Episode 9: Follow Your Happiness: Finding Your Path in Security and DevOps with Alan Shimel, Founder, CEO, and Editor-in-Chief of Techstrong

CyberPsych

Episode 9 of CyberPsych with Dr. Stacy Thayer is now live! In this episode, Stacy talks with Alan Shimel, Founder, CEO, and Editor-in-Chief of Techstrong about the importance of following what makes you happy and how to create a career path in security and DevOps. Contact us here: https://netography.com/contact/ #Netography

Transcript

Introduction to Cyber Psych Podcast

00:00:12
Speaker
Hello and welcome to CyberPsych, a Netography podcast where we talk with industry professionals about the human side of technology and how it relates to the field of security and how it impacts your overall business. I'm your host, Dr. Stacy Thayer, and I'm a cyber psychologist as well as senior manager of research and engagement at

Meet Alan Shimel: TechStrong's Visionary

00:00:30
Speaker
Netography. I'm very, very excited today to welcome our guest, Alan Shimel.
00:00:35
Speaker
For those of you who don't know Alan, he is a founder and CEO and Editor-in-Chief of TechStrong, and that's the company behind DevOps.com, Cloud Native Now, Security Boulevard, TechStrong AI, and Digital CXO. He's also the co-founder of the DevOps Institute.
00:00:51
Speaker
He has almost 30 years of entrepreneurial experience and has been instrumental in the success of several organizations. And then in addition to all of that, he also does the DevOps podcast TechStrong TV and has this really unique combination of a strong business background, deep technology and knowledge,
00:01:15
Speaker
and a legal degree from New York Law, creating this just trifecta of knowledge that I can't wait to dig into. So Alan, welcome. I'm so excited to have you here.
00:01:25
Speaker
Stacy, thank you. I'm embarrassed. I hope I can live up to all of that. But yeah, that's me. That's you. Well, I'm going to just dig right in because there's just so much knowledge. And over the years, we've had so many wonderful and, to me, inspiring conversations, too. And you've offered wisdom and advice.
00:01:45
Speaker
So I wanted to get into, you have this background of technology, business, and law, which whenever somebody's got multiple layers and approaches and perspectives, I love to hear about

From Law Aspirations to Business Dreams

00:01:58
Speaker
that. So can you talk about your journey from when you started to where you are now, and then we'll get into how those integrate into your perspective? Sure. So part of it is if you live long enough, you get all of these experiences.
00:02:16
Speaker
But really, I will tell you that I view my journey as just searching for happiness, searching for what fulfills me at some level, right? You know, it's a cliche. You hear people say, if you do something you love, you never work a day in your life. Well, I've been looking pretty much since I was a kid to do something that I love, right?
00:02:45
Speaker
I was one of those kids who, you know, like my family told me I was going to be an attorney kind of thing since I was a little kid: you'd be a great lawyer, you'll be a great lawyer. And I remember wanting to be a lawyer when I was in high school, junior high school. I was already going to law school. And I graduated law school, passed the bar, I think I was 23 years old.
00:03:14
Speaker
But the funny thing was I knew I hated being a lawyer in law school. I looked around, I was different than a lot of the kids who were in law school. But surprisingly, back then we didn't have computer science like they do now, let alone cybersecurity classes. Computer classes were still on punch cards and that kind of thing. And I know they wanted to date myself.

Embracing Technology and Entrepreneurship

00:03:45
Speaker
But I knew I wanted to be a business person. I really liked the idea of business. And I graduated law school and started practicing and recognized that, yeah, pretty much what I thought in law school is pretty much what it is. It's not for me necessarily. But I used it as a springboard. I was fascinated with clients who owned businesses, who are operating businesses.
00:04:14
Speaker
And most of these were small businesses, not large enterprises. I wasn't doing big corporate Wall Street law. But I got a good introduction to entrepreneurs. I didn't use the term entrepreneurs back then. It wasn't as fashionable as it has become. But I met a lot of entrepreneurs, people who were starting businesses, multiple businesses, serial businesses. And that kind of appealed to me. At the same time, though,
00:04:45
Speaker
Sometime in the early 90s, I really, so lawyers used WordPerfect. We weren't Microsoft Word users. Most law firms used WordPerfect. And I became the resident WordPerfect expert in the office I was working in. And so much so that I set up computers, first one computer, then multiple computers at home.
00:05:11
Speaker
to practice my WordPerfect and stuff like that. Now back then, it wasn't so easy setting up multiple computers that talk to each other, right? You didn't have TCP/IP. Well, you did, but it wasn't built in. We had Novell LANs and stuff like that. So I learned a little bit, enough to be dangerous with that. And I was able to set up my own little network at home with three computers.
00:05:42
Speaker
And we had the greatest time playing games and I was going, you know, on bulletin boards and doing all the things that people were doing back then. And then the internet started kind of, you know, I was on GEnie and CompuServe and all those things, but then the internet came out and at first it was Gopher and wide area search and, you know, that kind of

Web Hosting Success Story

00:06:06
Speaker
thing. But I distinctly remember the first time I saw
00:06:12
Speaker
Mosaic, which, you know, and then Netscape came out from Mosaic, the graphical web user interface. I was like, this is cool. It could be right. And I started, it consumed me, consumed me. Like I just couldn't get enough of it and started doing websites for kicks and then started doing websites for my friends and for some businesses that I had invested in, small businesses.
00:06:43
Speaker
And the next thing you knew, I was doing websites, but there was no web hosting industry back then. It was early. And so I'll never forget, I was working with a little ISP on Long Island called LiNet, Smithtown, Long Island. And they let me put a computer in their racks, you know,
00:07:08
Speaker
And we started storing the websites. A friend of mine, one of my childhood friends, and I were doing websites, and we started storing those websites there because you had to be able to access them. And I don't know, the next thing, you know, we decided to start storing websites that we didn't design. Like other people had websites, they needed a place to keep them, we let them keep them.
00:07:36
Speaker
I put a little ad in PC Mag. God's honest true story. I put a little ad, like a 16th of a page, in PC Mag. We'll store your websites for $49.95 a month. Stacy, about a year after that, I was hosting about 5,000 websites. Wow. $49.95 a month. And it was crazy. And that was kind of the birth of the whole web hosting industry, right? Then people started calling it web hosting.
00:08:04
Speaker
It had to be around '96. I'm going to guess 1996. And then, I don't know, by '97, late '97, I actually sold that business to a company doing a rollup in web hosting that had bigger ideas. And the guy behind that was a guy named Brad Feld, who's a pretty well-known venture capitalist.
00:08:28
Speaker
Brad is one of the founders of Techstars, and he wrote the whole startup community series of books. Back then, Brad was managing partner at SoftBank Venture Capital. And so I sold the company to a company he was doing a roll-up in, and started working with Brad. And I was helping him, well, in the company

Passion over Profession: A Career in Tech

00:08:48
Speaker
that we rolled up, which became Interliant, which is a .com IPO company and everything, what we call an ASP, Application Service Provider.
00:08:57
Speaker
And, but I was also helping Brad as he was looking at companies to invest in, you know, and he'd say, Hey, go look at these two companies. Tell me which one you think we should invest in. I always picked the wrong one, inevitably I did, but it was such exposure. And you want to know the truth? I was doing what I loved, which was
00:09:26
Speaker
building businesses, I was consumed with the internet and computers and networks and everything about it. And I had this conversation with my wife where I said, I could die young doing law, or I could do this. And I did this. And I never looked back. And then from there, it's been a series of
00:09:56
Speaker
The next thing, at Interliant, we had to secure all these sites, first websites and then applications we were hosting. And so I started, I said, oh, I'll learn a little bit about security, right? Because back then it was all network security; network security was really security. And so this is '98 maybe, right? Or '99. I started diving into security.
00:10:25
Speaker
And that consumed me like, why aren't we, you know, thermonuclear war is not a game, you know, and so I started really getting into security back then. And that became the next kind of passion for me. So, you know, fast forward to 2024, I've been pursuing what makes me happy for the last 28 years.
00:10:50
Speaker
Right. And, and what makes me happy has changed a little bit, but not much. It's still about building businesses and doing things, cutting. I always like to be what's new in technology. So like AI now is like blowing my mind. I consumed with that. It's, but it, but you know what, like I said, to bring it full circle.
00:11:16
Speaker
Yeah. If you do what you love, you don't work a day in your life. I do what I love to do, which is, you know, there's a little bit of ADHD in there because I'm always pursuing the next shiny trend. Yeah. The other thing is I've met so many great people who are like me who also just, you know, just do what they, what makes them happy about doing it. And, and that, I would say is also the biggest joy of, of my career.
00:11:45
Speaker
is the people I've had the chance to play with, to work with, you know, on this journey. You know, I love that, you know, just following what makes you happy. There's this concept of flow. And when they talk about it, like, in the terms of athletics, of like, when you're in the zone, they think of, you know, athletics being in the zone, but when you but with flow, when you're in the workforce, it's like, it's just doing what comes naturally. And yeah,
00:12:12
Speaker
When I'm talking with my students or anything, they say, what do I major in? What do I do with this? I say, you'll keep leaning into your successes. And because I've learned now when I'm not set up for success, because being also ADHD, it's like, oh gosh, if you're going to have me look at a spreadsheet all day or edit, or that is not going to set me up for success, I'll be miserable. You'll be miserable with my results. And this is not a win-win.
00:12:41
Speaker
scenario. So I think, yeah, I love that, this pursue what makes you happy, pursue what feels like you. Yeah, I mean, and that's, I think that's the key to people. I mean, so I have two sons who graduate, one's in law school, one's graduating college. I tell them this, right, you've got a
00:13:05
Speaker
You've got to be agile enough and nimble enough to see sort of what the market is, where it's heading and what's happening. But you also have to kind of have an inner sense of what makes you happy, what's going to be interesting to you. The worst thing in the world is to leave your house every day to a job or if you're working from home. Start your job every day doing something that you're really not interested in.
00:13:33
Speaker
Yeah, that that's like a life sentence. Yeah, you know, and you know, it's just it just shows in every way versus when somebody is engaged. All the studies say and I talked a lot of organizations about this, like invest in your employees and their engagement level, because when you have an engaged employee who's in the right position, that speaks to their skills, tell managers this all the time, you will see them flourish. And their output flourishes.
00:14:03
Speaker
It's no one wants to do the same. Yeah. Yeah. I agree with you. And so, you know, part of my journey too, Stacy, has been the transition from being, let's say, a single contributor or a lone wolf kind of person to first managing a team and then, you know, managing a company. Right. I was co-founder of several companies, mostly venture-backed dot-coms. So from the time I sold my first hosting company, TriStar Web,
00:14:33
Speaker
I was a co-founder at several venture-backed startups and lived that whole life. And then when I did TechStrong, I purposely, well, I didn't have to raise money, which is always a good thing, right? A business that started being profitable immediately. But running your own company like that is yet another adventure, right?
00:15:04
Speaker
rewarding, but for those out there who want to maybe co-found a company or become a CEO, I will tell you the responsibility of people's lives, right? I mean, because we work without a net here. We're on a high wire act without a net, right? You got to bring in enough money to make payroll and
00:15:27
Speaker
do your things, and there's people who have families who are counting on it, right? And that's an awesome responsibility that you have to get used to living with as well. Yeah, right. Yeah, it's not just about what you can do personally. You know, all right, I don't want to work today. Okay, I'm gonna go in a whole different direction. There are times I'd like to do that, but you got to do what's
00:15:53
Speaker
right for your people and for your, you know, that's part of that responsibility. And I think it's always harder than you think it will be in the beginning. At least when I started SOURCE, the SOURCE Conference, and I remember thinking like, okay, I put together this superstar board of advisors, and this is pre-BSides. And okay, we're going to be a smaller conference that people, that you know, and
00:16:18
Speaker
All the advisors, we, 10 of us, and we thought, okay, how many people will we have? We've got 400, 500 easily. It's going to be a L0pht panel reunion. We've got, you know, Dan Geer keynoting. This is going to fill up tons of hotel rooms. Well,
00:16:35
Speaker
We managed to break even, but it wasn't even. It's something to be proud of to at least break even for a lot of people who lose their shirts. Yes, yes. But I think all of us in that first year of having the event and everything went
00:16:52
Speaker
Oh, it isn't if you build it, they'll buy it. If you make the service, they'll buy it. If you build the conference, they'll attend it. No matter what your star power, no matter what it is, when it comes to people paying for things, when it comes to actually opening up the wallet and shelling it out,

Challenges of Hosting Tech Events

00:17:08
Speaker
it is so much harder than, for me speaking, when I asked an entrepreneur, thank goodness I wasn't venture backed or anything like that. But yeah, we definitely thought, if we build it, they'll come.
00:17:20
Speaker
I've been there, done that. I actually lost my shirt the first time we tried to do events here at TechStrong, in-person events. But, you know, one of the great things about the internet, Stacy, is I still get excited when I log on to a virtual event. And I say, Hey, this is Alan from Boca Raton. Welcome. And all these people say hi from here, hi from there, hi. And you realize
00:17:49
Speaker
It's a small world and the people who are there are from everywhere and anywhere.
00:17:56
Speaker
You know, and so it surprises you because, you know, you say, Oh, I'm going to make it source forested. Well, are people going to fly in for that? Or are we just going to have locals? Yeah, we'll probably have 75% locals. And then you find out, you know, that it's maybe only 50% locals or 40% locals and people did fly in and you just, man, why didn't I see that coming? Or they didn't fly in and why didn't I see that coming?
00:18:22
Speaker
But that's part of the fun, right? Yeah. I mean, as long as you don't lose to start anything, it was like, Oh, okay. You know, we had the sponsorship hall, not where everybody in a different room. And it was like, Oh gosh, that was a mistake. But, but I,
00:18:36
Speaker
I love doing it. Absolutely. Yeah, it was just like, okay, I've never felt anything in my life that came together and I loved it and just joy in it. And I was thinking about it actually today, like, gosh, I remember in college going into communications because I wanted to speak to people. I didn't know what I had to say. I just like public speaking. I like connecting.
00:19:00
Speaker
And then when technology and not doing the podcast and it's like, I'm back there and that like, Oh, great. I'm doing events and speaking to people and getting it's because it's the people. And like I said, the community that you get to talk with and connect with it brings, brings a lot of joy too. Well, I'll tell you putting financial results aside, I thought the source conferences were amazing. At a time where.
00:19:28
Speaker
You know, this is security. It was a different community than it is today, right? We weren't all cyber crazy. We called it security. It was, it was not, I don't want to use the term insider, but it wasn't experts. I mean, you really did have a great panel of experts. You really did have the movers and shakers. Yeah.
00:19:53
Speaker
I still don't understand what it takes to get someone off their butt and to go see a Dan Geer talk, right? I mean, you're privileged to go hear him. Yes. Yeah. One of those genius minds love to hand me. I thought you did a great job with that. I was a fan.
00:20:12
Speaker
You know, it was great. I mean, we grew into Barcelona. I love everything we did, but it was such a learning experience about business. And I love learning about different communities too. Like you said, small world.
00:20:27
Speaker
After doing so many events and being really ingrained for me in the security industry for such a long time, when I was working at my previous organization and went to KubeCon, it was getting to Kubernetes. And there you are. And it was like, well, world, there's Alan. What are you doing here? Out of my wanderlust. My security friend. What is my security friend doing at a Kubernetes event? What's happening? It was so great to see you.
00:20:52
Speaker
But I'd love to hear more about then. So what brought you then to the DevOps community? Cause you know, you're, you're security. So, okay.

Discovering DevOps with Gene Kim

00:21:00
Speaker
Got it. So I'll tell you how I got into DevOps. I forgot what year it is. Maybe 2012. I am the sponsor wrangler for BSides Las Vegas. That is not an easy task. Well, it was easier then, cause it was early in the BSides journey.
00:21:22
Speaker
And companies were wanting, and BSides Las Vegas was the marquee; that and San Francisco were probably the two marquee BSides. Anyway, we put on a great event, and one of the guys on the BSides, you know, the organizing committee for the Vegas one that year was Gene Kim, who had just left Tripwire recently.
00:21:50
Speaker
And after the event or the last day, Gene says, you know, let's go grab dinner and celebrate a great event. I'd love to sit and talk with you. I'd say great. So I went to dinner with Gene and we consumed a couple of bottles of wine. And he whips out this manuscript of a book he was working on. And that book became the Phoenix Project, which is kind of the, you know, the Bible of DevOps, if you will.
00:22:18
Speaker
He started telling me about DevOps and, you know, telling me about the book. And I had already known Goldratt's, The Goal book, which is what The Phoenix Project is based on, right? We both, you know, kind of same thing. Except that's on manufacturing. This is on IT and software development. And immediately to me, Stacy, I saw in DevOps
00:22:45
Speaker
the opportunity to right some wrongs in security. One of the problems we've had in security, as you know, is security was always sort of the redheaded stepchild, the caboose on the train. It was an afterthought. It was bolted on. It wasn't built in. It was
00:23:06
Speaker
you know, separate and apart from IT. Back then, actually, a lot of security organizations weren't even part of the IT, they were under risk and coming under the CFO and stuff. Yeah, yeah. And I said, man, this, if we could get this, I bet your security can get it done, right? We could do it right. And that was my initial thought around DevOps. That's what attracted me. And back then, we didn't have this thing called DevSecOps, right? There were a lot of
00:23:36
Speaker
different names. My friend James Wickett from Austin had started something called the Rugged DevOps movement, which was kind of hardening DevOps. And I remember at one of the RSA shows, I guess it was 2014. So I launched DevOps. Well, what happened was, from 2012, I was really pursuing my happiness, right? I
00:24:02
Speaker
dove into DevOps to see what it's about and what can we do to make security better.

DevSecOps: Bridging Security and IT

00:24:08
Speaker
And my friend Brad Feld invited me to an event in Boulder, where just the Techstars and the Foundry Group portfolio companies were talking DevOps, and he asked me to speak. And I spoke there. And then after the conference, we were sitting around talking, my friend Raj Bhargava, who's CEO of JumpCloud now, and Brad,
00:24:29
Speaker
And they said, you know what DevOps needs? DevOps needs like a site where people can go and learn about DevOps and stuff like this. And I said, yeah. And Brad said, you know what they need? Shimmy, Brad calls me Shimmy. Shimmy, you are the perfect guy to go do this. You should go start a site around DevOps and write about it and get other people excited. And I said, yeah, that sounds good.
00:24:56
Speaker
I said, let me, let me look into it. He said, do it. Bring me a business plan. Maybe it's something we could fund or whatever. I said, okay. And I, I went back home and thought about it and did a little model, a little PowerPoint. And I still have that PowerPoint. I show it every year at our all hands meeting here. It was called DevOps Central. That was the original working title.
00:25:20
Speaker
And surprisingly, I was pretty good on forecasting what I wanted to do with it. But the opportunity came up to actually have DevOps.com as the site. And that's a good name if you're writing about DevOps. And so I did that. I never raised any money from Brad or any VC because we had sponsors signing on almost immediately.
00:25:46
Speaker
And that's how I started DevOps.com within six months. So that was March of 2014. The next RSA is probably February of 2015, because back then it was always February. Britta Glade and the RSA folks, actually maybe Gene still, asked me to do a DevSecOps, we didn't call it DevSecOps, but a DevOps and security
00:26:14
Speaker
symposium, seminar, whatever you want to call it. And we did. And I had people like Gene Kim talk and Josh Corman, who were big at the time. Wickett was there. I tried to bring together my security friends with the DevOps tribe. And I got to tell you, it was like oil and vinegar, Stacy.
00:26:38
Speaker
Because the security people said, please don't try to tell me that developers give a crap about security. We know they don't. Only we care about security. Because that's the security mindset, right? Only we care about security. You have to pry it out of our cold dead hands. Developers, on the other hand,
00:26:58
Speaker
These security people, all they do is say no. They're like a weight around my ankle. They slow me down. I can't stand them. They hate us anyway. They're not really IT people. They're all weird. We are all a little, you know, I, it's a whole nother story, but anyway, but in spite of that, I kept pushing it and pushing it and year one to year two to year three, this year we're going to have year eight or nine.
00:27:26
Speaker
of what became DevSecOps. And it became a thing. People realized security is synonymous with quality. No developer raises their hand and says, I want to write crappy code. I want to write code that's insecure. But they're not security professionals either. And by and large, security people, I think, have come to realize that developers and ops people, they want to produce quality.
00:27:56
Speaker
They're just not security people. They need different tools. They don't understand the finer points of GDPR or PCI or SOC 2 or any other kind of compliance standard you want to throw at them. But they want quality. We all want quality. And that's that common thread that binds this. And so to me, that was
00:28:26
Speaker
I'm not saying the story's over, but that was the climax of the story of security people coming together with the DevOps people for the sake of quality. And so I'm happy to report success, right? People like Shannon Lietz who started DevSecOps.org. Yeah. And James Wickett and Ernest Mueller and the guys from Austin's DevOps Days, my friend John Willis,
00:28:55
Speaker
one of the co-authors of the DevOps Handbook and stuff. There's so many examples of just coming together. Yeah. Well, it's great. Yeah. Because being on the dev side in my last company, but, you know, always still with that security mindset, you know, back in, you know, 2008, 2009, where people were either writing code, either wrote code or you were,
00:29:22
Speaker
maybe a consultant or something like that. And if you wrote code, it was a lot of time. That still is, I think. You've got a deadline, you've got a product, you've got a feature that you've got to add. How you write code securely or are you just patching it, okay, we just need to make this work for the deliverable or a salesperson needs it. And so I think that there's a lot of push and pull between I want quality, but I'm on a deadline.
00:29:46
Speaker
But what are the security implications behind it? Because I know looking at merging in just third party code. We didn't write it. Who wrote it? What are all of these problems? Then going to the developer with there's a security vulnerability. Anyway, so a lot of this push and pull. I mean, you talk to a lot of people with everything that you do. And so I'd love to hear
00:30:12
Speaker
What are the themes that you hear? I mean, so, because they do have to work together, I think. I agree with you on that. There has to be the more we can understand each other in these different departments. And so how can CISOs now, I mean, connect or work best with

Evolving Role of the CISO

00:30:28
Speaker
teams? How can those teams merge and what themes are you seeing that are the same and different between these communities? Sure. So first of all, it's tough being a CISO today, man.
00:30:41
Speaker
I don't know if I'd even want that job with what the SEC has been doing lately and what we've seen on this. And let's face it, Stacy, when you and I first got into security, CSO wasn't a thing, right? The rise of CSOs is a relatively, I don't know, dozen years to dozen and a half years. And they've had to fight for their seat at the table, meaning at the C-level of the table.
00:31:10
Speaker
You know, a lot of CISOs were glorified security architects. They'd come in, they'd architect out a security program and architecture, and then the team would say, okay, now you go back to being the security admin, right? CISO means so. But that's changed. Today's CISO is a real job, and God knows we've come to find out it has real responsibilities and repercussions if you don't do it
00:31:40
Speaker
correctly or to someone else's standards. On the other hand, I've seen a trend towards the CISO and the CIO role coming together. I have friends who are both CISOs and CIOs. The CIO is the CISO because security is so important to that whole IT piece that,
00:32:07
Speaker
you know, it goes together. And so I'm not saying it's the majority or the norm, but it's not as rare as you would think. So we are seeing that come together. The other thing, I think it goes back to this whole DevSecOps notion of everybody's interested in quality, just, but we all have different views of how much time and effort goes into that.
00:32:34
Speaker
And the CISO's job is to stay true to his North or her North Star in terms of what's good security while empowering with the right tools and policies and processes the entire spectrum of people working in IT.
00:32:54
Speaker
and it's security people, it's developers, it's your DevOps team, it's your ops teams, your SREs, your platform engineers. They all have to have a security mindset. They may not be security professionals, but they've got to have a security mindset. And you may encounter some headwinds in bringing that to your organization, but I think that's your job.
00:33:24
Speaker
So what, what common mistake do you think people make when communicating either like between with their DevOps or with their teams or about security or what are some common challenges that you've seen from CISOs and leadership roles as well? Is thinking that everyone is a security, is as well versed in security as a security person is.
00:33:51
Speaker
Because a lot of what we do in security may not be intuitive. So for me, for instance, I always felt that compliance was a bit of a red herring in security. And there was a period of time, 2008, maybe through 2015, that time frame, where we were doing compliance for compliance sake. We were so hung up on getting PCI right.
00:34:17
Speaker
and all of these compliance statutes and governance risk and all that, GRC, that we were doing. In my mind, compliance was always a byproduct of good security. If you had good security hygiene, if you had good security process and policies,
00:34:37
Speaker
you would be compliant, because compliance for the most part is kind of lowest common denominator security, right? It's the minimum of what you should do, not the maximum. So if you're doing your security right, you should be compliant for the most part. And so to me, compliance was
00:35:02
Speaker
kind of common sense. Okay. You're doing security, just good basic security stuff. It'll work. But you know what, when you're a developer or an ops person or an SRE or an architect, it's not as common sense as we think. They don't understand why the heck I got to be worried about storing credit cards. Storing credit cards makes my business so much easier to do recurring charges and
00:35:30
Speaker
and all of this, so why can't I do that? And that's just an example. But security is not intuitive to non-security people, and we need to remember that. And giving them tools that were designed for security people is like giving me something written in Mandarin Chinese. I don't know what to do with it. So if we want people to
00:36:02
Speaker
do things in security, we've got to give them tools that are geared to them. We've got to give them policies that they don't think are arbitrary, that there's a good reason why. Tell them what that reason is.
00:36:21
Speaker
How do we learn things, right? You're connecting one neuron to the other. And you just give somebody information and they don't know why or how it relates to them or what the end result is. It doesn't connect. It doesn't click. It doesn't remain as a piece of knowledge. And I would say that there's so many people now I don't think common sense.

Navigating Security Compliance

00:36:40
Speaker
even exist anymore, you know? It's like, what makes sense to me? I'm like, what? Common sense isn't as common as we think. Yes. But it's true, because I'm.
00:36:55
Speaker
Yeah, my last company not being security. I remember we had to go through a security audit to add a vendor. We're like, are you done yet? Are you done yet? I'm thinking, Stacy, you know better than to pick on this poor one security person. Who has to do the audit. But I had to remind myself, and you know why this is happening. So don't nag them. You know what it takes. You know this. Because I understood the why.
00:37:23
Speaker
I could empathize at least and be like, this poor sole security person is underwater. I can't, even though it's meaning I can't do my job a little bit. He's doing the best he can, you know, dial it back. But that's even me with years of security, you know, community knowledge of what it's going through. Not everybody has that. Most don't know. We're going through that right now. We have to do a level two thing for some large cloud provider that we partner with. And we're, Stacey,
00:37:53
Speaker
I outsourced everything. We don't have a lot of our own infrastructure, right? It's all third-party SaaS stuff that's all SOC 2 and ISO compliant. But they're putting us through the ringer on this. And look, I know why they're doing it. And I know at the end of the day, we'll be OK because it's not mine. But other people in our organization are coming to me like, oh, man, this is crazy. What are we doing? It's going to take forever.
00:38:23
Speaker
You can't make wine before it's time. You got to just let the process play out and keep doing it. It's crazy. Do you think with CISOs or just, I mean, I think security professionals in general, they have to manage, I mean, inconveniencing people in a way. I mean, I'm sure they hear all the time, like, why do I have to change my password every 90 days, right? And why this?
00:38:52
Speaker
Do you have recommendations or thoughts, I mean, from all the people that you've talked to and seen, of how can they communicate that? Does security always have to be the, like, all right, we have to do this, this, this, and this? I bought my house for Christmas. We always have to be the ball and chain. Yes, we always have to be the ball and chain that inconveniences people. And how can you do that gracefully?
00:39:23
Speaker
This isn't only security people's fault. It's not our fault necessarily. Because here's an interesting thing. I remember reading a survey. I think we might have done the survey even. Do you view security people as slowing down your development speeds? 80% said absolutely. Yes. Do you want security to slow down your development?
00:39:53
Speaker
65% or 70% said yes, absolutely. Because they realized that they're going at such a fast break as fast as they can, in essence, that there has to be something system-wide that puts these checks in there so that we don't wind up being on the front page of the Times or the next breach victim.
00:40:22
Speaker
And so they expect us to be that. So it becomes almost a self-fulfilling prophecy. And by the same token, there are security people who relish the role of being the brake on the system. Yeah. Right. That is our role. We're supposed to do that. Don't fault me for being a tiger with stripes. Yeah. So to a certain extent, it's always going to be like that. But it goes back to the why. Right.
00:40:52
Speaker
As a parent, we've all done this. Why do I got to do this, Dad or Mom? Because I told you so. And that's enough. Yeah. Right. I don't need, but that's not great parenting, right? People, and it's not just with children, it's with employees and colleagues as well. If they understand the why, it's a lot easier to accept the what. Yeah. Yeah. And so,
00:41:21
Speaker
I think from a CISO point of view, and security point of view too, they need to make sure people understand the why. And then the what follows. Yeah. And to your point, it's not all on the CISO's shoulders either, because
00:41:43
Speaker
The others in the company have to be able to, so if, say someone in DevOps is writing their code and they've hit a deadline and they're like, I can't slow down because of security. It's also on their side to say, here's my why. Because those are the win-win scenarios. When everybody can come to the table and say, here's my goal, what I'm trying to accomplish, and here's why. And then you look at them kind of next to each other. It's not as isolating for, again, that CISO is going, okay, yeah, 80% of people,
00:42:11
Speaker
I think we slow them down and don't like it. How do we work together? But those same people want us to slow them down. So it is what it is. But I think the why is important. And the other thing is, this is again a lesson I learned in security a long time ago.
00:42:33
Speaker
Like security fundamentals are just that fundamental. It's about managing risk. Here's the why. If I just let you deploy this software without finishing the testing, here's the downside. Are you willing to accept that downside? Because if you're willing to accept it and the CFO and the rest of the team is willing to accept it, I won't stand in your way. I'm just duly noted that I'm making this
00:43:02
Speaker
request, you guys want to overrule it because you're willing to live with that risk. I've had it, right? So security still comes down to managing risk. Yeah, it always does.
00:43:19
Speaker
Well, we've got a couple of minutes left by actually doing resources that you really enjoy either books, podcasts, conferences, any kind of recommendations for anyone I mean in the security or DevOps or even balancing, you know, how to overlap and learn about the two.

DevOps Resources and Community Engagement

00:43:35
Speaker
Okay. So for my security friends out there who want to maybe get more involved or more in the know around DevOps, DevOps has its own sort of BSides analog.
00:43:49
Speaker
called DevOpsDays. And very much like BSides, it's a worldwide organization, but the locals run their own local events with the help of the worldwide organization. So it's called DevOpsDays. And there are DevOpsDays going on every week, somewhere in the world, everywhere. And so if you want to really,
00:44:18
Speaker
if you're into security BSides, you'll love DevOpsDays. And by all means, do check that out. The other thing is I would say there's so much DevSecOps knowledge and training available. And I'm not talking about traditional stuff where you're going to go get a certificate or have to pay a good zillion dollars.
00:44:46
Speaker
But like, there's so many people who are treasures. There's a woman named Caroline Wong. I don't know if you know Caroline. Caroline is the chief strategy officer at Cobalt, which is an AppSec company. But Caroline has written some DevSecOps courses for LinkedIn, and they often run them for free. They're great. And Caroline's a treasure, right? A lot of what she's, she works with Olaf and others.
00:45:15
Speaker
So there's some great stuff that she's written in there. I mentioned James Wickett and Ernest Mueller. They've also done a DevSecOps course on LinkedIn, which is a great resource. The Gene Kim IT Revolution, the whole library, he probably has 30 or 40 books in IT Rev now. Check those out.
00:45:40
Speaker
The Techstrong sites, whether it's DevOps.com or Security Boulevard or Cloud Native Now, we're constantly doing that. There's still this vibrant community of security content creators.
00:45:59
Speaker
A lot of the people from the Security Bloggers Network that I helped start in 2003 with Jennifer Leggio and Rich Mogull and Mike Rothman and so forth.
00:46:10
Speaker
Those people are still there. This year for RSA, I actually want to change the security bloggers meetup to security creators. So anyone who creates content around security should come to it. And I want to revitalize it because, I mean, quite frankly, a lot of the people who I was doing it with back then, we're old now. There's a lot of younger, smarter, better people that should get involved in it. So I'll be publishing more about that in the weeks ahead.
00:46:40
Speaker
as we get closer to RSA time in May. And again, RSA is one of these conferences where all the kids too cool for school in security say, I would never go to RSA or, you know, blah, blah, blah. Yeah. There's still 40, 50, 60,000 people there. Go to RSA, Black Hat. There's still 40, I think 40,000 people went to Black Hat this summer, or summer camp, right? Between Black Hat, DEF CON.
00:47:06
Speaker
You know, go to those bigger shows. There's a lot to learn there. There are so many security conferences, right? Back when, like, you know, the Source, what's Source today, it's not BSides per se, but there are a lot of local security shows that you can go to and network, you know, meetups and stuff like that.
00:47:34
Speaker
I think the way we get training, I mean, people get training in colleges and schools and high schools now. Right. Well, you don't necessarily need to rely on those. SANS still does a great job, and the CompTIAs of the world and all of those. But there's so many other places now. Right. But do it if you have a burning passion to do it. Don't if you think it's like third grade homework, where, why am I learning algebra? I'm never going to use it.
00:48:04
Speaker
then don't do it, right? Because if you don't feel it, it's not the right thing for you. Yeah. Well, it brings us, and we'll end on nine now, because that brings us right full circle to what you said, which I'm going to hold on to and love: do what you love, with that internal knowledge of, you know, what your passion is and what
00:48:27
Speaker
doesn't feel like work as much as it may be work. No one wants to write. No one wants to work every day. It's hard. Yeah. Well, Alan, thank you so much for being a guest and sharing your knowledge and infinite wisdom of so many different industries and knowledge. Infinite, I don't know about it. It's probably a symbol, Phil, that I just keep recirculating. But Stacy, thank you. Thank you for all you do with this and all you've done.
00:48:54
Speaker
You know, I've been a fan for a long time. So it's so great to see you doing this. Yeah. Thank you. Thank you. And I'm sure I'll see you at RSA this year. Absolutely you will. All right. All right. Thank you, Alan. And to my listeners and viewers, I'll see you next time. Thank you.