Episode 20 with Guest Brian Anderson

Brian Anderson

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Brian Anderson to learn what it’s like to be an Information Security Officer/Service Delivery and Operations Manager! We had a really great time, discussing everything from not having time to get snacks in between virtual meetings, to how extraverted you need to be to have a job like his. He also provided excellent guidance on how to succeed in InfoSec, and life in general.

50:29 Shownotes

Transcript

Welcome to the We Hack Purple podcast, where each week we interview someone from the information security industry about their super interesting job. We Hack Purple is a training academy, an online community, plus this awesome podcast. This week’s episode is sponsored by ThreadFix, which is powered by Denim Group, and our guest this week is Brian Anderson, and he’s going to tell us all about what it’s like to be an information security officer as well as a service delivery and operations manager. And I know what you’re waiting for. You’re like, Tanya, just bring the guest out. Oh yeah, I’m Tanya Janca, I forgot, I’m your host, and here is Brian Anderson. Welcome, Brian.

Hey, thank you for having me.

Oh, I’m so glad that you could come on the show. And you might have noticed that we have very different lighting. This is because I have twilight turned on to take all the blue out of my screen, but Brian has the opposite, where he is in 80s TV land.

I was born in 80s TV land. I grew up on MTV, so here we are.

Awesome. So could you tell us a little bit, like, you know, what your title is, and then what is it like, what is your job like, I guess?

So I have an interesting job that has changed quite a bit over the last couple of years. So I, I started as a systems admin for a luxury brand in New York, and, uh, it turned into becoming the information security officer, information security manager, and now I’ve kind of come full circle. I’ve added service delivery and operations manager to my title, which makes me both the head of the IT infrastructure team, all the sysadmins, the help desk and all of them, and I manage the security side of things, which makes life, complicated would be the best word for it. Sometimes I feel just a little bit schizophrenic. I’m not sure which answer to give, uh, the, the sysadmin engineer answer or the security answer, but I try to give both. That’s usually my job.

Okay, I love it. Um, yeah, so you kind of have almost like a conflict of interest with yourself.

Just a little. Um, the way I tried to describe it
was, I was given advice when I became, when I really got into security, which was: buy the operations manager lunch. And so I took it quite literally, and I do it every day now. Um, it is sometimes very difficult to know where to draw the line. Um, but at the same time I think the rewarding and positive part is I’m able to bridge the gap that often happens between infosec, pure infosec, and IT. Uh, you know, I try to, I try to tell myself all the things that really bothered me when I was in security, do the opposite of that, uh, and, and then, you know, I try to do the same thing for the other side. So I sort of meet in the middle, and I try to treat both of the teams with some independence. I try to make sure that they each have the power to do what they need to do for their own, uh, for their own success. But I think, you know, the positive is usually a net win for security, because I almost always will make sure to ask and involve, you know, what’s the security team think about this, where are we going with our strategy. Uh, my job is a lot of talking, you know, talking between teams and talking to the business about both subjects.

So what would you say, like, a day in the life is like for you, like, when you go into the office? Because a lot of people were really surprised when I explained that an AppSec engineer needs to be super duper social but a pen tester actually needs to spend a lot of time by themselves.

I, I have, um, you know, I think the, the, the, the thing I wake up to every day and then have to kind of really get ready for is I’m a mix. Um, a lot of my job is in front of the business. Being the information security manager and an officer, I’m generally the management face of the security team, so I’m the one who is talking to the business about security risk, I’m the one who, uh, helped develop the security awareness program. If there is an incident, generally I’m the one who’s trying to relate it to the business, outside of what the, an analyst team and what the incident handlers are doing. So I’m sort of
doing the translation for them. Um, on the operations side it’s a lot of project management and making sure everybody is getting things done day-to-day, but also trying to make sure that I’ve got enough resources to focus on some of the things that security really gets bugged about, like patching. And, you know, I, I, I’m glad that I have the ability to say, you know, security guys, I got this, we’re gonna go patch, we’re gonna go do these things, because that’s, you know, part of the job. So it’s, so it’s a win, but it’s wearing a lot of hats. It’s, you know, being able to do a little bit of everything. I don’t always want to be social, but I kind of have to sometimes, and then there are times where I have to push everybody away and say, okay, now I have to focus on, you know, the behind the scenes, you know, let me sit down with, you know, an analyst and figure out what’s going on with this packet capture kind of thing. So it’s a little bit of everything.

When you start doing two jobs, because I’ve had this happen to me before, so they’re like, oh, like, this person left and now you’re gonna do all of their work. Did you start getting two paychecks, I asked?

Yeah, that was certainly a, a concern, and, you know, I would not turn it down today if I, if I had both ryan’s open if you want to send more money, like, he is okay with that. Yes, absolutely, absolutely. Um, but I, I guess to be fair, the opposite, uh, was when they offered me the position. It was, I, I, I can’t go into detail about all of the, the planning behind it, but I remember the call. I was on the way into the office, and so it was really early in the morning, and I get this call and they say, can you stop by HR, and, you know, as soon as you get in. And so I had the opposite feeling. It was not, you’re going to get offered a new position, it was, oh god, I’ve been fired, I gotta call my wife.

Everything that you’ve done recently, it’s like, that didn’t seem that bad, what did I do wrong?

It’s like, oh no, we just want you to do more work.

Oh wow. Um, okay, good work rewarded with more
work.

Uh, but, you know, it’s, it is rewarding. Um, it’s sort of getting told that I’ve been doing a good job on two fronts, because, like I said, my background coming into tech was, you know, started on a help desk, I don’t know, 20 years ago, um, and it was becoming an engineer, becoming an Exchange admin, and then getting into security, getting into networking. So I’ve come full circle, and it feels a little bit like they’re saying, hey, way back when you started this you had a good idea, we kind of want you to keep doing it. And so it does, it does feel pretty good sometimes.

Have you worked there a long time? It sounds like it.

Yes. Um, I’ve been there, um, I’ve been there for a long time, a long time, but it wasn’t really the beginning of my tech career. Uh, before that I was in Chicago. I did some consulting work that, I started on a help desk for an insurance company. A lot of my experience is with small companies, which I really specialize in, and my company, despite the brand, is still, it acts like a small company, and I like that.

Yeah. Okay, so I have more questions. So what types of personality traits do you think someone needs to be good at your job? Like a good listener, or like lots of leadership, or maybe they need to be good at punching? Just kidding.

I’m not good at that, so I, I would fail miserable, uh, miserably. I, I think, uh, one is communication, uh, really being able to translate really complicated concepts, uh, and break them down into something that’s digestible. It never gets simple, uh, because when you try to get too simple people really kind of miss it, uh, and, and they want to boil it down to incompetence or what went wrong, and it’s not that, it’s not that simple. Uh, I think for me a lot of it is, I look for a good communication skill, which includes listening. Um, it requires a lot of multitasking. Um, you know, it’s, it’s never the same thing every day. Um, and, you know, even early on, before I became a security manager, I was often working in environments where you were doing multiple tasks. You were both the
analysts and the incident handler, and you were trying to develop something on, uh, you know, for some sort of educational benefit, and you’re trying to teach a little bit, and you’re trying to do this, and you’re trying to do that. Uh, so, you know, I, I really look for, uh, the ability to multitask, to take off one hat, you know, take a deep breath and say, okay, I’m gonna switch gears and do something really, uh, different, uh, than what I was doing just a few minutes ago. Um, and I try to take advantage of being able to learn quickly. You don’t have to know it all, but you do have to pick up from others, especially new concepts or new ideas or new ways of doing things, in a really short period of time, because there’s not a lot of leeway when things go wrong.

Seriously, oh my gosh. It feel, it feels like, um, you have to be able to handle a lot of different things at the same time, well, be organized, and also you must have to make a lot of decisions.

Yes, decision making is important. I think the biggest decision to make that I advise, and, and I’ve been really talking a lot to some of my team members to try and empower them to make decisions, is the decision is when to delegate to someone else a task that I don’t, either don’t do well or that I just simply don’t have time to do. And I’ll be honest, it’s not easy to do. I, I know I’m the kind of person, yeah, I kind of, if it’s mine, it’s, I’m, I’m going to hold it kind of close to my vest. But it want, it’s been kind of beaten out of me in, in, at times where, you know, either deadlines slip, which is not good, um, or the opposite really, that, you know, people don’t feel like you trust them. And I, I think that’s really, really important. Trust is critical with a team, uh, in security especially.

Yeah, we have to trust each other.

Yes.

And so in, in French, so I speak English and French because I’m Canadian and some of us do that, and in French we say I take a decision, but in English we say I make a decision, and sometimes I feel like to be a leader you have to take the decision, if that
makes sense, because you have to be, especially if you’re doing incident management, sometimes, like, you have to be like, this is the decision, now let’s go do it. And some people just can’t, you know, like those people where they spend 10 weeks buying a pair of pants. You’re like, you can’t lead a security team, because you can’t do that with security.

Yes, yes, yes. Um, I think, yeah, I, I think you’re absolutely right. Um, I, I, I think one of the most important parts, especially with the security teams, a little different with operations, uh, you want to sort of foster that creativity and let people debate endlessly until you come to the right decision. With security, time is a factor, and so at a certain point, you know, you let everyone talk, you want everybody’s voice to be heard, you want that diversity, but at a certain point one of you is going to have to say, okay, here’s what we’re going to do next. And it’s, you know, you can always go back and ask more questions about other ideas, you don’t want to throw anything out, um, but there is, there’s a certain point of authoritativeness that’s really important. Um, and, and, you know, afterwards I tend to have to go back to my team and say, hey, I’m sorry, I didn’t mean to cut you off, it wasn’t, that wasn’t, you know, I want to hear more about that idea when we’re not doing this, because there may be some value. Uh, so it’s, it’s, uh, yeah, that’s, that is a big challenge.

Oh, I love it. Okay, so we have a bunch of people watching, and I want all of you to know that you should click the thumbs up if you’re enjoying this. I did, just kidding, I will after, because I’m busy talking to Brian. Um, but also, if you want to ask Brian a question you can put it in the chat. And I follow Brian on Twitter, that’s how we met. Basically I was just like, it’s like Brian says everything on Twitter that I’m too afraid to say. Like my thoughts, like, I’ll have a thought in my head, I’m like, oh, Brian just tweeted that, yep, and then I’m gonna like it but then be too afraid to retweet it. But I’m like, oh, he’s
so spot on so often.

I, I, I feel a lot of pressure now.

No, but, like, you say a lot of really good security things. You say a lot of things about politics. So because I’m Canadian I tend to only comment on Canadian politics, but our countries are neighbors and, you know, I look across the way and wonder what’s happening sometimes. Um, but I try not to comment, because I know that when other people from other countries make comments about our politics I’m like, back off, you don’t understand, blah blah blah. Like someone that I like made, yeah, someone was making some comments about gun control in Canada and I almost lost my crap on him. I was just like, actually, and he’s like, it’s a right, I’m like, no, that’s in your country, go, go home, you’re drunk. Um, and we’re still friends, but, um, so I know I can feel like very, like, we have a different culture, right, and I shouldn’t comment on their culture. But I like reading Brian’s comments, and so I’m going to say his Twitter handle out loud for people that are listening. So it’s at, B like Brian, T like Tanya, Anderson, and then 72.
So also you could just, like, tweet at me and say, yo, how do I follow Brian, or you could go to our podcast show notes, which are at wehackpurple.com [Music] podcast.html. We’re getting a new website soon, so it’ll probably be somewhere else in a few weeks, but for now it’ll be there. But that said, I am supposed to promote something on behalf of We Hack Purple. We are just, like, I am not in charge of marketing now, so someone else is in charge of it and they have good ideas, and so we’re giving away two free email courses. So basically, like, for one week we’ll teach you a thing for free, and the first one will be incident response and the second one will be scaling your security team. So the incident response one will be about, like, how to respond to, like, a software security related incident, and then scaling your team, like, how to do a security champions program, like, what you should delegate and what you should not delegate, because you’re going to screw that up. Um, and so if you want to sign up for this, haha, the trick’s on you, you have to join our newsletter. So the newsletter is newsletter dot wehackpurple.com, pretty obvious, right? Okay, I’m done my marketing now, Brian, for now. Then I’m gonna talk about ThreadFix later. So when I have more comments and more questions. So your job now, you might not think it’s super technical, but you’re able to make a lot of decisions easier, probably because you’re, of your extensive technical experience. What types of technical skills do you feel someone needs to have, or experience that they would need to have, to be able to be good at, and can you explain it for, like, each different job, because you sort of have two jobs in one? Would that be okay?

Sure, no, that, that’s absolutely, that’s absolutely possible. Um, I am by nature a generalist. Um, I love all of it, uh, and what I found from a technical level for both jobs is that understanding a little bit about everything helps, because especially nowadays all of our technical experience is intertwined. We’re rarely on a team
of people who just do one thing, and, uh, so, you know, I try to, I try to encourage people to have the broadest base of technology that you can. Learn a little bit of coding, learn a little bit of engine, network engineering, learn, you know, a little bit about systems and software and operating systems, so that you can be cross-functional, because I think it’s very, very difficult now to find an IT department or a security department where we’re not crossing boundaries all the time. My dev team currently is very small, and if I need coding help I have to, you know, either figure out how to do it myself or go to others to do it. So, you know, it helps me to have a little bit of understanding of how to do Python and how to work with this and how to work with that, you know, a lot of, uh, integration. So what I really recommend is grab it all, because you don’t really know until you’re in the environment and into the job which is going to be the strongest part of your skill set that you’re going to need for that particular, uh, organization or operation. You might go in thinking, I went in thinking I was going to be an Exchange administrator, and now they don’t let me touch email at all, except phishing. They let me do phishing, that’s it.

So you click on the phishing emails?

I, you know, I, I set them, forget that I set them up, and then, um, and then I nearly clicked them, and it’s not, but then if you follow my Twitter you know that I don’t find phishing tests to be all of that, all that, uh, helpful, um, in terms of education. I have, there are some benefits to them. I really do believe that you can get value out of it, just not, you know, I try not to punish people for

Oh, no, no, positive reinforcement rather than punishing for failing, fo sho.

I mean, for sure, no, absolutely. I mean, you know, that’s, I think, one of the other skills that I really push for from people is compassion. Really understand that the people that we work for are just people. They’re good people, they’re bad people, uh, they’re competent, they’re scared, they’re
insecure, they’re, uh, you know, sometimes they’re, sorry, can I say that? But mostly, you know, you have to figure out how to set up a program that incorporates all of them, uh, and, and all of us. So there’s not really a single skill or a single technology that I would say everybody must learn, uh, something. But I think, you know, find something that you’re happy learning about, um, because you’re gonna have to do it for the rest of your career whether you want to or not.

That is so true. I would like to note that I agree with, like, basically everything Brian said, uh, and I really like the idea of trying to get the broadest technical experience you can, so that you can see things from the other side but also so you can make the absolute best decisions for your organization, like, both so that the solution you find is good but also that you pro, like, the solution you find is secure. Because sometimes you have to be super creative and understand another way to do something so it can actually be a good solution and a secure solution. Um, someone was tweeting at me earlier today, Tanya, I’m reading your book, Alice and Bob Learn Application Security, you can get it on Amazon. Um, but they’re saying to me, oh, like, you said, you know, users don’t like captchas and that we should use a cross-site request forgery, like an anti-CSRF token, instead, but that doesn’t stop against brute force attacks. I’m like, okay, so you’re only on chapter two. If you keep reading, we’re going to talk about, like, defense in depth and layered security. So you could do, like, a CSRF token, but then you can also, you know, set up resource quotas, throttling, alerts, and all these other things so that you can catch the bots, so that you can slow them down and annoy them and, like, just cut them off. Also, like, you can block IPs, like, there’s so many things you can do. But, like, captchas still suck from a user experience perspective, but if you don’t know there’s these other options of things you can do instead, you’ll be that security person that says
you have to use a captcha because brute force, and you’re like, actually, there’s, like, multiple ways to solve this problem. Um, and so, like, what can we do that is a good solution but also a secure solution?

Yeah, I, I 100% agree with you, 100% agree. I think one of the things that, when I talk to my teams about it, is about user experience, that, uh, you know, you know, we’ve really started trying to capture metrics about it, like, how do we explain what people are going through when they’re using the application or the platform. And, you know, we asked the question outright, how much multi-factor is too much multi-factor? And we haven’t gotten the answer yet, but we’re getting there, because we realized, yeah, I mean, the security answer is put multi-factor on everything, and I do agree. And so I look at my phone and I’ve got four different authenticators and I can’t remember which one is for which one, and then I’m, like, struggling to find which one is the one-time pass, and then it times out and I have to do it again, and then by the time I have to do it that second time I’m done, I’m not using that application. And then it’s like, well, yes, it’s secure, but nobody’s going to secure, I can’t do the user, I don’t want to use it. And, uh, you know, and that’s where, you know, I think my job, having both the operations side and the, the security side, really is a benefit, because I think I now have a lot more understanding of, well, you know, we’re looking at perform, system performance on the operations team and we’re saying, well, how come nobody is using our application, and then you turn and you look over and there’s the security team and we’re all proud and we’re like, oh, we’re the ones that are making this, you know, not work. So, uh, so now we’re really working to create that balance, to make good solutions as opposed to just secure ones. Um, and it’s, it’s, it’s helping, I think. I think, you know, as an industry we have to look towards that, what’s the experience.

Yeah, I believe that is the security team’s job, to enable everyone in
the business to do their jobs securely.

Yes.

And if we remember that, like, oh, I’m disabling this dev from doing their job by sending them a link to NIST and saying figure it out yourself when they’ve asked for help, and this is when they roll their own encryption or write their, I’ll just write my own session management and authentication and authorization, because I’m not aware that the one in my framework is probably the best one for me to use. I’ll definitely write my own, I know better than all the people that designed this framework, right? But it will never work. But we have to, we have to support them, because, because they have a job to do, right? They’re like, I need to authenticate my users, like, I need to do that, and I’m still gonna do it whether you help me or not, and you might not like the way I do it.

Yes, that is absolutely true. Um, one of the things that I learned before I started in this role, you know, as a consultant, a lot of the clients that I was working with had no security team at all, and so I was kind of doing security as a value add to the consulting job, like, I may not have even been brought there to do it. Uh, but the thing that I, I tried to do with, you know, and got from them was a lot of people feeling like they weren’t getting good security advice, and it wasn’t that they weren’t getting any, they were just getting to a point where it was very frustrating, you know, they were, and they were going to do what they needed to do to do their job. And I think the thing I got from them was they had a different risk matrix than what they were putting on paper. When we talked to them about risk, they were thinking about the organizational’s risk, uh, you know, the, the, the, you know, loss of reputation, the loss of income and revenue, uh, you know, work stoppages and so on, and they were putting those all in, you know, in the matrix, and it made sense. What was missing was the individual who was saying, yeah, all those things are true, but if I don’t do this I’m afraid I’m going to get fired, and
that’s a bigger risk for me. And that was a real turning point. You know, people were going around security not because they didn’t believe in security but because their risk was, I don’t want to get fired, I want to be productive, I want to do my job, I want to get my paycheck, I want to go home, and if you make that hard, I, I, you know, I get insecure and I get nervous. And once I started to see it that way, I, I start to see it that way, you know, I’m a little worried when things take too long and I’m not being as productive and my boss is, how you doing on that?

Well, yeah, yeah. I, oh, I was explaining, um, so I had, like, a meeting with a client today and I was explaining to them, you know, if, if they ask us for help and then we send them a pay, like, so I’ve, I’ve seen this where security teams send a link to NIST, or they send a link to the Canadian equivalent, which is ITSG-33, or they will send a link to OWASP’s ASVS, so Application Security Verification Standard, which is an 80 page Excel spreadsheet for pen testers, and it totally kicks butt if you want to do pen testing. Um, but I’m like, it’s the equivalent of all of us gathering in a room and then just putting up our middle fingers and then taking a selfie and then emailing it to them. That’s what it feels like to receive that email if you asked, they asked us for help and we were like, nah, they know how to use Google, they know

Yes, that is, I, I, I, and, and, and what we don’t want to admit is that we don’t really like reading NIST stuff either. I mean, I, I love their guidance, I, I’ve read through it, but not pleasurably, no. It’s, it’s, it’s a lot of, of research and, and grinding, and it’s technical, and it’s sometimes overly technical, and, you know, it’s, it’s not fun, and if it, if it’s not fun it will not get done. Uh, I didn’t mean to make that rhyme, but it, it, it’s, it’s not, it’s, it’s not fun if you have to do it, uh, do it that way. And so we have to find ways to communicate in a, in a way that makes sense, uh, to the business and to the organization that we’re working
with.

So now that we are halfway through the podcast, I’m going to thank our amazing sponsor ThreadFix. They make the most stupendous vulnerability management system this side of the galaxy, and they’re extra wonderful because we just signed a deal with them to sponsor basically until we don’t have guests anymore for the podcast. And so next week is Ubik Security, but from then on it is just going to be us and ThreadFix partying all the time on the We Hack Purple podcast. And I want to thank ThreadFix for basically their completely unending and generous support that they have had of We Hack Purple. They do so many nice things for us, like, more than just sponsor us. So thank you Dan, thank you Sheridan, and all of you, you’re great. Um, and also, uh, I want to note that, um, we just got swag, so we now have a swag shop, and, uh, I told Brian that I would, like, just, like, pretend to, like, drink out of it. I also have t-shirts, but I couldn’t think of, like, a non-awkward way to just, like, jump up and be like, everyone look at my chest, because I, I was wearing a Superman shirt one week and then I was like, everyone look at me, and then some male fans commented that it, they had conflicted feelings about that, and I was like, oh, I’m so embarrassed. Okay, so note to self. So I may, like, next week I’ll be like this, I’ll be like, yeah, what’s up, from really far away so that people could see my t-shirt. Um, but yes, uh, all of those things. I, okay, so Brian, let’s say someone is like, I want to try one day to be an information security officer, like, I would like to try to lead a security team, and/or they want to do, because, like, anyone can listen to this podcast, it’s not necessarily just security people, and, like, maybe someone wants to be the manager of operations and they want to do service delivery and they want to be good at it, and so they want to get training and experience to lead up to that. What types of experience should they try to get, or training might be good, so that they could be prepared and be excellent at this
job, slash, apply and not get screened out?

That is a really good question. Um, I, I love it. It’s, it’s, uh, and, and a few years ago I probably would not have been able to answer it, because I really didn’t know, I really didn’t know what it would take, uh, to be a security officer. So I, you know, I’m, I, I, I think my experience has been, um, the first, I think, is to never sell your own experience short. I really like it, you know, particularly in security, seeing people bring their non-security experience to the table, because our job is to relate to the business, and most of the business is not security. Unless you work for a security company, you’re not doing that. Um, you’ve got to explain and manage risk for people who are worried about something else. Um, so, uh, you know, the people that I look for are looking for pragmatic solutions, and they’re coming, bringing those solutions from somewhere else. Um, and, and so if you have experience in finance, bring that. If you have experience in marketing or shipping or logistics, bring those experiences, because the pragmatism will really do you good in a role as a security officer or a, managing operations team. It’s a lot of pragmatism. It’s a lot of, what’s the simplest way to kind of get to a solution, because, A, you don’t have time, and B, you probably don’t have the budget to do something that is going to be as extravagant as you think it is when you had this great idea. Uh, you’re like, I got this great idea, and then you go, okay, but you only have two thousand dollars to do it with. Oh, well, then let me come up with something very pragmatic to work on it. So bring your, bring your skills from everywhere. Um, and I think it’s really important for diversity, bring everything that is in you to the table. If you’re only going to come in and talk tech, you’re going to struggle in a management or an operations role. Uh, if there was something that I wish I had learned before I really was in the job, I would definitely recommend taking some management courses, and non-tech management
courses, just how to relate to having a team underneath you of sometimes very diverse and sometimes very opposite, uh, personalities. Um, you know, when you deal with, you know, I, I’m blessed with a very diverse team culturally, but sometimes I have to keep in mind that those aren’t always, it sometimes is a little push and pull, you know, sometimes you have to recognize that not everybody recognizes the same holiday. So having some training in that definitely helps, yeah. Um, you know, understanding business in general, as opposed to, you know, the tech side of business, is also helpful. So I would say those are some of my top hits of things to learn, things I wish I had learned before I had the job.

I definitely agree with you on that. Um, so I am in the weird situation where I have only ever worked in tech and I was a professional musician, uh, and, like, I did, like, comedy and acting. Yeah, it’s like, if you look at me up on Spotify, that’s me. Um, but, uh, so I have, like, this weird, very concentrated, like, set of whatever. So then as I got older and I was, like, trying to move it, like, up the ranks in tech, I had to learn a lot of communication skills, because I was used to either talking to really drunk people who would come see me play music or, um, you know, just being in my cubicle coding by myself, and it was like, oh, I have to speak at people and I have to, like, be a little more graceful, let’s say, than I was when I was younger. Um, like, not quite as direct as I could be at times. Yes, Brian is laughing because we both like to get to the point of things.

I, yes. Um, I have sometimes said something and it really, wished I could pull that back. It’s, yeah. Um, no, I, I totally agree, uh, communication is really important, um, and, and communicating a lot of times on different levels. Um, when I am, uh, doing in-person security awareness training, um, I’m not talking to, you know, I’m talking to people who may very well have come from very different perspectives, and, you know, their, their vocabulary, their understanding of technology may be
very different from mine. So I, you know, and, you know, one of the things that I’ve learned, and I think I said it somewhere once and it became kind of a mantra when I look back at my presentations, is look for things that are true but not helpful and then take them out. Because I’m notorious for it. I have gone into and given a presentation and gotten really technical, and it’s like, when on a security, you know, you know, being from security, I’ve said things that were absolutely true, 100% true, but absolutely not helpful, and the faces glaze over and the eyes glaze over and they’re looking at you and then they’re like, I hate this.

Oh my gosh, Brian. I teach secure coding and I, I got hired to, like, plan a training program and they’re like, oh, this is the training we gave last year, and there was six straight hours on encryption and, like, asymmetric versus symmetric, and it was, like, an intro to secure coding for devs. And, like, why are you wasting their time for, like, almost, this is almost a day worth of wasted time. And my boss was like, but, I’m like, no, they need to know it’s encrypted in transit, it’s encrypted at rest, these are the settings I want your security headers, these are the settings I want your cookies, and then that’s it, so go home. Next. Because I have so much crap I need them to know, and you can’t waste four to six hours on this. I have stuff to do that I need to teach them, and that’s not it. And, like, I looked and it, like, um, so they had hired, like, this really high paid consultant, and then here I was, like, coming in as a person that had been a dev forever that had just switched to security, and I was like, no, no, just, like, throwing away, like, we printed it out and I was, like, tossing the stuff over my shoulder, no, no, no. And yes, removing stuff that is not helpful. Like, like, you might want to dive down, like, a tiny bit of a rabbit hole, like, if you, for instance, you’re like, here’s the reasons why using HTTPS everywhere is important, like, here’s the risk. But, like, they all need to know the ins and
outs of asymmetric versus like no one cares and like oh yeah like diffie-hellman this guy you know it’s named after a dude and no one gives a crap they have stuff to do yes yes absolutely um and i mean i i love firewalls i do i i have this weird love for them i you know i started it was one of the first my first introductions to security was was working on firewalls and i’m the same way i will talk your ear off uh about all sorts of things you know and the differences between stateful and all these extra add-ins that have been added over the years and then you realize somewhere about half hour into the conversation that nobody’s following you know they they don’t care even the security people are like yeah okay it’s it’s really important and i you know a lot of times especially in security your boss may not be very technical at all a lot of security teams actually come under finance um because of you know internal controls uh for that organization and if you want to talk to your cfo about uh you know diffie-hellman you have wasted your time you need to drive you need to buy that person a beer yes uh they’ll listen very comfortably and they will walk away my beer’s done i have to go thank you and then you’ll wonder why you’re not invited to lunch as much anymore no it’s it’s it’s true that you know communication is really important knowing your audience is really important um you know translating risk into very different concepts for different people and coming up with new analogies i think i spent a lot of time coming up with a new analogy for how i can explain uh this bad thing that could happen uh is is kind of like an exercise like i should start setting time aside in my calendar and say what’s the new analogy for how i can explain it because it’s a skill and it’s not one that i i think comes easily but when you find someone who has it they’re like dynamic there are people i think that we both follow on twitter that when they when they hit it it’s like oh my god i
can’t believe it they just made this so simple for us yes and then i saved that somewhere yes because it is okay to use great examples that other people gave yes i i certainly hope so because i do so now i have so this is the final question and it is a two-parter and so the first part super easy and the second part super hard are you ready i’m ready okay so what do you like best about your job and what do you like least wow that is a very good question and you’re like the people [Laughter] honestly um the the thing that i like best about uh my job now is really almost the cross-functional capability uh i can i i feel like i have gotten people who were not into security into security and i’ve gotten people who were really security heads kind of looking at the performance in the operational side of things and that’s where i feel like i’m kind of a mad scientist and i’m putting people together and then seeing where they you know seeing where they go that’s that’s kind of a neat feeling uh putting people together in a way that maybe challenges them and know that i’m doing it for the good of my organization and for the good of the industry because it’s all really we’re an ecosystem now we’re not isolated anymore um so you know that’s probably my favorite part of the job my least favorite part meetings lots and lots of meetings i i i i i don’t like them very much i’m trying to be diplomatic i’m not sure i’m succeeding i i it’s not that i don’t like you know i like the socialization aspect of sharing of ideas but i i feel like you know in my role now sometimes there’s so many meetings that we never get to do the thing that was discussed in the meeting so we make all of these commitments and we’re gonna do this and we’re gonna do that that’s a great idea we should do this and i’m glad we had this meeting and then it’s like when are we gonna do it i don’t know i got another meeting and then we never get to do it and so i you know if i could do my job and maybe cut the 
number of meetings by like 65 i would be much happier and i and i think anybody in this role would just be you know a chance to take a deep breath and at least think about whether the stuff that was in the meeting even made sense because it kind of one runs a meeting runs into the next and the next i’m not sure what i agreed to have you have you noticed that since we’ve all started working remotely then a meeting will end and you will literally the exact minute later need to click to the other meeting you’re like i didn’t even get a pee break i don’t like i don’t have enough caffeine at my desk right now yes absolutely um in fact i’ve i’ve started maybe started saying i need to i i need you know i i close every meeting with sorry i have to jump off for another call and i think i need to start saying it maybe two or three minutes earlier so i could go to the bathroom and get a cup of coffee like i was looking at my calendar one day and i’m like like explaining to my sweetheart like so okay so i have like six hours of meetings and then the you know my sweetheart’s like were you going to eat today and i was like oh yeah and it’s like there literally wasn’t a space to do that and i really like eating so eating is i found it to be a necessity right i do it every day [Laughter] i no i i totally agree and i think one of the you know on the flip side of the remote work so both my wife and i are both home i find it just a little bit pleasurable like if i’m not in a meeting in those rare chances i’ll pour a cup of coffee and i’ll just go up and put it on her desk and you know or she’ll do the same for me she sees i mean you know i’ve got my headset on and you know i look up and there’s this cup of coffee there and it’s like oh that’s you know that’s true because yes true love i remember why i married you [Laughter] that’s because yeah otherwise i would not remember to eat or drink or you know you know get from one thing to the next to the next um and it’s important uh you 
know you have to keep your strength up everybody take care of yourselves please um it’s it’s it’s hard work and meetings don’t seem like a lot of effort but at the end of the day you are just as exhausted and it does take it out of you and i’m learning how to be better at that myself i am with brian on all of this definitely so i hope that all of you were like you know what i should do i should follow brian on twitter and i’m going to repeat his twitter handle and put it on the screen but for people listening it’s be like brian t like tanya anderson and then 72. but obviously he was born way before then because he’s younger than me and i was born before then so you can like you can tell by hit like don’t let the 80s lighting fool you you know youth despite his 20-plus years experience he’s somehow in his 30s the the technicolor was really to hide the gray hairs that i discovered that i had and uh yeah i’m gonna keep doing it i don’t i don’t know what it is but like literally 20 20 i just start getting a ton of gray hair and like i don’t know if it’s the plague i don’t know if it’s like working from home it could be anything yeah i i’m i’m with you i’m i’m absolutely i don’t know when it started i feel like i aged a decade in in just a few months um i’m i’m hoping 2021 is kind of retro and i can go back to you know yeah we’ll all get big hair [Laughter] uh i i love 80s music so how i’ll you know go back to prince in 1984 and you know a little purple rain i could do that yeah prince rules by the way thank you so much for coming on the show brian i really appreciate it thanks so much for having me it’s been a pleasure i hope that every single person goes and follows brian on twitter and then if you’re up for following someone else you could follow we hack purple or me she hacks purple um yes it’s similar that’s on purpose and yes my hair is purple thank you so much and we are going to wave goodbye and then i’m going to do the outro announcement thank you uh and i 
pressed the wrong button but don’t worry i got the right button now okay thank you so much for attending today’s event and podcast and we love having you here thank you so much for watching thank you so much to brian anderson for being a totally kick-ass guest thank you to threadfix again for being our sponsor we really appreciate it this was the we hack purple podcast where each week we interview a different person from the information security industry to learn what it’s like to do their job because guess what we at we hack purple want you to join our industry if you’re not already in it we have tons and tons of different jobs that need a unique person like you to do them and with that i would like to invite you to join the we hack purple newsletter you will get invites to this podcast you will get free content and if you sign up between now and i believe next tuesday when we’re sending the invites you will get a free online course because my marketing people have decided we’re going to give away courses for free um and so go to newsletter.wehackpurple.com and with that thank you very much i am tanya janca your host and i will see you next week