

Bella: Good. Um, but I think it's such an, it's almost like a self fulfilling prophecy, right? Of like when these companies are like, oh no, we don't have like, there's nobody to hire to fill these jobs.

But also we require, you know, 10 billion requirements and then the people that are interested, the people that you're talking to on Twitter, that it would, would be able to do this job, have the interest, but maybe don't have, uh, a degree because [00:44:00] Lord knows there's a zillion different reasons why people can't like why getting a degree is not accessible to everyone, or they don't have a super expensive certificate, whatever it is, then those people might have interests.

It feels like it discourages them from, from like, I've seen people who try to get into this industry can't and then switch. Right. Because you can't, you can't like look for a job for years and years and it's like, When companies are saying like, no, there's no one to fill these jobs with these requirements and then no one can fill them because they're looking for these absurd requirements.

Tracy: Well, someone reminded me of a, of a pull quote from my entry in Tribe of Hackers. And I forgot that I said this, but I said something about companies keep, um, hunting for unicorns when they really just need to pay attention to the squirrels at the base of the tree. [00:45:00] There are so many squirrels out there, but they keep looking for unicorns and nobody wants to train.

They don't want to spend time. And then it gets into the debate of is cybersecurity an entry level industry. And I can understand why people say no, but I feel like the people saying no are also the ones with, with a lot of privilege and also fell, but backwards into security after being in tech. So I feel like it's very. to me about their gatekeeping of, you know, oh, you can't be entry-level and be in cybersecurity. Well, you started somewhere, you know, you you've probably showed up one day at work, were told, okay, now you're part of security. Well, you weren't necessarily up to speed. Were you? But, oh, well that's, that's different.

Is it? You know, so, um, yeah, so I have very, and maybe it's just the Philadelphian in me, but I have very [00:46:00] low tolerance for this kind of BS. I don't believe that there's a person shortage. I, I do believe that we're growing, there's a growing need, which is a difference.

Uh, and my situation is very, is very unusual. And I admit that. And that's why I'm very careful about when I give career advice. I already had a master's degree coming into this with a transferable set of skills. And that's why I was able to jump right in because. I was doing OSINT for 20 years, but I didn't know it was called OSINT.

It literally wasn't until I started to move into the InfoSec space, when somebody said to me, oh, you have all this OSINT experience. And I [00:47:00] literally thought OSINT was a programming language, like COBOL because of, you know, I, I didn't, I didn't know what it was. And when they described to me what OSINT was and th and the guy said to me, well, what did you call it when you were a librarian?

And I said, doing my job, like, we didn't have a fancy name for it. Like that's. So, so what I'm getting at. You may have transferable skills and, you know, whether you worked in fast food or you were a nanny or you're a nurse or anything, construction, um, mechanic, I actually recently helped, um, a gentleman who worked as a mechanic.

He really wanted to be a pen tester. And I said, okay, let's, you know, that's that technical mindset troubleshooting. And he now has a part-time job as a, as a pen tester. Uh, and he is also working on certs and finishing his degree and things like that. He's a, he's a young kid, but I tell people, harness your transferable skills and have what's called an [00:48:00] elevator pitch ready to describe them 

Jeremiah: It's such an interesting, uh, concept for me, just the transferable skills that are aligned with, um, librarians and the capacity to conduct OSINT, and to identify, uh, uh, information that, that may be embedded in, uh, troves of knowledge. Right. Uh, and so I never quite thought of it in that [00:52:00] manner until you were talking with us a little bit ago about this very concept and it's, and it's so very interesting to me.

Right? So you mentioned there's not really, you know, Perspective a talent gap shortage. There's, you know, it's a people being hired problem. Um, and, and, and I'm kind of curious about that. Like, how do we, how do we, how do we fix that very cyclical problem that Bella mentioned right around, uh, this, this, uh, individuals hiring the individuals, they know that look like them that are in the same circles, right.

And also address the, uh, growing need problem that’s currently in cyber. 

Tracy: Well, a lot of it's education. I mean kind of going back to what I, and, and awareness and things like that. Like I mentioned before, I, I didn't get involved in, in tech or cybersecurity sooner because I just didn't know. I didn't see other women in the computer lab. Visibility is so important and, you know, awareness of this is important.

So. You know, a lot of cybersecurity folks need to be more proactive. You know, if you're, if you don't feel like going to a library, maybe go to your chamber of commerce commerce, where a lot of small business owners are, who may not have necessarily have the funds to protect themselves, but you can give them some tips and, you know, give them what's available and help them with that.

So, I mean, I it's, it's a very complicated issue. I mean, I mean, I think, I think also [00:54:00] because there's no standardization really of roles and not, I do believe that that CISA is, or is it so SAR CISA, um, C-I-S-A is, uh, working to, uh, improve this. I, I really love the leadership of, uh, my current boss, my former former CISA boss and the current assistant boss, Jen Easterly.

I feel like there's a whole new push now to really kind of get that career information out. And actually today they put out something about free tools and resources to use. So those, those initiatives are fantastic. So I think it's, there, there is a skill issue to an extent, but I think it's because we don't really have some good standardizations of, you know, these are the skills that you need.

Um, because it's, it's pretty clear. Like, for example, for me to be a librarian, I knew that I needed a master's of library and information science degree. That's what I knew I needed to do. So I got that, [00:55:00] but in our world, I mean, some people don't have high school diplomas or maybe they have a GED and that's great.

I'm not saying that's as a disparaging way. I'm just saying that, you know, I have a master's degree, but there are some people of GEDs. We're all over the place and we do have people with PhDs and we have lawyers. And so that's the problem is that because again, because we're S we're a relatively new industry, we're kind of all over the place.

And I think that opportunity also becomes overwhelming to some people because it's not in nice, neat little Kubernetes boxes for us. Um, see what I did there. Um, so,

Jeremiah: that's how I saw that drop in it.

Tracy: um, so I think, I think that's a benefit and a detriment at the same time. I think it's great that we have so much variety and different perspectives and different skillsets, but at the same time it does kind of make things a little chaotic, right?

There are so many transferable skills and I, I think it's, it's almost like this issue of, of, I think sometimes hiring managers or are maybe not hiring managers, but HR in tech need to remember how many transferable skills and are there are from so many different industries and like what that looks like.

Cause it, it does feel like sometimes they're looking for like, do you have a degree in cybersecurity? And it's like, everything else gets ignored. Um, and for what, that's not really getting us.

Tracy: Yeah. And the, the C uh, the CISO of, um, his experience. That she had a music degree and she, and my name and the right company, she, there was a, Cisco had a couple of years ago, there was a huge breach. I want to say it was Experian. And she had a music degrees and she got [01:04:00] thrown under the bus left and right, because of these music degrees.

And it wasn't that she was an opera singer is that she did music theory and music, you know, music. Right. It was, and it doesn't even matter if she even did singing, but, um, I remember being very angry about that, of what different, and like whenever there's breaches, I don't recall ever hearing what college majors the male CISOs had, but whenever there's a female, so all of a sudden it's like, oh, she was a liberal arts major.

That's why this happened. No, it's not. You're just trying to find a reason to, you know, discriminate against women in this industry. Uh, so whenever there was a while, when, when there were a lot of breaches going on that I would go online and use my own skills to look up the major of the male CISOs at certain companies and make sure I tweeted that because it seemed only fair that, you know, people know what major everyone had when these things happened, because it's it's oh, so crucial and [01:05:00] really matters.

And in the real world,

Jeremiah: Um, there, there are people that I've seen in the industry. Individuals that that do do not have a cybersecurity degree. I myself do not have a cybersecurity degree. Um, and others that I've known and seen don't have a degrees in cyber. There's an individual. I know that has a degree in psychology. And this particular individual is one of the most creative folks that I know of, uh, to be able to analyze people from a humanistic approach, um, and, and have that kind of training and then they apply it to

Tracy: Yeah. Well, and it's so new too.

Jeremiah: like,

Tracy: I mean, it's such a new discipline that there's not going to be a lot of colleges. There are some institutions that seem to be jumping on the bandwagon and you do see a couple articles a week of colleges starting labs and majors and minors and things like that. And that, and that's great.

But yeah, again, I [01:06:00] think that for the current workforce, it's going to be more unusual that you actually haven't, even if you have a computer science degree, it doesn't necessarily mean that, you know, security I've talked to many computer science majors who don't understand security because that's not the computer science classes that they took.

So yeah, we need to kind of get past all this and you need to look at the person's skills, their aptitude, their ability, their interests, their curiosity, and then problem solving skills. Like we need to kind of get beyond that. You can't measure someone's ability for cybersecurity based on measures for another industry.

Jeremiah: yeah, there's um, there's an interesting, uh, perspective around. Individuals and their ability to bring their current skills. Right. And as I think about that, and as you speak, I'm, I'm [01:07:00] wondering more and more if, uh, our talent gap and I'm using air quotes at this time now instead, uh, I'm wondering if our talent gap is aligned to the fact that we're looking for people with individuals, with cybersecurity in the tagline, and when they're not meeting that, we're just immediately discounting them.

Tracy: Yeah, absolutely. Um, it's yeah, we're, we're getting to in the, in the muck and mire for this and not really thinking outside the box and. I think gone are the days when you just assume that the tech folks will just roll into security, uh, and, and happily take on those jobs. Cause I think that's kind of what has been happening for the most part.

Basically if you want to get into this industry, uh, you know, you're just going to have to really fight for it and not expect anything to be handed to you because, um, you know, we're kind of like the, the old, you know, early nineties websites with like the construction worker, diggings is under construction.

In many ways. We are that, you know, we are still under construction as far as, as our industry goes. So if you want in, you just kind of need to jump in the pit with us.

Bella: Y the, sort of the [01:10:00] last question that I want to ask kind of related to that. So, um, I know you mentioned Twitter earlier. I know you're very active on Twitter, um, and in this kind of conversation of getting more people into the industry and, and, um, talking more about how to improve this industry, uh, how do you feel like Twitter as a conversation tool works for that kind of motive?

Tracy: Oh, all of my cybersecurity jobs are a result of Twitter. So I say that it works. Um, I have learned so much from Twitter. I've connected with people through Twitter. I've helped so many people through Twitter. Um, and LinkedIn too. We'll just lump them in here too, uh, no, I think it's very useful tool. Is there drama?

Yes. Is there drama in every industry? Yes. That's what makes me laugh because again, I think about library and Twitter drama and people in [01:11:00] InfoSec, InfoSec, Twitter saying like, oh, are we the only industry that fights like this? No, no. Every industry has their own, you know, villains and heroes and rock stars and, you know, We're not unique, which makes me laugh like, oh, I bet we're the only industry does that.

No. It's and if they don't use Twitter, they use something else they say to your face or something. So, um, Twitter can be a very useful tool to help you connect with people to help you learn. Um, like I said, I was able to build a brand and reputation, uh, and professional networking through Twitter that yes, literally all three of my cybersecurity jobs had a Twitter factor in there one way or another and yeah, it's, it's,

Jeremiah: how awesome

Tracy: And, uh, you know, they it's it's

Jeremiah: the power of community.

Tracy: it's been amazing. So yeah, I mean, it's not, again, I'm not trying to look at it [01:12:00] through rose colored glasses. I know that there's also a lot of bad stuff that happens, but you know, again, I also have a personal rule that I try. I don't like to go on Twitter after midnight, because in my experience it's kind of just like

Bella: It devolves. Yeah.

Tracy: just, it, yeah. Like I just, it just gets weird and yeah. And it's just not a good, so that's, I, I w I'm like, you know, like I even try not to look at it cause I'm like, it is after midnight, Eastern time, Twitter turns it's like after dark and it's like, you know what? I am too old for this club. Like, I just, I'm gonna just go wait for you at the donut shop across the street, and then he'll help your drunk, you know, self get home in the bed.

So, um, yeah, it can be very useful and it can be a very fun and community place and, and everything. Um, but again, it just like anything. It's a

Bella: yeah,

Tracy: and it's how you use it. And if you're going to go on there and be a jerk and smash people down and [01:13:00] make idiotic comments and mean things, then yeah. You're not really using the tool right then.

Bella: yeah,

Tracy: But if you go on and you try to help people and you're a decent person, then yeah. It can be a very beneficial place. So that's how I feel about that. I mean, I know it's not the best place in the world, but it's not the worst either.

Bella: So on that, our very last question for you. This is a question that we ask all of our guests. Uh, it doesn't have to be too serious. Um, what is something that we wouldn't know about you just from looking at your LinkedIn, Twitter, social media presence?

Tracy: Oh, that's hard because I'm pretty, um, open with all my, uh, uh, things.

Jeremiah: is our social

Tracy: Yeah. I was going to say, um, all right, fine. So, I mean, I, I feel like I've, I don't think I've tweeted this before, but, um, I do have a favorite episode of Keeping Up with the Kardashians and it's the [01:14:00] episode where they try to teach. I want to say.

Kendall a lesson about privacy and security.

Bella: What.

Tracy: Yeah,

Jeremiah: how funny?

Tracy: I

Jeremiah: That is funny.

Tracy: and her posts again, this was, uh, this was like many years ago by now. The show has been on forever. Um, but I want to say it was like Kim and Kourtney and who's the other one, Khloé. I think they wanted to, because I think she got a stalker out of it because she kept posting where she was and they were trying to teach her about geolocation.

Yes, I am very well aware. It is. Real. I know it's a reality show. I know it's not that real, but I still think that it was a very good way to show folks that who wouldn't normally sit for a privacy and security conversation to do that. And then later, unfortunately, Kim had the issue in Paris where she was robbed.

And again, I feel like they were able to turn that into like a [01:15:00] PSA for privacy and security to reach people that normally wouldn't sit still for something like that. I'm like, this is really valuable privacy and security information that they're dropping, but they're doing it in such an approachable way and people are going to be listening to it who may not even realize that they're what they're listening to, but just know to do these things because Kim said so, you know, because,

Bella: Sneaky

Tracy: you know, so, so yeah, so that's kind of my guilty pleasure of watching some Kardashians episodes, um, and just kind of pulling out the like real world lessons

Bella: That's awesome. Thank you for sharing.

Tracy: sure.

Bella: All right. I think that's it. I think we did it. Yep. Tracy,

Jeremiah: Thank you so

Bella: for joining us today, this was a really a really great conversation and it was great to get to talk with you.

Jeremiah: Thank you for your time.