Ever wonder how a young girl with an intense fascination for programming and computers catapults into the world of IT, becoming a crucial part of Microsoft's security research team? Let's navigate this riveting journey with Miriam, who shares her personal experiences of making her way into the IT realm via an unanticipated apprenticeship that turned her life around. From her childhood passion to her current role in the industry, we delve into her remarkable story.
Miriam's tale is one of determination and grit, with her unwavering perseverance finally landing her a position at Microsoft - an opportunity she initially turned down. Learn how a chance conversation swayed her to embrace this offer and how she finally achieved her ambition of joining Microsoft's red team. Here's a glimpse into her daily life, the challenges she tackled while relocating, and the company's evolution amidst the pandemic.
Apart from her inspiring journey, this episode brings into focus the significance of professional networking, with Miriam sharing how it can impact both the company and the customers positively. She also takes us through her experience of writing a book on PowerShell automation and scripting for cybersecurity, shedding light on the challenges she faced in the process. As a bonus, find out how you can benefit from her ongoing efforts to promote Cybersecurity Awareness Month, and grab a chance to get a 20% discount on her book! So, sit back, tune in, and get ready to be inspired.
LinkedIn: https://www.linkedin.com/in/miriamwiesner/
Website: https://miriamxyra.com/
Twitter: https://twitter.com/MiriamXyra
Mastodon: @mw@infosec.exchange
Book: https://www.amazon.com/gp/product/1800566379/ref=sw_img_1?smid=ATVPDKIKX0DER&psc=1
Packt Link: https://www.packtpub.com/product/powershell-automation-and-scripting-for-cybersecurity/9781800566378
Book Discount Code: 20cyberbooks
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1:How's it going, Miriam? It's really good to finally have you on the podcast. I feel like we tried to get this thing together a couple times over the past like six months at this point, and you know it's just been a mess in both of our schedules, I feel.
Speaker 2:Hey Joe, yeah, it's great to finally meet you and, yeah, I don't know about way. Yay, we finally made it so, so good to be speaking to you.
Speaker 1:Yeah, absolutely so you know. Miriam, before we dive into what a security researcher does at Microsoft, I want to start off with your background, you know. How did you get into it? What was that journey like for you? What was that process like? Did you have any mentors along the way to kind of, you know, guide you down that path? Or did you discover it and go down at all on your own?
Speaker 2:So I was kind of always interested in IT. When I was a kid I was like, okay, I want to become a game developer or a hacker, but hacker is illegal, so that was off the table. And surprisingly, I never became a game developer either. So but somehow I always wanted to know how to communicate with computers and I started programming very early. I think I was eight years old or something like that, when I developed my first game on my little learning laptop. And later then, after I finished school, I was like, okay, what do I do with my life? And honestly, I had no idea, like everybody out there after they finished school. Maybe there are some people, but they are very rarely, I think. And so my, although my parents were quite against me playing and working with computers, surprisingly it was my parents who found, yeah, in the newspaper they found the call for applications, so for an apprenticeship. And this is when I originally got into IT.
Speaker 1:That's really interesting, you know. So you're, you're, you're based out of Germany, right?
Speaker 2:Yes, so if I make any mistakes, I'm sorry. I'm not a native speaker.
Speaker 1:No problem, you know, I've spent a decent amount of time in Germany and I've always been surprised as to how well everyone can speak English, and so, like, whenever I'm there, I try to like ramp myself up on German and, you know, speak German until I can't anymore, and then, like, when the conversation gets to a point where I can't handle it, it's like all right, I'm sorry, like I'm an English native speaker and they like test out their English on me and it's a fun interaction.
Speaker 2:Nice, that's really cool. Now you also have to deliver, so what's your favorite German word?
Speaker 1:Oh, I don't know if I can even say that you know. So this is the thing, right. So I studied German in college as, like my foreign language, I had to choose one and so I chose German. I studied abroad in Germany for about six weeks and I was getting to the point where I could hear it and understand it, like fluently pretty much, but responding was a little bit slow and I was still, you know, getting used to it and whatnot. And then I came back to the States and I've been back a couple of times ever since, but it's like when I get there, you know there's such a huge gap. But after about 10 days of being in Germany, I start, you know, developing the skills of being able to hear it and understand what's going on. Like you know, last year I was in Germany with a friend for the Tampa Bay Bucks game and you know, in the beginning it was difficult, like I knew what different words were and whatnot, like if I was looking at, like the U-Bahn map or whatnot, or the S-Bahn, like I knew what they were, right, I knew which direction I was going, but like translating it just didn't work in my brain. And then, you know, like we were there for probably 10 days, by the end of my stay, though, I was right back to hearing it and understanding it and I was, like, translating it to my friend, like, oh, this is what they mean, like we got to go over here or do this, you know. So it's a frustrating journey for me, because I wish I could just move there.
Speaker 2:Wow, I did not know that you actually were in Germany for some time. Yeah, cool.
Speaker 1:Yeah, yeah, I've spent some time in Berlin, Frankfurt, Düsseldorf, Munich, I think. I think I need to go other places other than Germany for my next vacation, unless it's for Oktoberfest, and then I'll go. But yeah, I love it. I love going there. It's always a great time, great atmosphere. Everyone's so friendly. That's what always like threw me off in the beginning, it was like everyone is so friendly.
Speaker 2:Yeah, and if you reconsider and plan your vacation, your next vacation in Germany, give me a ping and let me know.
Speaker 1:Yeah, absolutely so. So you mentioned that you know you got your start as an apprenticeship in IT, and is that, is that pretty typical for apprenticeships in IT in Germany? And I ask very specifically because you know, through my studies, right, we learned about the education system in Germany and how after school you typically, like for different trades, you'll go and be an apprentice. For you know, at a certain point in your education you start being an apprentice and then you actually transition into the, into the actual field. I didn't realize that IT even had that option of being an apprentice, right? So is that a pretty typical path or is that, you know, an outlying path? I guess?
Speaker 2:I think back then it was quite a new thing. So there were two paths. So one path was working with the systems, the other path was development and as I thought, okay, I already know how to develop programs, I thought, okay, I want to learn about the systems, and that was basically my direction. But you asked me if that is a typical thing. I would say it depends. I still see that studying also brings you quite far. In some companies, especially if it's a government or a public sector, then you need to have studied. But there are also a lot of people that are following apprenticeship paths. So and they look at me I was in luck and got in the best position ever and I originally went to the school that would have allowed me to study after. But after school I was like I don't want to learn any longer and so I started the apprenticeship and suddenly I just started learning everything I could and I never stopped. Yeah.
Speaker 1:Yeah, that's pretty funny. You got out of it saying that you don't want to, you don't want to learn anymore, and then you get into cybersecurity and IT where, like, the learning never ends.
Speaker 2:Yeah, and I think it also really became my passion to just learn and learn and learn everything I could find. So, yeah, I also thought every time, okay, maybe studying at some point would be beneficial, would be cool, but well, I never studied and I never achieved it. Because every time I thought, okay, now could be the time I found a better opportunity, or I got hired at the role of my dreams, or yeah, and somehow I never found the time to study.
Speaker 1:And yeah, yeah, that's really interesting. So would you say that you kind of stumbled into it Honestly, like you didn't, I don't know. Like probably growing up or even earlier on in your education, you probably didn't intend to go down that path, right? At least that's what it sounds like a little bit to me, Do you? Because for myself, I guess I never intended to go into IT. I thought it was the most boring thing in the world. I thought if I'm stuck in IT like that would be the most miserable thing ever, right, Right, and here I am so many years later. Was that the same sort of thought process for you as well, that you might be bored in it?
Speaker 2:So I also somehow stumbled in it. Or I see it as a puzzle. I was always IT focused, but for me it was not the most boring job, so for me it was the most exciting thing that I could think of because, as I said, as a little girl I was so interested in really understanding computers and communicating with them and really getting to know how they work deep inside, so I did not manage to really understand it 100% yet, but yeah. So, for example, what I'm also super excited about is reverse engineering and assembly, where I'm a beginner at, but I think that leads into the direction of understanding computers. So the dream I had as a little girl. But yeah, basically I stumbled into IT security. So I did not really know that I will be working in IT when I grew up, but I was somehow always interested in but the IT security part I think I stumbled in there. So during my apprenticeship I worked at an institute for foreign and international criminal law and they also had cybersecurity researchers and I observed a lot of their work or could attend even a local conference, which also got my interest sparked. And yeah, after my apprenticeship, by the way, I worked as a developer, but not for games. So and this was when I was already hooked on security and I was literally a pain in the ass for everybody because I was like we need to secure our code, we need to secure our systems. And everybody was like, oh my God, it's Miriam again and she's talking about security. And in the end, I finally reached my current goal and they got more aware about security and they even scanned our code and when we found vulnerabilities, they let me fix the vulnerabilities and I was even able to exploit them. So that was really cool.
Speaker 1:Yeah, that's really interesting. In the beginning of my career, I was working as basically a help desk specialist for an application for a very small company here in Chicago and I stumbled upon security and I started to really dive into it because it really piqued my interest and whatnot. And so I started to look at the security of our application and I found it to be really lacking, like really bad. And so I started to vocalize it more and more of hey, we need to be paying attention to this and all these different things. And no one was paying attention. Right, they were like, oh, we patched that, that's fixed, it's not a big deal. And it got to the point where I just sat down in my VP's office who was telling me that everything was secure, when I knew it wasn't. And I was like, okay, you know this vulnerability that says here that you can gain root via this method that we're vulnerable to, like here's the scanner. Okay, well, I'm gonna get root on this thing real quick, right in front of you, and show you that we're not patched. And I did it. And he was very confused as to how I achieved that. He immediately actually called in the lead developer. It was like, hey, how did he just do this? And they're like oh, he kind of done that, like it was patched, like well, if it was patched I wouldn't be able to do it. You know, it doesn't work out like that. And that was really when I kind of, I guess, earned, I guess, the respect of other people within the organization regarding security so that they would actually take my recommendations seriously and actually act on them and whatnot. But that was a long process of me getting so fed up to the point where it was like, all right, I'm just gonna show this guy and I'm not a good hacker or anything like that so me be able to pull that off. It was probably a pretty easy thing to do.
Speaker 2:But I think it is the most effective way to improve your point Because I hope at least something happened after that.
Speaker 1:Yeah, we definitely changed a lot of things about how we handled security after that. Luckily, I got to run all of that program. I got to manage it from start to finish. It was great experience and I was happy because it made my customers more secure, made them happier. It saved me a lot of headaches too, because I was going on site to federal agencies and the DOD. They would just be destroying me because the product was insecure. I was telling them that it was secure because that's what I was being told. This really alleviated a lot of headaches all over for me.
Speaker 2:Yeah, I can imagine. But great thing, you improved it, so okay.
Speaker 1:Yeah, absolutely. Currently you're a security researcher at Microsoft. How did you get your start at Microsoft? What does that process look like overall? The reason why I ask is because in IT, you get into IT and all that you hear about is big tech. All that you hear about is going to work for a big tech company and getting in the doors the hardest part. What was that process like?
Speaker 2:Yeah, so don't hate me, I was at 100. So before I joined Microsoft I was working as a system administrator. Since I was all about security it's so important In my spare time I learned everything I could about penetration testing and hacking. I was given the chance by a former employer to build my own pen testing department. That went quite well. I legally hacked the first customers. That was the time when Microsoft approached me and asked me if I wanted to work for them, since I just achieved my dream having a pen testing department. I just said no. I told my husband and he was like are you crazy just to decline Microsoft? Are you crazy? He just couldn't take it and he told his best friend. And then his best friend and my husband did an intervention. They listed the positive arguments for Microsoft and the negative against Microsoft. They convinced me to at least speak to Microsoft. I went into the interview process. During this process I was convinced that Microsoft is actually a really great employer and that you could really have an impact also on security worldwide. That was when I joined Microsoft as a Premier Field Engineer, which is some kind of consultant. You go to customers. You have different tasks. One of my tasks was to assess their environments for security flaws, for example, Active Directory Security Assessment or Windows Server Assessment or other security assessments. I also had some permanent customers I regularly worked with and, depending on your work, we also had some freestyle engagements that I worked with. After this role, I worked as a Program Manager for Defender for Endpoint. Back then it was still called Windows Defender for Endpoint and Microsoft Defender. This was basically the role that, I was told, is the only role that you could work with Corp or in Corp. This was a Corp role from Germany. I was told this is the only role that you will ever get when you want to stay in Germany.
It was already a dream role back then because it was a great role. You had a lot of challenging tasks and got to see so many environments and got to work with so great customers. My dream was quite a long time to get back in red teaming or to become a security researcher. This was when I literally tried and brute-forced my application in. As a human brute-forcing. I applied to every security researcher position I could find within Microsoft. I applied, applied, applied. I got denied, denied, denied. Basically, it was always the question are you willing to relocate to Redmond? For me it was like no, I don't want to relocate because I have my family and friends here in Germany. I applied a lot. I think I applied for more than two years. In the end, at some point, one person that already interviewed me got promoted to be a manager. It looks like I convinced this person in an interview before. When he became a manager, he asked me hey, do you still want to become a security researcher? I was like oh, I'm Jamie. My heart just stopped a beat. I was like, of course, yes, I had to go through the entire process again and got interviewed again. I had the luck that also the interviewer had the impression that I might fit into the team. I was so obsessed with this role. Somehow I was really really lucky that my manager and also his manager and everybody in line was up to make an exception for me to work in this role. I was really really lucky, combined with a little bit of human brute forcing.
Speaker 1:Yeah, that's great. It's such a huge ask for someone to uplift their life and move to another country. For me it would be another state, but that's a huge, huge ask. I feel like in this current modern-day ecosystem that we're in, where everything can be remote it was really well proven out with COVID it's almost unreasonable to ask someone to have to relocate for a role, especially if you're not an executive. You're not an executive, you don't have to talk with the board, you don't have to talk with other executives. It's not necessarily a collaboration thing, even. It's just different, if that makes any sense at all.
Speaker 2:Yeah, so don't get me wrong, I really love visiting the states, but I just did not want to leave my family and my friends. That was no option for me. You said it. We just proved it with COVID that it is possible. And I still don't really understand what so many companies are still trying to force that people relocate. So I was really really happy that it worked out for me in the end and I think now after the pandemic also, Microsoft got a little bit looser with the relocation policies.
Speaker 1:Yeah, that's good to hear, because in security you hear about other companies, like Amazon, demanding a three-day workweek and internal memos coming out saying that it'll take years for them to get back to a five-day in the office workweek. It just doesn't make any sense to me because if I was to work for Amazon, they have a Chicago office. I would go into the Chicago office, but how many other people on my team are going to be in Chicago? So if that answer is none, then why am I in? Because everything else can be solved over a meeting. It would be any other time. The logic isn't there and I hope that companies are catching on to that in some regard. It sounds like Microsoft has. Microsoft is probably one of the few big tech companies that I haven't heard of a real big push to go back to the office, which is it's refreshing because other companies really take their lead off of big tech and what the big tech guys are doing and what these other smaller companies should be doing and whatnot, because they're really trying to keep up and keep their talent and whatnot.
Speaker 2:Yeah, but I still think it will take some time until also the smaller companies keep up, because usually it's hard for them to just have the same policies and not only work policy-wise, also security policy-wise or something like that. So they also need the people to get the work done and to have the trust in their employees also. Maybe.
Speaker 1:Hmm, so what's the day-to-day like as a security researcher? Is there any cool security researching areas or topics that you have dove into that just like blew you away and really opened your eyes to something, or what is that like?
Speaker 2:So, basically, every day or every project is different, so you can't say this is 100% security research, and even every role at Microsoft is different. So I, for my part, I work in the Microsoft 365 Defender Research Team, so we are the ones behind the Microsoft 365 Defender correlations and everything that is related with this area, with this topic. So if there is more than one, I used to call the sub-product pillars. So, for example, Defender for Endpoint, Defender for Identity, Defender for Office, and so on, I used to call those products pillars of Microsoft 365 Defender. And as soon as there is more than one pillar involved in this project, this is our team who is working on it. And yeah, so there were many, many cool projects so far, and one of the latest is also related with AI. So, yeah, for example, Copilot, but I cannot tell you too much about it.
Speaker 1:I'm sorry. So something like Defender for AI is potentially coming or being researched, looked into in some way.
Speaker 2:No, that's not what I say. I don't know if that is something that is coming, but so Security Copilot was announced as your AI helper to help you to answer questions or to just help you to see with one glance what is the problem in your environment. Because there are many companies that have too few employees and also not the knowledge, because knowledge is expensive and so they need the employees that they have to do all the work, also security-wise. But what if there is a really huge incident that you would need hours to get an overview on? And using Copilot, it can help you to get an overview within minutes, within seconds, basically, and yeah, that's really interesting.
Speaker 1:You know, with Microsoft, I look at their security stack, I look at their tech stack and I try to picture how it evolved over the years and overall it seems like Microsoft's security is like night and day compared to what it was even five to eight years ago, which is really saying something you typically don't see. Whole companies kind of revolutionize how they do, an entire pillar of their business, slash something like security. And even eight years ago it was kind of laughable if you said, oh, I have Microsoft Defender. You know, like everyone's just like, oh, OK, that's not going to do anything for you. But now you know that whole perception has completely changed within the security community even is like, yeah, I have Microsoft Defender and I'm protected, Like I'm significantly protected with this solution and whatnot, and it's, I feel like Microsoft creates a very interesting scenario where you can go as far into Microsoft, like as you want in terms of consuming services and, you know, providing your whole tech stack for you, and they do offer other avenues to bring in your own tech stack. But it's just interesting to me that Microsoft offers, you know, so many different services and whatnot. Do you ever find that challenging internally, potentially to, I guess stay on top of everything.
Speaker 2:Oh, yes, so I don't stay on top of everything. So what I immediately thought about was, when you mentioned all these technologies, was the time when I went out as a PFE, so that some kind of security consultant at Microsoft and I went to customers to assess their environments. So basically I was focused on one technology like Active Directory security or Windows Server security, and the challenge, or one thing that I found funny, slash challenging, was that when you come to a customer and you have the local Microsoft on your back, they immediately assume that you need to know everything that Microsoft ever did, that Microsoft ever released and you are the expert of it. And so when I came to customer and they were like, oh and, by the way, I do have a problem with my Teams installation, can you help me? And I was like I have no idea about Teams, so I never worked with that. Sorry, I use it only as a user. And they were like but you are Microsoft. And then you had just to explain that, yes, but you are specialized, so you have your areas of expertise and you don't know everything that Microsoft ever did or you are not an expert in everything. So, yeah, so.
Speaker 1:Yeah, that's a really good point. You know, even as a security professional, I feel like sometimes we just assume right, like when a big tech consultant is in the office it's like, ok, this is the time to bring up. You know, absolutely everything that's going on, you know like, but that's not the best way of going about it. I have found, you know, from being on the other side and actually providing services to customers is to, at least you know, point them in the right direction. You know, for me at least, right, I'm sure, at Microsoft it's so much more difficult to even do that because you know it could be a team within a team, you know, that handles this one little thing that they know about right, like it's just a complicated problem to even just do that, I would think.
Speaker 2:Yeah, so sometimes you don't even know who is responsible for what when it's another product. You know your peers. You also might know, if you have worked with someone in the past, that this is somebody you can go to and say hi, hi, remember me. Great talking to you again. I want to work with this product that you are currently working in. Can you help me to find the right person? And this is basically the only way that you get the right person. Or you ask people if they know people who know other people, or you just browse internally if you find some key words connected with some other projects. But, yeah, so Microsoft is huge, and if you don't know the right people, or try to connect to the right people, yeah, you don't find it.
Speaker 1:Yeah, yeah, it's going to be a very difficult time for you and you won't be able to provide that like that next tier of support and service. You know it's networking is a critical part. That you know I bring up a good amount on this podcast is because you know, it's not always about what you know, it's more about who you know, and that's not necessarily. You know. Who you know is, you know, getting you the job or anything like that. But it's like you know you could be in a situation where you know a customer has a question about something that's like, well, I'm not the right person, but I know the guy, like I can get you in front of them and typically, you know, maybe they have a, you know, a backlog of like a month, right? So you can't get on their calendar for a month. It's like, well, I can get you in, you know tomorrow, right? And those sorts of things really make the difference, because you're not only leaving a good impression within your own company for doing that right You're raising the bar for your own company but you're also leaving a really good impression with that customer, you know. So you're making connections without even really having to do that, which pays dividends. You know, is that something that is kind of taught at Microsoft or instructed upon at all, is that you know developing your network and making sure you know that you're maintaining it properly, and things like that. Is that ever talked about?
Speaker 2:Yeah, so during my onboarding but this is sometime ago so during my onboarding there were a lot of sessions where they really advised us to network, to get to know other people, to keep those connections alive. And again, so when I got involved with all of this, yeah, I found it at first hard to have those enforced networking sessions that they said, okay, go out and network. But in the end it really made sense and keeping your connections in your network is really beneficial. So, as you said, it's not for getting the job or something like that, but it's to get things done and sometimes it can make the difference if a request just yeah, just sinks down and drowns, or if you can fulfill the request or it's also a matter of time. So, if you are really eager to fulfill the request, and if you don't know anybody, it can still work out. If you just do the work and, yeah, just browse for who can do that and ask who can do that, but if you already know the people and have sense of direction, that is way faster than just asking around. So therefore, yeah, it's really beneficial to have your network, to know your people and, yeah, it was encouraged in the beginning, but I only found its worth during the time and I never networked for any reasons. I try to keep it real because otherwise it's not authentic, and you know what I mean. I really try to keep authentic and genuine connections and not just for the sake of it, because that's not how I do it.
Speaker 1:Right, I think you know one important factor with networking is being yourself. You know, not trying to be something that you're not, or someone that you're not, or trying to emulate someone else. You know that stuff comes off, as you know, disingenuous and yeah people will pull away, you know, and not want to network, not want to be a part of your network and whatnot. So it's extremely important to really just be yourself, right, and then live in the moment. I guess you know you brought up that you work on the O365 Defender team. Can you tell me anything at all about the, what was it? The Microsoft Outlook breach or attack that happened a couple weeks ago? And I'm not asking for any internal information, right, like because I, for me, right, I didn't even look into it myself, I just saw that that happened and it's like, okay, well, I'm heads down in this other thing, I can't worry about that. Can you talk to me about what it was or what you saw or anything like that?
Speaker 2:I'm sorry. I'm currently on parental leave and so also for the last weeks. I just saw it, but I did not really dive deep into it because my little one just does not leave me any time Completely understandable. Yeah, you are, I think, also a father and you know how it is. And yeah, I just have some. I just have some beautiful time with my son, and so I need to catch up when I come back. Yeah, yeah maybe we can cut that part out.
Speaker 1:It's fine, it's not a big deal. I mean, you know, I bring on former spies, right, for instance, and I'll ask them a question. They'll say like, oh, I can't answer that, you know, it's just onto the next topic. It's not, it's not a big deal, right? So you know, miriam, I also saw that you put together a book pretty recently. It was released. It's a PowerShell automation and scripting for cybersecurity which you know I find really interesting because you know, I'm not a developer, right, I'm not a coder or a scripter, really like. I can read it most of the time, but, man, if you put me in front of a terminal and say, go create this thing, I'm not going to be able to do it. You know, I just don't have that skill, probably because it hasn't been, you know, ingrained into me and at one point in time in my career I was actually I really put a lot of effort into learning PowerShell and PowerShell seemed to be probably the easiest I guess, you know, scripting language or whatever might be right to learn for me to actually pick up. And so I always, you know, really enjoyed doing anything in PowerShell, and the power that PowerShell actually gives you on a system is enormous, right and you don't realize that until you start diving into it. So what made you want to go down this path? And one, why did you want to write a book? Because that's a huge undertaking right there. And why did you choose this topic?
Speaker 2:So basically, this is also something that I just stumbled in. I never planned it. I always thought that it was really cool writing a book and I thought I will never achieve it. I thought this is really really big. And I was very active in the PowerShell security community. I presented at conferences like Black Hat or PSConfEU or others and I also wrote some open source tools using PowerShell which I also presented at those conferences. And somehow I think this was my footprint in the internet. And one day I was contacted by the publisher, Packt, and they were like hey, we saw that you do a lot with PowerShell security and we find that really interesting. Would you be willing to write a book for us? And I was so flattered at first and so I'm still flattered that they chose me or picked me and approached me. But my first thoughts were like oh gee, I will never be able to write this book. There's so much knowledge that you need to put into that book and I don't have that knowledge. At least, that was my first thought. And then I just thought about it longer and longer. So I really took my time to think about it, and the more I thought about it I was like, oh, I would really like to read that book and basically what would be needed for this book. And I already structured it in my head and at some point I was like, okay, basically you already have a lot of knowledge regarding PowerShell security and there are, there might be some topics that you need to research, but they are not it's, it's, it's, not that much. And so I, yeah, sometimes I say I made the worst mistake in my life and agreed, but basically I'm still really happy that I wrote this book, but it was so much work that I just joke sometimes that I made the mistake and agreed and when I agreed I did not know how much work there will follow.
And then, yeah, I just started structuring it and creating a table of contents and just thinking about what could be in the book and in which order, which structure, and in the end, during the process, this also really changed. Not too much, but in the end I added two chapters that I initially did not think about and I, when I was writing it, I could just add so much more information that was not necessarily PowerShell related, but security related, and at some point I was really, yeah, just burning to write down all the knowledge and but in the end you just have to make, yeah, the cut at some point and decide what belongs in this book and what doesn't. And if there was some information that does not belong in the book, because otherwise it would have become huge, and it already is really really huge. So I think almost 600 pages, 574, I think, or something like that. Don't, don't pin me on this, but it's already really really big and I would have also I could have added more months to just make it even bigger. And if there is some information in there that I think is, or might be, interesting but not relevant for this book, I also mentioned it and linked it or mentioned some other sources.
Speaker 1:So so you dive into a lot with that, but I really kind of want to break down the, the decision and what was going through your head when you were offered this opportunity. Right, because there's a lot of people out there I mean probably, you know, 95%, if not more of people would have probably said no. You know, I'm okay, that's too hard of a task for me. I don't know what that entails, or you know, there's a million different excuses you come up with to get out of that. Right Like. I don't know what that entails. I've never done that before, and this and that right, but you won't know until you do it.
Speaker 2:Yes.
Speaker 1:And jumping into that unknown water is it's scary, to say the least. You know it's it's scary. You know. I remember when I accepted the contract to create my first cybersecurity course on the three clouds and how they compare to each other and whatnot, and you know I stayed up that night, the night that I had accepted it, and I was like why did I just do this? Like this is dumb, I just made a mistake. Now I'm bound by contract to complete this thing, Like, I don't know how to create a table of contents, I don't know how to create an introduction or like anything like that. Right, and I got through it. And you know it's funny. I look back when I was recording my course and I was, I was such like a nervous recorder, you know, I didn't want to record or be on video or anything. Now I have a podcast and I talk to people about things that I know nothing about. You know, it's such a night and day difference. And now when I record courses it's it's totally different. You know, it's easy. I get through them pretty quick now. But you know, what was that like for you? Did you like also, you know, sign the contract, essentially? And I was like, what the hell did I just do? Like, what did I just sign?
Speaker 2:Several times, not only after signing. So after signing I think I felt really good, but the next day I was like, oh gee, why did I do that? I'm not able to write that book. And sometimes you really had those doubts in your head, and not only at the beginning but also during the writing. You had some really really deep lows and I was thinking, okay, I will never be able to achieve this, to finish the book. And at some point I also had the thoughts about just, yeah, just throwing it off, so that I just lay down the project and say, okay, sorry, I can't finish it or whatever. So, but in the end you can get yourself motivated again and it's basically those challenges that you need to overcome. It's all in your head. So it's not that you are not able to do it, it's just in your head. And that's a tricky thing, because your head plays tricks on you and you feel like you are not able to achieve your task. And when you just look at it it looks so big. But in the end you just need to start. And if you just sit on your computer and don't get distracted by, for example, your mobile phone or anything else, then you just sit at your computer and you just write one word and after that word follows another. Or if you don't, if you are not in the mood for writing, you maybe think about the illustrations for your book. And suddenly you are there. If you just said for yourself okay, I'm so demotivated today, but I just have to just work at least half an hour on it just to check my box, to check my checkmark. I just need to work half an hour on it and then I can just let it be and finish my day. And then you just get started and work half an hour on it and then you're just hooked, you are right there in the writing and then you are like, okay, now I can't finish, I need to finish what I have started, and then you are in the flow again.
So sometimes you really have bad days, days when you can't concentrate, but somehow you just need to pull through and sit down and just get the work done.
Speaker 1:Yeah, that's a really good point. You know, I wonder, when you so when you, when you embarked on this journey of writing the book and now you have finished the book, you've published it when you look back on it when you started it, how much of the book did you already know? You know how much of that knowledge did you already have and then how much when you were going through it, where you're like, oh, I need to research this a little bit more before I put this into the book and, you know, kind of get that information right in my head. I would assume you know you probably had somewhere around like 70, 85% of it of the knowledge that it was required and the rest of it is probably fine tuning and adding a little bit more color and things like that to it. Is that, is that correct, or was it a different process for you?
Speaker 2:That's a very good assumption. So I think there were two topics that I thought, okay, I really need to research them, and the rest I already had knowledge about them. But while you're writing, you are writing down your facts and then you can either demonstrate it in your environment or, if there are some background facts that you at some time may have heard of but you're not 100% sure if that really was the case, then you just have to get a source for that so that you can say, okay, yes, all the content that I wrote down in this book is 100% true and or yeah, so at least I hope so. I have some good technical reviews, I think, and I did my research to make sure that everything I wrote down is 100% true. But, as I said, even if you have the knowledge, sometimes you just need to research to also have a source in your backhand. But for the actual research part so knowledge versus research I would say that 80, 85% is a really good assumption. So, yeah, as I said, I think there were two topics that I needed to research. I had some basic knowledge about it, but for going deeper I needed the research and the rest. Yeah, I think was knowledge.
Speaker 1:Does Microsoft offer, like an authors group to internal employees or anything like that? Because I asked? Because I would assume that there's been several Microsoft employees that have written books on topics that are well-respected topics, you know, and well-respected books even, and you know, when I look at some of the top authors from within Microsoft, right, Mark Russinovich is right at the top of that list. You know, the value that he provides on the Windows Internals series of books is it is extraordinarily valuable, right? Like, yeah, I mean, I have it, you know, behind me somewhere as well. It's one of those books where, like, if you're in IT, like you need to pick it up. You know, even if you're not going to read 80% of it, that 20% that you do read, like you're going to understand that aspect of Windows so much more. Is there anything like that at Microsoft that kind of supports new authors or, you know, authors that are soon to be published, or things like that? Because I would assume that Mark Russinovich, you know, has a lot of experience that others could use and utilize and whatnot, and I think that that would be helpful if something like that existed.
Speaker 2:So I don't know if something like that exists, but if it does, please let me know if you find out.
Speaker 1:Yeah, that would be. That would be hard for me to find out, especially on the outside of Microsoft.
Speaker 2:Sorry, I don't know honestly. Oh, no worries yeah.
Speaker 1:Yeah. So, Miriam, you know we're right at the top of our time here and I'm trying to be very conscious of everyone's, you know, schedules and whatnot. But before I let you go, why don't you tell my audience, you know where they could find you if they wanted to reach out to you, where they could find you know, your book and any other resources that you may want my audience to check out.
Speaker 2:So you can find me on Twitter and Miriam I will just send the link to you later and on Mastodon I'm mw at infosec.exchange and on LinkedIn you can find me on the Miriam or Miriam see like on the book. And you can get this book on Amazon or in the bookstore of your choice. And as we speak, I don't know when you will release this episode, but now in October, until the 31st October, there is Cyber Security Awareness Month, launched by Packt. This means that you can get my book, as well as other cybersecurity books, for 20% off with a code 20cyberbooks, I think. Let me just check. I will send the code to you. Let me check. Yes, 20cyberbooks, it is.
Speaker 1:Okay, awesome, well, thanks, Miriam. I really appreciate you coming on and I hope everyone listening enjoyed this episode. All of the links that she mentioned will be in the description of the episode.