Take control of your career: A panel with Industry Leaders

BSides PDX · 2023 · 52:54 · 51 views · Published 2023-10
Category: Career
Style: Panel
About this talk
During this panel discussion, you’ll hear stories from industry leaders with diverse backgrounds and careers who’ll be speaking on how they have navigated their careers, what they have learned so far, their successes and failures, and how to level up your career. Come hear our panelists discuss what it’s really like to grow your career in security, deciding between growing as an IC or a manager, what to do if you find yourself stuck, or whatever you want to learn more about. Ask Us Anything - seriously, anything.

PANEL SPEAKERS:

Lea Snyder
Lea Snyder is a Principal Security Engineer at Microsoft. She’s worn a lot of hats over her career and mostly worked for companies that begin with the letter ‘A.’ You can read more at: https://tldrsec.com/guides/staffeng-security/stories/lea-snyder. Outside of work she can be found organizing security conferences or enjoying all the PNW has to offer.

Terra Cooke
Terra Cooke is GRC Manager at Boom Supersonic. She’s been in the security game for 15 years. She’s here for all things security, technology, and non-performative intersectionality. Oh and cats.

Rachana Doshi
Rachana Doshi is the Director of Third Party Security at Salesforce. She has over 15 years of experience in the information security and technology industry, working in many different security domains from Secure SDLC, Application Security to Third Party Security. She has developed many security programs at scale, automating risk-based security assessments while enabling the business.

Dayana Claghorn
Dayana Claghorn is an Associate Principal Security Engineer at SiriusXM. She has had several careers prior to finding her niche in security. She has a diverse background, starting off her career in GRC, then moving into security architecture and later security operations. She is now the head of the application security department at SiriusXM. Outside of work, she enjoys making pottery, running her mini-farm, ice skating, and going hiking.

Jess Jimenez
Jess Jimenez is a Director at Dropbox. She’s rebuilt her career multiple times over, starting in the Army, then the Intelligence Community, and then in the InfoSec world. She is a passionate advocate and enjoys mentoring the next generation of security professionals, including teaching at UTSA’s CIAS. Outside of work, Jess spends her time hanging with her family and playing in the garden (except when there are heat domes in place).

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching.

bsidespdx.org
Transcript

[Music] All right, awesome. Hello everybody, hello Portland. Um, my name is Lea, so I will be introducing myself. I'll be moderating this panel, I'll be taking your questions. There is a Slido with a number; please feel free to send your questions as we're talking. Don't worry, got some prepared. Um, I'm a principal security engineer at Microsoft, and I'm going to let the panel introduce [Music] themselves.

Hello, my name is Terra Cooke. Uh, I am currently the governance, risk and compliance cyber security manager at Boom Supersonic, and also just generally do security there, because security just has to get done there.

Hi, I'm Rachana Doshi and I'm director of third party security at Salesforce, and I've been doing security for the last 13 years or so.

Hi, I'm Dayana Claghorn. I'm the head of application security and the associate principal security engineer at SiriusXM, and I've been in security professionally for about 6 years, six and a half years.

Hey, I'm Jess Jimenez. I'm a security engineering director at Dropbox. I'm responsible for defensive security as well as our product security, um, organizations.

Okay, so we're going to get going. Um, so as we said, we're going to discuss what it's like to grow your career in security, um, deciding between being an IC or a manager, what to do if you feel stuck, and just whatever you guys want to learn about. Like, please ask your questions; got the Slido for this reason. It's all anonymous, so ask away. But to kick us off, 'cause I doubt anybody's been, like, that fast, and I, of course, I'm trying to do Face ID from far away, that works beautifully, um: what does success look like for your [Music] role?

You want me to start? Cool, I can start, that's fine. Um, I forgot to mention I've been in security for 15 years, so what success looks like for me has, like, varied wildly throughout the years. Um, specifically in the realm of GRC, my personal belief is every GRC person has about 12 different jobs that they're trying to do. Um, so what success looks like for me does typically actually vary on a day-to-day basis, um, and considering what is being asked of me. But more than anything, I feel like success is being able to successfully, sorry, success is being able to accurately dictate the needs of security to the rest of the business, because if you can't do that you're kind of dead in the water regardless. And especially from a compliance standpoint, a lot of people don't quite understand it and view it as kind of smoke and mirrors, and it's this very scary place. So a lot of the time I'm taking the things from the business, translating it into security, and then flipping it and doing the same, and building relationships. Um, although GRC is considered non-technical or not technical, first of all, that's wrong. Secondly, um, being able to build relationships and successfully communicate with people, I feel like, is my biggest form of success at work, because if I can't do that I will go absolutely nowhere. And writing, right, a lot of policies.

Um, so I'm a people manager, and for me mostly success currently looks like making sure my team is successful: they're getting the growth opportunities, the learning opportunities and the, you know, projects that they really want to do. Um, obviously what, you know, Terra just said, we, we have to focus on the business because otherwise we'll be out of business. Uh, but really making sure that, you know, taking the business goals and then dovetailing into what the team success looks like, that's what success looks to me right now.

So I'm going to agree a lot with what Terra said, that a lot of what I do is to communicate with the business what risks we're engaging in, um, what risks we can mitigate, what risks we should probably accept, and so forth, and then to figure out how to manage the culture with the engineering teams to improve the processes that they have, so that they can, with as little friction as possible, include security into their design, into the application, as early as possible, and so they can get the feedback that they need to feel successful and empowered to do that themselves. I feel like that is, if I'm able to do that or move us in that direction, I am creating, I'm moving towards my success criteria.

Hey, I'm going to answer this question on a couple of different dimensions. Um, success for me in my, my role serving the company, um, is to enable the business to be successful in a way that protects our customers' privacy and security. Um, so for me that's a lot of understanding the customer needs, the business requirements, and then working backwards to, um, how we apply security in a way that's an enablement, um, as frictionless as possible. And as a people manager, right, echoing what's been said before, empowering the folks who work for me, understanding their career goals and helping to set them up for opportunities. And then for me personally, um, success for me personally is finding a role that aligns my core values with the core values of the company I'm working at, right, and making sure that I have the, the personal satisfaction, um, along with the professional success.

All right, awesome. We're getting questions rolling in. I'm going to keep doing a couple of ours and then we'll flip to those. Um, what are one or two, or more, depending on how many you have, things that have helped you grow your career across different levels?

Sure. Um, so I've been, I've kind of restarted my career multiple times. I started in the Army, and then I worked in the intel community, and then started over, really started over, like weekend night shift as an incident handler, and got to, like, work my way up multiple times. Um, but, but really the key for me is, um, just asking curious questions and always having a desire to learn and grow more, and, like, you know, never being satisfied with what I, what I'm doing, and wanting to know how I can contribute more to the success of the mission.

I come from a very non-traditional background. I don't have a CS degree. I didn't start my career in my early 20s as a security person. I worked as a teacher as my previous job.

Um, and I moved into this career in large part, and then, and grew my career, because of the community that I was able to surround myself with. The people that I was able to meet in this industry, that taught me the things I needed to learn, that taught me how to appropriately Google the things that I shouldn't be asking them, and how to have the confidence to just go figure it the heck out, um, is probably what has been most instrumental in me being able to grow my career. And also recognizing where my strengths and my not-so strengths are, and moving into those strengths and trying to compensate for the things that I'm not as good at.

Um, I'll just add to what previously has been said. I'm reading this book right now called Disrupt Yourself, it's several years old, by Whitney Johnson. But, um, over my career I have just done a lot of different things, um, pushing myself to get out of my comfort zone and try something entirely new. Either it's a new organization or a new industry, you know, moving from biotech to big tech, or completely different teams where I had no knowledge of that area or domain, and just learning and trying to grow into that space. But really getting out of my comfort zone over the years has made me grow tremendously.

Can you ask what the question is again? Because quite honestly I forgot.

What are one or, one or plus things that have helped you as you've advanced your career? That's my reframing of it.

Thank you. Um, not taking some of the traditional advice of, oh, you need to stay at a job and working in in five, no, I don't do that. Um, and it's not, and I say that because obviously people can look at my resume or my LinkedIn and be like, oh, you're a job hopper. Like, yeah, I get it. Um, but at the same time I personally do not find value in showing up for my job every day and hating it and being miserable, because that spills into other parts of my life. So when I don't like a job, yes, I go to my management and I try and do the right things and have the conversations, etc., etc., but if that does not work out, I'm leaving. Um, and it goes against everything that I was taught by, like, my dad, when I had a good government job, and you stay because you get a pension. And I'm like, that pension doesn't pay my bills in this current moment though, father, and neither are you, so like, what are we doing? Um, so I left, and it was honestly one of the best decisions that I could have made. Um, other things that have helped me be successful is being genuine to myself, just as a person. I realized early in my career, when I was a consultant and I had to fit into the box of a consultant, of wearing my slacks to work and my, my fancy shirt and this, that and the third, I felt very stifled. Um, and because I was not being who I was, it showed in my work when I had to present all the time. And so when I used to lead audit conversations I'd make, like, really bad dad jokes and use slang or a a, and my management was like, you can't do that, and I was like, well, but I can, first of all. Um, and secondly, my work performance got better and I was actually able to build better relationships because I showed up as a human and not some, like, weird little robot. Um, so somewhat non-traditional, just being like, ah, this is who I am, you can kind of take it or leave it. But that also comes with privilege, and over time, like, I wasn't able to do that the gate 'cause bills had to get paid.

Nice. Um, maybe I'll just take a stab at this one too, um, because I have a very specific answer to this. Um, so I mentioned I'm a principal security engineer. A lot of my job is actually about influencing others, and I remember being a more junior engineer being like, huh, the, I don't, I don't know how to do that. I also was like, I don't really understand who gets to decide the strategy and who gets to do the, like, what I thought was the cool work. Um, and I actually switched gears and became a TPM for a while, and I have a talk about why that's, like, the best job ever, and I still think it might be. Um, but it's the thing, like, that job is what I point to when people are like, how did you accelerate your curve so fast? That job. Because that job was a lot harder than I was expecting, and I just remember being like, woo, I am unprepared for this. And it, like, honestly, best experience ever. I only did it for four years, but man, did I learn a lot. Um, we've had a lot of questions roll in. I'm going to also reserve my right as moderator to slightly modify some of your questions. What are the biggest mistakes that you've made as a leader?

Some of my biggest mistakes I've made as a leader are, uh, innumerable. Um, but I would say that probably my biggest one is I have a confidence problem, and I sometimes let my ICs, they, they, technically not their manager but I kind of am, it's weird, um, I let my ICs know when I'm lacking confidence in something, and sometimes they become very not confident too, when I'm clearly relying on them to be the experts. And so sometimes I need to be more careful about my, my own insecurity and make sure that, that they know where my confidence is in them. And because I'm not confident in something and I'm expressing, like, oh, I don't think that this is the right, that I'm the right person to be handling this, I'm going to hand it to you, it's not because I think it's impossible. I think that you can do it better, and I think that you're the expert that I hired to solve this problem, because this is what you're good for, this is, like, this is your best thing, go do it and kick ass and then teach me how to do it. Um, and so not, not feeling confident and expressing that is something that I've had to learn how to do differently and better, so that my ICs can model a better behavior and be confident in their strengths.

I think the biggest, um, failure that I, it's a mistake I continue to make, but, like, starting today, for real this time, I'm going to be better at it. Um, I don't say no enough. Not like, I'm pretty good at defending my team's, uh, you know, charter, like, I don't put a bunch of random things on my team to do. But I definitely, like, anytime there's a hesitancy in a meeting and we've got to get something done, like, the NCO in me, the non-commissioned officer in me, is like, I'll just do it so we can stop admiring the problem and move on to the next thing. And the end result of that is, like, I have zero time. Like, I have less time to dedicate to my team and my team strategy, I have less time to dedicate to my family and my friends. Um, um, I don't have the capacity to do the deep work that I need to do. So I think not saying no enough is probably the biggest mistake that, again, starting today, y'all are here and my accountability friends, I'm going to stop doing.

[Music] Same. Um, I have the same problem, but I'm, I'm getting better at it. I've worked at a long time. Um, one thing that I am not great at, that I'm still working on, um, I'm a natural introvert, and so my tendency is to not want to go and talk to a lot of people. I have enough meetings on my calendar, you know. And so, um, part of my job as a manager, though, is to evangelize my team and the work we're doing, and go talk to different teams and say, hey, look at all the awesome things my team is doing, tell me about your team, or what are you working on. And that's one thing that, um, over the last years, you know, I have let go of or not done enough of, and that, that's, um, you know, kind of hinders my team in their growth.

And so that's one of the things that I'm working on to fix.

Mine is the same as just always saying yes to everything. Yeah, 100%.

All right, this, I like this question: how can someone in a junior role support a team or organization that is behind in security maturity and not moving quickly? So from a manager perspective, what, how would you advise someone who's in a more junior role to help a team [Music] mature?

I'm going to use a very real-life experience of the magician I just hired. Um, uh, this is his first job in security. I'm going to leave his name and any details out, but he's a magician, and he is very, very, very good at what he's good at, and he's really good at solving complicated problems. And knowing your niche, and then making it clear that, like, I am super good at these things, I want to solve these problems, and then coming to your management and saying, I am super bad at these things and they are important for me to continue to solve these problems, help me solve this. He's incredible at everything. Whenever we have a problem that's really hard, we hand it to one of us, and whenever we have a problem we think is impossible, we hand it to him, and 4 hours later he solved it. Um, but, you know, he's going to have knowledge gaps, it's his first job in security, and so he's been very good at coming to us and saying, I have no idea what you're even talking about, or, I don't understand this thing. And he has no, he doesn't need to have any shame about exposing that he doesn't know what he's doing, because he knows inside the environment that we have, I go to him and I say, I don't know what this is, can you help me? And I'm his leader. And then he says, oh yeah, let me help you, or, let's figure it out together. And, you know, we go and we explore it, we figure it out. And so as an entry-level or junior engineer, know your strengths, work on them, and then recognize your weaknesses and ask the people around you to help mentor you into growing in those strengths, into, or those weaknesses, maybe not into strengths but into something that you can work with or around.

Um, something that's very underrated in, in security, in my opinion, in general, is storytelling. Um, we all are just like, oh my gosh, everything's bad, and it's like, oh my gosh, yes it is. Um, but that doesn't really do much in the grand scheme of things, because we all just collectively agree that it's bad. Um, how do you tell that story to your manager? Because also keeping in mind, and it took me a very long time to, like, understand that I was not the most important person in my manager's life, um, because I'm me and I'm a middle child, but anyway, um, being able to tell an appropriate story to your management, who has 50 bajillion other things that are going on, is, like, pivotal, that I'm starting to, like, realize more and more and more. So if you start to understand how to speak to them, and you work with them long enough and understand, like, well, these are the things that I noticed that they really care about, how can I spin this into some of the other problems and things that I see, or things that I think are important, is reverse psychology, um, by the time it really boils down to it, and stuff that we've been doing to our parents forever. Um, but also, like, I'm in law school right now and I'm in a class about negotiations and mediations, and there's a thing called a BATNA, a best alternative to negotiable agreement. Um, so you might have one specific way that you would go about doing this thing, and as far as you're concerned it's the only right way about doing it, which is fair, um, also a problem that I suffer with, but if you can, I'm just being honest about me as a person, um, but if you can come up with, like, I can't get to this but I'll take that, and at least it's moving us forward, instead of being so, like, just hellbent when it has to be done this way, I will instead, it's just, I'll take this increment, and maybe that increment is good enough for your management and for you. Um, because as we all know, budgets are super tight right now, so, like, these big pie-in-the-sky things that would have not been pie in the sky 3 years ago, really not sure if you can, like, swing it in the budget, so what's something smaller we can do? But more importantly, understanding what's important to your management and essentially managing up to them, um, in order to get the way that you wanted to go.

There's an awesome book called Turn the Ship Around. Um, and I won't spoil it for you; if you want to go read it, you should definitely go read it. Um, but, but one of the key concepts it talks about is building a culture of empowerment in your teams. And so I think if you're a junior or, you know, earlier-in-your-career engineer feeling like you don't know what to do, or you, you have an idea to make things better, um, one of the key concepts that I've embraced is to just call your shot and then go do it, right, and not wait for permission, not ask, not be stuck in this "but who needs to say that I can do this thing". Um, just call your shot ahead of time so you get the credit, right? It doesn't count if you just go silently do things; you got to call the shot and then go do the thing. Um, and that's how you build up your, the trust of your colleagues, um, and your reputation as somebody who can solve problems. But also, go Turn the Ship Around.

All right, R, okay, good, we can keep going. It's, it's been said. That's, that's kind of the problem: a lot of times you'll, like, be on a panel and be like, yeah, what they said, and you're like, oh crap, I need to say something. What type of entry-level security roles are good if you want to pursue a future in, and they specifically list GRC or AppSec, but you could just be like any security domain. What are good entry-level roles for getting started in this field? Want go first? You want?

Who's a GRC person? Raise your hand. I know it's synonymous, but hey, what's good, hey, I see, yo, like, more than one hand, that's super nice. Um, GRC has been in, like, an uptick in the past two to three years, which has been wild to see after 15 years or wouldn't be like, ew. Um, so it's really nice. Uh, things that you can do to get started in GRC: I am of the mindset, take any job that you can get right now. Not the best mentality, but hear me out. GRC people, like I said, do, like, 12 different jobs, and I wish I were kidding, but you're really doing very many different jobs. And I did not start in GRC. I started as an information system security engineer, and I've done QA, I've done virtually almost everything except for pen testing and anything dealing with programming, because I do not like it, but I can read code. Um, because you have to work with such a wide variety of people, getting any knowledge that you can is beneficial to you, versus, like, in some roles that are more, I guess, traditional security, like if you're doing programming, yes, it's programming, and it's almost like, seemingly, sorry to any programmers in here, my bad, that, that's all you do. Versus, I have to write policies, and I have to write technical policies, like a change management policy or a system development life cycle policy. So being, had I, having been in QA and having to do SIT, SAT and unit testing, I'm like, all right, cool, I'm not just this policy from a pie in the sky, I'm actually writing it having literally sat next to engineers. Or having been an auditor, which, don't, I know a lot of people don't like auditors, it was my favorite thing that I've ever done in the entire world, I'm so sorry. Um, I love being an auditor, to know, like, it's so good. Anyway, being one is also great because you have to do so much, and you're talking to, like, various teams that all are working with the same tech stack but they've all implemented 15 different ways for various different reasons, they don't talk to each other, and so they're like, it's like siblings, and you got to, like, try and mediate between them and understand things. So if you actually have the chance to be an auditor, I really can only audit in, like, big firms or, like, doing internal audit, and that's its own special place. Um, but you get to touch so much and learn so much, and, like, you are heavily building those relationships. Um, but I do definitely recommend it, or any job that actually has GRC in the title, it's positive, 'cause it's, in theory, in theory, that is what you'll be doing. Job works are a lie, job titles are a lie, you get there, you're doing something different. Um, I see heads nodding, we've all been there. Um, but yeah, I would say if you can get an, any entry-level job into security, and then you, like, to show, hey, I like to document things, or, hey, I like to have these conversations with people to translate from A to B, eventually you will probably see yourself very naturally going towards a GRC position, because a lot of companies still to this day don't realize they need GRC people until they're about to stare down an IPO, or until they have, like, some third party coming in saying you need to do this, that and the third. It's very much an afterthought, unfortunately. So there's that.

I'll just say generically, for any security role or early career, take the first job, especially if you can be in a client-facing or business-facing role, because you're going to learn so much about how the business operates, what the, you know, what essentially, you know, most companies are around to bring in money, right? And so, you know, being security professionals we are often in position of saying no, and, you know, how to say no, it's really about the risk conversation, right? Uh, you know, it's, this is really risky, this is less risky, do this. Um, it's, it's an art to say no, but you can't really say no, you can't tell them do this, not this, unless you understand the business. And so I found, at least early on, having the client-facing experience has, has been tremendous to be able to talk that business language.

I have so many thoughts, so I'm going to ask that you repeat the question so that I stay on question.

Um, it was, oh jeez, sorry, like, put me on the spot here. I'm like, oh, I can memorize it. No, I did not memorize it, my bad. What type of entry-level security roles are good if I want to pursue a future in, they originally asked GRC, AppSec, but choose your security poison.

So as someone who runs an AppSec team and got their start working in security in GRC, I have a lot of opinions. Um, I also took the first possible role that was offered to me, because I was at DEF CON and someone was like, why do you not work in security? And I was like, I don't know. Um, and he was like, you want a job? And I was like, yeah. And I'm still at SiriusXM, and so, and I've had, I think, six jobs in six years there, and so there's been a lot of, like, every year I start something new. Starting off in GRC, the first thing that I did was vendor risk and data governance, and I figured out vendor risk by reading the OCTAVE risk management framework, learning about NIST, and listening to way too many security podcasts, and that's how I leveled myself up enough that I could do the job that was coming up in a few months. I learned to code, and I figured out how to work a bunch of different systems. I figured out, I listened to the Security Now's How the Internet Works, I think it's episode 26 or 27, like, six times until I had digested it, and then read every book I could get my hands on. I used that in order to just feel ready for vendor risk.

It was a great first job. Data governance was also a really great sort of first step. And then we, and then we needed to hire a team; somehow I ended up in charge of that team, and I ended up being the person in charge of preparing ourselves for GDPR, CCPA, um, in the, on the security GRC side, and learning some of these niche things, the PCI stuff. We had to do all of our policy. Being a good writer, learning how to become a policy writer. I hired a contractor fresh out of college, super talented, great writer and really good at running people down, and his job was just to help us make our policies match PCI well enough that we were doing okay and that we were not lying, and that we, and making sure that we were doing what we said we were going to do in our policies. So these are all these entry-level jobs that I did my first two years working there. With AppSec, I leveled myself up really in a weird way, but basically, if you are a rockstar coder that then figures out how to break everything, not everything, break some things, and legally, please, um, being able to get your foot in the door, um, in an entry-level AppSec position really means that you understand the fundamentals of how code works, how checking code works, and how breaking code works. And so these are the things that I look for when I'm trying to hire this AppSec role. And so the, but more than anything I'm looking for someone that's incredibly curious, wants to figure things out, and doesn't frustrate easily, because that's my job. And so we need, those are the, those are the areas that, that I would say look for roles in those areas. If you can write code, you will probably be an incredible asset to any security team, because I will say right now that is probably one of the things that security just generally lacks, is people that are profoundly good developers, software developers, not just understand how to write code. Like, you can write scripts all day, that's cool. Um, but being able to profoundly write good secure code is something that you should develop in order to be able to make a really big difference in that entry-level career.

I'm sorry to tell you to, like, go climb Mount Everest now, but I'm going to go a little bit more meta and say, just apply for the job. Like, job descriptions are written looking for stupid unicorns that don't exist in the real world. Like, a hiring manager is lucky if they get something that meets two or three of the 10 required skills. So just go apply for the job and then fake it till you make it, man.

I used to joke, and I swear someday one of my managers is going to call me out on this, that I have never applied for a job that I thought I was actually qualified for, or even taken the said job. Like, I'm just like, I can do that. I totally have no idea what I'm doing most of the time. I like that first, I'm like, okay, I'm just going to learn everything, and that's the awesome part of onboarding, by the way, you have the time to learn the thing you don't know. So I'm always like, just, like, does it look cool, do you think you could do it, are you energetic? Like, go for it, like, just, just please try.

All right, so, so many questions, we're not going to get to all of them, I'm really sorry, folks. Um,

how do you know when it was the right time or you accumulated enough skills to move from IC into a leadership role I'm really curious I don't want to call anyone out but I'm always curious do you think leadership means management or do you just say is this just a leadership just more generalized how about we do this does everybody think leadership is management okay does anybody think that leadership doesn't have to be management okay okay well they have mostly like managers I just figur i' ask so what do you guys think sure whoever paper scissors all right um here I I'll give you my two second Pitch it's when you find yourself influencing more than

doing building nice s super similar to that Lee I think that when I decided to move into leadership technical leadership and then people leadership was the point at which I realized I was happiest at the end of the day when I'd spent the day helping other people figure out problems instead of figuring out the problem myself what Jess said you've probably already been thrown into leadership and had no idea you're just like wow oh my gosh and so I'd actually challenge everyone to take a step back in their life and realize when someone more times than that it's been someone else who who's thrown you into the role and you didn't know it like I

was a leader my sophomore year in high school when I was the captain of the drum line I'm 15 I'm full of hormones what am I doing ah um or when I was 19 and I was leading teams as a black hat volunteer and I'm like ah um so you've probably already done it it's just are you formally doing formally with air quotations and if it's at your job are you getting paid to do it that's another conversation [Music] though as the person here that is not a people manager officially um I definitely straddle the IC uh leader role officially but I will say that leadership comes from within you are always leading as someone who

works in security because you are probably one of the only people at your company that does the thing that you do um it is it is your job to lead whenever you're explaining what's going on with the system you're working on or what's happening with your with your services every time that you have to tell your boss something you are leading from the bottom up I read a not very good book that I won't tell you the name of so that you don't have to put yourself through it but it walks you through how to be a leader when you're not the person in charge of something and the takeaway was basically you're always in

charge of something and so just take the bull by the horns and do it um but being able to transition from sort of this like I was very much an IC with no leadership official role like to being told you are now the head of AppSec go um I super did not think I was ready there was nothing inside of my body that said that I was going to succeed the only thing that made it so that I felt like I could be successful as a leader was making sure I surrounded myself with people that were more confident in me than me so I would say making making sure that you have the support to to

lead if you're trying to do this transition um having people behind you when you feel like you need a little extra push in the leadership sphere being able to go to your CISO and say hey CISO I need you to back me up and him saying all right let's do this is probably one of the things that's going to help support you into moving into a more official capacity as a leader because you already are a leader okay so um I'll I'll flip this up a bit when did you decide that it was time to become a manager because we all talked about leadership it's awesome by the way to be a leader um in case

anyone's wondering I've been a manager and my answer for why I'm not today is I hate performance reviews so when did you guys decide that you want to be a manager I have always wanted to be a manager which I feel like a lot of people don't say but oh bye sorry it was just like mass exodus sorry to put like emphasis on y'all I'm so sorry bye um but no I've always wanted to be a manager and maybe it's because my grandma cursed me by saying I was like egotistical and so um but it is very fulfilling for me to are you talking about people manager or just manager manager yeah I mean

people management yeah performance reviews are not my jam Fair answer um I love helping people as much as I'm an introvert as much as you will hear me say if you come across me or my friends who've probably heard me say I hate people my God I really do um but there is something about still helping people that is genuinely satisfying to me um and mentoring them and supporting them and seeing them be successful is just really chef's kiss um so for me when I was starting to like see that was when I started to push more to be like there are so many not only that we've all probably within security have had that

person who was pushing into a people manager position and they sucked at it 'cause they didn't want to be there either um and there's laughter and head nods so and no disrespect Lea cuz I saw you raise your hand and I was like oh no um I don't want that like I want to try and avoid that as much as possible if you can actually have a person who wants to be an IC continue to be an IC great they're playing to their strengths let me play to my strengths as someone who feels like I'm very emotionally intelligent who wants to be helping people in that way who wants to be doing these things let's all just like play to

the best of both worlds and move on I had to really get over my ego to get into a manager role like the as maybe a little bit awkwardly turn this out there as a woman in tech like I always intentionally chose the most technical role that I could possibly find and then within that role the most technical projects to take on just because I felt like I always had to prove myself to the colleagues that I was working with and so then going into a manager role like I had to have a really long internal conversation with myself that it's okay to being a manager doesn't mean I'm not technical anymore right um and it's okay to take a step

over into the management space and recognize that that people leadership is a skill and a craft that you have to hone just as much as I did in a technical role um so so that right um and then for me like I was an NCO right and so um the NCO Creed sticks with me and there's a line in there all all soldiers deserve outstanding leadership and I will provide that leadership and that's always been kind of my mantra that I follow so um really once I got over the I don't have to prove myself to you anymore I'm going to go do what makes me happy and help everybody else was really what pulled me into a people

leader role okay that actually dovetails well into a question um and you can choose to answer this how you want I'm just going to put that out there um could you go over some of the issues you have faced being a fem presenting person within the security industry and community at general I totally botched that but idea being like what's it like to be a woman in security is the gist of it and I realized it's a hard question so that's why I had to warn them yeah man I there's been a lot um do you not like me anymore now no no this is a really good question and actually like I I've

been kind of thrown around the idea of like writing a book that says no I'm not your secretary and like real world examples plus how to actually handle those situations both you know in the first person and as an ally in the room coauthor that cuz I got a lot of stories about that like there a you know like Lean In when with like the support groups and the yeah we need that right um I mean things all the way from like we used to have to whenever we'd hire a new girl or a new lady in the office like warn her about the dirty old man to like don't be alone in the kitchen with

this guy to like I came into work one day and there was a live scorpion on my desk to just all kinds of things right and I think it's getting better but but what I worry about is is it getting better because of the position I have and so like nobody's going to bully me as a director but there's still bullying ICs and then also in this like new remote first world I can't go walk the floor of the SOC and like check the temperature in the room and make sure there's no inappropriate comments happening everything things you know in Slack groups that managers aren't invited to and so I worry a lot that like maybe things actually haven't

gotten better and really it's just in places that are hidden from leadership view I really want to tell two stories I was walking to the train station with my coworker and um I'd been spending a lot of time with the VP because we were doing a bunch of preparedness for some compliance stuff I had been just been working on making sure that our we were appropriately encrypting some data um and um he and I were talking about different encryption algorithms their merits when they should apply how to how how to appropriately use encryption we're walking to the train station he knows that I spend a lot of time with the VP his boss's boss's

boss who was my boss um and out of the goodness of his heart he said you know I don't know what you do in our organization are you are are you the VP's secretary in what world is the VP's secretary going to go into this incredibly in in-depth encryption discussion maybe in this world totally fair I don't work at a security company maybe but you know who knows it was shocking though that that was clearly as the only woman that worked in the entire organization of that part of the company outside of a couple of systems administrators for a very specific system I was the only woman that sat in that section I was the only woman that

sat with the systems administrators I was the only one sshing into these boxes and I was clearly the VP's secretary and I work at a super supportive amazing culturally not horrible company and so I was really shocked um I forgot my second story so I'm going to move this on um I'll say being a woman in tech or security being a person of color um especially early career there were a lot of things that happened that were slights you know that just for backhanded compliments or not and you it makes you question yourself you go back and go I'm not technical enough I don't know I can't talk like this person you know I didn't do programming I was just

never good at it um and you it you know it deprives you of confidence um it's taken a long time for me personally to get over that and and you know often I find myself in my last few years in the the only female in the room you know or the only person of color and female in the room and initially it was intimidating but I have now found myself I have to represent the people are not there I have to speak up and I have to bring a diverse viewpoint that's why I'm there in that room and so you know for me it's been really that journey of I just I have to show up I

have to turn my camera on and I have to speak up and provide that diverse viewpoint otherwise it's going to be left unsaid and so you know it loses it makes you lose confidence in yourself and your abilities uh but just believe in yourself I guess it's cliche but just believe in yourself and then you know it'll work itself

out this is one of my favorite topics oh my gosh uh let's see like I mentioned been in security for 15 years it is the only job only career that I have ever known which is very baffling to people when it's like oh my gosh how'd you get into sec it's like oh I don't know I've been here um so like put respect on it it's a it's a very sensitive point for me but anyway Hood uh let's see so I love being in meetings where I say an idea and no one says anything but then a man who's white says the same thing and everybody's like oh my gosh look at how original that idea is and it's like wow

I totally just said that so that's cool or being as uh people's calendars because of course I'm checking the other person's calendars if I don't have my own things to do or when I go to L Christmas party as you do and people walk up to you and you're with your partner and they're like oh my gosh are you in the security practice and I'm like no it's me Doo for anybody who watches anime um so yeah it's been tumultuous to say the least at this stage in my career and I will say again it comes with privilege I will never not say that you can come in out the gate swinging in the way that I do now if I

did before I would have been fired um I don't care anymore like at all I know I am one of the best in my industry at what I do and so you either put respect on it or you don't and it's fine if you don't because I will leave again I have no qualms for just going and find another job and I am thankful that I have had leaders uh as of late who are hyper supportive of me being just who I am uh in showing up as I do heavily tattooed my hair is in locs I dye my hair different colors I am very visibly black and a woman at work and if you do

not like that that is totally fine um and I don't care cuz it doesn't pay my bills at the end of every night and as my grandma used to tell me you don't sleep next to me at the end of every night so your opinion is null and void um I am thankful that there are certain parts of the community that I think are getting better if I look back to 15 years ago and when it was still called information and not even cyber security um but that is not to say that there are still not strides to be made like when going to DEF CON and people again asking like oh is who are you here

with your boyfriend or your husband and like no actually they're here with me well it's good like what you want to talk about and I have had that happen and then we locked eyes cuz we actually worked at the same company and he didn't know that he worked at the same company with me and the next year he locked eyes with me from across the room when we were doing our DEF CON debrief and I was like yeah it's me and he came up and talked to me afterwards and was like I am so sorry I was like yeah I bet you are um he doesn't live it down either I still like to remind him of that although we don't

work together anymore but anyway being a woman in tech honestly kind of sucks sometimes like I would never sugarcoat and be like it's so great no it's not um cuz people are still awful towards us but it has gotten better I would

say man that's amazing that's a power move that uh that score scorpion that wound up on my desk like my uh my boss walked by while I was freaking out and he was like no pets at work Jess and I was like thanks bro uh but I went gangster and I decorated that little scorpion's uh fishbowl and I figured out how to keep it alive and like me and that scorpion were bestest friends after that cuz you're not going to intimidate me like I don't care but like I I mean you made a good point right about the privilege that we have in the leadership roles now and that if you're starting out as an IC

like you don't have that safety net to be able to call BS when somebody's doing things or saying things that are unacceptable or inappropriate right so like call out or call it action to everybody here in this room that does have that the positional privilege and the authority and your orgs to be the ally and to provide that level of protection for people it kind of the litmus test for me right if I can't go home and share with my partner the comment that you made to me at work at the end of the day without worrying if my partner is going to get arrested the next time we like go out to a team

dinner because what you said was just completely disrespectful like you shouldn't say that at work right and as leaders we all have an obligation to create that safe work environment and inclusive work environment for everybody on our teams this is going to keep going oh I was gonna I got a story too like you know I know I'm moderating but I I got my story so let me do my story um yeah so at one point like and if you know me like this may amuse you a lot um I remember I was sitting in a room and I was disagreeing with the architect I mean I don't remember what the heck we're arguing over something to PKI I

just thought it was opinion was wrong like and I backed it up with like data cuz you know that's what you do and he got so mad at me he's getting madder and madder I'm really earlier in my career I was pretty good at egging people on I've tried to tone that down a little and uh finally snaps and he's like well I don't even know why I'm listening to you you were only hired for your soft skills now I'm fairly I'm I'm more junior at this time right I'm also like not a like there's so many reasons why at that time that comment was hilarious to me because it was so wrong like I was

uber technical and my soft skills sucked I didn't have leadership skills so that's why I became a TPM for God's sakes anyways I always think of that guy now and I like to look him up on LinkedIn to see what he's doing and hey man like I'm a principal security engineer so like enjoy your life like but also please don't ever say that oh my God pause for a second and if you think you're going to say something out of anger just leave the room don't say that to someone can I can I can I reverse power move real quick so we were in a negotiation with a third party and I was dealing with doing a

major sort of I'm going to call it an audit we were we were making sure that their security practices met our particular needs and that they were going to be able to handle our data appropriately so I'm working with them on this every time that I ask a question or say anything and we're kind of in the the legal negotiation part of the situation and every time that I say anything or my my co woman lawyer with with me uh there's two women in the room me and my the assistant general counsel I think I don't know um way up there on the legal org we're having a negotiation they will not listen to me so my I I

send a message to my VP same VP um and I say they're not listening he's like all right cancel the meeting reschedule it for you know in a couple days invite me cool um so we do that show up to the meeting he's like all right so hi I'm the VP of this technology org let's let's start this negotiation they start asking him questions and then he says I don't know I need to defer to my security expert Dayana and I would say something they would then talk over me or just you know he would repeat literally every single word I had just said and they would agree with him and this this is how the call went

he just repeated the word that I said verbatim so this was a reverse power move I had no power I was just nothing in the room to them and there was very little power I could assert but I went and I found my power partner and we worked as a team to make sure that we got what we needed to get and I wasn't able to just just you know leave the negotiation we needed to deal with this I didn't have the the internal strength or the the things after my name or whatever to make them respect me but he did and it sucks that that was the situation but these are kind of the

situations that you're going to get into as a fem presenting person sometimes and you got to figure out where your power move is and sometimes it's not you but an ally is pretty damn good it's a second second choice but let's do it all right awesome that was that was great that was great wasn't that great how do you feel now are you like feeling good no okay um anyways we are like way over time thank you for being an awesome audience I've got our uh names if you took the photo feel free to hit us up on LinkedIn we'll be floating around ask us the like bajillion questions you all sent in that we didn't have time for

thank you for all that thank you for participating enjoy the rest of your day folks
