Code as Critical Infrastructure, Entrepreneurship, and Funding Innovation

S3 E48 · Bare Knuckles and Brass Tacks

Tanya Janca joins the show this week, with unique perspective on building secure software and advocating for better cybersecurity policy.

George K and George A talk to Tanya about:

  • Her transition from 14 years as a Canadian public servant to private sector entrepreneurship
  • The core values that guide her work: performing good and moving the industry toward secure software
  • Entrepreneurship since age 19: solving real problems that hurt badly enough for people to pay
  • Civil advocacy for security by design policies and challenging inadequate government cybersecurity practices

Tanya's perspective on building businesses around genuine problem-solving rather than just seeking acquisition or wealth creation offers valuable insights for any founder. 

Whether you're interested in secure coding, entrepreneurship, or how to advocate for better cybersecurity policy, this episode delivers actionable insights from someone who's been in the trenches and made real impact.

Transcript

Software as Critical Infrastructure

00:00:00
Speaker
I feel that the software that runs our country is part of critical infrastructure. So I don't just think that a power plant and like a physical thing is critical infrastructure. I believe that if all the software that makes all the things happen goes down, we're just in as bad of a spot.

Introduction to Bare Knuckles and Brass Tacks and Tanya Janca

00:00:28
Speaker
Yo, this is Bare Knuckles and Brass Tacks. This is the technology podcast that tackles the human side of the industry. And today's guest is Tanya Janca, long-time secure coding evangelist. She has been, I don't know, a founder-entrepreneur since she was 19. There's a lot in this episode. There's policy.
00:00:50
Speaker
There is critical infrastructure. There is entrepreneurship. There is how do we better the Canadian economy? This is like a full-bore Canada episode. And as the American, I am here for it.
00:01:02
Speaker
Yeah, this was, not going to lie to you. Folks, our American friends who are listening right now, we went peak Canadiana. Yeah. The beauty of Tanya, and really, like, I've been following her career for a while because she was from Ottawa before she moved out west.
00:01:19
Speaker
I remember my first B-Sides, she was one of the first speakers I ever saw live, like when I first joined the industry. So I'd known her for a long time. It was cool to finally get her out here.
00:01:30
Speaker
She is someone who has the rare mix, who she is equally as technical as she is detail-oriented from a policy standpoint. And honestly, the vibe of just like, I don't know, fuck it. Let's just try it. See what happens.
00:01:47
Speaker
That is her. So I'm so pleased that we were able to bring this type of energy to our show. And especially, you know, finally a Canadian cyber kind of staple. I appreciate that you allowed me to go me on this, George. And this is just really good fun.
00:02:04
Speaker
Yeah, it's a... I learned a lot. So let's turn it over to Tanya.

Tanya Janca's Career and New Book

00:02:09
Speaker
Tanya Janca, welcome to the show. Thank you so much for having me. Yeah, we are very pleased to have you.
00:02:17
Speaker
You are a purple teamer. You have done the code. You have done the hacking, but you're also on the vendor side. So by the rules of the show, that entitles George A., the CISO, to have first crack. So take it away.
00:02:31
Speaker
Awesome. Thank you, George. Tanya, good to talk to you again, friend. It's been a minute. The last time we saw each other might have been, was it B-Sides? Yep. B-Sides Ottawa.
00:02:43
Speaker
We had like an accidental panel together. It was kind of hilarious. I thought it was great. Oh, it was super fun. I'm just saying the entire Policy Village experience, which, by the way, was highly reviewed.
00:02:57
Speaker
We definitely just threw that together as we were going. Hey, sometimes you gotta raw-dog it and it's fine. And it looks great and it works out and, you know, don't overthink it, guys.
00:03:08
Speaker
Appreciate that. So let's hear about what's been happening with you, let's say since that B-Sides, which I believe was November last year. I have released a new book since then.
00:03:23
Speaker
So I wrote another Alice and Bob Learn book, this one about secure coding. And so I've been doing lots of talks about secure coding. And then like now conferences are starting to book me to do trainings.
00:03:38
Speaker
So like a deep dive into JavaScript, for instance, and like exactly what features you should use and then which ones are sort of the danger zone and then like common issues that people have.
00:03:50
Speaker
And so I'm doing that with all sorts of different languages, but JavaScript seems to be the super hot one right now that conferences are saying yes to a lot more often, because everything is built in JS, so you know that.
00:04:00
Speaker
Exactly, it's very popular. I have to say, though, this is just to clarify to folks so people understand the technical background and like the rich history you have. And it's like, I don't... like George A would know this, but you were like a public servant in Canada for like 10 years doing this as like a very, very quiet civil servant federally for us before you kind of went off and then took over the world.
00:04:26
Speaker
The type of coding that you're teaching is actually traditional old-school pattern-based analysis and code building and not, essentially, how to prompt your vibe code in, right?
00:04:41
Speaker
Yes, I'm doing the old school where you actually write your own code. Although, however, starting in September, I'm teaching how to use AI more securely. My first

AI Tools in Secure Coding

00:04:51
Speaker
client got booked. I actually just signed right before this.
00:04:54
Speaker
So that's exciting that now I get to do like how to vibe code a lot more safely. And just like, I think a lot of the key is reviewing the code to make sure it's safe. So if you can't understand the code you're getting, whether it's from Stack Overflow, whether it's from your colleague, whether it's from an AI, if you don't understand it, should you check it in?
00:05:15
Speaker
Just compile it, ship it, let's go. Yeah. Let's deploy to production, everyone. How about we go? George, over to you. Yeah, well, that's a great segue, Tanya. I was going to ask. It's interesting to me how much you're getting booked about this,
00:05:34
Speaker
secure coding, which tells me there is still very much demand around an audience of software engineers, despite what LinkedIn would have us believe, which is like, you only need two now and a few LLMs, right?
00:05:46
Speaker
But you're sort of on the cutting edge there between a generation who knows, the generation who's learning, and a generation that might be leaning, I would say, on LLMs.
00:05:59
Speaker
So yeah, I guess I wanna give you space to talk a little bit there about like how you're taking the principles that, you know, you've stood on for a number of years and how you're gonna translate that to a generation that is, I think, maybe very eager to just lean on AI to do a lot of the coding for them.
00:06:19
Speaker
I think it's totally okay to lean on all your tools. Right. Like whether you're using, you know, a zillion different cool plugins in your IDE to help you do various things. So for instance, like, I often use the 42Crunch plugin for APIs to help me harden my,
00:06:39
Speaker
like my OpenAPI file to just make sure like, oh, did I miss this? Did I miss that? I use, I mean, I work at Semgrep, I probably use that one. But like, there's all sorts of cool tools that you can use that help you write better code. And so AI is one of them.
00:06:54
Speaker
The issue is when we don't read the thing that comes out of it and just copy and paste and then move on. And I remember, a million years ago, I was working at the Department of Justice on some top secret stuff.
00:07:10
Speaker
And I had to apply redactions. But I was applying redactions to thousands and thousands and thousands and thousands of documents, like in one go. And I messed it up. Basically, like I got nervous because the database thing was running so long.
00:07:24
Speaker
I paused it and then I ran it again. And so then I had double redactions, and I had to remove my double redactions. And I remember like going on Stack Overflow, 4 Guys from Rolla because I'm that old, and all sorts of other sites, and finding some code and being like, if I don't understand it, I don't think I can run it on our production top secret database, right?
00:07:45
Speaker
In top secret databases, they don't have like a lot of backups because they're top secret, because then you have to do so much work to protect them, right? So we didn't have a backup.
00:07:57
Speaker
Like it was, there's no dev, there's no QA, there's just prod. And so I remember like really fussing over it a lot and then making my boss come and review the code with me and walk him through it. And he's like, honestly, Tanya, like no one really understands what you, you know.
00:08:14
Speaker
I was just like, oh. But then we ran it and everything was fine. And it fixed all my double redactions that I was all upset about. However, I mean, like if you redact something twice, it's just two black boxes on top of each other. The lawyers are like, you're overreacting. It's fine. But anyway, the key is taking the time to review and analyze and also like make things your own.
00:08:38
Speaker
Like whenever I get the AI to write something up, I'm always like, that sounds like crap. Yeah. And then I joke, I call it Tanya-izing it. But you want to make whatever it is your own, whether it's your code or it's not your code.
00:08:53
Speaker
I'm actually creating a new course for Semgrep Academy called Semgrep for Devs, which will be free, like everything in there. And so my boss was like, oh, I need you to make an intentionally vulnerable app. I'm like, oh, it's great. I'll just ask the AI to make an app and it'll just be vulnerable. Yes, vulnerable by default.
00:09:10
Speaker
Vulnerable by design. That's what we're going to call it. Vulnerable by design. Yeah. Well, like whenever I'm making coding samples for training, I do this thing called bad, better, best. And so I start with bad code. So we have a lesson. Like, let's say it's input validation or HTTPS everywhere, whatever it is, what I want them to do.
00:09:28
Speaker
And the bad code, of course, doesn't do the same. Right. And so when I ask the AI to do the code, I'd say 85, 90% of the time, perfect code. It's perfect bad code. I don't have to edit out anything. It's totally screwed it up. And I'm like, sweet.
00:09:42
Speaker
And then I just add defenses and add. So then it's better. I added. And then it's best when I've added like multiple layers of hardening. Right. And I'm just like, thanks, guys. And so, yeah, I asked it to make it more vulnerable. So it's the world's ugliest plant store. I was like, I want you to sell plants and everything's going to be pink or purple, 'cause that's what I like. And it's really, really terrible.
00:10:04
Speaker
And I was like, I want the whole OWASP Top 10 in there. And it's like, watch me go. Like you could hear the AI like cracking its knuckles. It's like, let's do this. I'm Claude. It's going to be awful.

Early InfoSec Experiences and Government Work

00:10:16
Speaker
Yeah, it's great.
00:10:17
Speaker
It's very broken. Wow, that's a good answer. Yeah, so that's kind of funny. Just like, you're talking about the Department of Justice story there, and all I could think of was just like, that is a nightmare of an ATIP request.
00:10:30
Speaker
It sounds like it was, yeah, a good time. Yeah, when I worked there, I had to do the ATIP request for Maher Arar. Oh no. Whoa. Yeah. And I had nightmares all the time at the publicly released data for that.
00:10:45
Speaker
And I ended up doing counterterrorism and I ended up just having nightmares every single night. And that was actually my first foray into information security in like 2006. And I was just like, I'm not tough enough to work in InfoSec. That's what I thought.
00:10:58
Speaker
And so I went back to programming and then years later, an ethical hacker changed my mind. Right. And so a lot of people don't have the best first experience with InfoSec and then they might leave, not realizing like you don't have to look at terrible, terrible, terrible things every day or read things that make you need to go to therapy in order to like work in InfoSec. There's lots of jobs for those of us that are more sensitive.
00:11:24
Speaker
I mean, like accidenting yourself into, you know, counterinsurgency operations or like support to CI ops. And like, I lived that world too and like in uniform. So it was just like, I understand, because like at least we get a little bit of warning, but I can only imagine if you're like in a civilian position and you're like just suddenly like, okay, your task is now this profile. And you're just like, okay.
00:11:49
Speaker
Okay, cool. Like, it just reminds me of like, even like Jeffrey Delisle when that thing happened. He was a dude who kind of like tried to sell secrets to the Russians and I went to university with him and that was like a thing at RMC.
00:12:05
Speaker
Yeah, so that, and again, all the intrigue. I digress. I actually want to talk about policy with you. We did a Policy Village together, and you have done a ton of advocacy work for better policy from government up here.
00:12:21
Speaker
If you could help our listeners who are in America, could we perhaps get your... let's say your current state assessment as to Canadian governmental policy when it comes to cybersecurity issues and/or defending our national supply chain.
00:12:43
Speaker
I actually literally like yesterday was reviewing their 2025 strategy from like the Canadian Centre for Cyber Security, I think they call it, or cyber.gc.ca, which is a little easier.

Canada's Cybersecurity Policies and Challenges

00:12:57
Speaker
It's our CISA for our American fans. Sorry. Okay. Yeah, it's our cyber agency. It's like the really, really, really smart folks.
00:13:10
Speaker
And they have a bunch of different things. So they have guidance online about how to protect the software supply chain that I feel is decent, but not affordable.
00:13:22
Speaker
So everything they suggest is manual. So no software composition analysis to analyze your dependencies. All their advice is like all manual things you should do, which I don't feel is reasonable. Like if it's not scalable, it's not affordable, people aren't going to do it.
00:13:36
Speaker
I do think the advice is good, but we need automation, like whenever possible. And I realize like I work at a vendor that sells one of those things. But even if I didn't, like before I worked for them, I said the same thing. Like we just can't manually look at every single library. Like we just can't.
00:13:54
Speaker
Or we're just tying both our hands behind our backs and tying our ankles together too, right? Like it's just, it's not reasonable. I don't know what they're doing to protect.
00:14:05
Speaker
So when you say supply chain, do you mean like food and all sorts of other things or do you mean just like software related? Categorized as a critical infrastructure industry.
00:14:16
Speaker
So they are supposed to be partnering with industry about cybersecurity and they're pretty vague on what they're doing. One of the things they're doing is trying to create some sort of certification approval for IoT devices, which sounds so good.
00:14:34
Speaker
And then they're supposed to be partnering with private industry, but it's very vague as to exactly what their plan is. They're supposed to be partnering with the educational, basically there's a university program and a college program, of all the tons and tons and tons of many, many programs, that they are currently trying to partner with.
00:14:57
Speaker
And it's like, if we give them funding, I think you should be like, guess what? If you want the funding next year, you're our partner now, but that's me. So like they're doing some things, but as for protecting like critical infrastructure overall, I'm,
00:15:11
Speaker
I'm not sure if it's a secret, right? So what I've seen, I'm like, hmm. I feel that the software that runs our country is part of critical infrastructure. So I don't just think that a power plant and like a physical thing is critical infrastructure. I believe that if all the software that makes all the things happen goes down, we're just in as bad of a spot.
00:15:40
Speaker
I'm not sure if you're aware, but like most governmental departments, they have like a list of five mission-critical pieces of software. And one of them is always their website. And I remember being like, who gives a crap if our website goes down? They're like, literally people start panicking and there'll be riots if the government's website just goes down. Like public perception.
00:16:03
Speaker
Mm-hmm. There will be literal panic, like crimes will happen. Like they're like, we're not kidding. If it goes down for a few hours, it's really serious. And when I was at Elections and I was the CISO there and the election was happening on election day, we went down for, I believe, three or four minutes, which,
00:16:21
Speaker
To be quite blunt, we weren't expecting 23 million Canadians to all visit the site at the exact same minute. Because we have five time zones, or is it six across Canada? I know we have five at least.
00:16:33
Speaker
And so as a result, we weren't expecting literally all of us to all get online at the exact same time, but apparently we did. And so we went down for like under five minutes. We got back up very quickly. I was super impressed with my team. But like that was like, OK, now I'm going to go answer the 400 news people that just called because we just went down. And we're like, oh my gosh, we're being attacked. They're like, no, it's legit traffic from Canadians. And we're like, oh, OK, we'll let them on in.
00:17:01
Speaker
Right. Yeah. So. I feel like we don't have a plan for software right now. If you look on the internet, there's their plan for software.
00:17:13
Speaker
There's a document, which of course I don't have the name of, like I could get it for you if you give me like two seconds. The second, where is it? So there is guidance from the CCCS and it is kind of vague.
00:17:30
Speaker
So basically like the main thing that they have is the software security code of practice. It's not mandatory. So that means no departments have to follow it. Right. And then when I looked through it, there's four sections and one section of them is about code. And there's only actually four things that relate to coding.
00:17:49
Speaker
And one is you should practice secure by design, and that's it. And like, what does that mean? Like, that's like saying you should just write better code.
00:18:01
Speaker
What if you just sucked less? Do you think then that the CAN CyberSecure framework absolutely missed that? Because that was supposed to be the solution, right? And so I actually didn't go through that because I was focusing specifically on like governmental assets, like securing the critical infrastructure that the Canadian government maintains. But you're right that private industry, when it gets past a certain point, it becomes critical infrastructure. So for instance, like, correct, when Rogers went down for, yeah. And like people in parts of the country couldn't call 911, right? We don't even know if there were deaths.
00:18:39
Speaker
And so like that, to me, it becomes critical infrastructure. So you're right that private industry can get there. Definitely. I would say like, 'cause we only really have three telecommunication companies.
00:18:51
Speaker
Yeah. I would say that that qualifies as critical infrastructure. So maybe I do need to review that document some more. I know that the CCCS has a site called Protecting Your Website and it's decent. It's not bad. Like it's very beginner. It's like, you know, you should scan it with ZAP and maybe fix the things you find. You should run Semgrep on it and you should maybe fix the things you find. And it's like very basic advice to secure, like I would say, a website versus a web app.
00:19:18
Speaker
And like, it's not bad. Like if I was gonna rate it, I would be like, there's like kindergarten, grade one, like it's a good beginning. It's not where we need to go.
00:19:29
Speaker
So why don't we pivot here, Tanya, to some of the lobbying that you have been doing and talk a little bit about that policy. Like where's that policy focus that's got your attention?
00:19:42
Speaker
So I used to work at the Canada Revenue Agency and I wrote their web app security policy. And so then after that, I worked at PSPC and I tried to write one for them.
00:19:56
Speaker
And I kind of just kept going down this path, right. And then I left the government and I started getting contracts where I would be writing secure coding guidelines, writing policies. And then, of course, then I wrote books. Right. And the first book had a more basic one. The second one
00:20:10
Speaker
has quite an extensive, basically a summary that you can download that has the 48 things I think you must do to create software good enough to go on the internet.
00:20:22
Speaker
And so my advocacy started with CRA. So one day I went to log in to the Canada Revenue Agency, which for American listeners is like the IRS. I own a business, which means I absolutely have to log in at least once a month. And I'm a citizen, which means I have to file my taxes at least once a year. So bare minimum, I'm in there at least once a month, but let's face it, it's a lot more often because they pay close attention to people like me that run more than one business.
00:20:47
Speaker
So you have to use their site. The other option is waiting on hold for up to eight, 10 hours at a time. It's just not acceptable. You have work to do. And so when you log into their site, the terms of service say that they are not liable if they lose your data.
00:21:04
Speaker
because the internet's not safe and they've done every single reasonable thing they can do to protect your data. But then I look in my little web developer tools in my browser and it's like, oh, the cookie doesn't have any of the security settings. They're not using any security headers.
00:21:21
Speaker
Like all the things that I would consider super basic web hygiene aren't there. And so I wrote them and was like, I'm not okay with this. I don't accept your terms. And they're like, well, then you can just like write us letters from now on. And I was like, well, clearly I can't do that, right? Like I can't conduct my business. Like you have to pay fees each month and do all this fancy stuff.
00:21:43
Speaker
And so I kept writing them and asking them for

Web Security Policies and the Canada Revenue Agency

00:21:46
Speaker
details, et cetera. And they wouldn't write me back. I escalated to the prime minister's office, et cetera. But eventually I realized I wasn't gonna get anywhere with them.
00:21:53
Speaker
Like I went so far as to visit Ottawa and speak at an event where I knew their chief information officer was, and made a speech about how their terms of service were shit. And then I went and spoke to him after in the hallway, very politely, because I'm Canadian.
00:22:07
Speaker
If I'm not polite, they'll throw me out. And so we spoke about it. And he's like, how do you know what this says? Like, how would you know what our policy is? I'm like, I wrote it when I worked for you and you're not following it. And I'm upset. I'm a citizen and I demand more. And he's just like... Flex, man. Civil flex is what that is. Yeah.
00:22:24
Speaker
I know, because otherwise I wouldn't know what it says, right? I am suggesting something much stricter than that now because times have changed. Things have changed. The way we write things has changed. So then more recently when my book came out, I created a policy from the new book and was like, this is super concise, it's super actionable, let's do this. And so my member of parliament at the time, Alistair MacGregor, was like, yeah, yeah.
00:22:52
Speaker
And so he and I did this letter-writing campaign where we wrote the head of the military, the head of Shared Services, the head of Public Safety. I wrote the privacy commissioner because you cannot have privacy without security.
00:23:04
Speaker
You can have security without privacy though, Google. However, so I wrote all these people and none of them wrote back. Then we had an election. Unfortunately, Alistair didn't get back in. I voted for him, but apparently not enough other people felt how I did. And so now we have a new MP and I've been writing him. I haven't heard back from him.
00:23:25
Speaker
Now I have a petition going. So generally in Canada, what you want is to have an MP that backs you. And then you do a petition with the House of Commons and then you get 500 signatures and then they have to hear you.
00:23:40
Speaker
However, you can't do that without a member of parliament. So what I'm trying to do right now is find a member of parliament that will support this. And like, I've written mine twice now and I've phoned and I'm just gonna keep, you know, gently, politely and respectfully being very annoying until hopefully he gives me the time of day, but I'm trying to approach other MPs now. And so part of the petition is like, contact your MP, ask if they'll support me.
00:24:05
Speaker
But so the petition I'm writing is a general petition on ipetition.com or whatever it is. If I get enough of those and I show it to an MP, I'm hoping that then they will support it.
00:24:17
Speaker
Hey, listeners, if you dig the snark, the stories and the big swings we take, we'd appreciate your support. You can now become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as one dollar per month. Just follow the link in the show notes.
00:24:40
Speaker
Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop and even advisory services for your team. So really, for less than you'd pay for one cup of coffee per month, you can support the show.
00:24:57
Speaker
It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is valuable to you. Many thanks to listener Elizabeth Ramirez for her recent pledge of support. We'd love to have yours too.
00:25:10
Speaker
Now, back to the show. Yeah, man, I love this. We talk about cyber at these macro policy levels, but we do not talk about it enough. Got to change it on the show, maybe about this sort of ground-up citizen-led inquiries into, as you said, basic infrastructure, but which is in some part critical to the revenue of the state and transacts in some of the most sensitive data of Canadian citizens. So, I mean, good on you.
00:25:47
Speaker
Yeah. Like CRA lost my parents' identities on the internet and now they have to have credit monitoring for the rest of their lives. And now, you know, they always have questions like, do you think this is someone stealing my identity?
00:25:59
Speaker
And it's just... Yes, unacceptable. It's just unacceptable. We should be able to trust our public servants. And I know there are many amazing, super awesome, outstanding public servants, but we need to have some leadership in

Leadership and Security Culture in Public Services

00:26:16
Speaker
order to get there, right? Like, it doesn't matter if there's some dev that's like, I really love security and I want this to happen if that's not what that person is assigned as their work.
00:26:24
Speaker
Mm-hmm. It's just, they they can't just go be cowboys doing security off the side of their desk. It's not allowed really. i yeah I have to give you um a recommendation. And I love this, that we get to a nerd about, like K and Pauly, on like the show, because we never get to do this.
00:26:42
Speaker
um If you get a hold of Alexandre Boulerice, he's the ah MP for Rosemont La Petite Petrie in Quebec. He's super technically savvy, and he can understand the issue.
00:26:56
Speaker
That's awesome. I mean, and one of the things that I wanted to say earlier when you were describing the policy of basically suck less, write better code is this. I mean, i don't know anything as the American in the bunch, but.
00:27:11
Speaker
It just sounds like what we have here in the U.S., which is the vast majority of our elected officials are lawyers and actually not technologists. So when they write things about technology, it's like, oh, you're writing just use security by design because you don't know anything about how stuff is built. Oh, did you remember the Cambridge Analytica hearings? Yes. Like Zuckerberg. like What is the Internet? Yes.
00:27:35
Speaker
Yes. Yes. How, how, how does it transmit from here to there? Is it like radio waves? Oh my God. Um, yeah. And you raise a good point on it inadvertently, right? Like a lot of the things that we face in both countries, whether it's climate, cyber, um,
00:27:55
Speaker
even renewable technology, like there's so much science ahead of us. And if our elected officials don't have, they can't just have staffers, right? They have to have like a basic technical acumen about some of this stuff.
00:28:11
Speaker
And that's what's sort of driving me crazy is because it's like me arguing with my mom all the time, basically. It's like how we try to get jammed technology policy through.
00:28:24
Speaker
Well, maybe we need to have technical advisors. So like a thing that I do, so I do too many things and I'm a technical advisor for some startups and I just give them technical advice. Like sometimes it's product market fit or features that they need, but sometimes it's like, if you architect it like this, it'll run faster and people want things to run fast.
00:28:46
Speaker
Right. And when I was in the Canadian government, one of the positions I held for quite a while was technical advisor. and then Enterprise Architect and and then InfoSec, et cetera, right? Because I was there a while.
00:28:57
Speaker
And like, why would politicians not have yeah a technical advisor or a technical briefing? Like I know in the United States, um a couple of times they've had information security folks like Katie, Missouri,
00:29:13
Speaker
um address the Congress and like explain things from a technical perspective. yeah I don't know. I did. um I did ah influence operations briefings for the Senate ah staffing caucus. So i was like briefing the staffers because they were the ones who would then,
00:29:30
Speaker
have to ladder up the messaging and stuff for elected officials. But yes, 100%. And some, at least in the US, it's uneven because some people who take it seriously dedicate part of their payroll to having like a cybersecurity staffer or a climate change staffer. But it's catch as catch can, right? If you don't value that, then you don't pay for that. And then you don't have that in your ear.
00:29:54
Speaker
But yeah, I want to pivot right here in the second part of the show. So you said you run multiple companies.

Tanya Janca's Entrepreneurial Journey

00:30:01
Speaker
So just want to get your take here on that intellectual leap from going practitioner, founder, entrepreneur. It's a different reflex. And just want to give you the space to talk about how you either discovered that entrepreneurial swagger and then you know how you've run it so far.
00:30:23
Speaker
So I started my first business when I was 19. And I basically wanted to play music in bars and very quickly I realized, oh, if I organize the concert with other bands, like different bands, I can make more money and then actually be able to afford to do this.
00:30:44
Speaker
And yeah. And then I figured out, oh, like if I make my own little record label, then I can afford to put out albums because if I pay someone else to do it, I'm never gonna be able to afford this.
00:30:56
Speaker
And so figuring out how to do a tour, figuring out how to run like lots and lots of different concerts at different bars, eventually like I ended up organizing music festivals, although I didn't run the whole festival.
00:31:09
Speaker
I was part of a team. And so I started running small businesses right away. And then when I graduated college at age 23. And like the whole time I was like playing music everywhere and then working at a startup because obviously just going to college for computer science isn't enough of stuff to do.
00:31:30
Speaker
So then I started my first startup and basically our entire business model was what Netflix does today. And I didn't know how to raise funds. And so we just kept trying to be profitable immediately. So that didn't go very well.
00:31:45
Speaker
And then I ran like a little contracting company of one. So that's not really entrepreneurship. So then I joined the government and I was still playing music all the time, running like bigger and bigger concerts, releasing more albums. I released five solo albums. I released albums with different bands.
00:32:03
Speaker
I was mentioned in Rolling Stone one year. I was like, you know, I'm on Spotify. I played the Vans Warped Tour. Like I did lots of stuff and that was awesome. And that kept me like quite entertained for a while.
00:32:17
Speaker
Then I was like, oh, this isn't enough. So then I started a yoga company where I would have... Tanya, you sound over-employed. I know.
00:32:28
Speaker
I really like... So while I was doing all the other stuff, I was like, really like doing yoga at lunch. And so my sister, like one of my sisters had taken this yoga training class. And so I had her come in and teach yoga at lunch.
00:32:42
Speaker
And then all my... friends were really jealous. They're like, I can't believe you just have someone come into your office building. You use one of the big meeting rooms and you just all do yoga at lunch. And my sister thought it was great. She didn't have to pay all the yoga studio fees. She just got to keep the money. Everyone else thought it was great because it's half the price.
00:32:59
Speaker
Like she's getting paid twice as much. They're paying half as much. Awesome. So I'm like, what if there was a middleman or a middle woman? So then I started like sending yoga ladies everywhere all over Ottawa. And so after that,
00:33:12
Speaker
Once I started doing cybersecurity, I was like, well, immediately I'm going to do a small consultancy on the side where I pen test stuff. And then I started getting paid to speak. I started like people started asking me, will you come train our devs? And I was like, sure.
00:33:25
Speaker
And then here I am at Microsoft and I left Microsoft to start a startup. Me and a friend started a company where we were going to make a product and the product was going to solve the inventory problem. So for those of you that don't know,
00:33:40
Speaker
finding all your APIs and all your different pieces of software, like software as a service, custom software scripts. Like there's so much software out there and you don't know you have it, which means you can't protect it.
00:33:51
Speaker
And so we started a company to do that, but we exploded very quickly. It took us 10 weeks. So if you're going to fail, you should fail fast. Yes, a thousand percent. Yeah. And then there I am, like I've quit my job at Microsoft.
00:34:05
Speaker
I have this huge nest egg saved up so I can start a company and I have nothing to do. And so my friend Karen said, well, I would pay money to read your blog.
00:34:16
Speaker
And I was like, my blog's free. And she's like, people would like to pay money to read your blog. I'm like, no one wants to pay for things that are free. She's like, some of them do. And I figured out that I could just, I could make a community and I could still give tons of content away for free, but I would get some of it.
00:34:35
Speaker
And so basically people that wanted to participate more and like spend time with me and get like more regular lessons and things like that, they'd be happy to pay seven bucks a month. Like, it's like you're buying someone a nice latte.
00:34:48
Speaker
Do you know what I mean? And so that turned into an entire academy and community called We Hack Purple. And it just got bigger and bigger. Like our community had like 13,000 people in it at one point. We had almost 10,000 students in the academy at one point. And then we got acquired by Semgrep.
00:35:04
Speaker
Thanks guys. Yeah. And so I've been just kind of, and the whole time I've worked at Semgrep, I'm still doing secure coding training because like I thought when I made my entire academy catalog free, I was like, oh, no one's going to hire me anymore. People wanted to hire me more than ever before. They're like, this live, this will be so much better. Then we can pepper you with questions the whole time.
00:35:26
Speaker
Then it can be updated because when you give live training, you always like update everything. So it's like perfectly fresh. Right. And so yeah, the whole time I've still been doing that. And like, I didn't even like advertise it really. And people are just like, yo, it's been a year, get back here.
00:35:42
Speaker
Like, oh, yes, sir. So I feel like being an entrepreneur or a founder, it's kind of like built into you, if that makes sense, from the beginning.
00:35:56
Speaker
Like you just can't help but want to solve problems. So I also own like a farm and grow vegetables and flowers. And I kid you not, like I just kept growing vegetables because that is a hobby, and I also like, I have like dietary issues. I can't eat gluten, I can't eat corn, so I mostly have to eat unprocessed foods. So I'm like, well, I might as well just grow them so they're free, right? And then someone was giving it to all my neighbors and they're like, you need a farm stand. I would like to purchase them from you. And I was like, oh, okay. And then I was growing flowers. Got to listen to the market, Tanya. Got to listen to the market.
00:36:33
Speaker
I know. And so like, here I am just growing flowers at the front of my property. So it looks pretty. And someone's at the farm stand and they're like, hey, how much are those flowers? And I look at them. I'm like, they're a dollar. And she's like, I'll take 10.
00:36:43
Speaker
I'm like, okay. And then like I sold like five or six thousand dollars worth of flowers on the end of my driveway last year. I know. And like, well, wait, wait, I want to think. One thing that George and I have harped on a lot on the show is a lot of security tooling that comes out.
00:37:03
Speaker
It feels like it's not actually solving a problem. It feels like, oh, I see that you started this because you want to be acquired by Google. Like the way that it's like architected or whatever, right? A feature.
00:37:14
Speaker
Yeah, it's like you, it's just a feature. But I like that you, so what you said there is that, and it comes through very much in your story, right? Like, how do I play in more bars and make a living wage? I have to start this business, right? So I like that you come at it from how do I solve a problem, which is also very much, essentially, a secure coding challenge, right? How do I solve this problem, get this data to pass through this, but not, you know, be accessible here.
00:37:43
Speaker
Anyway, that's a very interesting, we've never heard that. We've never heard like entrepreneurship is solving a problem versus like, I just have this wild delusion and I want to make a lot of money. If you want to make a lot of money, you need to solve a problem that is, that hurts so bad.
00:37:59
Speaker
that people are willing to pay to solve it, or do a thing that's so fun, people are willing to give you money to experience or do or have the thing.
00:38:11
Speaker
So with yoga, the thing is like people want to be fitter. People want to be more flexible. People want to have the image that they're a person that does yoga. People want to look cute in their little yoga pants, whatever the thing is, right? Like you're solving an issue for them.
00:38:26
Speaker
Maybe it's just, I'm bored at lunch, right? To be quite blunt, like it's something fun to do. Like, I don't know, I am a huge yoga fan. And so if you are not solving a problem that really hurts, no one's gonna buy your thing, especially if your thing's expensive.
00:38:45
Speaker
And so people that wanna start a company to get rich, but don't really passionately wanna solve a problem, sometimes they get lost. And if you start a company with the sole goal of being acquired, that's okay as long as you're going to go in the acquisition and still solve that problem.
00:39:04
Speaker
Does that make sense? So like, when I agreed to be acquired by Semgrep, like the deal was I wanted all the things to be free and they're such hippies. They're so great. They're like, dude, we give our product away for free. Like we are so down.
00:39:16
Speaker
And I was like, you know, I want to build community. I want to like have people connect. I want to teach and like have people. And they're like, yes, this is so us. Right. And that's why it was such a good match.
00:39:29
Speaker
But I had people offer like basically more money to put every single thing I ever do behind a paywall. And I was like, so one of my career goals. So I have two like overarching kind of mission goals. And one is to perform good in this world.
00:39:46
Speaker
And perform good. I mean, like Superman, not programmer. Yeah. And the other one is that I need to meaningfully move our industry forward to create more secure software.
00:39:59
Speaker
I don't necessarily need to sell them a product to do that, but I need us to all make better, more secure, safer, reliable software. And that is basically the same as the Semgrep mission. It's worded differently, but basically, like they're like, oh, that's what you want. And they showed me their mission. I was like, oh. But I feel like every single thing I do, I'm trying to get to one or both of those things. Right. And if you are starting a company and you don't have that, you don't have
00:40:31
Speaker
Like a North Star. Yeah. Yeah. Like, you know how companies will have like their values on the wall. So We Hack Purple had values and like accessibility was one of our values. And we would spend a small fortune, like translating things and getting captions and other things like that.
00:40:47
Speaker
And like doing lots of things to make sure people who don't have the same visual abilities that I do can see or can fully participate.
00:40:57
Speaker
People that can't hear can fully participate. People for whom English is like their fifth language that they can fully participate, right? We really wanted to have diversity. We wanted to not just be a whole bunch of cis straight white dudes.
00:41:11
Speaker
Like I was like, I want everyone to join security. Not all, like I really want more cis straight white dudes, but I want everyone else also to come on this journey with me. And so when we would make decisions, it was always part of like that. And I remember someone telling me that Enron had integrity on the wall and their copy is one of their things. And it's not a thing that you put on the wall or you put in a memo, but it's how you decide who gets promoted.
00:41:40
Speaker
It's how you decide that someone is dismissed from your company versus just a reprimand, right? It's part of hiring. It's part of like your culture. And so people that are starting a business where their whole thing is to get rich, I'm like, go invest in crypto.
00:41:58
Speaker
I have to ask though, because we're getting near the end, but there's one question that I kind of have to call out because I think you might have a unique perspective to give. The Canadian startup ecosystem relative to America, relative to Europe, relative to like Asia and the Arab world right now even, it is lacking.

Challenges for Canadian Startups

00:42:20
Speaker
It is not good. Yeah, for the listeners, that received a double thumbs down. And I'm trying to be polite because I'm friends with a lot of angel investors out here. I'm friends of the Invest Ottawa community. Sonya Shorey and her team are doing really good work.
00:42:34
Speaker
But other than small localized pockets like here in New Brunswick, a little bit out west, we just don't seem to get it. And it seems to me like the typical Canadian founder dream is to get acquired by someone in the States, right? Or to move down to San Fran and just basically become an American and just do that thing.
00:42:55
Speaker
How do we create a nationwide culture of tech innovation? Because I don't think you can achieve or we can achieve the goal that you're talking about, which is by default, secure by design, if we don't have a fundamental culture of innovation to begin with.
00:43:14
Speaker
How do we fix it? There are a bunch of things. So I don't know if you know, but in the United States, if you invest in a small business and a startup counts for five years or more,
00:43:25
Speaker
you pay zero capital gains, but we have to pay 27% on every capital gain. So if I invest in a startup, so let's say I'm a nice angel.
00:43:37
Speaker
And when you invest as an angel, like you're taking a big risk. I really appreciate angels. And by angels, I mean an angel investor. So they are the person that gives someone like me a bunch of money. I bootstrapped, but you know maybe for my next venture or my venture after.
00:43:53
Speaker
And they're taking a ginormous risk, right? And they usually give you a lot of time, advice and help. They introduce you to people, they get you opportunities, they do all this magic for you, right? To try to make their investment take off.
00:44:07
Speaker
And then they do that for maybe 10 companies or 20 companies. And the hope is that one hits it. Okay, so one of them hits it. Every other investment, they get zero back. So let's say they give $100,000 to 20 different companies, because on average, then you might hit one if you're super lucky.
00:44:25
Speaker
Okay. So that is $2 million. So let's say that one hits it and it makes a hundred million. Okay. And so you get back, like you get a big investment. So let's say you get 10 million back because you're so lucky. It like is the unicorn, right?
00:44:44
Speaker
Then you have to pay 27% on that. You get zero back on the other ones. Okay. Right. You get zero, you get nothing. But then you're paying 27% on the one that you got. So you're only getting about three quarters of your actual profit.
00:45:00
Speaker
So if we change something like that, right, like if you'll keep the money in five years and you're allowed to take it from one startup and put it into another startup. As long as you don't go spend. Yeah, which is how investors sort of begin to grow the portfolio anyway.
00:45:15
Speaker
Exactly. So that would be one thing. Make it actually be like tax-wise something reasonable to do. Another thing would be teaching us about it.
00:45:27
Speaker
Like when I went to college, they didn't... like I went to computer science school. If someone is going to start a startup, it's the computer science student who was class president four years in a row. Right? Be that chick. Right.
00:45:40
Speaker
And so like they didn't teach us any of that. They taught us how to follow the stock market. And guess what? It made me think not to do a lot of stock market stuff. They didn't teach us about how to do an IPO. They didn't teach us how to raise funds. I had no idea any of that even existed until much later in my life.
00:45:58
Speaker
So whenever I started a business, I just bootstrapped everything or they could loan you money. Generally, the Canadian government wants to loan you more and more and more money, especially if you're a farm. Speaking of critical infrastructure, so owning a farm, I don't know if you know, but you can have a maximum loss of $32,500 a year.
00:46:17
Speaker
Everything else you get back zero. Did you know also you're only allowed to claim 50% of that loss? So if I have a $32,500 loss because I had to clear three acres of trees so I could make my farm, which I did, I can only claim half of $32,500 against my main income
00:46:37
Speaker
as a sole proprietor, even though normally I should be able to claim 100% of what I actually lost, or at least do it year over year. And to me, that's complete crap.
00:46:47
Speaker
All they want to do is loan you money as a small business and make you more and more in debt, especially if you're a farm. There's a million programs for women business owners where they will happily place me into debt until I die.
00:47:00
Speaker
All of them want to loan you money. None of them want to give you any. And so should we give every single person a huge fat check? No, that's not gonna work, right? But I actually am currently, like for my little consulting company, I was like, hey, I'm gonna join this like women's business, whatever, so I could get some training.
00:47:19
Speaker
'Cause I wanted basically like some training on any like Canadian tax laws, things I should know, et cetera. And they're like, you already know everything, we can already tell. And I was like, well then maybe I could meet peers who also run businesses.
00:47:32
Speaker
And I had explained how I'd gone to like this women's business networking thing. And like there was a massage therapist who rented herself to a bigger office. And I'm like, that's not a business. Like it is technically, but it's not, right? And there was like a woman who sold Tupperware. And there was another woman who was a dog photographer.
00:47:51
Speaker
You could pay her money. And every like few months, someone would pay her and she would take pictures of their dog. And I was like, this is not where I belong. There has to be a place where I belong. This is not where I belong. Like I'm negotiating deals with countries around the world.
00:48:09
Speaker
I got to address the Swiss government for cybersecurity. I'm like, I do not belong here. I'm sorry to the dog photographer lady. But yeah, the Canadian government program, they're like, that's who you're going to meet in this program. There aren't peers for you here. You need to go to America.
00:48:24
Speaker
And I'm like, no, there's gotta be other cool chicks here. I know there are, I know that there are really cool, amazing women in business. I mean, I know those people, so we know they're there.
00:48:35
Speaker
Well, I'm a founding member of the Forte Group, which is an American nonprofit of over 100 women in cyber who are CISOs, startup founders, five-star generals, et cetera. Like it's the most senior women. So I helped start that and I'm on their board.
00:48:52
Speaker
And that's where I find peers. Right. But I feel like if we want Canada to change, we need to find those people. So there's this really cool guy named Sean Lynch from Vancouver, and he runs something called the A-List.
00:49:06
Speaker
Yeah, that's right. E-H-List. So if you are a founder and you're listening and you're Canadian, join the A-List with me and Sean and a bunch of other amazing humans. He's been organizing us for free out of the goodness of his heart. The dude's amazing.
00:49:20
Speaker
Nice. So there's a lot of like unofficial communities and things like that. But there's not a lot. That's where it starts. You know, Silicon Valley definitely used to be a whole bunch of people with, you know, like-minded interests huddled in cafes and whatever before it sort of became, you know, Sand Hill Road and everything else. But it had to start from a community somewhere. So, yeah, that's a perfect place to end. On a high note, the growth of the Canadian innovative tech sector.
00:49:54
Speaker
Well, Tanya, thank you so much for the time. We know you're very busy, so we really appreciate you giving us a bit of yours. Really appreciate it. Oh, this was amazing. Thank you both so much for having me.
00:50:06
Speaker
Appreciate you, friends. See you again soon. All right. We will see you soon.
00:50:14
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:50:27
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.