Imagine journeying from the opera house to an IT profession. That's exactly what our guest, Akira, did. With an intriguing transition from a classical opera singer to a successful Security Engineer, Akira generously shares their unique story. Their tale is one of resilience, grit, and the power of embracing change, even when it comes from an unexpected stint at a literal circus. You'll be inspired by their perseverance through mental health challenges and their ultimate triumph in a field they initially avoided - technology.
Prepare to delve into the complexities of the opera and cyber world, as Akira expertly navigates the challenges faced in both sectors. They give us invaluable insights into the oftentimes treacherous journey to a cybersecurity career, including the importance of soft skills like effective communication. Their advice on building solid relationships with internal stakeholders and identifying key allies at the beginning of your career is priceless. These pearls of wisdom will not only aid those in IT but can be applied to any field.
Lastly, we discuss the essential role of bridging the gap between development and security. Akira’s perspective on this will reshape your thinking on what skillsets are most critical for a successful career in application security. We tackle the reality of imposter syndrome, exploring strategies to handle this debilitating feeling that many of us confront. This episode culminates with Akira providing a deeper understanding of the problem-solving nature of cybersecurity, leaving us with an appreciation for its solution-oriented aspect. So join us for this journey of resilience and innovation, with a guest whose path from opera to IT promises an enlightening and memorable ride.
LinkedIn: https://www.linkedin.com/in/akirabrand/
Website: https://akirabrand.com/
Speaker 1:How's it going, Akira? It's been too long since we first spoke. I mean, I think I like initially reached out in like January or something at this point, but I'm really excited for you to be on the podcast today.
Speaker 2:Thank you, I am so happy that we finally linked up. This has like been a long time in the making, for sure.
Speaker 1:Yeah, it's been a crazy like six months for me. Yeah, it's like yeah, crazy for you as well, I'm sure. So you know, Akira, I start everyone off with giving their background of how they got into IT. Maybe what piqued their interests, what made them, you know, potentially even think that they could go down this path. Right, because I have a lot of my audience that are new to IT, they're new to security and maybe they're wondering you know, can I make this career change? Can I? Will this actually work out for me? So what's your story?
Speaker 2:That is such a good question and I love that your audience is maybe on the newer side of their journey. So to start out with I want to say yes, you absolutely have a place in this industry. Keep going, keep grinding like, do what you got to do. It's not an enjoyable time trying to break into it. It's really hard. I know I went through lots of trials and tribulations and nights of like crying and you know all that good emotional stuff. But I'm here now and I'm really glad I didn't give up. So don't give up, keep going. There is definitely a place for you. So I will say this I am a career changer. I did not start out in IT. That was not my MO at all. I was actually a Luddite. I hated computers. I did not believe in technology. I didn't own a computer. I didn't own a smartphone. I owned a flip phone and was very happy about it. Back when I was looking to change careers from my previous career to what I am in now, my previous job which may explain a lot of why I was a Luddite was working in classical music. I am a trained opera singer. I performed and taught opera for 10 years and in there I also did a very small stint in seminary school. So that is a world where technology is not necessarily frowned on, but it's very not a technologically advanced field, as it were. A lot of it is still acoustic instruments and you know you're singing with your voice without a microphone, like you really don't have to think about these kinds of things at all. However, about like I said, about 10 years into that career, I got really bored. Like I got really bored, and I was also extremely depressed, like I was just really miserable. I was really unhappy, I was in a really bad place mentally and the career was just not cutting it for me. It was not leading to any kind of fulfillment. It was actually becoming a huge drag like on my psyche and I knew I needed to make a change. 
So what I'll say to that is at the time, my former partner who worked in technology suggested that I look into programming and I laughed at him. I was like no way, like that's crazy, like I don't do computers, we don't do that here. And then he essentially like just said like you know, Akira, like it would answer a lot of questions for you, it would give you financial stability, like your brain would be engaged. You wouldn't be bored. If you can get over that you, quote unquote, don't like computers, you would actually probably really like it. So I found you a code school that have free weekend classes. You need to go check out one weekend classes. You can borrow my computer, I'll drive you, let's go. So I'm actually really grateful to this individual, even though we're no longer together, like he was just so seminal and encouraging me to take this route. I did do the weekend a little like coding boot camp thing, and I fell in love with it. We had two days. One was a front end engineering day, one was a back end engineering day. The front end engineering day I was like, uh, this is like crazy, I don't understand. There's like three things going on Like why am I coding in three languages at the same time as HTML, CSS and JavaScript, of course? And then the back end day we were doing we were posting to Twitter via the Twitter API and Ruby, and I thought that was the coolest thing ever. Like I looked at the code and it like made sense to me, kind of like in A Beautiful Mind with John Nash, where he can kind of start to see the patterns and the numbers, I could actually sort of see, like what was going on here with the, with the code, and how things were working together. So, because of, because of that experience, I enrolled in code school. I went to a school called the Turing School of Software and Design. Um, and, yeah, my, my coding journey started there. 
Flash forward now to about three years later Um, I actually ended up leaving Turing because of, again, I was still just in a really bad mental place. I actually was diagnosed with a really severe mental illness later on. So I had to take some time off and like, get better, as it were. Um, just take some time, get stabilized on medication and whatnot. I'm so grateful for Western medicine and I think, of course, it has its limits, but it has saved my life 100%, like it was a life threatening mental health issue and I am alive, so I will take it for what it is. Um, so I left Turing. However, I did continue to pursue um, coding. I did continue to pursue the tech industry. I took some time off, like I said to, to heal up and then, um, this is really funny I joined the circus. So, because? So I joined?
Speaker 1:The literal circus, literal circus.
Speaker 2:I joined, like a traveling trade show carnival troupe, um, and what I did there is I essentially sold trinkets at trade shows. Now, what the hell does this have to do with technology? Well, I'll tell you right now. When the pandemic hit, all the trade shows closed down and the um mom and pop uh group that I was working for, that did all this, did all this work. I said, well, shoot, we need to transition our business to online, otherwise we're not going to sell anything. And my boss said to me he said, hey, Akira, like you do stuff with computers, right, like you went to code school. I was like, yeah, I mean I didn't finish, but I really want to do it. And he's like, can you build all our online stores? And I said, well, hell, yeah, I'll totally build all our e-commerce stores. So I built all of our e-commerce stores. I had no idea what the HI was doing. Like it was very much trial by fire. Um, I look back at my work now and I'm like, oh, oh, I mean that looks okay. Like it looks okay, it works, it's functional. It's not the most like beautiful thing I've ever done in my life, but it worked Right and that's what really got me in the door. So from there, um, I took essentially every and any technology job I could find that was interesting to me. That also like played on my skillsets. So I've worked in e-commerce as a web developer. I've worked as a software engineer for ed tech Um, I've also worked as a teacher in ed tech. Like, I created a coding bootcamp for full stack JavaScript. So as interesting as like learning full stack JS as I was teaching it to other people. Um, I've worked in developer relations for cybersecurity companies, because I have that heavy performing and teaching background from teaching music, um, and performing in opera and, of course, marrying that with technical skills has worked really well. But I always, always, always, always, wanted to just go on the engineering side of things. 
So my, uh, current position now we're fast forwarding all the way to now is as an application security engineer. So, straight engineering with a company called resilient, which is a for profit company that empowers and scales nonprofits. What I'll say to that is that I was able to get this position because I worked really hard, like at doing extra things at every single job I did, to learn the engineering side of things. Um, and I found my kind of like trick is that I can teach someone else something that I will learn it. So my entire career until now, I've been teaching other people about technology and learning the technology as I'm doing it, um. So I've also like mentored people through code schools. I've mentored people through hackathons Like I've done a lot. I've done a lot of teaching and that is kind of like my personal brain hack of how to teach myself engineering skills, and so I just did that every single job I was at. I did a lot of volunteering as well, um, and it all sort of like kind of hit this tipping point where I was finally prepared to take on a full engineering role, and that's where I'm at now. Now, what I'll say again is to the people that are new this took me since 2018 and I didn't become like a full blown like quote unquote like engineer until January of this year. So it took me five years, um, from the beginning of enrolling in code school, to like full blown security engineer. So that's why I keep saying like, don't give up because it can take some time. Right, I took the scenic route, for sure, absolutely took the scenic route, did a lot of uh, did a lot of tech adjacent roles. But if you want to be an engineer, like, just do whatever job you're doing as best as you possibly can do it. Um, let people know that you want to ultimately be an engineer. Um, apply for those roles, interview for those roles, help other people reach their goals in engineering and you'll learn a lot and I think it will work for you. 
I mean, maybe it won't, but I'm pretty sure it will, so don't come after me if it doesn't.
Speaker 1:I'm sorry, but yeah you know, I, I, I think the most interesting part maybe for me that I didn't expect at all when I started this podcast, was the extreme variety of backgrounds that I would be talking with. You know, with everyone, right, that everyone has it's um. I mean, you're obviously the first one that came from the circus, the literal circus. Um, you're obviously, you know, the first opera singer I've ever had on, probably the last. I mean, that is probably the last thing that I would ever guess for a security person to come from. You know, and, um, it's extraordinarily interesting to me the, the wide range of you know backgrounds that we have in security and you talk about, um, you know, never giving up right, and your journey was a little bit longer than than mine actually probably double what mine was because it took me about two and a half years and I even had IT experience just to break into security. Um, and that's the important part, you know, when I'm mentoring people and I'm talking to them about you know, my journey into security, what it would take for them to get into security, and you know things like that, as I'm sure you do as well. You know I try to even talk them out of it. You know, because if I could talk you out of it over just a conversation, you know, with some coffee or whatever, you're probably not not cut out for it, because this field is extremely difficult, it's extremely rewarding, you're always going to be learning and if that isn't a fit for you, then it's just not a fit for you. You know, like, let's not try to fit a square into a triangle hole, right, like it's not going to work. But if my active persuasion of trying to get you to not commit to it doesn't work, then this field is probably for you. 
You know, like, if me telling you, you know, no, you're not, you're not for this thing, you know it's not going to work which, by the way, I would never, I would never tell anyone that they're not for it, right, it would only be in an effort to persuade them or dissuade them from doing it. And if you come out of that and you say, hey, you know what, like I'm still going to do this thing, it's like all right, like my efforts worked. Actually, let's do this, let's go down this road, do you also approach it, you know, from from that same mentality, from that same kind of effort, right, because of the difficult path that you went down. Do you also approach it that same way or do you approach it differently?
Speaker 2:You know that's a good question. Um, I was given that treatment actually in opera. So in opera, like, there's a very pervasive sense of like, if you can do anything else, do it, because opera is so freakin hard. Like you're on the road all the time, like you're hardly ever with your friends and family, you have to live the life of a nun or a monk. Like you can't party, you can't drink, you can't smoke, you can't have tattoos, you can't have dreadlocks, you know. So I'm definitely in my rebellion phase right now. Um, when someone comes to me and says I want to do security, I don't necessarily give them like too much tough love, because that was given to me in opera and like it definitely motivated me, but it only pushed me so far. And once I actually like did the thing, I was like okay, I did it. Like now, what? Like I kind of lost a little bit of my joy for it, like through that sort of messaging. Um, not to say that that's the same for everybody, but that's just kind of what happened to me. Um, what I will say is are you prepared for a long, arduous road? Like, so it's kind of the same message, but a little bit more. Um, not like I try to talk someone out of it, but I do try to give them the facts that, like the industry right now is not necessarily the most accepting the newcomers, it's really difficult to get your first job in cyber. Um, at least from my experience and from a lot of anecdotal experience of other people too, I've never seen anyone just like get a job in it outside of you know, maybe they call, they go to college for it or whatever. I've never seen that, um. So I guess I just have to say, like, do you have grit? Like do you have the ability to persevere when things are really really difficult and are you lit up by solving really hard problems and learning all the time? So I guess, Joe, it is kind of so much what you're saying I just give each of them like a slightly different, a slightly different messaging medium.
Speaker 1:Yeah, I would say it's. It's very similar. Um, you know, like for me, right, like I do it in just that first conversation, right, you pass the first conversation is like all right, let's get to business. You know, let's, let's get to work. You know, I'm not, I'm not spending eight weeks trying to convince someone not to do it, like that's a waste of my time at that point you know, they're like okay, dude, I'm still here, Like you can stop trying to convince me. Right, right, that would never work.
Speaker 2:Right.
Speaker 1:But, um, you know it, it's interesting, right, Because it's it's so extremely difficult, you know, to get in, to learn the skills, to get the experience. And I feel like a lot of times, you know, nowadays, right, people kind of want that overnight success almost. And I think that even potentially going through a bootcamp or getting a degree in it, you know earns you the right at that, at that position, at that role in the industry and, you know, maybe it earns you the role at a very low level analyst position at the right company that's willing to teach you it, that's willing to work with you on your soft skills. And a lot of companies don't have that mentality. I mean, I mean, like 99% of the companies do not have that mentality. You know you're going into security and you're you're kind of. You know you're kind of going to war. You've been to war before. You already know what it's like to earn the respect of someone else in the room that you know doesn't know you has less technical knowledge or capabilities than you. You know you're able to make friends rather than continue. You know potentially a 10 year disagreement between your organization, this other organization that you you just started at. You don't even know that that exists right, but you're breaking down, breaking down barriers, and it is challenging and I always tell people, you know, to start in help desk first, because help desk, you know you're going to get all the issues. More importantly, you're going to be working through all those soft skills that you learn. You know, because, like for myself, I started with help desk right out of college and you know I can't even tell you the amount of times, even just in one day, where I'd pick up the phone and the other person on the other line is already pissed off at me. They're already having a bad day. I mean, like they've been struggling with my product for hours and they decided to just call me now. 
You know, even like it's 4pm, like I'm about to leave in 30 minutes and it's like, oh my God, like now I'm, now I'm going to be here. Surprise yeah, you know, and I and I may have just gone through a difficult day, you know I may have just gone through back to back calls of you know, nothing but unhappy people. And you know, now I have to grow through that right. I have to. I have to learn how to handle that, how to not give up, how to keep going, when to hand it off, when to escalate it. Those things, those things are expected in security right. Is that also your mentality with it or your experience with it?
Speaker 2:Yeah, I mean wow. Honestly, the biggest surprise in working in my current role which I'm so glad that I've prepared for and I have so much more room to grow with is the soft skills. Like just the communication can influence like influencing people to do what you're doing, to do is no joke. Like it is no joke knowing how to do the political game of like who do I talk to to talk to this other person, to talk to this other person to make sure this thing gets done. It's not necessarily like Game of Thrones politics like no one is like playing the Game of Thrones and you live or you die, it's just security training right. But it can feel like that a little bit, though, right, like how do I? How do I do? How do I do what I need to do so that other people are motivated to do what they need to do, so that we're all secure here, and that is not easy. What I'll say is that my biggest boon in that area has been my teaching experience, because a lot of teaching involves motivating other people to do things that they may not necessarily want to do but that are going to get them to a better place, right? So, for example, one mistake I made was like I just like gave security training to the engineers in my company. I was like, hey, do this training. And they were like cool, what's in it for me? Like why do I have to do this? Like forget you, lady. And now I'm learning, like how to like essentially frame this truthfully, because this is the truth, that this will help them in their career. It will help them in their getting promotions, getting raises, becoming more respected by their peers. But I can't just give them a security training and expect them to like fill in all those amazing gaps. 
I know that, but they don't know that, and if I tell them that it means one thing, but if I can get their engineering managers to tell them that that is an entirely different ballgame, and if I can get the lead engineer excuse me, the lead event, the head of engineering to tell the engineering managers, to tell them that that's even better, so the more I can stack this in a way that is like look, this is beneficial not just for our company or organization in being more secure. You know, we have better CIS scores Woohoo, cool. But we're positioned better in the market where we are more attractive to customers, and it's better for the engineers themselves to have these skills. And that is something that I did not realize was going to have to be done with so much finesse. Right, and I'm learning. I'm learning a lot. Like that is a big area of like oh, I can't just like plop something on someone's desk and expect them to be, A, excited to do it, because, like, if someone did that to me, like I wouldn't be, like I don't care, like cool, thanks to this extra work. And B, I can't expect people to just intrinsically know why this benefits them. I have to tell them.
Speaker 1:Yeah, that is. You know. You bring up a really good point of not being able to just, you know, hand something over, plop it on their desk, so to speak, and expect them to get it done and be okay with it, right, you know? It reminds me of a time when I worked for a credit bureau and the security team that I was on had a very bad relationship like extremely bad with the database admin team or database engineering team and, like I set it out as my personal mission because I was the lead on this team to you know, kind of mend some broken pathways there. And you know I spent probably a month, maybe two months, of taking their team out to lunch, buying them drinks, you know, stopping by their desk daily, seeing how they're doing maybe not daily, weekly, definitely seeing how they're doing. Before I ever asked them to do anything right, when I asked them to do something it wasn't a get it done immediately. I kind of need this. You know, maybe within a couple of days, right, and it just got plopped on my desk and so I need your expertise. You know that sort of thing.
Speaker 2:Yeah.
Speaker 1:And it was interesting because a couple of months down the line you know me and my team we were performing an upgrade and we ran into an issue that was very specific to the database. It was something that, you know, none of us would have known to how to resolve. Right To them, it's a 30 second issue. They know exactly how to do it, like this is just normal everyday things for them. For me it's not. And whenever we're talking about a database, I get nervous because I've dropped too many databases in my lifetime and I know what that's like. And you know my team had someone from my team had called them basically into our conference call. It was trying to get them to help and they were very standoffish, very against it and whatnot, and I was just busy at the time, right. But when I heard that they were, you know, being very difficult to work with, I chimed in and I said, hey, you know, this is Joe. You know we need your help. We called you because we don't have this expertise, we don't know what we're doing and we just simply, you know, need your help. And the whole conversation changed as soon as I chimed in, as soon as I was present. They knew I was there, they knew that I had exhausted all of my resources, that, like, I wasn't even Googling the right things, right, like it was at that level, yeah, and they were much more willing to help me Once I put in that work though of the previous months. I was, like I'm not going to give up that work though of the previous months of stopping by again to know these guys, taking them out to lunch, learning what their favorite beer is right, buying them a six pack of it over the weekend and, you know, bringing it to them on Monday. You know, like that sort of stuff, right, and this is all coming out of my own pocket, like I'm not using it on a company card or anything like that, like I'm putting in genuine work here.
Speaker 2:Yeah, yeah, I mean, the more you can build, the more relationships, the better. I'm so glad that you just told that anecdote because like I feel like that's above and beyond, like I haven't even thought about like, oh, like, what's someone's favorite XYZ thing? Like maybe we can like get it for them or whatever. I love that. It's almost like what I'll say is this when working with internal stakeholders to be like corporate about it internal stakeholders a good way to think of it is that you are doing customer service. Internal stakeholders are your customers, right? And when you do white glove customer service, that's when really magical things start to happen. And then I think this for me personally, the second I start to think of my internal colleagues or internal stakeholders is not customers, but just like coworkers. Where we all have to do this thing is when it loses a lot of the magic right. It loses a lot of the spark. One thing that I found this is actually a cool lesson my father taught me. My dad worked in oil and gas and then he worked in insurance sales for like a really long time and he did really well for himself. And one thing he always did for people is, he said, do the extra work. That's like the paperwork for them so they don't have to do it, and that will go a long way. So, for example, like when I gave out my secure coding training recently to the engineering managers, I like made them all tracking sheets. I was like, hey, like you know, we can't. We, I looked into if we can do this through a particular piece of software. We have to track who's doing it. We can't, so here's like a sheet for it's. I just made it for you. It's like did this person do it, yes or no? The end and they were like, wow, this is really great. Now I don't have to go make this sheet. And like figure out a way to track this. And it's like off their mind. If you can do little stuff like that, I guess that's my equivalent of like buying someone a six pack of beers. 
Like please, let me help you make your job a little bit easier. And, yeah, like the more personable you can be, the better. The best person I have ever seen in the security space, the best person. I'm going to give her a major shout out. Her name is Tanya Janca. She was my former boss at Bright Security. Her people skills are ridiculously good. They are exceptional. She is so good with people and she's so effective at her job and I think part of like I mean, she just that's, that's her special trick, right. She's just so dang good with people and people want to do the thing for Tanya. They want to do it for her because she's so fucking great. Pardon my French, it's true and I that was really inspiring to me too, like just to see her, like just how good she is with people and I mean that's, that's all this is. It's just we're just engineers in the people business, right. Like that's all that's all this boils down to, yeah.
Speaker 1:I think that's actually really important. What you said you know offering like a white glove treatment, because I think a lot of times when you're an internal, you're an internal employee just dealing with internal customers. Right, you think of white glove treatment typically with, like, a CEO, CIO. You know the executive suite. Yeah, rarely do you start thinking about white glove treatment with internal stakeholders that you know assist you to keep your product running. Yeah, right, and that's kind of the the important distinction to make, right, security is very different. Where security people, they typically know exactly what's going on with their system at any one point in time. They're they're very good at understanding. Let's just say, you know Windows Server 2016,. Understanding the ins and outs, what a DLL should be doing, what it shouldn't be doing, things like that. They'll probably even know how to deploy a database, how to set up the database. You know maybe even read the database logs, right, it's a totally different ball game when we start looking at database logs, determining what is wrong and then figuring out the command on the database that resolves it without destroying the database. That's a very different skill that takes database engineers years of experience to develop, and so it's important for us to understand where our limitations are and making those relationships right where, where we need them to be. You know, like I had to make a relationship with the database team. Thankfully it paid off, you know. But I've had to make relationships with systems teams, infrastructure teams, networking teams. Because, you know, maybe I'm doing a different project. You know like currently at my current workplace, I'm doing a cloud WAF deployment. Right, I've never done a cloud WAF before. I've deployed other technologies that are similar to it. I assume it'll be, you know, roughly the same difficulty level as a proxy or whatnot. 
Right, but I still need the networking team input. I need their help because I don't know, you know, are we doing, I don't know, BGP or some other protocol between this endpoint and that endpoint? Do we need to intercept to the different way? I mean, there's a million things that I don't know right, right, and I'm not a network security person to save my life, right, like we can start talking about, you know, encryption and stuff, but like that's kind of where it cuts off. And so it's important to identify who you know, not in a disingenuine way, but who you need to befriend and who you need to kind of give that enhanced treatment to early on for you to be successful in the role.
Speaker 2:Yeah, absolutely. And like I know, if I ever go to a different company and do the same kind of job again, that'll be my first priority, Like now that I know that right, like and I guess that's something else that I would say to all of our listeners is, like, if you are also like wondering, like how do I get into this career? What's a good skill to develop? Like I know how to hack everything, I know everything about SQL injection. Like why don't I have a job? Um, maybe practicing that kind of like white glove treatment with maybe the people you're interviewing with, like one thing that is really good to do is like go look at their LinkedIn and like learn about them and be like hey, like I saw you, I saw you volunteer at such and such, blah, blah, blah. Like my uncle volunteers at whatever it is right. Like find commonalities, like learn how to make friends and build those relationships with people in your networking excuse me, in your network that already exists, and then you can take those skills into your new job and that's definitely something that I am really looking forward to like doing again, getting better at and you're so right, Joe. Like when I first started, I was like oh my God, I need to know everything. Like how am I possibly going to do this job? Like I'm going to need to be like a programming wizard and like a network engineer wizard and like know everything about every single help desk ticket. Like I was like there's no freaking way, like I don't know that I can do this job, and like you just pointed to. What I realized quickly is my job is not to do everyone else's job. My job is to empower people to do their job in a secure manner. That's it. That's all my job is to do. And I need to know about the security. I need to read the security books. I need to do the security courses. I need to futz with the DAST tool that's giving me a headache and having me tear my hair out. That's my job, right. 
I need to go through the particular pain points that I go through and let other people do their job, to not try to not try to overstep my bounds. At the end of the day, the big theme is stay in my lane, right?
Speaker 1: Yeah.
Speaker 2: Yeah.
Speaker 1: It's a good point to kind of, I guess, shift gears a little bit. But, you know, maybe maybe some of the most difficult people that I have encountered to get to do something, really anything, is developers. And it wasn't until a recent role, where we actually had an AppSec team that handled all of that stuff, that I saw what success was like from that perspective. The reason why they were so successful is because they were all, this is a team of all like previous developers, they all knew how to develop an application, how to write code. You know, inside and out, they spoke more coding languages fluently than they spoke English even. I mean, like you know, I'm saying like their skill level was extremely high with coding in ways that I'll never achieve. And so there was a skill gap slash, like communication gap, that I had with developers that I just couldn't fill, you know, because I didn't. I mean I didn't know like, if you put some Python in front of me and said it did this, I couldn't really challenge you on it. I mean I couldn't say yes or no. It'd be like, okay, yeah, that's what it does. You know, these guys were able to, you know, step into the situation and not only describe the code of exactly what they wanted, you know, the developer to write, but they were able to properly explain the security implications of doing it that way. Yeah, and having that bridge is I mean it's, it's absolutely required, especially nowadays, right, because we're not only developing more things faster than we ever have before, but we're putting them up into the cloud, and in the cloud, you're typically separating everything out, right, which is a totally different way of developing something on-prem legacy way that you know was was normal when you and I started in IT, right, of developing it all in one stack on one server. Maybe you have a database server that's separate, but you know it's all together, right, in the cloud.
It's all separate and it's completely different, and so it's. It's so extremely important, you know, if you're going to go down the AppSec route, to honestly, in my opinion, be a developer first, right? Is that what you've run into as well, you know, in terms of your developer skill set really paying dividends, in terms of how you engage with other developers, how you get them to do things that you know they would normally push back on a lot? Are you able to answer questions more effectively? I guess I'm asking too many questions right now, all at once, right, because I'm kind of, I'm kind of fascinated, though, you know, like these guys, you know, that I encountered. They were, I mean, they were the smartest people I've ever met in security, and that's really saying something.
Speaker 2: Right, yeah, no, security is full of really smart people. That is so interesting and I want our listeners to understand that this is a matter of opinion. If you do not fall into a particular background, it does not mean you're doomed and you can't do this job. Like, like Joe said earlier, people come to this job from all kinds of backgrounds. Right, I have not had a ton of development experience. A lot of my experience has been in more like teaching, like so, teaching tools and things like that. I can read code really well. I can write code okay. I would not say that my sweet spot is in writing applications. I can code, I can write software and like I, my personal, like genius, is being able to explain why something matters in a security mindset. So, for example, like you were talking about, like your developers, like they could like refactor a piece of code, let's say they could be like you know you should try it this way and it'll run it. You know X times better with. You know X memory. You know just, it'll be better, it'll be more performant, it'll be, you know, easier to read, whatever it is, right. So I can do that, but I can also. What I can really do is explain why this matters for security, for example, like, well, if we refactor this code, then we're going to have less of what's called an attack surface, and an attack surface is blah, blah, blah, blah, blah, blah, blah, blah, blah, blah, blah. And then I will explain these security concepts so that people can then be like, oh, not only am I getting rid of technical debt and refactoring whatever, but because it just will make my code more performant, it'll make my code more easy to read, it'll, you know, lead to some like resiliency in the code base. But also there's now this security thing called attack surface that I can also now be mindful of, and I'll be able to explain what that means to them really, really well. So, like I said, I've learned that I need to stay in my lane.
I can't come into a developer space and be like, oh, I know how to write this better than you, because for stuff I haven't been working in their code base for as long as they have, like I can't write it better than them. I'm not like a freaking wizard, like I'm not a genius. I know there's coding geniuses out there, but I'm not one of them. But I can give them extra tools in their tool belt to make sure that what they are doing is being done in a secure manner. So that's kind of my zone of genius, as it were. So I definitely want to say, like you know, like does it help to be an amazing developer? Hell yeah, like I wish I was a better developer a lot like. I'm constantly learning, I'm constantly like taking classes, I'm constantly trying to write my own stuff, like with varying degrees of success. One thing I want to do, as well, is like start contributing to like open source, so that I can like have a little bit more of like a regular practice, and like it's also more important, at least for me in my viewpoint, to learn about the security implications of like things like secure code review, things like DAST tools, things like SAST tools, things like oh gosh, what else? Like doing like audits of all of our particular pieces of software that we're using? Like how can we do third party integrations in a secure manner? Like there's so much more aside from just writing code that goes in the app stack that I was completely unaware before I started doing this job, and the things that would differentiate me are those particular things. Like it's not, like oh, I'm going to be a better coder than you are. It's, oh, I'm going to have a more security oriented mindset than you are, that I can teach you so that you can be a better coder. And what I'll say again to all your listeners is, like everyone's different, like that may not be your approach, that might not be your zone of genius.
Maybe your zone of genius is you are an extremely proficient coder and you can do like you just know about security headers and you always do the right thing with input validation and that's just like in your second nature and that's like what you can do. But maybe you're coming to it much from like a programmer mindset first and a security mindset second. I come to it from a security mindset first and a programmer mindset second. Have I had success? Yeah, do I know any different? Could I be more successful if I was another way? Maybe, but I don't know. I just I'm only me and that's my limited viewpoint of it.
Speaker 1: So, yeah, yeah, I think you bring up a really good point of knowing your skillset, knowing your strengths and then really learning how to lean on other resources to make up the difference, right, and I think that that is something as new people are coming into the field, they have to kind of learn and understand that you're not going to be an expert in developing an application and go laying than a developer, right, like you don't need to be that. You need to understand the code, you need to understand what you're looking at. You can maybe even write some, right, but you're not supposed to be the expert in that. You're supposed to be the expert in how to secure whatever that is in that code. You know, and it's an important distinction because I think as security professionals, we're a little bit more curious than other people. We're a little bit more even self-conscious in ways, right, of knowledge, of skillset, of imposter syndrome, right, and it's important to know where those boundaries are. You know, for yourself and even for your team when you become more senior and directing them through this process as well. You know, have you encountered very much imposter syndrome? And I ask because your background is an opera singer, right, so I would imagine me personally, I mean, I would definitely be struggling with imposter syndrome on a daily basis. You know, if I was an opera singer, which I do not have the voice for, I don't have the skillset for, my wife is a violinist and, like she's the talented one in the family, you know, oh, that's so cool.
Speaker 2: Yeah, oh, wow. Imposter syndrome, there is a lot to say about that, wow, and we only have like 10 minutes.
Speaker 1: Should we have a part two for imposter syndrome?
Speaker 2: I have thoughts, man. I have some serious thoughts. I'm going to say it this way. Imposter syndrome is twofold. Fold number one, true imposter syndrome. Actually threefold, sorry, threefold, whoa. True imposter syndrome, which is a feeling of deficiency or not being good enough or feeling lesser than. I think that is a psychological thing, that is part of the human condition. I think everybody has it in some area in their life and if they say they don't, they're lying to you. And if it shows up in your professional life, that's just where it shows up and that's what we call imposter syndrome. Do I deal with that? Yes. Do things to mitigate that? Absolutely yes. Like, I seek help dealing with that through many different channels and avenues. Otherwise it will completely cripple me and it's not good. So if you're feeling like, genuinely like I'm lesser than, I'm not worthy, I'm not good enough, like honestly, the best thing I can say to counteract that is like talk to a mental health professional, talk to a trusted friend, take psilocybin mushrooms and have an experience about it. Like you know. Like do what you need to do to like really take care of yourself and realize that you are in fact worthy and have inherent value. That is very important, not only for a job but for just a good quality of life. Right, the second thing I'll say of the trifecta is genuine imposter. Like maybe you just don't have the skills, right, like maybe you're in a job and the skills required of you you just don't have. I love that section of imposter syndrome because that's easy. You just go get the skills, you just go get the training. For example, at one of my jobs I was a developer relations for a company called FusionAuth. Man, that job was way over my skill set. Whoa, holy moly. I was like not up to par for that job and I had to teach the shit out of myself how to do a lot of that job. And I learned a lot. Like holy crap, I learned a lot.
And so if your internal like clock or your internal compass is like hey, like you may not really be up to this task because you don't, you have a big skills gap. Listen to that and close the skills gap. It's okay, like it's okay to not know. That's why you're in this job. I think in tech, everybody also has imposter syndrome because there's a huge skill gap. There's always something new that you need to be learning and applying just as soon as you learn it in order to do your job. So I think that's also why we talk about imposter syndrome a lot in tech is because, yeah, like true to fact, we're all kind of imposters because we just don't know what we need to know ever, right, and then we know it and then the next problem comes. That's why we get paid the big bucks is because we're solving problems that no one has ever solved before. So, yeah, that's going to lead to some psychological like oh shit, like maybe I don't know what I need to know. The problem then is when that goes into the psychological side of like I'm not good enough. It doesn't mean you're not good enough, doesn't mean you're less worthy, it just means you don't know the thing and you can go learn the thing because that's in your capability to do. If you were in this field, you have that capability. It's proven. You can do it. You can do it. I promise you can do it. The third section of imposter syndrome is living inside of a flawed system that is genuinely not designed for you. This is especially true if you're a minority group in technology, if you're a woman, BIPOC, LGBTQ, maybe you have a disability, maybe you are neurodivergent. The world is not necessarily designed for that and you can be operating in this world that is not designed for you and that can lead to a lot of feelings of inferiority and you have to realize no, I'm just working inside of a flawed system.
A lot of people did the very best they could to create this very flawed system and a lot of people are doing not the best they can and they're actually making it worse. And that's just a part of life, right. Learning how to maneuver in a jacked up system and changing it where you can and accepting where you can, like that whole serenity prayer, right, God, grant me the ability to change the things I can and accept the things I can't change. That is almost like a spiritual practice of work or spiritual practice of life. Right, it's like learning to accept that you may have these feelings because you're working in a system that is probably not designed for you, even if you are one of the people it's designed for. Everyone is different, everyone has tough times in their life, and it's just. Life is hard, right. So that's what I'll say. That's the three pronged view of imposter syndrome. I could go very deep into all those three topics where we don't have enough time.
Speaker 1: Of course you bring up. I think a lot of it has to do with mental health as well as, like you said, identifying that the environment isn't necessarily made for you. It's more about you figuring out how to potentially be yourself and be successful in this environment. That's not an easy thing to do for anyone and I've talked about it before on this podcast. I haven't talked about it too recently, I guess, but mental health is extremely important. This past weekend I went and did a float session at float 60. It was fantastic. I have one of my personal goals for the year is to actually do it between six and 12 times. I'm a little bit behind, so I got to rank it up, start going with that a little bit more. But working out regularly, right, going for walks, getting away from your computer, kind of detaching, all of those things they help and they kind of stack on each other over time, right, like. So you start feeling better and better and I guess the unfortunate side effect of that, right, at least for me with my mentality, is like it'll build up. It's like, oh okay, I can stop for a while, right, and so I stopped for a while, and then I stopped for too long and then these issues kind of like reemerge and it's like, oh wait, I need to go for walks again. Oh wait, I need to go work out. I haven't worked out in a while. For me, it's those hard for me. It has to be like a really difficult workout, right? It has to be something that I'm starting to question why am I still moving? That's when I get the most benefit from it. And as security professionals, it's easy for us to get caught up in a world of you have to know everything, you have to know everything, you have to be better, you have to be continuously growing and whatnot, and that'll wear on you for sure. And it's extremely important for you to be mindful of your mental health and work on it. Right. And I think even a part of that is like what you mentioned with the serenity prayer, right?
Just understanding your sphere of control. What do you have direct control over? What do you have no control over? And only focus on the things that you have control over, because it's not fair to yourself to be focused on things that you can't control, because what are you supposed to do in that situation? For me, I'm very solution oriented, right? So when my wife presents me with a problem, like, well, when I present you with a solution, don't be thrown off by it. Or when I'm knocked down so many times, it's like, okay, you tell me how to solve this, because that's just how my mind is right. I'm very solution oriented and I think a lot of us in security are. So, it's just yeah.
Speaker 2: That's why they pay us the big bucks or the $80, I mean whatever.
Speaker 1: Yeah, you bring up another good point. I have a friend that I made this friend early on in my security career, thankfully, and he told me that you know, we earn our paycheck maybe at the very most two or three times a year. I mean at the absolute most. Right, I said well, what do you mean? Like I go to work every single day, I'm working hard. He goes, no, you earn your paycheck because we're paid way more than what other people in IT are. Typically, you earn it when everything's going wrong, when your system's guy has no clue of what's going on with the server, when the networking guy has no clue of what's going on, when the database guy doesn't understand the logs that he is reading. You're the type of person that has to be able to come in and sort out the chaos, direct the team, develop a plan of action and move forward and resolve that issue, because your company is more than likely losing money every single minute that that issue goes on, and so that's how we actually earn our paycheck, and that's very true. You earn it when everyone else is in disarray. There has to be some major issues going on, and hopefully that doesn't happen three times in a year, because people are probably losing their job if it happens three times in a year, yeah, Ew Right, oh, shoot.
Speaker 2: No, that's true, Joe, and one thing I'm really grateful for that I found cybersecurity in my career path is that that was also my sweet spot when I worked in opera. Like I was the person people would call if a soprano got really sick at the last second and they needed someone to come and fill in in two hours. Right, I was literally known as the last minute queen. Like if people needed a sub. Like right, effing now for really hard music on like Holy Week or something, when there's like thousands of people, whatever, right, like that was me and I love that shit. Like I love that experience. And like you also pointed to earlier, I think that mental health is really important and you have to be consistently doing things that bolster your resilience. And this is a gross overgeneralization. I could be totally wrong, but I don't think I am. I think people that work in security love adrenaline. I think they are like adrenaline junkies. Right, like there's something about security people that like we just love that edge, right? We're like yeah, like I'm going to dye my hair purple and put it in dreadlocks and like F society and I would like learn how to hack and I'm going to know all the things. And when shit goes down, I'm the one that's like, yeah, I can fix it. Like we love that adrenaline rush, right, and if we aren't careful, that will overtake us, especially in my case. I'm not 20 years old anymore. Like my body is like you better take care of me or I'm not going to take care of you because your lifestyle is a little extreme, like you're a little bit of an extreme person. So, yeah, I think that you're right, we do earn our paycheck in that we can, like essentially make sure the entire company doesn't implode, which is good.
So, like a lot of people rely on us for their livelihood, right, they rely on us for the company's reputation, for the data, you know, the whole CIA triangle, like this confidentiality, integrity, availability of customers' data, like these are big responsibilities. They are like they wait and they can weigh heavy if you think too much about it and if you don't take care of yourself. Like you got to take care of yourself. Otherwise, it's like this will just get in your head. Man, like I had my first existential crisis about working in security a few months ago where I was like, oh my God, like if I mess up my job, like so many people are going to be affected in a non-trivial manner, and I talked to a friend of mine who's a CISO and they were like yep, did you work out today? You know, like that was kind of their response. I was like no, I'm going to go to the gym and pick up something really heavy and like not think about it. But yeah, and it's good that we want to learn all the things, because we have to have that kind of drive, we have to be the kind of person that does have our tendrils and a little bit of everything, right, like that has our my silly old network throughout the entire company. We're constantly getting information and putting information out and like we have to be that type of a temperament, like there is a temperament and that's I'm so glad I found cyber, because I'm like, yes, my people, my people, I try, but yeah, if you don't take care of yourself, man, like forget it, yeah.
Speaker 1: So yeah, absolutely. Well, Akira, you know we're at time, unfortunately, so I'll definitely just have to have you back on it. We'll talk more about, you know, mental health and imposter syndrome and all that good stuff. But before I let you go, how about you tell my audience, you know, where they could find you if they wanted to reach out to you? Maybe, you know, the company if there's a website? I know you're on the Security Weekly podcast now for Application Security Weekly. So if you just want to, you know, say where they can find you. That'd be great.
Speaker 2: Yeah, so you can find me. A good way to get in touch with me is just to email me. You can find me at the T-H-E Akirati A-K-I-R-A-T-I. It's like the Illuminati, but the Akirati, you know. So that's an email address I use just for correspondence with, you know, people that hear me on podcasts and want to ask questions and whatnot. I'll do my best to reply. Sometimes I get swamped and it's just like you gotta just kind of catch me on LinkedIn. LinkedIn is another good place to follow me. I like to write a lot of like long form posts on cybersecurity and also just life and philosophy and music and stuff like that. And lastly, I do have a website. It's akirabrand.com. It is very in need of a revamp, so a lot of the information is kind of old. But every time I go on a podcast I'm like man, I really need to update my website. So check it out. By the time you're listening to this, I may have gotten around to it, which is very exciting. So, yeah, and also, I guess, sorry. One last thing, you can find me on Application Security Weekly. I don't host every week, but I host about once or twice a month and you can hear just my hot takes on all things cyber. I'm, I podcast with the gods, right. Like the people that I do the podcast with have been in the industry for like a bazillion leaders and they're so knowledgeable so I'm the person that's like hey, like explain to your less ha ha ha. So you can kind of. If you're a beginner, it's really good for you to listen to this podcast because I'm also coming to it from beginner mind, right, so you'll get a lot out of it. Actually, on the, on the shows I'm on, you're going to hear a lot of like bringing in perspective. So that might be that will prove useful to you. So that's how you can find me.
Speaker 1: Awesome. Well, thanks Akira for coming on. I really enjoyed our conversation and I hope everyone enjoyed this episode.