Alyssa Miller is a life-long hacker and experienced security executive. She has a passion for security which she advocates to fellow business leaders and industry audiences both as a high-level cyber security professional and through her presence in the security community. She blends a unique mix of technical expertise and executive experience to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change the way we look at the security of our interconnected way of life and focus attention on defending privacy and cultivating trust.
We discuss her own journey into security, breaking into cybersecurity at ground level, advice for career transitioners, the unwritten educational elements, certs, training, mentorship, networking groups and of course her new book.
SYMLINKS
Linkedin
Twitter
AlyssaSec
DEFCON
BSIDES
WYCYS
CyberJitsu
BLU BAR | Milwaukee WI
DRINK INSTRUCTION
CLASS ACT
1 oz Southern Comfort
1 oz Advocaat
1/2 oz Coconut Rum
2 oz Pineapple Juice
Pour all ingredients into a shaker of ice. Shake, then strain into a rocks glass full of ice. Constantly mix the drink in your glass, because the Advocaat will settle.
EPISODE SPONSOR
Center For Internet Security (CIS)
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Chris: Alyssa Miller is a lifelong hacker turned executive, an internationally recognized public speaker and author. She has over two decades of experience in technology and cybersecurity. Alyssa, thanks so much for stopping by BarCode.
Alyssa: Yeah, thanks for having me, Chris. It’s really good to see you.
Chris: Yeah, you as well. Would you mind just talking a little bit about your background in hacking and you know, how that passion led you on a journey into a full blown cybersecurity career?
Alyssa: I mean, you know, you said at the beginning, I know I gave you that bio, but I, I tell people that all the time, lifelong hacker, cause I really have been you know, I mean, first of all, I was the kid who always liked to take my toys apart and figure out how they worked.
Alyssa: So that kind of, right. Pretty iconic of the hacker mindset, but you know, I, I was four years old. My dad brought home a computer from work, so it was a big Zenith Heathkit, for anyone that goes back that far, eight-inch floppy disks, by the way. Because he was literally, he kind of pioneered work from home.
Alyssa: Right. He brought this thing home over the holidays because they were converting, he was an accountant. They were converting the books and he didn’t want to go into the office where there was gonna be no one, but him there for, you know, the two weeks over the holiday times. So he brought it home and when he wasn’t working on it, he let me play video games on it.
Alyssa: So you know, that got me started in computers. You know, then it was Mr. Wizard, watching him with computers on his show. As a kid, we had computers at my school. We were actually fortunate enough that early on we had TRS-80s. Later, we got a complete Apple. Thanks to, I forget what they called it, but Apple did this whole like box tops thing with schools and they could get a bunch of funding for Apple computers.
Alyssa: But when I was 12 is really when I kind of took off because I decided I wanted my own computer. It’s 1989. Yeah. You can now figure out my age, but you know, my oy is crap anyway, so, or my Optic rather is crap. So, you know, you can find out anything.
Chris: I was gonna disclose that later, but...
Alyssa: But no, seriously though. So I, you know, went out, got a, a paper route and saved up about a thousand dollars, went to Best Buy and bought an Epson 8086 computer, an Epson Equity I+. I actually remember that, you know, and I, later on, I got a modem for it. And I started messing around with Prodigy. Again, I’m really dating myself.
Alyssa: Everybody’s like, God, this chick is so old.
Chris: Everyone that’s listening is looking this up though.
Alyssa: Right? I mean, I’m, I’m hopeful that there’s some children of the eighties who remember Prodigy. I mean, it was a competitor to AOL, right? So they send you the discs and you get 50 free hours. And then after that, of course you have to pay for subscription.
Alyssa: And well, I’m 12 years old. I’m not gonna pay for, I didn’t have a credit card. How am I gonna do that? Went to the library, started reading up on like UART and serial comms and the whole nine yards. And like I ended up hacking into Prodigy. And yes, I’ve looked, I am well past the, you know, the Computer Fraud and Abuse Act, you know, statute of limitations.
Alyssa: So I’m safe here talking about it. Yes, yes. But you know, I mean, yeah, nowadays obviously they watch for that stuff a little bit more and you’d probably get arrested and it wouldn’t go so well, but you know, at the time, you know, it was the thing. And then I found my way into like the IRC channels.
Alyssa: On internet, when you know, the internet became a thing. You know, that was late teens and, or actually I guess, mid-teens even, and you know, early in my college career. So I grew up in kind of that hacker culture in those, in those places, you know, we were slapping people with a trout and whatever.
Chris: Now were your friends into it too? Like, were you surrounded by friends that were into that or were you sort of alone in that space?
Alyssa: That’s the thing I was kind of, I mean, I don’t wanna say I didn’t have friends. I did. You know, I didn’t have a lot of friends in school. I was bullied in school. It was, you know and so the hacker community was like, kind of, those were my people, right.
Alyssa: They were the geeks who loved computers, loved taking things apart. You know, guys would come in there talking about phreaking and stuff. I’m like, oh, this is. This is cool, you know, tried out a few techniques at, you know, different locations for different reasons. But no, it was, you know, it was really cool.
Alyssa: They were, I mean, they were just the people that I identified with.
Chris: now were you getting all this Intel online or did you actually know people that, that you,
Alyssa: oh, these were all just people I knew online. I didn’t know any of these people in real life, but that was the magic of it, right? Yes. Like no one knew anybody from anything you didn’t know anybody’s background, you didn’t really.
Alyssa: All we cared about was we were there to talk about hacks and yeah. I mean, people were jerks to each other sometimes, you know, and, but at the end of the day, it was like, these were my people. We all kind of understood how each other thought and that’s what we wanted to do. We just wanted to, you know, we wanted to deal with the digital computer systems that most people thought we were like insane farm.
Alyssa: Even in the early nineties, you know, the Internet’s starting to do its thing. A lot of people still didn’t get like, oh, you just wanna work on computers all day. Well, yeah. Cause they’re cool. They’re awesome. Look at this stuff. You know, and of course again, you had like, you know, other people who were hacking other things, you know you know, but yeah, it was, you know, it was interesting and I didn’t see it as a career though, you know, I, I never thought that, oh, this could be a job.
Alyssa: So, you know, I actually went to college for pre-med. I had no intentions of getting into tech at all, but I’ll tell you what, three semesters of college level chemistry will wake you up to whether or not you actually want to be a doctor. And I did not want any piece of that. So scrambling to find a new major, found out they had a computer science program.
Alyssa: I already knew how to program. I’d already taught myself BASIC and C++. And so I’m like, oh, this will be simple. Bounced around, ended up a couple different degrees. I did CS at first. Then I moved into like an MIS degree. And I think my final that I actually graduated with was like back there somewhere.
Alyssa: Just information technology or whatever was the name. But while I was in school still, I got my first job. I was 19. Going to school full time, got a job as a programmer for a local company that was in financial services. And, you know, I mean, it was dot-com era. Like they would take anybody who knew how to program anything and, you know, so that got me in the door into tech and then it was nine years later, someone from the security team who I had worked with said, Hey, you wanna join my pen testing team?
Alyssa: And I’m like pen testing. I, I don’t know how to do. Okay girl. Yeah, you did. You know, I found out quick. I really did, but yeah, I ended up leading that team 15 years with that company. I got out decided I wanna see the rest of the world got into consulting for a while. I bounced through you know, some roles with a couple different companies in like the vendor space.
Alyssa: So a reseller and then a vendor. And then I landed last. Yeah, very beginning of last year at a place called S&P Global, which most people know because it’s, you know, they own the S&P 500, the Dow Jones, you know? Okay. Yeah. Kind of important things that people have heard of at least once or twice.
Alyssa: And so that was like my first foray into like true executive roles. Right. I mean, I consulted with executives, but never. You know, wasn’t actually myself in an executive role until that point. And then yeah, more recently landed in the CISO role at Epiq Global. I told someone today my new rule, I only work for companies that have global in the name.
Alyssa: S&P Global, now Epiq Global. I don’t know who to be next, but no. So that’s, that’s hacking, that’s actually my whole career history in a nutshell.
Chris: I think you ran through that in like five minutes, so that’s very impressive.
Alyssa: Well, didn’t take the whole show, so that’s good.
Chris: no, that’s good. Cuz I do wanna get into more, but congratulations on the new position.
Chris: I’m sure you’ll kill it. I’m curious to know what you explained and, and your passion growing up and, and hacking mm-hmm . How does that transfer over to a leadership role? Are you able to tap into that passion with your current role and having. Leadership responsibility.
Alyssa: I think so. I mean, first of all, the tech side hasn’t escaped me.
Alyssa: Totally. Okay. I mean, I don’t pen test anymore. I don’t know that I could really break into systems much anymore, but I mean, as you know, as early as two years ago, I was, you know, I bought a, a GPU and, you know, started messing around with deepfakes and, you know, all the stuff in TensorFlow to build machine learning models and some of the deepfake tools, you know?
Alyssa: So I, I enjoy that and I still use that today. Right. But when it comes to the executive roles, there’s a couple things. First of all, the former hacker persona, like, I’ll be honest, you can walk into a board meeting and that’s kind of part of your bio. they actually think it’s really cool. right. Yeah. Like it does, it actually gives you a certain level of credibility.
Alyssa: Yes. And it’s not common either. No, it’s not. Right. And, and there’s good reason for that quite honestly, because what you do find out when you, you know, I think there’s a lot of people out there kind of see like a CISO role as you know, the, the epitome of a cybersecurity career. Maybe it is for. , but as you start getting into those leadership roles and the higher you go, the more you realize it is less and less and less about cybersecurity, it is more and more and more and more about understanding how business functions and understanding the role that cybersecurity can play in that.
Alyssa: But it is a lot less about ones and zeros or, you know, What controls and things we’re putting in place. Yeah. That’s all still necessary. It’s a part of it. So actually, ironically enough, I’m, I’m giving a talk next week on hacking the boardroom. Nice. Where you talk about this idea. You know, the way I look at it is I’ve had to learn the, the same things.
Alyssa: That I used. And that, that curiosity, that passion, that, that want to understand how something functions and you know, how to manipulate it, to make it work the way I want to be exactly what I do when I walk into a boardroom. So, you know, at S&P I reported into seven regulatory boards in a corporate.
Alyssa: So that’s a lot, right? I mean, I learn it fast. I mean, I’d done some board presentations before that, but really S&P opened that door for me to really dig in. And I did. I spent a lot of time just looking through resources, understanding, okay, how do boards work? Like how, what do they actually do?
Alyssa: What do they, what is, what is a typical board meeting? Like, like I’ve seen, you know, I’ve gone in and do an hour long presentation, but when they do board meetings, they come in for like two days. And they get all their updates and everything else. I’m like, what is that? Like? What are these different meetings?
Alyssa: Like? So, yeah, I just, I, I did a lot of research. I read and by research, I mean, reading different books talking to people. Who serve on boards. I also have the fortune of being able to serve on the board of an organization now, myself. So I get to see a little bit of that world, as well as I I’m on the board for two conferences as well, little different field, but you know, similar kind of idea.
Alyssa: And so, you know, I, I used. To understand. All right, well, this is what they’re used to doing now. How do I use that to get them to react to me the way I want, right? How do I get them to, so it’s a little bit of social engineering. It’s a little bit of hacking, but at the end of the day, it, it is still just understanding how that particular system works and where it’s vulnerable, how I can exploit that vulnerability.
Alyssa: So to speak to. You know, gain the, the response and the action that I want now, you know, maybe less, a little less nefarious. I mean, I was never really a nefarious hacker. I like never saw the value in like breaking things for people, but you know, it’s, it is at least like I’m, I’m trying to do good.
Alyssa: Right. I I’m trying to get these people to think differently. because, you know, cybersecurity all too much is just looked at as still today, that cost center. And so it’s really about how do I get them to see that what I’m doing is actually really cool for their business. It’s like something that’s gonna help them drive revenue.
Alyssa: It’s gonna help them grow and innovate. And those are the things that really important.
Chris: absolutely. Do, do you feel like that’s that psychology is, is sort of embedded in you being able to just think differently? be able to, to do the mental research and, and understand how things work and then try to use that as an advantage.
Alyssa: Oh, totally. I mean, it, it, it’s, I’ll be blunt. It’s how I look at the world. You know, it’s just, it, it, it’s my way. Some people, you know, are very good in other respects and they don’t really care. Like how does their car function, right. Or, you know, how does, how does. Cool little, you know, electronics thing.
Alyssa: I mean, honestly, and oh God, I’m, I’m gonna pick a fight with a lot of people right now, but the reason I use Android phones is because I can actually dig into it and figure out how it works. Apple doesn’t wanna let you see any of that. So I’ve never, that’s why I’ve never really, and that’s, I’m. Belittling apple at all, apple has their place.
Alyssa: And they’re a great fit in my opinion, in particular, for people who don’t wanna know all that stuff, don’t wanna customize it. Don’t wanna have to know all that stuff. Right. Yeah. And don’t get me wrong. I mean, obviously MacBook are great. I have used to have a MacBook you know, and there’s all sorts of reasons.
Alyssa: So please don’t blast me that I’m hating on apple. I’m just telling you , that’s why I choose. You know, an Android phone in this case because yeah. You know what, for me, I like that I can customize it, manipulate it, do all those things. I can easily jail break it if I want to, because that’s who I am. I mean that, that’s just, that’s how I look at the world.
Alyssa: Other people don’t and, and that’s not. Obviously, there’s nothing wrong with that. There’s not something noble about the fact that I like to, you know, deconstruct all my technology and know how it works on the inside. Yeah. But that’s how I just look at the world. And so when it comes to other things, people interactions between people how I relate to other people.
Alyssa: It’s a lot of the same now. I, I would be awful. I mean this, I would not be a good social engineer in the sense of like what some really cool people do with, you know, social engineering, physical assessments, those types of things. I’d be the worst. Like I’m a terrible liar but what I do feel like I do well is I have a strong amount of empathy and can figure out kind of what people are thinking or what motivates them enough that I can figure out how to talk to them.
Alyssa: in the way that’s gonna be most meaningful to them. Right. So I’m not lying to them. I’m not, you know, I wouldn’t even call ’em manipulation. Yeah. Yeah. I’m just speaking to the things that they care about bringing ’em the information that they need in a way that they’re going to understand it and be engaged with it.
Chris: So you can look for those indicators a lot faster than it would take someone else to get.
Alyssa: Yeah. I mean, some people, that’s just not a skill that they particularly have, or aren’t really, you know, developed in and that’s, again, that’s not a judgment of anybody. We all have things that we do well and things that we’re not good at.
Alyssa: I mean, I can give you a laundry list of things I’m not good at. But you know, that just happens to be where I feel like I have a strong skillset and I think it’s why. You know, I, I I’ve gotten into leadership roles and why I enjoy the leadership roles because doing that sort of thing is something I enjoy.
Alyssa: Got it.
Chris: So let’s fast forward up to 2022. Yep. As we go into 2023 now you know, how can someone break into cybersecurity right now at ground? Let’s take it from, I guess, an aspiring professional perspective and then maybe a career transitioner perspective.
Alyssa: Yeah. I mean, it’s, it’s so weird to me, honestly, because if you had told me, you know, 10, 15 years ago that we would have.
Alyssa: All of these academic programs, all of this academic research happening, everything we were screaming about 15 years ago that we needed and didn’t have that. We would have that now. And we still can’t find people mm-hmm and, you know, we would, we would have this massive so-called talent gap. People couldn’t see me doing the air quotes when I said that, but trust me, we’ll get back to that in a minute.
Alyssa: I’m sure. But you know, it, I would’ve never believed it. I would never believe that this would be where we would that with all of that in place, we would still be this awful. At bringing talent into this industry, but the fact is we are so when you know, I talk to people about, okay, how are you gonna break into cyber security?
Alyssa: It, it’s not an easy thing because you know, you’ll have hiring managers will tell you, well, I wanna see passion. I can teach anybody the tools, but I wanna see passion. And then they’ll write a job description that has requirements for 42 different tools that you have to be expert in. Every one of them, you know, like,
Chris: yeah, I’ve seen it.
Chris: Doesn’t work.
Alyssa: and something we wonder, you know, okay, I’m looking for this unicorn. Why can’t I find that unicorn? Well there, how many, how many organizations out there use the exact same tool set that you use? None. We all have our own mix of different tools and we all use ’em in our own way. So you know, the first thing I tell people is if you’re trying to break into cyber security and you’re looking at those jobs, ignore all.
Alyssa: Those bullet points, right? Like they’re not there as check boxes, even though some people like to treat ’em that way. And you will run into hiring managers who do that. The reality is they’re never gonna find that person that fills all those anyway. You know, certainly there is value in having that curiosity, demonstrating that curiosity and learning and you know, doing some things on your own.
Alyssa: But the problem with all that is, you know, I think we’ve told people to do that for a long time now. Like, oh, oh, do your, you know, build labs and do all these things great. How do I put that on my resume? Oh, I don’t know. Or, oh, there it is. But that’s not actual experience. So I’m just gonna ignore that.
Alyssa: Right. And that’s what hiring managers do. And you know, so what I do tell people is at minimum, make some kind of. If you’re doing that, that type of work anyway, make some content, you know, create videos, you know, do AAC channel or a YouTube channel or whoever, you know, write stuff on medium. I don’t care if you have five subscribers or, you know, 10 people that follow you just put it out.
Alyssa: And put it out there in a consolidated place where now that is something you can put on a resume and at least it, it says, Hey, I did something in the cybersecurity community. Maybe it wasn’t job expertise, but it was experience. It was a skillset I developed and I’ve demonstrated it and used it to teach others.
Alyssa: So at least you’ve got something and the smart hiring managers will see that and pick up on that. Right. The other thing. And now this is, I probably should have started here, cuz this is the most fundamental part of it. But maybe you do some of those other things first, but the key here is know what you wanna do in cybersecurity.
Alyssa: Know what interests you. There is nothing more difficult for me. And I love helping people out and I love helping them get into the space. The most challenging aspects of helping people out are when they come to me and they say, Hey, I really wanna get into cybersecurity. Can you help me out? And I say, sure, what, you know, what part of cybersecurity interests you?
Alyssa: Because I don’t know everything in cybersecurity. And if I can’t directly help, I’ll connect you to someone I know who can, right. And then they’re like, the response is, well, well, I just wanna know all of it or I don’t care what, I just wanna get into cyber. Well, okay. I mean, I get that. I love that. That’s what you want to do.
Alyssa: And even if it’s just because, you know, it’s a hot field and there’s money here and there’s job security here and that’s the only thing motivating you. That’s okay. But you still gotta figure out where you wanna focus, because if you come in and you say, I just wanna know it all. Well, none of us do. Yeah.
Alyssa: None of us ever will. So it’s all about, you know, just sort of figure out where your passion lies. What’s the thing that you want to do.
Chris: So when you hit that point and, and they’re like, I don’t know where I want to go. Is there a, a, a resource or somewhere that you can point them to, to, to get introduced to different areas of cyber.
Alyssa: Are you setting me up to plug my book or what? I mean, we can do it right now. Yeah. Yes. Legitimately the, the, the book I wrote, Cybersecurity Career Guide, that is like one of the first things that it talks about. What is cyber security? What are the areas of cyber security, what’s going on with hiring in cybersecurity?
Alyssa: And then how do you discover your own passions and desires and, and that sort of thing. And. A little bit of a spoiler. One of the things I tell people to do is you what? Just go out and read cybersecurity news sites, go to any pick like five, go to them and, and go through their headlines. Don’t read this whole story.
Alyssa: Just go through the headlines and grab five headlines on each. So we’re talking 25 total headlines, right? Grab five headlines from each that interest you the most. That sound really cool or. Put ’em all on a list. Now, just look at that list. 25 is pretty manageable. It fits on one side of wide ruled, loose leaf paper.
Alyssa: If anybody still uses that you know, one per line or 25 lines still remember that, is there 25 lines? Wide ruled paper and half, five 11. Yes. I still remember that. Never knew that wow. Tangents all over the place about how old Alyssa is. You take the 25 and you just look at those and you say, all right, let, let me identify the commonalities in them.
Alyssa: What is the theme or themes that I can find in there? Are they about, you know, now, as long as I understand, first of all those different areas of cyber security, right? Like, what is it? Is it because they’re talking about, you know, some really cool investigation that somebody’s doing, or you know, how people are addressing nation, state actors, or some really cool hack that somebody just pulled off.
Alyssa: What is the, what are the things, you know, what what’s interesting you there. And then, I mean, that. Starts to give you that idea, because now you can start to take that and you can apply that back to okay. Where do these fit in terms of the different areas in cybersecurity? And now that starts to give you some sense of what interests you like, if I’m really into like that whole investigation side of things, digital forensics incident response might be the thing.
Alyssa: Yeah. You know, you really like that kind of adrenaline rush of that situation. Wow. Get an incident response. I mean, I mean, I hate to say that it’s fun, but it can be fun. Right? Absolutely. I mean, and for some people it’s, it’s incredibly fun me. It means that I’m staying up at night, but that’s, you know, that’s the job I’ve chosen at this point.
Alyssa: I have to, you know, but don’t say your CISO, so you’re staying up anywhere. Yeah. Yeah. I’m, I’m there for those that that’s, that’s not my, that’s just part of the job now. But you know, so really just being able to do that, and I would say the same thing to somebody that wants to. Okay. Now the thing that might shape them more is a, they might have a better idea.
Alyssa: Generally. They do. They have a little better idea of where they want to go, just because, you know, especially if they’re pivoting from one tech career into another, in terms of cyber security now, you know, you’ve probably been exposed to it, but if you’ve been working in just about any corporate organization, you’ve probably have been exposed to your security team in some way.
Alyssa: And so you probably have some know. but still understanding, like, what is the role that would interest you? And it doesn’t necessarily have to be a role that ties back to what you’re doing now. Mm-hmm, just because you’re a network administrator now doesn’t mean that you can’t get into app security, right?
Alyssa: Because you’ve probably been exposed to developers or at least, you know, the issues of what happens when people deploy software that you’re not your network’s not ready for or something. Right. I mean, there’s you run into all that. Yeah. So you get a lot of the details, maybe there’s skills, you gotta shore up.
Alyssa: But so knowing that is so fundamental to all of this and it it’s, it’s surprising how many people don’t, but then it’s really just, okay, now I’ve got this. Now, whether you’re pivoting or you’re coming in from completely, you know, fresh outta school or you’re pivoting, even from say a non-tech career, like say you’re barista at Starbucks, or you’ve worked at the gap for the last five years, take a look at what skills you have and then finding ways to tie those.
Alyssa: To skill sets, transferable skills, right. Things that kind of transcend one industry to another find those things. So, you know, my infamous, if it’s infamous, I don’t know. My favorite metaphor here is the barista. Right? So think about a barista at your local coffee shop. What do they do? They’re standing there.
Alyssa: They’re, they’re taking a bunch of inputs really. If they’re busy, they’re getting inputs thrown at ’em from a number of different directions. They’re processing those, they’re breaking them down into tasks. They prioritize those tasks and execute them and execute them in the way that’s gonna be the most efficient and then ultimately deliver a product.
Alyssa: And many times they have to do all that while also figuring out maintenance activities and conducting those as. Yeah. If I describe it in those terms, doesn’t that sound a lot like what I’d ask a SOC analyst to do. Yeah. A hundred percent. And, and that’s what I tell people focus on because you got hiring managers standing there saying they’ll teach you the technology.
Alyssa: Well, if you can demonstrate to them that that’s a skillset that you have and talk to them about that in those terms. . Yeah, not saying every hiring manager is ready for that either. They’re not like there’s a lot of hiring managers. I’m still trying to influence hiring managers to understand this too.
Alyssa: Like that those are the, those transferable skills are the things that are gonna tell you if someone’s gonna be successful or not. It’s not about whether or not they’ve written a hundred Splunk queries before. Right. Mm-hmm . You know, we can teach them how to write Splunk queries. I can Splunk will train them for free in many cases, depending on your contract with Splunk.
Alyssa: So, you know, that’s probably not the thing. I don’t know why I’m picking on Splunk. I’m really not, but you know, they’re just such a handy example, so
Chris: I can beep them out if you need me to.
Alyssa: I, I don’t care. I don’t, I don’t think you’re gonna sue me for dropping their name, like six times, you know, that’s marketing for them.
Alyssa: But seriously though, you know, and that’s the thing. So understanding what really makes a candidate successful and how those, you know, candidates understanding. Yeah. This is something I actually do bring to the table and valuing that. Right. Don’t, don’t downplay that, but value that, that, that is something truly you bring to the table that’s of value to that organization.
Chris: So I didn’t come up through academia. Right. I didn’t follow a. Formalized program when I got into cybersecurity. So I was always fascinated with the aspect of the unwritten education. Like to me, it’s impossible to teach culture. It’s impossible to learn how to obtain tribal knowledge, you know, the unseen rules when getting into cybersecurity, the pitfalls to avoid.
Chris: So I’m curious, like in the time. You were on the practitioner side and leadership side. Do you have any advice for those, those elements that aren’t taught within the classroom?
Alyssa: I think seeing the bigger picture outside of cybersecurity. Quite honestly, I mean, it, it’s great. You know, you wanna learn the, you wanna learn the concepts, right.
Alyssa: And that’s what academia’s great for. They’ll teach you the concepts. They’ll teach you the frameworks, all the things. But when it comes to practically applying that in a business setting where most of us do this work There, there’s not that level of connection, right? Like you don’t see the, the bigger picture of, you know, do I really need to require 14 character passwords?
Alyssa: Because I know that those are, you know, it’s gonna take X amount of time. To crack that versus, you know, crack a, a character password. I think, you know, some of that stuff gets missed. You know, it, how do I even evaluate that in terms of business risk? You know, is it, you know, can I look at a system and say, you know what, that system sits out there and all it does is consolidate and serve up publicly available information.
Alyssa: That’s probably not so important to. Right. And in, in terms of prioritizing my, my applications in my organization. Yeah. It’s important. Cuz it’s probably driving revenue and whatever. So maybe the availability of it is important, but if someone compromises it and exposes that data, congrats. Yeah. You know, you, you exposed a bunch of public data to the public.
Alyssa: Good, good job. You know, but so we don’t, I think a lot of that context and how to make those practical applications is probably one of the things we miss the most. Okay. And any, you mentioned it, right? I mean, there’s, I don’t think there’s any way for academia to really prepare a person for what it’s like to work in a corporate environment where now it’s not just about the cybersecurity strategy, but the personalities that you’re going to encounter.
Alyssa: How they are going to respond to the things that you want them to do. So you’re gonna say, you know what, we’re implementing MFA on everything. Okay. What does that mean? Oh, it means you’re gonna need to have, you know, this token on your phone or worse yet, you’re gonna have to carry a token and you’re gonna have to use that to access every one of your applications.
Alyssa: And then suddenly you get the pushback of, well, wait that a, that application authenticates people from outside our company too. How’s that gonna work? Crap. How do we do that? Right. And that’s the thing like you all the way that security has to mesh with the rest of the business, it’s getting better in some academic programs, but we still miss a lot of that.
Alyssa: And I, I feel like, you know, a lot of the people I’ve talked to coming outta school. That’s the part that they, they don’t really get to see unless they’ve done like an internship or something like that. That’s, you know, at least given them some level of that visibility.
Chris: I was gonna ask you about internship or even mentorship, like how does mentorship fall into this equation?
Chris: Can they help with that?
Alyssa: Mentors? Definitely can. And internships can the, is the issue with internships by the way, is that unfortunately what happens all too often is we give the people menial tasks. Right. And that’s all we do with them. Mm-hmm right. And to me, and, and that’s not specific to cybersecurity either, right?
Alyssa: I mean, look at what we do with interns. Any number of industries and that’s kind of the, the thing, right? You give them some menial tasks that no one else wants to do that you wanna get done cheaper, free. I hate that also that we, we still do unpaid internships. I think that’s a crock. So when I look at internships, one of the things I look at is how am I giving that person value?
Alyssa: Because they’re giving me work every day for a very cheap. The payback to them should be that they’re actually gaining some really solid knowledge. So I’m looking at, yeah, maybe, maybe I’m asking them to do some of the more repetitive, simple, whatever tasks that we need to get done or low hanging fruit that I just don’t wanna burn a bunch of resource hours from, you know, people I’m paying six figures to, how can I make sure that they’re getting value back cuz that that’s the, you know, that should be the unwritten contract there.
Alyssa: They’re getting that value, but mentors can fill a lot of that void too. You know, just helping people understand. And it really it’s. I, where I see the biggest value in mentorship is the, the informal conversations, the informal setups, like I know a lot of people are like setting up really structured mentorships where, well, we meet once a month and we talk about career goals and we lay out a career plan and that’s all good.
Alyssa: That’s all really, really good. But I personally have always found I can deliver more value and I got more value from my mentors when we just sat down and we, we shot the breeze and they shared with me things that were going on in their job, what they were seeing, how they were reacting. I did the same and we had talked through each other’s problems.
Alyssa: We used each other as sounding boards and yeah, that does go both ways. If you’re a mentor, don’t feel like that person on the other side of the table doesn’t have anything to. They’re an outside set of eyes with no preconceptions or biases from your organization. Yeah. Talk to them, like throw it past them, see what they say.
Alyssa: It, it doesn’t hurt to hear what they have to say. And they might say something that really clicks. So, you know, I think that’s where. Mentors being willing to share that and talk about their experience in their job day to day and what they see. And of course also talking about challenges they’ve overcome in the past and how and mistakes they made and how they corrected for that or whatever that’s valuable.
Alyssa: That’s really, really valuable for people, especially coming outta school with no real corporate experience.
Chris: Yeah. I, I really like the way that you phrase that in terms of it being a bidirectional mentorship, like you’re both going to be learning from, from both sides and it should be, you know, that off the record type of conversation.
Chris: I mean, that’s the way that I like to, to have my conversations as well. So
Alyssa: it’s just more natural. Yeah. And it’s probably more enjoyable too.
Chris: Yes. Agreed. So what are your thoughts on certifications? You know, that’s a question I get often, do I need a cert to get started in cybersecurity? Does it.
Alyssa: It does help.
Alyssa: For two reasons, one, I think it does show a little bit of a commitment to like, yeah, this is something I’m chasing. Also there’s the much maligned idea of ATSs or applicant tracking systems that are looking for a certain, if you don’t enter a cert, you get knocked down in priority for the role. You know, so it does help to have something in there.
Alyssa: Alphabet soup after your name is not helpful. Don’t bother with it. Get a cert, especially if you’re brand new and especially if you’re paying for it yourself, get, get a CompTIA cert, seriously, the most attainable, affordable certs out there. Security+ will give you that broad, same broad. Of the CISSP without, of course the same depth as a CISSP, but for a price that is at least more attainable, still kind of tough for a lot of people, depending on where they’re coming from.
Alyssa: But way better than, you know, a few thousand for a, you know, EC-Council or a, you know, God forbid SANS with their $7,000 certs now. If, if you can’t get your company, if you’re not working for a company who was willing to pay for it, don’t invest that kind of money in a cert, get, get a CompTIA cert. I’m trying to think.
Alyssa: Oh, there’s another organization I’m kicking myself. I can’t think of their name now. EER security is now a part of another company. I can’t think of who they merged with, but they always had really good material and certs, but yeah, get something that’s affordable just so you can put it in there.
Alyssa: You can say, Hey, I did this thing, you know, sometimes even like AWS or, you know, Cisco, well, Cisco’s kind of tough. But even Microsoft and they, they all, you know, Google, GCP, they all have security certs related to like their cloud environments. So if you’re working in a company now that’s using one of those where maybe you can tie it to your current job, but also a security job.
Alyssa: Sometimes that’s a cool way to get certs paid for. But yeah, certs, at the end of the day, I had at one time four of ’em, I’ve dropped three of ’em. There’s only one that I keep. I have a C I S. Through ISACA. I keep it, A, because it was really hard to get. It was as harder, harder than the CISSP.
Alyssa: And B, it just, it’s the one that applies to what I’m doing now. Right? Sure. Information security manager. That’s who I am. So you know, so I keep it for those reasons. I’m proud of it. I maintain it and I, I keep it out there. It’s actually, you can’t see it because you’re all just on audio, but it’s actually on the wall behind me.
Alyssa: I’ll validate that for the listeners. I, I do keep the cert up there, so, you know,
Chris: Yeah, Security+ is always my go to when people ask. I think Cybrary actually has some cert program now also.
Alyssa: Do they? I know they have like badging and stuff and that’s at least something, right. Like you can even do some of their titles and go through and, you know, and, and things like TryHackMe and Hack The Box too.
Alyssa: Like they have all sorts of stuff to at least legitimize the work you’ve done. So, you know, those are all things you can list too. And I wouldn’t be shy about listing those in the cert field, if you can you know, just, Hey, you know, play the game. You know, if hiring managers or their systems are gonna force that on you, the hiring manager may not even like that.
Alyssa: It does that. So, you know, just play the game, fill something in there, just make sure it’s justifiable, you know,
Chris: One other aspect I want to hit on quickly is, you know, I don’t want folks to underestimate the power of networking and joining organizations. There’s many legit security organizations out there that cost nothing that, that you can gain valuable information from.
Chris: And, and one of those organizations is WYCYS and, and I know the WYCYS chapter in Philly very well. I know you have some involvement in, in WYCYS as well. And I’m just curious if you have any other thoughts on, you know, maybe other organizations that you would suggest folks get involved with.
Alyssa: Oh my gosh.
Alyssa: There’s tons of communities out there. So you mentioned WYCYS, yeah. I’m, I’m actually part of their equity ad advocacy committee. That’s a mouthful. I’m also still at least somewhat involved in their, their BSO affiliate, which I don’t know if they’re gonna keep me now. I’m not a BSO anymore. I’m a CSO, but whatever.
Alyssa: But yeah, WYCYS is a great one for women in cybersecurity. And honestly, you know, I mean, they want allies too. So if you’re not a woman and you still wanna join, please do. There’s, you know, cyber jujitsu society or society. Jitsu. Any local chapters of various groups, like, you know, ISACA, ISSA, all of those.
Alyssa: A lot of those, you can go to those chapter meetings and you don’t have to pay or be a member. You can just go to the meeting. You know, you’ll get probably pressured to join. Which again, you know, consider finances on that. Cuz some of them do cost a fair amount of money, but you know, look into those the DEFCON groups, especially if you’re more on the hacking side of things.
Alyssa: But actually check out your local DEFCON group, even if you’re not in the hacking, cuz a lot of them are a lot broader than that now, anyway. You know, Chicago area has a really cool group called BurbSec. I think there’s one in Kansas City. That’s similar to. I’m trying to think of what’s called down in Texas.
Alyssa: If you’re in the Dallas area, there’s the Dallas Hackers. So a lot of those are really good. And then also look for like, even just the local security conferences that you can go to, local BSides or other, just, you know, area conferences that exist. A lot of times the cost to enter for those is pretty.
Alyssa: You know, especially if like you’re a student or something, a lot of times they’ll have scholarships or they might just have free student passes or at least highly discounted passes. You know, we do that. I’m on the board, as I mentioned before, for two conferences, Blue Team Con and Circle City, and I know Blue Team Con for
Alyssa: sure, I’d have to go back and look, I’m pretty sure Circle City as well, have student level tickets. Just to, you know, again, make it accessible and how people build that network. I mean, I can’t stress enough how important those networks are for even just finding a job. And I think you’ll hear a lot of people in the industry tell you that, and they’re not just blowing smoke.
Alyssa: It’s, you know, my last three jobs came because of my network through events and social networking, you know, and, and to that end, you know, even Twitter and LinkedIn could be great places to connect with other people.
Chris: Yeah, I couldn’t agree more. And, and I, I would urge everyone that’s looking to get into cyber, just go to one conference or, or one networking event and, and you’ll be hooked.
Chris: I mean, yeah.
Alyssa: Two tips for that really quick. If you’re gonna go to your first conference, A, go with somebody. If you can, try and find somebody who’s been to conferences before, who wants to go with you, always great. If you’ve got someone that can kind of show you the ropes, you’ll feel far less awkward and far less overwhelmed. B, strongly recommend.
Alyssa: Don’t make your first conference DEFCON. There’s 30,000 people in Las Vegas for that conference alone. And it gets so overwhelming. You know, people have been in the industry for 10 years will go to that conference and we’ve gone to other conferences will go to that conference for the first time and be overwhelmed.
Alyssa: So just, don’t try not to make that your first hacker conference, because at this point it’s so huge. It will, it might give you the wrong impression. It’s great. I love DEFCON. Don’t get me wrong. It’s just don’t make it the first one.
Chris: Yeah, that’s good advice. Yeah, let’s talk about your new book quickly.
Chris: Sure. Cybersecurity career guidebook. You talk to us a little bit about the, the driver there, what people can expect, where can we find it? Is it out yet? Yes.
Alyssa: It is out and shipping. I’ve, I’ve been having it pop up in my Twitter feed over and over again, cuz people are getting the book and tweeting about it, which is honestly, really cool too.
Alyssa: But it’s from Manning Publications. So you can’t just go to their. To purchase it that is the most cost effective way to purchase it. You can go through, you know, the major retailers too, Amazon, Target, Barnes & Noble, et cetera, et cetera, et cetera. It’s available through all of ’em. It is available on Kindle now as well.
Alyssa: If you have other eBook platforms, you can get other eBook platforms direct through Manning as well. They have all the EPUB formats supported. So, you know, you’ve got all those options. Doesn’t matter to me where you go to buy it. But the easiest way to get there, if you really just wanna get it and get it for cheap, go to alyssa.link.
Alyssa: L I N K slash book. Could I make it any easier? I don’t think so. A L Y ssa.link do slash book. And yeah, that’ll take you right to the Manning page. It takes you to the discounted page where you’ll you again? You’ll, you’ll get it cheaper there than anywhere else. They don’t have free overnight shipping like prime, but you’re also gonna be paying, I think last I checked like $15 less for the book, so, oh,
Chris: okay.
Chris: And I’ll get that link up on the site too, so, okay. It’ll just be one click away now, geographically, where are you located in the world?
Alyssa: I’m in the Midwest. I’m a little bit north of Milwaukee. Okay.
Chris: I picked up on that Midwestern accent. Oh yeah.
Alyssa: See right there. I just did it. Not even thinking about it.
Alyssa: It happens, so, yeah. Oh yeah.
Chris: I’m curious, like in, in, in your area or you travel a lot, you’ve traveled, you know, I do doing a lot of talks. Where’s the best bar that you’ve ever been to?
Alyssa: I’m embarrassed. And I’m embarrassed because it’s in my hometown, all the places I travel and everything else. I think one of my favorite bars I’ve ever been to actually is, it’s called Blu and it’s on the top floor of the Pfister Hotel in downtown Milwaukee.
Alyssa: And what I like about it, see, I’m not one that’s into high energy bars. Like I don’t like sports bars or any of that stuff. Like I don’t dig any of that. I’m the type of person, I like wine bars. I like piano bars, are cool, cuz they’re a lot of fun, but you know, I’m, I’m generally more chill.
Alyssa: Like if there’s jazz or something playing, and that’s kinda what Blu is, it’s this, you know, rooftop bar. Well, not, I shouldn’t say rooftop. It’s not open air. But it’s the top level. You have a beautiful view, not only of downtown Milwaukee, but of Lake Michigan. And yeah, it’s just, it’s, it’s a lower key bar. When they have live music, it’s usually like jazz or something like that.
Alyssa: So it’s, you know, not ripping your ears off, you can actually have a conversation with the person you went to the bar with. Everything is very lounge style, so it’s all, you know, nice, comfortable chairs and little tables. That’s my style bar. Yeah. And just, you know, so that sort of thing. Yeah. That, honestly, of all the bars I can think of, I’ve been to, I think that is actually my favorite.
Chris: That’s awesome. You don’t even need to like leave town to go to your favorite
Alyssa: bar? No, I mean, to be fair, I’ve seen similar bars in other cities too, but yeah, that’s, that’s the one.
Chris: All right. I just heard last call here. You got time for one more? I got one more. Yep. All right. If you opened a cybersecurity theme bar, what would the name be?
Chris: And what would your signature drink be?
Alyssa: Oh, you didn’t tell me I was gonna have to come prepared. What would I name a cyber security? Oh, God. I’d probably call it We’re In.
Chris: We’re In.
Alyssa: Nice. Signature drink, boy, that that’s, you know, that’s a harder one. Just call it the happy dance. I mean, that’s what I always did.
Alyssa: I always did my pwn dance. Right. There we go. We’ll call it the pwn dance, the pwn dance. There it is. Sounds fair. I like
Chris: it. I love it. Thank you so much, Alyssa, for coming on the show. Really appreciate it. Enjoy Vegas and be safe.
Alyssa: Yeah, you do the same, hope to see you there. Take care, everyone.