How to pick your cybersecurity career path

Alyssa Miller of S&P Global Ratings discusses the easiest pentest she ever ran on an app and the importance of diversity of hiring, not just "diversity of thought." She also gives some of the best advice we've heard yet on picking your cybersecurity path.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 2:44 - Miller's origin story
  • 5:53 - Experiences working while at school
  • 8:20 - Pursuing a degree
  • 10:57 - How has cybersecurity changed?
  • 12:58 - Coming into cybersecurity from a different perspective
  • 13:55 - Moving to pentesting versus programming
  • 18:52 - Penetration testing through the years
  • 20:46 - A big change in your industry
  • 25:27 - Specifics of a business information security officer
  • 29:09 - Skills for a business information security officer role
  • 32:34 - "Cyber Defenders' Career Guide" book
  • 35:08 - What surprised you about writing the book?
  • 41:46 - Equity and inclusion in cybersecurity
  • 47:11 - Who is doing equity correctly?
  • 49:12 - Long-term equity strategies?
  • 52:45 - Final cybersecurity career advice
  • 55:40 - Outro

[00:00:00] CS: Today on Cyber Work, Alyssa Miller, hacker, security researcher, advocate, and international public speaker joins us. Alyssa spoke to me about the easiest pen test she ever ran on an app, you're going to want to hear that story, the importance of diversity of hiring and not just diversity of thought, and give some of the best advice I've heard yet on picking your cybersecurity path. You don't want to miss this one, so check it out today on Cyber Work.

Also get excited because our second annual Cyber Work live event is coming up in just a few days. On Wednesday, June 23rd, at 11:00 AM Central time, I welcome Amyn Gilani, Curtis Brazzell, and Ken Jenkins to talk about red teaming. If you have any questions about red team operations, how to get started, or anything else about this exciting profession, email them to me at cyberwork@infosecinstitute.com, and we'll do our best to answer them live on the air. That's Wednesday, June 23rd at 11:00 AM. Go to infosecinstitute.com/events to sign up and be in the virtual audience live. Without further ado, let's start the show.

[INTERVIEW]

[00:01:06] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

Alyssa Miller is a hacker, security researcher, advocate, and international public speaker with over 15 years of experience in cybersecurity. From a young age, she has enjoyed exploring and deconstructing technology to learn more about how it works. At 12 years old, she bought her first computer. From that $1,000 purchase, she launched a hobby that would become her career. Just seven years later, she was hired to her full-time salary job as a programmer.

Alyssa is also passionate that doing better in security begins with sharing knowledge and learning from each other. She regularly presents her perspectives through public speaking engagements, speaking at various industry conferences, vendor and customer-hosted events, and non-security related events. Alyssa’s mission is to improve all aspects of the security community. Therefore, her topics ranged from technical to strategic, the higher level community and policy issues. Alyssa is also a member of the Women in Cybersecurity Racial Equity Committee. She additionally participates in other organizations designed to build a more welcoming and cooperative culture in security. As a member of ISACA, Alyssa currently holds a Certified Information Security Manager certification, and she is also the author of the Cyber Defenders’ Career Guide, published by Manning in May 2021.

So we're going to be discussing all of Alyssa’s fascinating story today; her career journey, the work of demystifying cybersecurity, and her work to create a more inclusive and welcoming space in the cybersecurity industry. Alyssa, welcome to Cyber Work.

[00:02:42] AM: Hey. Thanks, Chris. It's great to be here.

[00:02:44] CS: It's great to have you. So we like to usually start by getting the story of our guests’ cybersecurity journey in their own words, and your bio lays out your passion for computers bare. Your paper route at age 12 that used to pay for a new computer shows beyond a doubt that you've always been passionate about this stuff. So what was the initial appeal?

[00:03:04] AM: Honestly, it started even younger than that. I mean, I can go back to when I was four years old, and my dad was an accountant for a company. Well, first of all, even at four years old, like I was that kid who took everything apart. Any toys I had whatever, electronics that were lying around the house like a radio that stopped working or something, I always took stuff that works. I want to figure out how it worked. If it was broken, I want to see if I could figure out how to fix it. I mean, kind of, I guess ambitious at four years old.

[00:03:31] CS: That's awesome. Yeah.

[00:03:33] AM: But my dad –

[00:03:34] CS: I can’t do that now.

[00:03:34] AM: So back to my father. My father was an accountant for this like small heating and cooling company. I remember when I was four years old, they were switching over from one accounting system to the other. Small companies, especially back then, they weren't open over the holidays. So from Christmas to New Year's there was like – There wasn't really anybody in the office, so he didn't really want to go in. He had to work on converting all the books now from the old system to the new. He didn't want to go into the office, so my father probably never thought of it this way.

But 1981, that's how old I am, he was kind of pioneering work from home. He brought home this huge Zenith compiler with the disk drives and everything else. But the reason I bring it up is because that's where I got into computers because he had this computer. When he wasn't working on it while it was at home, he was letting me play video games on it, so that just got me started. Then I was fortunate enough that in grade school, we had computers. At first, it was TRS-80s, and we built an Apple lab, and I started staying after school learning how to do basic programming.

Like you said, at 12, I bought my own computer and did some more programming and found my way into prodigy out of subscription. So things that, thank God, the CFAA has a certain statute of limitations because –

[00:05:09] CS: You're not our first guest to have a similar story.

[00:05:12] AM: I'm sure. I am sure. But, yeah, what's funny is through all that, I still didn't see really tech being my career. I started as a pre-med major at Marquette University. But after three semesters of college level chemistry, I was just like, “Peace out. I'm done. I am not doing this.”

[00:05:32] CS: I feel it. I feel it.

[00:05:35] AM: But now, I'm scrambling to find a – I got to go through the course catalog what degree program, and they had a computer science degree. I'm reading about it like, “Oh, this is all programming. I know how to program. This will be easy. Yeah. This will be easy. Good idea.”

[00:05:53] CS: I wanted to ask about that.

[00:05:54] AM: What’s that?

[00:05:54] CS: I'm sorry. I wanted to ask about that. I mean, because – Just keep going. But I was going to say, I noticed that in your bio on LinkedIn, like you were working already in sort of a programming role. But then you also went to school for computer science at the same time. Can you talk about your experiences taking this kind of high stakes job while also going to school to learn and increase the same skills you're using in your day-to-day operations?

[00:06:18] AM: Sure. Yeah. First of all, I mean, I told you how old I am. So if you do the math on this, you can figure out that —

[00:06:23] CS: I’m a similar age.

[00:06:25] AM: I was in college during the .com boom, right? So here I had skills. At that point now, I had a part-time job doing technical support for a software company here in Wisconsin. But I'm still going to school and whatever, and it was the .com boom. I mean, they were desperate for programmers, wherever they could find them. So I had a little bit of programming experience that I got at that job but I also had all of what I had done on my own and I'm in school for it. So I went after this job. I got it, working for a financial technologies company as a software developer in their home banking division, doing all that online bill pay and banking. In fact, honestly, it was dial up and touch-tone as well.

Internet banking was just getting started, right? They were just diving into that, so a lot of what I did – I mean, I was supporting Racal modems and racks with T1s plugged into them. I had to learn VB1.5 I think because for the touch-tone system, the dialogic cards that we use. That was the only programming language you could use for them. It's just weird stuff. But, yeah, it was just an opportunity for me, just taking advantage of kind of the situation the world was in and like, “Hey, this is what I'm looking to do in my career, anyway.”

By this point, I already had a kid, so I needed a good job that had health insurance and all that. Yeah, it was just something I made work. I mean, I switched schools a couple times, whatever. I took some time off before I finally finished my degree, but, yeah, working full-time, doing the full-time school thing. Then I got really silly and decided to get a master's degree too.

[00:08:19] CS: Yeah. I was going to ask about the studies. Did you have a sense of your graduate and undergrad work solidifying or strengthening the self-teaching you'd already done? Or did you just kind of feel like you needed the degree for the type of work you wanted to do? Like where was the sort of level of like did it really kick your butt? Or was it like, “I already know all this but I just kind of wanted to get it sort of systematized in an academic setting.”?

[00:08:43] AM: So it's actually a really good question because, I mean, initially, it was just like, “Look, I got to finish college, right?” I'm in school. I'm not doing the pre-med thing anymore. I got into something else. It’s like, “Okay. Well, this would be a good career field to get into, so I'll get a degree there.” What I did that was actually I'm really glad I did was I got out of the computer science degree and actually switched into more of what we used to call it MIS degree, where it was still computers. But now, it was more of a business focus. So like, I mean, I literally had to take accounting classes.

That was actually a really good switch because it helped me see the applicability of technology to an overall business environment and start to understand the broader scope of, okay, technology is a piece of this, but it drives this bigger picture. So it was – Then when I got my master's, it was the same thing. I mean, I debated an MBA and then decided, “Well.” In fact, actually, I went to someone in my HR team at the time and I said like, “Look, I'm looking at this MBA. Or there's this management or manager of information systems degree.” What he told me is like, “That MBA, I see 100 of those come across my desk every day.” He's like, “This degree over here, this information systems one, I don't see that. So I would recommend you go get that because that's going to stand out. Where you want to go in your career, that's going to apply better.”

I think that was a good move too because, again, it had a lot of the content like you would get in the MBA as far as like business and that sort of thing. But it wasn't as heavy on things like accounting and reporting and the things that – I got more out of the security side of it or the information system side of it.

[00:10:33] CS: It sounds like it was very sort of tightly tied to what you were studying already as well.

[00:10:37] AM: Yeah, exactly. Tightly tied to the job I was in too. I mean, that was it as well. Like, okay, at this point, I was now leading a team. I think by the end of it, I can't remember. Yeah. So I think by – No. It'd been right after I graduated is when I first made the shift over to security then.

[00:10:57] CS: Now, can you sort of speak to how has the landscape changed at all? Do you feel like if you see someone – I don't know how much [inaudible 00:11:05]. But if you see someone with an MIS degree come across or something, do you think that the sort of academic credentials are still as important in job hunting these days? Or has that changed at all?

[00:11:20] AM: So that's kind of a what do I think versus what is the –

[00:11:24] CS: What's the perception in the world? Yeah, exactly.

[00:11:26] AM: Yeah. I mean, unfortunately, the industry is still pretty focused on people having degrees and degrees in the specific field. You mentioned before the book that I wrote, and some of the investigation and research I did for that book was into job descriptions. Most of the job descriptions you see still list that they want a four-year degree. When they do, they always say they want it in a technology field, which for security, in my opinion, is wrong. Just [inaudible 00:11:58]. It's wrong. It’s a good thing to have. It's an asset. But you know what? I'll take somebody with a degree in English because you know what? They’ll be a great writer.

[00:12:09] CS: Yeah, communicator.

[00:12:09] AM: They'll be able to do – If they have the technical aptitude to learn some of the security side of it, that’s a skill set that a lot of people in security don't have or maybe somebody with some other arts degree or something. I mean, security, we want that diversity of people. We really need it. Because when you think about collective problem solving, which is really what security is, when you want that collective problem solving, it gets stronger when we have those diverse backgrounds and ideas coming together. So if we get everybody to follow that same path, they’ve been a programmer or a sysadmin or something like that and they pivot into security, that gets us such a myopic view of the world that it’s – I just don’t think it’s right.

[00:12:57] CS: Yeah. You’re not thinking as laterally as you could be.

[00:13:01] AM: Exactly.

[00:13:04] CS: I have lots of guests on here who talk about stories like that, like the digital forensics specialist who said like her best team member was a former child psychologist who was able to look into – If you had to sort of look through 10,000 phone messages to figure out what was going on with this particular case, like the child psychologist is going to have a better sense of like, “Okay, I understand this pattern of behavior and things like that.” That just sort of spreads out through the entire industry, I imagine.

[00:13:32] AM: Yeah. I mean, there are so many great stories like that that people come in that way. I mean, I've hired some of them. One of my favorite people in security actually is [inaudible 00:13:41] Dennis. She didn't work in IT at all, and now she's got a black badge from DEFCON. I mean –

[00:13:48] CS: That’s awesome.

[00:13:50] AM: There's space for everybody.

[00:13:51] CS: Yeah. That's great. I want to move back. Your bio noted that you moved from a lead programming role into penetration testing. What was the initial appeal of pen testing versus programming? Just that it looks awesome.

[00:14:04] AM: Well, I don't know if there was one.

[00:14:05] CS: Really? It just sort of happened.

[00:14:08] AM: What happened was working in the programming role, obviously, I'd worked with the infosec team many, many times; large organization, many projects where we had to engage with our security team. At one point, the manager of what was the security test team for that organization came to me and asked if I'd be interested in joining her team. She was building it out. I actually said to her, I'm like, “Well, it sounds kind of cool. I mean, that whole idea of, hey, I'm going to break our system, so I can tell you how before the bad guys do it. Okay, that sounds cool.” But I said like, “I don't know anything about pen testing. I've never done it before.” She’s like, “You're smart. You'll figure it out. That's why I came to you.”

You don't hear someone say that to you and then turn them down, right? I mean, at that point, it was like, “All right, I definitely got to check this out.” Yeah, sure enough, I mean, I got into it, with the developer background, of course. App sec was really my niche. That's where I fit best. We had – At that point now, we're mid-2000s, and web apps and e-commerce and everything are really, really, really taking off. So we had plenty of web applications in particular that needed to be looked at and taken care of. I've got some pretty wild stories of some of the things that I found.

[00:15:34] CS: Please, tell me about it.

[00:15:36] AM: Well, the one I –

[00:15:37] CS: I was going to ask if you had any kind of like crazy war stories or unconventional hacks or tactics that you found.

[00:15:43] AM: Yeah. I mean, the one I always tell is the web app that I was able to pop a shell on in under three minutes. Yeah. Which is scary as hell, right?

[00:15:53] CS: Yeah.

[00:15:55] AM: Well, at least it's scary when it's your organization that you’re popping.

[00:15:57] CS: There’s a strongly worded report at the end of that, I imagine.

[00:16:00] AM: Yeah. It was not good. So it was a web project management application, and I get in there. So it's got a file upload utility. All right. Well, I'm instantly interested. I mean, this is all an initial recon, right? I’m just logging in. I immediately find this file upload. Okay. Well, I'm going to play with this right away because I want to see this –

[00:16:21] CS: You're just in the initial notes phase at this point, I imagine, right?

[00:16:24] AM: Yeah. I'm literally just trying to figure out what does this app even do. So I find this file upload. I'm like, “Well, let's see.” So I start uploading files with weird extensions. I can upload an ASP file. It's written in classic ASP. .NET was still just kind of getting going. So it's written in classic ASP. All right. Can I put this somewhere else? I start playing with directory traversal and, of course, that works just like that. Dot, dot, slash and I can throw it wherever the hell I want. Oh, no. This is too good.

So now, I take it. Can I throw it in Webroot? Yes. So I grabbed – I don't remember who wrote it at the time. There was an ASP shell just out there. Today, we call it in the open source world. I downloaded it, and it’s ASP that basically gives you a command prompt on the box. So I uploaded that into Webroot. I fired it up. I hit it. I come up. First [inaudible 00:17:24] command, who am I. It was the IAS user. Second, look at the groups, administrators. I mean like game over. I don't even have to do anymore. I can literally do anything to this app, to this server. I can pivot. I can do whatever I want.

[00:17:44] CS: You were probably imagining like days of work or just fiddling and tinkering, and you're like, “Well, there it is right there, and the front door is open.”

[00:17:49] AM: Yeah. [inaudible 00:17:49]. I'm like, “You got to be kidding me.” What sucks about that though is it does make doing the rest of the pen test really hard because now you want to find all the other vulnerabilities. But you got like this really cool one that you can do anything with, and so I'm like, “Oh, I got to buckle down.”

[00:18:06] CS: Pretend that’s not there. Yeah.

[00:18:09] AM: I mean, I did. I will say I did cheat then. I used that access to find other vulnerabilities because I could find things easier too. I could download the entire source code of the website. It was supposed to be more blackboxed, and that I wasn't supposed to have access to code. But it's all written in classic ASP, so it's all just – The code is there. I was able to download the ASP files, so that was easy enough. Then yeah, that led me all sorts of directions. Of course, I mean, there's everything from SQL injection to problems with cookies and session tokens. You name it. I mean, it was a nightmare, as you can imagine.

[00:18:47] CS: More holes in fabric. Yeah.

[00:18:49] AM: Yeah. All stemming from one little file upload.

[00:18:53] CS: As I understand it, it sounds like you were kind of doing pen testing at the sort of dawn of the art. When you find these crazy vulnerabilities like this, was this especially egregious, even for the time? Or was it just that people weren't thinking about app sec as tightly as they are now, and everyone was this wide open? Do you have a sense?

[00:19:16] AM: I mean, some of it was egregious. I mean, we definitely knew better than to be running IAS under an administrator. Like come on. I mean, some of the things with directory traversal. Yeah. I mean, this was I think we were getting close to almost 2010 at this point, so OWASP Top 10 had been out. A version of that came out in, what, 2003. Now, I think we had a subsequent one 2007. I mean, some of this was known, but it was still pretty early for devs. They weren't there.

Unfortunately, with an organization at that point, I think we had like maybe 1,200 applications. You would love to test them all before they go to production, but that's not feasible, right? So unfortunately, yeah, this one did hit our production environment. Thankfully, we found it before it became something that someone else was going to exploit. I mean, we actually shut it down because it was that bad. Took it down for a couple days, and devs, who probably hated me ever since, were working night and day to get this thing updated, tested.

The easy one was fixing the file upload. It was actually the IAS thing that was harder because, of course, they had to regression test the whole thing to make sure that they had all the permissions right and all that crazy stuff, so yeah.

[00:20:47] CS: To that end, I mean, that's a great story, and I'm so glad you told it. But I also want to know sort of was that difficult? It doesn't tell me if that was a difficult challenge compared to some of the other sort of pen testing things you do, and I ask that only to pivot to the fact that I wanted to sort of get a sense of if you can think of some key moments in your life or career when a big change happened, where there's a job change or a big project that gave you new tools or new opportunities, can you think of things like, “Aha, I just kind of leveled up.”?

[00:21:16] AM: Oh, my god. There's a laundry list. I mean, obviously, just that manager coming to me and saying, “Hey, do you want to join this pen testing team?”

[00:21:23] CS: Sure, yeah. That's amazing.

[00:21:26] AM: After that, it was we had a merger in that company, where we got bought off by – We were a company of about 5,500. We got bought out by a company of about 28,000. Through a merger, as things do, they're cutting people, whatever. Well, I ended up leaving not only that team but now bringing in all the people from the other organization that I was leading across multiple countries. I had ownership for the entire vulnerability management program and security testing program.

This is – I mean, I was like in my early, early, early 30s, so that was a big one for me. Unfortunately, I didn't really look at it that way until more recently because imposter syndrome does its thing, right? Something serendipitously happens to you. You get a really cool thing. You don't really give yourself credit for it. But, yeah, looking back on it now like, “Oh, my god.” I was running the entire vulnerability management program for a Fortune 200 company in financial technologies, no less. I think there's been a number. Some have been good. Some have been bad, right?

I mean, I had an issue far more recently with an organization I was at, where I got passed over for a promotion and under very, very questionable circumstances. So that's one of those down moments that really kind of kicked me into a bad space because, of course, I could sit there and I could say, “Okay, this is really questionable. I really think something else is going on here.” But you still take it to heart and you start to question yourself, and so you lose that confidence. That was actually a defining moment too because I'd still be at that organization if I had gotten that promotion. But instead, I left and went to work for another company.

While I was there, a couple things happen that like really built me up again. One was I was contacted as part of an executive search for one of the big three social media companies. It was a new role that they were creating. They ended up not creating the role as it turned out later. So I didn't get that, but that was like a – They reached out to me with an executive search, right? So that right there kind of, again –

[00:23:55] CS: That’s a great message. Yeah.

[00:23:55] AM: Suddenly, confidence was coming back.

[00:23:57] CS: Exactly, yeah.

[00:23:59] AM: Then it was I think the biggest thing was now landing this role that I'm in now as a business information security officer. This is one of those things like, “Wow, this is really cool.” Because after I'd been at that financial services company for a long time, I left and went into consulting, I spent the next eight years in consulting. So coming now to S&P in this BISO role was a return, first of all, to working in a corporate environment, where you can make things happen and you're actually a part of seeing them happen and you own them, right? You don't get that in consulting.

But now, I'm in a position where, okay, I own security strategy for an entire division, right? I mean, multibillion dollar a year revenue division, 104 within S&P Global. Like that – I mean, talk about a moment where you just feel like you've arrived like, “Here I am. This is my shot. I've got a chance now to really do something meaningful for a big company that's fairly prominent.” Most people have heard of the S&P 500 and the Dow Jones Industrial. Okay, that's part of what we do. Most people know about standards and poor and the credit ratings, which that's my division.

Not one of the big three media companies had that job worked out. I mean, that would have been really huge too but almost equally as prominent and definitely so in the business world.

[00:25:27] CS: Now, I know most of the job titles but I don't really know the specifics of what a BISO, Business Information Security Officer. We talked to a lot of CISOs, and we talked to CTOs and so forth. Can you give me what the distinction is between a BISO, a CISO, and some of the others, our C-suite people?

[00:25:47] AM: Yeah. I get this question a lot because it is a new role. Actually, it varies a bit based on which organization you're in. Some organizations implement the concept very, very differently than others. But for me, in this role, the way it ultimately works out too is it's very similar to like a divisional CISO. Typically, when organizations have large divisions like that, you might have a central CISO at kind of the corporate level, but then each division has their own CISO as well. Usually, those CISOs report into that centralized CISO function.

So my role is similar in that I oversee security for our division, but this is where the B comes into play. It’s B for business because I report into the business line and into the CTOs organization. My focus is not exclusive to security. It's bridging the gap between security and the centralized CISO function at our organization. So really bringing those security initiatives, all the strategy that's coming down from that centralized organization, and building out my strategy for how that's going to apply, given the context of our business. So how do I make this meaningful? How do I apply this frictionlessly? How do I make sure that it plugs into our pipelines and our SDLC processes the way that we need it to, to keep the business going and to actually enable the business to move quicker

Then on the flip side, it's also bringing the message the other direction, which is bringing that business context to the security team in the central organization and helping them understand, “Okay. If you guys want to deploy this DLP solution, here's things you need to understand because, A, we're heavily regulated. So here's how it's got to – Here's some of the requirements it's going to have. We need processes here and here and here because these people need to be able to do things that are going to be exceptions to the DLP policy that you're proposing.” Things like that. All of that kind of work is a part of it, too.

I was just talking with a friend last night, and the way she termed it was it’s like the great translator between the security organization and the rest of the business.

[00:28:12] CS: So that you're not creating these things in a vacuum. You're letting them know you can't just make this sort of beautiful object exactly the way you want it. It has to be able to serve the business in this way. Is that sort of the idea?

[00:28:26] AM: Yeah, exactly. Sometimes, it's forcing accountability both directions too. My security team is going to come and say, “We want this new thing. We want to implement this new process.” Well, why? Show me why. Show me the business value. Or let's talk about it and let's find the business value because I know on the back end, I've got engineering teams and product teams, everyone else that I have to justify this to. If it's going to introduce friction, that's problematic. So how do we adjust for that?

Then, of course, the other direction too, how do I make sure that my teams are accountable for addressing their vulnerabilities and doing the things that they need to do? Are they getting the necessary architecture reviews and following our architecture standards and things like that?

[00:29:09] CS: Now, a lot of our listeners – We have a wide range, but a good chunk of our listeners have said in in polls that they have zero to four years of cybersecurity experience, and they're here to sort of learn about the industry and what roles do I want to start with and which ladder do I want to climb up and stuff. So can you talk a little bit about what the primary skills are that are required for a BISO, as opposed to other sort of C-suite level things? What should they be working on at lower levels in their careers to sort of prepare them if they want to do something like that, as opposed to other like CISO?

[00:29:47] AM: I mean, yeah. So the technical skills are always important, mostly because it's what people are looking for, and you do have to have the technical aptitude in a lot of these jobs. But honestly, it's under – I mean, the most underrated skill, and everybody's going to kind of roll their eyes like, “Oh, that's such a soft answer,” but empathy, empathy more than anything.

[00:30:10] CS: I love that.

[00:30:11] AM: The ability to actually look at the people that you're dealing with, whether they're your engineers, your SREs, your DBAs, your product managers, your infosec team. Understand what drives them and how you can motivate them. I mean, we hear so often. It’s funny. You hear managers pontificate that, “Oh. Well, I can teach anybody how to use this technical tool. I need them to show passion and other things.”

[00:30:41] CS: Soft skills. Yeah.

[00:30:43] AM: It’s or what I call core transferable skills because they're those things that like you might have learned working as a barista, how to take a bunch of multiple inputs really fast and prioritize them and execute on them and quality and all those things that a barista does. Well, if you think about that in those terms, take the coffee portion out of it, and just focus on it at that level, that's a transferable skill that would work really well for someone in your sock, for instance. There is that. There's just the awareness of some of the security concepts.

I know people come to me all the time and they ask about, “What certification should I get?” I'm not a big fan of certifications as training because a lot of them aren't. A lot of them are designed to really justify that you have the skills that you've already learned versus actually train you up for them. But one of the ones I do point people to is the Security+ because what I like about Security+, first of all, for someone new to the industry, it's easily attainable, right? It's not super expensive. It's not a $4,000 sans course. It’s not the CISSP where you got to have five years of experience just to get it.

So I point them that way and partially too because CompTIA has done a really nice job with the training that goes along with that. What the Security+ gives you is it gives you that well-rounded view of a lot of different security spaces, the basics of like, “Here’s the security domains and here's concepts of things like lease privilege, separation of duties, zero trust.” All of that kind of stuff, where I want people understand that more than I necessarily want them to understand how to write a query in Splunk.

[00:32:34] CS: Okay. Yeah. That feathers nicely into my next question. I want to talk about your new book, The Cyber Defenders’ Career Guide, which was published last month. It sounds like the perfect book for our listeners, as it's aimed to things we've been talking about here all the time like adapting your existing skills into cybersecurity roles and figuring out how your individual skills or interests can help you choose the particular flavor of cybersecurity that's best suited to you. So you mentioned a little bit already. Well, what can our listeners look forward to if they buy your book?

[00:33:05] AM: One direction, it hasn't actually been published yet. So what is available is it's available for pre-purchase.

[00:33:12] CS: I’ve been given bad intel.

[00:33:12] AM: When you buy it for pre-purchase, what you get, and this is something that's really cool about Manning publications, my publisher, and this is part of the reason why when they came to me, I was excited to go with them, is it's in what they call their Manning Early Access Program. You can pre-purchase the book, either in print or e-book format. So when it is published, it's yours. But what you get is you get early access to the book. So we've got right now the first five chapters available. Now, they're not finalized, right? I mean, you'll go in there. You're going to find even just simple copy edit things like spelling or grammar error.

[00:33:51] CS: Behind the scenes.

[00:33:52] AM: I can tell you right now that like the first chapter is going to break up into two different chapters and things like that. So I'm still working on the book. I've got two more chapters to finish, and there's going to be nine chapters total. But so you get to start reading it right away, and what's really cool about that is now you get access to it early. But you can send me feedback. They have a forum that you can send feedback to the publisher or people follow me on Twitter or LinkedIn or whatever. Just let me know. What do you think? That I really missed the boat on something? Is there something else you wish I covered? Yeah. If you go and you buy this MEAP version of the book, you get all that and you're going to get the book when it's done.

[00:34:36] CS: You kind of get to watch it being sort of crafted, I imagine too. If you're looking at it now and then it comes later and you say, “Oh, that's different than how it was before,” that stretches your brain all the further. Was there anything –

[00:34:47] AM: Yeah. I mean, you know it's not going to change massively.

[00:34:49] CS: No, of course. Yeah.

[00:34:50] AM: I mean, so it's not like you got worried about like, “I read all this, and it totally changed.” I might have added some things or whatever. But, yeah, I guess I might take one chapter and split it into two, just because the first chapter is really, really long.

[00:35:06] CS: Right. I love that.

[00:35:07] AM: Things like that. Now, was there anything that you discovered to realize in the writing of the book that even surprised you? Are you considering writing more books in addition to your other projects?

[00:35:17] AM: The first thing that I found was, honestly, not even related to book writing directly. It was the impact that COVID had.

[00:35:23] CS: Really? Okay.

[00:35:24] AM: I this book – I think I started offering it in March of last year and had planned to have it done last year. But the impact of COVID just – I know I'm not the only author who experienced this. It was huge. It slowed everything down in terms of just even trying to find time and motivation to work on it, right? I mean, you're sitting there and you're in your house all day. Now, all the things I had planned to do to like set aside my time for writing the book suddenly all shifted.

Aside from that, something else I learned is peer review in the book process is really interesting because at least this publisher – I don't know. I assume other publishers do the same. As I release chunks of the book, they send it off for peer review to get feedback, and it's really interesting to read those because you get many different personalities, and some of them are downright brutal. There is one person who has been in both rounds of peer review, who I don't know if he knows me outside this space, and he doesn't like me. But the way that he approaches it is it's brutal. Sometimes, I mean, there's things that he'll say. People in my publisher are not cybersecurity experts, so they're reading this, and they're like, “He’s saying this, this, and this, and that you're wrong.” I'm like, “No, that's one opinion of how to look at the world.”

That’s been really eye-opening to me, that process. It’s really good. In the end, I mean, I'm not complaining. Don't get me wrong. I've always been taught with feedback like that you take what you can use. If you can't use it, you just forget about it.

[00:37:19] CS: There you go.

[00:37:21] AM: I mean, I do take it to heart. That's not to say I've completely dismissed any of the heavy, heavy, brutal reviews that I've gotten from this one individual. I do try to consider why does this person feel this way about these things. Then you read the others where many of the others are like glowing reviews. They love the – The things that he's complaining about are the other things that people say they love about the book.

[00:37:42] CS: The best part of it, yeah.

[00:37:43] AM: It's like you do have to balance it. So that was really eye-opening for me too. Would I write another one? We'll see. I mean, this was something I was already kind of looking into anyway. So when the publisher approached me and said, “Hey, we'd really like you to write a book on this topic,” I was like, “All right, I've got the necessary research. I'm going to add some other research to it.” I mean, spoiler alert here. I actually had a publisher four months earlier that had approached me to write basically the same book. But at that point, I didn't have any research. I didn't have anything, so I turned them down.

I think I would have to be in that situation, again, where I had done enough really heavy duty research into a particular topic that wasn't getting a lot of attention, and I felt ready to write a book on it. In this case, this book, one of the things that really makes it, in my opinion, stand out, is that there's a lot – There’s a number of books on how to get into a pen testing role. People tend to think about security jobs in terms of offensive security. This book is written to cover any job insecurity.

So, I mean, in – I think it's chapter two or chapter three. I talk about roles in security. It might even be chapter one. I talk about roles in security. I cover sales, also engineering, operational security. So your SOC analysts, things like that, application security, of course. How can I write a book and not talk about application security? But all of these things that people don't traditionally think of as part of the security landscape, and so covering that broader scope of here's how you do it.

It’s very little the book talks about building technical skills, right? I’m not going to tell you, “Oh, you need to go build a lab and do all these things.” Sure, I covered that. That's such a small component of the overall. There are far bigger hills decline in order to get that first job, and that's really what the book focuses on.

[00:40:07] CS: Yeah. I mean, we've talked to risk analysts and threat modelers and all kinds of things, where the most technical thing you're using is paper and pencil. I mean, there's so many different options and there's so many – I think some of the skills gap aspects are sort of a perceptual issue of like, “I can't do that because I haven't been, say, hacking since I was 12 years old or buy my first computer or whatever.” I think this is going to be a really valuable book in that regard because I think it really sort of takes some of the fear away from people who say, “Well.” We just had a live event where people were saying, “Well, I'm 50 years old. I feel like the ship sailed for me. I can't get into cybersecurity but I want to.” I think this kind of book is going to be really valuable for people to just hear that, right?

[00:40:57] AM: Yeah, and I hope so. I mean, that's the intention is to hit not just people who are coming out of college necessarily, but also to connect with those people who are trying to pivot from some other role. How do you get there? I gave a TEDx talk earlier this year on the same topic and covered a barista or a retail employee and how they can make that transition. So, yeah, there's – I hope that that's what I'm able to connect with, and I hope it does some good for some people and really helps them find a way in because we need them. We need those diverse backgrounds. We can't just all be network administrators, system administrators, and developers. I mean, that's not going to make us any better in security.

[00:41:45] CS: I totally agree. As we're recording this, I want to sort of jump on that a little bit. We're in the middle of Pride Month, and we've seen industries and companies of all sorts do the window dressing of celebrating pride, without doing the work of equity and real inclusivity. Can you talk about some ways that cybersecurity industry can move beyond lip service and start to embrace and foster equity and Inclusion at all levels and not just to say in the month of June?

[00:42:11] AM: Right back to what we were just talking about, it’s recognizing the actual business value of diversity, right? It frustrates me when we have these conversations. First is the dog whistle. There's a dog whistle out there that I want to throw and smash things every time I hear it, and that's when someone says, “Well, what we really need is diversity of thought.” No, dog. But that is a dog whistle to say that, “Well, we can accomplish diversity of thought by hiring a bunch of white dudes.” No, you can't? You absolutely cannot and you have to recognize. I mean, there are so many examples now. Look at the AI models that were creating deep fake images of people. It turned Barack Obama into a white man. How did that happen? Because of bias, right?

Or I think one of my favorite stories is the TSA, the new body scanners. They find out these body scanners unfairly targeting women of color. Why, you ask? Well, because there are certain hairstyles that are very predominant to black women that it was having problems with. So isn't that kind of got you questioning now? Didn't you have any black women in your test sets? Like shouldn't this have come up? So from security, it's the same thing. It’s recognizing that. So, yeah, when people say, “Well, I want diversity of thought,” well, you better think about how you get diversity of thought.

Then the other part of it is stop thinking of diversity as this like feel good thing. We want to make people feel good that we're inclusive and blah, blah, blah, blah, blah. Diversity is what makes us. As I said early in this podcast, it's what makes us stronger in this sense of collective solutioning or collective problem solving. You need those various aspects. You need people who look at things very different ways because of their experience. Someone who can look at a body scanner and say, “What's that going to do when I walk through with my hair like this?” Because they know from other experiences that that particular hairstyle they have gets treated differently.

I think those are the kinds of things. We don't recognize that right now in a lot of senses. We don't see that. It is actually a business value to be diverse and it's something that you have to hire for. Now, I'm not saying you're going to go out and say, “We only want black applicants for this position.” That would be illegal, right? This is illegal as saying, “I only want white applicants for this position.” But rethink what your qualifications are. What are you looking for in terms of the people you want to hire, and how many of those just reflect your own personal experience or your own personal biases? How can you look at what makes somebody a good fit and a good diverse fit for your team, inclusive of things that maybe don't fit into what you write immediately think of in terms of what that person and that role should be? It’s so broad in that sense.

[00:45:25] CS: Not just checking off checkboxes but also like disabled people or neurodiverse people. There's so many places where the interfaces and the technology are being used, like you said, differently by different people. Yeah. It seems like it should be like an exciting opportunity to be meeting with people and thinking in these ways and stuff. But there's that that sort of feeling of like, “Oh, god. It’s June. Hurry, hurry, scramble, scramble.” We got to do the thing.

[00:45:57] AM: I mean, yeah, and I could go on for days about the rainbow washing and everything that goes in Pride Month, right? I mean like come on. Live it 12 months of the year or don't bother. Yeah. That reminds me of another dog whistle that's out there too that frustrates me, and that is the, “Well, we want to hire the best candidate for the job.” Again, it’s suggesting that, well, if I hire a black person or I hire a neurodivergent person, they're automatically less qualified. No. You need to rethink your qualifications and what makes a person qualified. How are you evaluating? Chances are you're not evaluating them on level playing fields. You have biases in how you evaluate. As a result, you are going to be immediately shaded towards hiring someone who looks and sounds and acts like you.

[00:46:51] CS: Or in a similar financial situation where it's like, “Well, this person takes up too much time because they have family problems.” Or like, “These are all things that I think are going to be so systemic and are going to take so long to just clean this particular attic out of all these sort of like old assumptions of like –” It’s amazing. I mean, to sort of flip that around, are there any specific things you've seen being done in this area that can act as like advice or guideposts for other organizations that want to do better but haven't gone all in yet?

[00:47:25] AM: Boy, there's so many, quite honestly. There's a lot of concrete discussion out there on how do we make ourselves more inclusive. It starts with understand that you have to be deliberate, right? I mean, you really have to be deliberate in hiring for a diverse talent pool. You cannot – By delivered, I mean, again, you have to look at your job descriptions. You have to look at your evaluation criteria. You have to look at all of these things that are part of just how do you even make sure that you get a diverse pool of individuals in the first place.

[00:48:01] CS: Yeah. If you're not looking in the right places, I mean that's another thing too or looking in the same old places.

[00:48:07] AM: Well, yeah. I mean, I've heard people say it a million times like, “Well, we really want to hire diverse, but we don't get diverse applicants.” Well, then look at your job description. What might be holding out those more diverse applicants? I think you need to be doing that. You need to understand. I think most HR teams do now that unless you have an inclusive environment, you can't hire diversity because they're just going to leave anyway. If they come in and you've got a toxic, crappy environment, they don't see representation of their demographics at high levels of the organization. If you've got an all-white male board, oh, my god, go look at how many companies. You go to their leadership page, and it's all white males. Maybe they have like one woman who is in HR or marketing, right? That’s the only woman there and there's nobody of color and there's nobody with really any diversity, whatsoever. That’s problematic, and you have to understand the impact that that has on your people.

[00:49:11] CS: Working backwards from the future we want in which our industry is fully meaningfully become truly diverse, inclusive, and equitable, and every person who wants to contribute their skills is helped to feel safe, understood, and wholeheartedly welcomed. So like how did we get here? What are some long-term strategies that you've seen that are going to be most effective at breaking down these monocultural biases and prejudices?

[00:49:33] AM: I mean, boy, this really goes back to, again, just kind of looking at how do we get out of this mindset of the people we bring in have to have all these technical, specific experience. I look at job descriptions. I talk about this, and my favorite example is one from a grocery store chain in their corporate office, trying to hire a security architect, and the job description goes on for three pages. It’s got in intricate detail every single technology that they use, and thou must have experience in all of these technologies. That unicorn you're looking for doesn't exist, so stop it.

Look at the things that are actually going to make people successful in that role. Those we talked about before, the transferable skills. That's how you know if someone's going to be good, right? You can teach them all the skills but you got to find the person who's got the right mindset, the right core skills, the things that are going to apply in any industry. That's what's going to tell you if they're going to be successful or not, not whether or not they've spent 10 years working with Kubernetes. By the way, it hasn't existed for 10 years, folks. So stop doing that too. Little things like that.

[00:50:51] CS: Yeah. I mean, it also sort of speaks to like you see it and you think, “Well, if they need me to have this exact skill set with these exact things.” It doesn't speak very well to their idea of like their ability to train people either because like they seem to want someone that they can literally just like a fuse that you can plug into a fuse box and just like turning them on, and then that's it. What is your situation like that you need? You can only take a candidate that has all of these skills already set, and you're just like, “Okay, I'm going to push you into that desk, and you're going to deal with it.”

[00:51:24] AM: Well, when you like them to have skills and other tools that you're not using, so they can compare –

[00:51:28] CS: Then they can like tell you things that you're not doing, and you're falling down on the drame. Yeah.

[00:51:33] AM: Great. You use CyberArk all this time to handle your privilege access management. Good. Well, you know how it works too. Yeah. Doesn't it do? Somebody who's used a different PAM tool probably knows because they've been working with it for a long time, and they can tell you what it does that CyberArk doesn't do. So, yeah, I mean, things like that. It's just, again, come on. We've got to think about this differently.

[00:51:58] CS: Also, I mean, it seems like – I mean, not to go on and on about this, but like is there – There need to be sort of a change made in terms of cyberspace security teams being able to take that kind of feedback. If someone comes in with a completely different background and says, “Oh, my kind of hair is going to not go through this the scanner in a certain way or this the skin color or the way I interface because I'm legally blind or whatever.” It’s still going to take some work to get security teams to take that feedback and say, “Oh, yeah. Good point. We should –” Not just like, “Oh, that's not going to happen enough times to make it worthwhile,” right?

[00:52:36] AM: Yeah.

[00:52:37] CS: Yeah. So, I mean, there's – This is going to be a hard challenge, but I'm glad we got to talk about this a little bit today.

[00:52:43] AM: Yeah, for sure.

[00:52:45] CS: As we wrap up today, do you have any final career advice for listeners who might be considering cybersecurity as a career and are feeling a little intimidated by the possibility? We talked a lot about your career guidance stuff, but I'd like to sort of wrap it up on a note where people are sort of like – Because we get so many comments of just like, “I don't know where to start. I don't know where to begin. Please help me.” Any thoughts?

[00:53:05] AM: Yeah. Let's talk about where to start, and I'm going to give you just a little bit of a selection out of the book. That is you've got to know yourself first. Know what interests you. You don't have to pick your career for life. You don't have to pick the aspect of security that you're going to be in for the rest of your life. Because the thing is, once you're in security, it's really easy to pivot around and go wherever you want to go. But come in with some sense of what interests you, what about security as you're looking for a job here.

The activity I give people, the exercise I give people in the book is if you really need to just sit down and figure this out, a great way to do it is go to some security blogs. Pick 5, 10, maybe 15 security blogs and news sites and other things, and grab the headlines that interest you the most. Look back over the last few months. Grab just the headlines that interests you the most from those. As you get them together now, rank them out as to which ones seem most interesting, and then look for the patterns. What's in those headlines? What are those headlines talking about that what was the rest of the article? What was in there? What aspect of security was it? Was it something with IoT security? Was it something with your OT security, pipelines getting breached lately? Not breached but ransomwared.

I mean, that is such an important first step because I do get these and I know a lot of my colleagues do too, get these messages from people looking for help. You ask them, “Okay. Well, what part of cybersecurity or what do you want to do in cybersecurity?” They’re like, “Well, I just want to learn cybersecurity. I just want to learn it all.” That’s a huge domain. You’re not going to learn it all. I don't know it all, so I can't even teach you it all if that's what you're looking for. But, yeah, I mean, know yourself. Know where it is that you want to go and chase that initial dream. Get in.

Then now, if you decide later, “Yeah, I really don't like doing threat analysis,” okay, great. So you pivot into app sec or something? Who knows? I mean, you can do that.

[00:55:14] CS: That's some of the best career advice I think we've gotten on the show yet. So everyone who's listening, get the transcript of this. Write that down and double underline it because –

[00:55:22] AM: Get the book because the exercise is in there.

[00:55:25] CS: Absolutely. It does. You're not choosing something that you're stuck with for the rest of your life and choose based on your passion. I love the way that was put. Thank you very much. One last question, if our listeners want to learn more about Alyssa Miller and your book and your many awesome activities, where can they go online?

[00:55:43] AM: A couple things. Online, find me on Twitter. That is by far the easiest, @AlyssaM_InfoSec. You can find me on LinkedIn too if you search for Alyssa Miller or security or BISO or something. The book, if you're looking for that, the easiest way to get there is to go to alyssa.link, L-I-N-K, alyssa.link/book. It'll take you right to the page. It'll get you that simple forwarding URL, taking right to where you need to go. So if you are interested in purchasing an advanced copy. Then you know what? You’ll get the real deal once it's fully published.

[00:56:23] CS: Awesome. All right. Well, Alyssa, thank you so much for joining us today and sharing your history and story with us. This was so much fun.

[00:56:30] AM: Yeah. Thank you.

[00:56:31] CS: Thanks as always to everyone listening at home or at work or work at home for listening. New episodes of the Cyber Work Podcast are available every Monday at 1:00 Pm Central, both on video at our YouTube page and on audio wherever you find podcasts are downloaded. To read Infosec’s latest free e-book, Developing Cybersecurity Talent and Teams, which collects practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG, Cyber, Booz Allen, NICE, JPMorgan Chase, and more, just go to infosecinstitute.com/ebook and start learning today.

Thank you once again to Alyssa Miller, and thank you all for watching and listening. We'll talk to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

placeholder

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

placeholder

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.

placeholder

Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.