Ismaelle Vixsama (aka Izzy) has a knack for finding strategic flaws and speaking up about them. Doing so helped her get her first full-time job, and it has also drawn repercussions from defensive egos. Her whole career is a war story.
Izzy is an ISMS manager with 7 years of experience. She has worked in FinTech, Government, and Security R&D. Her work has put her on several mainstream products and services with some of the most well-recognized brands.
ISMS - Information Systems Security Manager
Creates a security program around a company's information systems.
Initially played a very CISO-like role.
First role in security was in Risk
Izzy comes from a very traditional Haitian background.
Izzy gave up the benefits at her job for an opportunity to learn something new and be in a non-toxic environment.
First heard/learned about hacking at 15 from an AOL chat with a "hacker".
At 23 she decided to speak up in a meeting and provide feedback, which led to her being hired full-time.
"At the time I was 22 years old, the pay wasn't that great but for me it was amazing because I was doing something I hated, I had benefits at my previous job but this company was giving me an opportunity to learn something new. To me that was so exciting."
"He looked at my resume and he said 'I realize you have no cybersecurity experience.' By starting the conversation like that it took some pressure off of my shoulders."
"I was so nervous that he was going to drill into me about all these topics I had no clue about."
"I didn't even [know] I had sisters."
"Everyone just kinda wrote me off."
"Who is the audience, what do we want to say here?"
Worst comment ever... "We have to really train you on your critical thinking skills."
"A good idea is a good idea, regardless of who it came from."
From Zero to One, David is a lifelong builder. Wherever he goes he just builds things: from an electric car to ad hoc Android apps to ZAP HUD, an awesome heads-up display for ZAP Proxy and a game changer imho. We discuss the lack of UX in the security tooling community, how contributing to open source got him his job, and even imposter syndrome.
David Scrobonia is part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and leads development for the OWASP ZAP Heads Up Display project.
Mostly interested in architecture and mechanical engineering when younger.
Built his own electric car with his dad, out of a Porsche 914!!
David explains XSS and why certain languages and frameworks, such as React, handle it better than others.
David gets lost in El Segundo. Yes.
"It's just a program that listens on these silly protocols."
"Playing with my hands I wanted to do more hands on stuff, quickly fell in love with the coding side as a lot of people do."
"I was like... what's GET? what's POST? What do you mean?"
"Before you know it right it seems so daunting."
"Still plenty of opportunities out there. Will be a long time before the world is perfect and secure."
"With all those things, I've been working in the security industry, but I didn't really feel part of any security community."
"I have nothing but good things to say about the open source community."
"...they're (security tools) just not built with user experience first."
"I think people underestimate what they are able to contribute."
Leron Gray is a man of many talents. He didn't really get into computers until much later in life, but he always had a creative side; he now finds himself a pentester working from home and a nerdcore rapper producing amazing beats!
Leron is currently a penetration tester and a ten-year Navy veteran with four years of experience as a Cryptologic Technician (Networks), focusing primarily on offensive cyber operations. He holds a Bachelor's degree in Cyber Operations from Dakota State University. With a passion for Python, he loves automating tedious daily routine tasks for efficiency and considers himself always in a position to learn more and pass on knowledge. He enjoys competing in as many Capture-the-Flag events as possible and also often performs as a nerdcore rapper.
Leron currently holds eCPPT, eWPT, GPYC, GPEN, GAWN, GCFE, and GICSP certifications. He also maintains a blog and an active Twitter account discussing music, information security and wrestling.
Went to a high school that made you choose majors.
Grew up poor, was not allowed to go out much.
Technological learning came from school.
Didn't really get into computers until he was 25.
Has been in music since Jr. High School. Marching band, jazz band, and concert band... all the bands.
Networking is the biggest thing that Leron says would help.
Leron offers his passionate opinion on "aptitude". It's a pet peeve of his.
"I learned a lot... I made sure not to waste any opportunity for learning..."
"Job searching in general is a pain."
"I don't think I would be where I am right now if I hadn't gone out and made that effort."
"One of the big deals that people had were degrees, I wasn't really sure why; I have 10 years of IT/Cyber experience."
"It turned out the company no longer owned that server. Their DNS was still pointing to it though."
"I took Java in high school and was really bad at it and I found out everyone is bad at Java so it doesn't really matter."
"It's so much easier to learn when you have a problem to fix."
"It's not even just information security that learning Python could help... it could be anything you do... often enough to warrant not to do it manual."
"Nobody does a CTF and expects not to learn something by the time they leave."
"Job searches shouldn't be like that. They should be based on your merit. But..."
"Maybe the person can't get OSCP, but maybe they have the skills or knowledge..."
"The idea of aptitude... raises too many borders."
Jared Folkins understands people, technology, and the world around him. He can smell a toxic environment from a mile away and has used that EIQ spider sense for good. Jared shares with us some VERY personal stories (tear jerker warning!) about integrity and life decisions, as well as a bunch of on-the-job war stories, including a famous one featured in the news! This is probably my most dramatic episode yet.
At 18 got promoted to manage a team of 50, because he wasn't lazy.
In hindsight he was able to see indicators of the dot com crash, but didn't realize it at the time.
Had a fork in the road where he had a major decision to make.
Jared shares with us a VERY personal story and the life lesson from that which he applies in his professional life.
Having a low tolerance for toxic relationships, Jared has been able to sense toxicity, and it's been a driving force for good for him.
"I believe in the power of admitting when you're wrong."
"I carry my guilt between my shoulder blades."
"When I make that mistake; When you have a team that you can trust or a team that honors you, you have the freedom to say stuff like that."
"You can only control you."
"Constraints can be healthy."
"Stepping outside of your comfort zone... super healthy too."
"If someone tells me this person... is not a good person, I'll actually go meet that person. I want to assess it for myself."
Marcus Carey has been hacking since he was five. A true MacGyver, he had to make do with the few resources available to him. He later enlisted in the Navy, worked for three-letter agencies including the NSA, and now has his own security startup. Marcus shares a TON with us in this episode.
Marcus is renowned in the cybersecurity industry and has spent his more than 20-year career working in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA. He started his career in cryptography in the U.S. Navy and holds a Master’s degree in Network Security from Capitol College. Marcus regularly speaks at security conferences across the country. He is passionate about giving back to the community through things like mentorship, hackathons, and speaking engagements, and is a voracious reader in his spare time.
Marcus had an opportunity to play college basketball, but couldn't since it was only a partial scholarship.
After taking the ASVAB test had the choice of nuclear engineering or cryptography. He chose cryptography.
As a child, Marcus built an Olympic-sized track pit, up to spec.
Marcus, like many other security professionals, has a strong artistic side. He achieved first chair in just a few weeks in Jr. High.
Marcus teaches us "How to Learn".
Marcus achieved over 115 college credits, on his own, without attending college!
Open source tools Marcus created ended up being used to save people's lives in other parts of the world.
"[I] Told them all I wanted to do was work with computers."
"I've always been a tinkerer. I built stuff, I was a science fair geek... the whole nine."
"I was the poorest person growing up... so anything I did was a hack. I made my own hackey sack. I used to make my own toys."
"You can't learn how Marcus learns, because everyone is different... Nobody can tell you how to learn as good as yourself."
"So now, I'm like a finely tuned weapon when it comes to learning... cause I know exactly how to learn."
"Never be surprised how your work turns out to be used for good... it actually blew my mind that my stuff was being used to do that [saving people's lives]."
"Show externally that you've mastered those concepts in some way."
"Sometimes your employees are going to go rogue, and hopefully you can detect when they do."
"If you're focusing on a specific set of skills that are evergreen, and if you work that long enough, it doesn't matter your aptitude, you can become an expert at that."
"There's people out here that are celebrities and they act like they know everything. Don't be one of those people."
"Aptitude allows people to learn stuff faster. I think the military requires you to learn stuff fast."
Robin Stuart started off as a paralegal until she was challenged one day to get her boss's password. (Hint: do not challenge Robin.) Fast forward: she switched careers to technology but kept a lookout for a career in security.
Veteran cyber crime investigator and contributing author to the Handbook for Information Security by Wiley.
She is also a debut author in cyber crime fiction with a short story in the Sisters in Crime NorCal anthology Fault Lines, which is due out in early 2019.
She consults on all things cyber security for Fortune 100 companies, television shows, and media outlets, including BBC and NowThis News.
She was a significant contributor to the Tech Museum of Innovation's acclaimed Cyber Detectives interactive installation, one of the museum's most popular permanent exhibits, which earned praise from the Obama Administration.
"Years of being a paralegal, I think like a lawyer and that's helped me very well."
"My Google works a little better than other people's Google."
Someone said to Robin once: "I've got an hour... can you teach me everything you know?"
"Taught myself Assembly by writing a program all in assembly, just to prove to myself that I understood it."
Combination of Enthusiasm and Perseverance
Creativity matters a lot!
Setting up a home lab to train
Robin's First "Hack"! EPIC!
There isn't a linear path into information security; a degree isn't necessarily needed.
Matt Toth is a Senior Security and Veteran Sales Engineer. Matt has two decades of experience in IT with a focus on cybersecurity, having collaborated with the Department of Defense on war games and advised senior leaders on possible cyberthreats. With a passion for security, Matt is deeply engaged with the community to educate and prepare the next generation of cyber professionals.
On top of that, he’s a good friend of mine in the industry with solid advice for those looking for a career in Information Security.
In our chat, Matt breaks down a Sales Engineer’s role, explains his love of conference badges, and gets philosophical on issues related to those trying to make it in the field.
The jack-of-all-trades nature of Sales Engineer work.
Matt describes one company’s dishonest approach to “AI.”
How a luxury car and stylish threads can make the wrong impression on your client.
Con culture and breaking through the shyness barrier.
Matt delves into #BadgeLife.
The surprising accuracy of Hackers and Mr. Robot.
How Matt’s art school aspirations shifted to IT.
InfoSec wargames and the “Russian nesting doll” scenario Matt encountered working with a client.
Why some companies prefer to live with a security problem rather than attempt to fix it.
Lastly: Have you been keeping an ear out for my Easter eggs? Listen closely.
“I’m here, the customer trusts me to be here, and I’m gonna make sure that when they’re done, they’re happy with the situation so that they never come back and say ‘Hey dude, you screwed me over’.”
“You have to understand that you’re responsible for your own success. You can’t hide because you do have a quota.”
“If you really don’t like the technology you’re dealing with you’re not going to sell it well.”
“It’s awesome… It’s iconic… that soundtrack is still incredible! On the way out to BlackHat this year I watched Hackers on the airplane and it was freaking me out… all of the attacks… are real world attacks we’re dealing with today still!”
“When you’re meeting with your audience, understand who they are and understand what they expect.”
“‘Hi, I’m Matt and I’m an InfoSec addict!’ ‘Hi Matt!’”
“If you’re just getting into the industry, recognize that all of us have our skill gaps. There is no one who knows everything.”
“My thoughts on certs are, do you like to get paid?”
“Most insider threats aren't malicious, they're just people trying to do their job and oftentimes working around the system to try to be more efficient.”
Masha Sedova comes from a history of computer scientists! Her grandmother was in the first Computer Science graduating class in 1954 under Stalin in the Soviet Union!! She loves challenges and is now utilizing what she thought was a waste of time in Liberal Arts to conquer challenges in Information Security using behavioral science, emotional intelligence, and other human factors.
Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral science to transform employees into security superhumans. Before Elevate, Masha Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma and SANS.
Grandmother was in the first Computer Science graduating class in 1954 under Stalin in the Soviet Union!!
Her Grandma taught her dad and her dad taught her programming around the 6th grade.
Had access to a computer only through the local University.
Masha began her search across three disciplines.
Leaderboards work well for only a small subset of people.
"You can't patch a human being."
"We've taken a technology solution to a human problem, and I think that's totally the wrong way of going about it."
"Without the human interaction we would not have been able to get that alert."
"Focus on failure as an eventual outcome."
"I like picking hard challenges and very tall mountains to climb and computer science seemed like a tall mountain."
"If you give people the correct amount of challenge, that is a state of happiness."
"I found that leaderboards are effective for a small subset of people."
"The reason people don't do things is not because they don't know."