Our host Tanya Janca learns what it’s like to be be a security strategist, and an amazing human being, with Allie Mellen! We had a very refreshing and honest conversation about the best and worst parts on this type of work, how to be an excellent communicator, how to connect with people, and so much more! Watch or listen to see why this episode was so great! .
welcome to the wehack purple podcast where each week we interview a different member of the information security industry to learn about their super cool jobs we started this because basically i'm just ridiculously curious i'm tanya jenka i'm your host and i just love learning about all the different types of work that people do within our industry and especially like how does it work what is it like how did you get that job what's the best part and so i invite really awesome humans on that i admire and this week the person i invited on is none other than ally mellinson melon sorry i'm saying your name wrong already welcome thank you thank you so much for coming on the show um i really like you so i'm very excited i really like you so i'm very excited too i'm super awkward i forgot to mention i'm an awkward host um so please introduce yourself and tell us your job title and like a little bit about what the heck that job means yeah so um my name is allie millen i've been in tech for a decade um i am a computer engineer by training and i've spent the past 10 years in various tech roles i started out doing a lot of mobile app development specifically for ios applications and um moved into my own consultancy really consulting on mobile app development and engineering more generally before finally getting back into the security space i started in the security space actually with some internet of things security research which culminated in a talk at black hat which was just such an incredible introduction to the community everyone was just like so incredibly nice and i couldn't get it out of my head so i had to i had to stay in security and um so yeah i spent two years as a security strategist at a endpoint detection and response company and that's the role that we're going to be talking about today so um yeah okay so please explain what that job is and what that means because the average person is like that sounds cool i don't understand yeah i like it because it's like a fancy title anything strategist sounds cool but really what it is um i spent a mix of time and that's one of the things that i really like about it is i was able to spend half of my time on the actual um security team within the organizations doing both product security and infrastructure security oh i just bothered you for a second could you repeat that last little bit i just lost you for a second yeah definitely sorry about that i don't know my connection's usually okay but with the snow that we're getting here and everything you never know so yeah so uh what's really interesting about the security strategist role is that it's really two different beasts on the one hand you work on the security team at the organization so i spent a lot of time doing product security and infrastructure security really working cross-functionally across the organization and doing a lot of the communication and just making sure that everything was running smoothly and wearing a lot of hats because it was a small team and oftentimes security teams are quite small um but the other half of my time was really my favorite part which is basically advocacy and evangelism so really talking about the security space really promoting security and the importance of security and trying to communicate it in a way that makes sense to other people that maybe aren't as technical because i think that from what i've seen and actually something that i really admire about you is that um it can be very challenging to communicate security in a way that makes sense to other people so what i think is really cool is that people like you and me are able to do that and have the opportunity to do that because it's really important and especially in such a technical field it can be quite challenging yes yes i agree i also just realized i forgot to thank our sponsor threadfix and i want to just thank them right now because they're awesome and they're ridiculously supportive of wehack purple so thank you so much but i'm going to continue now because obviously i have more questions for you what is it a day like in the life doing that work like is it lots of meetings is it hacking all the things is it like having to jump through hoops in front of customers like what is it like yeah it's a big mix one of the things that i really like about the role is that it gave me the opportunity to do a lot of different things and not just be like it just so many different opportunities throughout the day so um at the peak of that role i was doing two to four presentations a week whether they were conference talks or webinars or whatever um panel talks just really trying to get the message out there and trying to communicate to as many people as possible and luckily but not so luckily the pandemic really made that possible because all of a sudden i was able to just like communicate over video instead of having to fly somewhere or like spend a whole day in a different city or in a different country um so that really enabled me to do a lot more presentations than i had been able to before and then on the other side on the security side it was really day-to-day um the security team that we had was very small so there would be days where i would be coordinating with the product team trying to build that relationship so that our product security engineer would be able to actually get things fixed that he needs to get fixed there were other days where i was actually evaluating um evaluating companies that we were considering working with and evaluating their security and doing third party risk assessments so that was like very cool because you really get a good overview of really the work that a company has to go through in order to work just work with other companies from the security perspective um and it's also very like very nitpicky which i tend to be very good at so like i love reading ndas because i like to find all the mistakes that was like a really good fit for me for for a little while um and then on the corporate security side on the really infrastructure security it was a lot of trying to communicate and build communication channels in a strong way with the employees in the company i was really proud to be a part of a team that was very much so led with this idea that security serves the business especially in an enterprise setting and so things like communicating effectively with the employees and making sure that they understood the security fundamentals were really important and really valued which was cool um there was one other thing i wanted to mention oh yeah occasionally i would also jump on customer calls learn more about their experiences talk to them about our approach to security and those were always really interesting because it's great to hear about their pain points and where we're able to help them and be able to give them advice and also take advice from them it kind of sounds like you had to do five different jobs did you get five paychecks is that how it works no you know the answer to that i do know the answer to that just like it sounds like a lot um it was a lot um it was also i was definitely at a point where i wanted to like do all the things and learn as much as i could so it was simultaneously a lot and i do not want to go through it again and also amazing and an amazing opportunity to learn so i'm very happy that i did that my feelings are the same my friend like oh my gosh i'm so tired now yeah right oh my god i've been getting up for like 5 30 am heating for too long i need this to stop oh my gosh i really like sleep like a lot i love sleep right sleep's the best so yeah i'd like to do it a lot more like eight nine-ish hours per night can you imagine what happened well now i work for myself and now i get to do that it's pretty sweet i'm like i don't take meetings before nine unless i'm getting paid thousands of dollars i just don't do it yeah they're like boundaries yeah they're like can we have a meeting for this i'm like are you gonna pay me 1 000 or more dollars then the answer is no like i did one meeting in like the middle of the night last year because i got paid 2 000 american dollars for 20 minutes i'm like i'll be there for 20 minutes totally worth it yeah and 2000 american dollars is like five zillion canadian rupees so like it's a lot okay i'm making fun of canada so what type of personality traits do you think would make someone like good at this sort of job like if someone was gonna have like an aptitude or like a certain type of personality so that so that they would like the job more and so that they would be better at it like do you have any ideas on that yeah um it's a really interesting question because i'm personally an introvert and um as you can imagine that much interaction with other humans can take its toll i think that extroverts would be really sensational at this job because it does give you so much opportunity to connect with other people um at the same time as an introvert i can kind of say that i do enjoy it because i think that first of all i'm very curious about other people kind of exactly like what you're saying earlier it's just it's very exciting to learn new things and to to meet new people so i do enjoy that and kind of like fight through that with my introvert self but also um really i think it takes someone who um just has a passion for what they're working on and is able to like show that passion to other people that's really critical yeah i agree i just put a note in the chat that if anyone has questions for ali you are allowed to ask and if they're nice i will ask them but everyone's always super nice in our chat like everyone's always so encouraging and we have some you have to ask [Laughter] also usually at this point i ask everyone to click the thumbs up button but everyone watching already has so thank you everyone i really appreciate that so i have obviously i have way more questions though um so what type of technical skills would someone need to do a job like that because it sounds like you have to have some technical skills to be good at explaining and understanding yeah so i'm i feel kind of like in a weird spot answering this question not not because of you but just because i have that technical background and i came in as a computer engineer so it's easy for me to say like you don't have to be technical to do this for your degree to do that you know um but i really do think that non-technical people can succeed in this role because i think that actually this is one of the things that i really like to talk about and i'm really um a big proponent of is security needs more non-technical people and security needs more perspectives period so maybe you're technical in a different space and you can bring that information and that learning to security but it's so critical for more defenders to actually be able to come in and say that's not how i would do this i would do this this way because that's what the attackers are doing every day so i think it would be really cool for someone who maybe doesn't even have any technical skill to come in and give their perspective on what this role should look like i also think that this role while it can have technical components it's really your playground and you can choose how technical you want it to be um and a lot of it is really just about that communication and being able to foster that communication and over time ultimately i think that you can start to pick up on the things that are technical about the role and kind of like grow into it if you're really passionate about it would you say so like i'm constantly preaching that you can't really like you can't be really good at application security unless you have basic level like decent social skills and decent communication skills and it sounds like you need better than decent for a role like yours would you say that's true or yeah i so i um personally i definitely did not hit my stride in this role until i really started being introspective about my behavior with other people just generally not with like oh i'm i'm wrong for this or whatever but just being able to iterate and improve on the way that i'm talking to people being able to pick up on social cues um being able to understand where they're coming from and listen to them especially not just like talk about whatever i want so i 100 think so i also think that um and this is something that i really want to do some research on but we'll see um security maturity um being measured by eq of the people of the team the security team i think that there is probably a lot of correlation there um that maybe is undiscovered but so i think that really hopefully for any role in security people are trying to become more like socially capable and more able to hold these conversations um but it also shouldn't hold you back like i definitely started and i was like i'm just gonna do whatever and kind of grew into it and i think that that's one of my like life lessons this is i just really have no fear just jumping into things and i'll tell people like i don't know what i'm doing here but i'm here you know and it's um you learn a lot that way and also attitude you go down which is always good so someone in the audience just asked a question that i was going to ask and could you explain what eq is because i know and i know you know but we don't know that everyone listening knows yeah so it's basically to boil it down it's all about your emotional capability and and how emotionally grown you are and like how effectively you're able to communicate with other individuals so it's just an indicator of your um emotional state and your emotional growth and and really your your social skills as part of that so the premise that i am trying to make behind security maturity really linking to eq is that i think that in order to do security well you need to understand that it's a business function it's not just about like finding all the cool things and protecting against all the cool things um and as such you need to be able to aid the employee experience and make it better and you definitely cannot do that without positive social skills and like real maturity as an individual i wanna just applaud loudly um so i'm gonna do some jazz hands for how much i agree with you so i when i was a developer advocate there was a small percentage of the other developer advocates where they wouldn't listen to what the other person was saying and they would just say the thing like the speech or whatever the thing they were planning to say like i had dinner with a bunch of my teammates and one of them said we should do a live ctf and like live stream ourselves doing it i'm like actually like i'm sure i'm not supposed to say this but i really don't enjoy ctfs like pen testing is different than ctfs and i find like a lot of the challenges in ctfs are super like they're trying to trick you on purpose and like i go in with this work mindset if i'm going to secure the app and so i look for those things and i don't enjoy a puzzle um that's intentionally meaning to trick me and i'm like also there's a lot of pressure on me because i'm like a public figure in this space so if i don't do well it will look bad and he's like you just have imposter syndrome and then he gave me a lecture for 30 minutes about how i'm like i don't have posture syndrome i'm awesome i'm like yeah i'm not good at this specific type of thing like dude i is a professional pen tester and now i can say i literally wrote the book on absec i'm very confident person but i'm also confident in the things i don't know or that i'm not great at and also like i don't love doing ctfs and there's nothing wrong with me and he just kept going on and on and i was just like so i constantly was like can i join your team and i'd just be like if you hire him i quit i can't work with this person like i can't even tolerate him at a dinner and yeah like and there were other ones where they would just they only talk about themselves they're not listening to the customer they're not listening like when someone comes up to me after i give a presentation i want to hear what they want to say i already just spoke an hour dude i've done enough talking i have two ears for a reason it's my turn to listen to them and so i love that you actually said it out loud thank you ali thank you no and you know what that i'm so sorry to hear that that guy was like that to you because that's the type of thing that like does not help someone's imposter syndrome if they have it like having someone just tell them like that like it's and that you're overreacting and that you're not allowed saying no and it's like oh actually you can go to hell don't know if you knew that like why did someone think that was helpful i know and that's the word well and i i feel like um just like that person is not gonna excel in the role because the whole idea of developer advocacy is to actually hear what the customers need and want and really desire because sometimes they'll say i want this feature but it's like okay so what do you actually need and let me know and then there might be an even better thing we can do for you then like i want a button that does this it's like maybe i can like magic up a whole bunch for you i don't know until you tell me what you truly need right and it sounds like you've got that i like it i mean also what's really cool about um listening is it does give you that opportunity to learn so if you're not confident about something then just ask questions ask a million questions the more questions you ask this is what i've found which is so counter-intuitive but the more questions i ask the more like confident i come off and the more um like like i know the subject material i come off you know and they're always like oh that's such a great question and i'm like oh thank god because i thought this was so dumb you know but if you ask the questions it really is it's just a positive experience um so i definitely definitely recommend listening and i'm glad you do too um would you so if someone wanted to try to get into a role like that is there like training that they could take or is there like specific ex work experience they can try to get to try to build up to a role like that besides using both your ears to listen yeah i think that um it really depends on where you're coming from if you already have a technical background it will probably be easier than than if you don't but at the same time i think that a great place to start if you don't have a technical background but you're interested in a role like this is just joining a marketing team any any role in a marketing team and you're going to learn about the product for security vendors specifically i mean if you join a security vendor on the marketing team then you're going to learn about the product you are going to learn about the messaging you're going to learn about the industry and it's really what you put into it so if you're trying to get into a role like this that can be a great place to start another great place to start is the opposite end of the spectrum where you join a security team as an analyst and just kind of work your way up on all of the like really miserable stuff because being an analyst is the worst job in the world but ultimately like you are gonna learn a lot that way and like get really in the weeds and really understand what you're what you're talking about um the other thing is regardless of where you start public speaking training is critical for this role because you do spend so much time talking to customers and talking on podcasts and various various webinars and having any public speaking will help you in these talks but also in day-to-day life and just navigating day-to-day life i also this is kind of like i don't know i think it's becoming less taboo but i highly recommend therapy just because you learn a lot about yourself and you also learn and kind of like can hear how other people communicate and really learn like okay i said this in this situation but maybe this wasn't productive or maybe i should have like really given myself a different frame of thought on this issue so that's the one that's probably the help helped me the most but i know that that's not um some people don't think that that's an option for them so if public speaking training at least i totally think all of us working on ourselves is a smart thing and yeah there are a lot of um good books on like how to communicate better how to kind of like discover stuff about yourself and i i have to say that personally a weakness of mine has been understanding why other people make the decisions they do um and i read this book called um give and take by adam i want to say adam smith but i think i'm wrong because that's such a common name i'm like can it really be that but it was about how some of us are givers some of us are takers and then almost all of us are matchers and so for instance like i asked for help with something on my twitter feed so i was at defcon and i'd given my badge to someone so that they could go in instead of me because i had to catch a plane and i was leaving so i was like i might as well let someone go have a fun afternoon at this conference and i i paid for the space right so why not let them and um but then i realized that my so my friend rick was like there's like a t-shirt for me at the oauth table that i really want and i was like i literally can't go back in so i tweeted like would someone be willing to get it and give it to me and all these people volunteered and i was like oh that's so nice and i was like i didn't understand why someone would want to you know leave the talk they're in and then go pick up a t-shirt and then walk like 200 meters with it and hand it to me outside the gate and so some wonderful human did that and then i was like can i give you a hug and he's like oh my god yeah i gave him a big hug because i was like this is so sweet thank you um and then i gave him a high five because i really like high fives and then he went back in but then when i read the book it explained so like if you know so you and i for instance we share a lot of knowledge we met at a conference where you gave a kick-ass talk and so then i liked it and you did it so then like sometimes people who are matchers are like i would like to do you know let's say that your talk taught them something like really important that help them at work they're like i'd really like to do something nice for ali and then if you were at a conference and you asked this simple request it's like i got this right because yeah it gives them a feeling of satisfaction and makes them feel good and i'm like that's awesome and i was always like oh my gosh i shouldn't ask for help from anyone because like they probably won't like it but it's like no actually it turns out if you've already done a nice thing for this person it makes them feel good and i so now i don't like feel guilty if i ask for help i'm like if someone has offered it's okay and i didn't understand that before and so like i'm a giver i'll just like endlessly say yes my my team at work say no for me because i'll just say yes until i'm working 24 hours every day because i'm silly and so i have like a gate system because i don't understand the word no and so that's good that i understood i needed that does that make sense so they're like you can't do five or ten talks that are free per week so you're allowed one one free per week okay and then that's it we're cutting you off because you you need to sleep and stuff i'm like and i rarely break the rule like hardly ever but like i feel like a lot of people don't so like your advice is so good like seriously public speaking so that you can learn how to communicate well and clearly and like feel confident to stand up and speak your truth and then also like therapy so you know what your truth is yeah no that so i love that story um that's it's just so nice and like heartwarming and like real human connection so that's that's really cool um and also all it reminds me um a really great book to read yeah if you haven't read it that helped me with a lot of things was um the subtle art of not giving a by mark manson i read that you read that okay awesome any of the viewers you would enjoy it that and oh the other one which i loved and so worth it is non-violent communication which i think that you may have actually recommended to me yeah it was at last con because i was on stage were you on stage with me and where there was a panel and this one man had said a thing that was um a bit prejudiced and i was like oh no no no no and then he made some excuses and i was like no um because i'm like i can't publicly just be like that's cool yo and then he was like well i don't know what to do and i was like actually there's this awesome book and yeah it really has helped me communicate so like if someone's really angry at me i can think like why is this person really angry at me or why would this person do this and it's like maybe i need to explain like the repercussions of their action um like someone in my company did a thing without asking me and volunteered me to do a lot of work um and i found out about it in my newsletter this week like the public newsletter yeah and i was like oh you decided to start a program where i have to do all the work and so then i but rather than like getting like really angry i was like so the problem isn't that you had a great idea for an awesome program the problem is that you explained to all of our subscribers that we're gonna do this work when the person who actually will be responsible for answering all of those questions is going to be me and i currently work 10 zillion hours per week and do i think this is a good idea yeah it's a great idea but we have to cut a different thing if we're going to add this and so you don't like if you want to announce the thing that you're going to do the work yeah fill your boots like if you but i we all know you're not going to answer the ask me anything abset questions we all know it's going to be tonya that's what's going to happen and and tony's tired and so i was able to explain it in like a fair way and like not be like because when i read it i was just like i made like the hulk face um if it's unexpected that's like oh god like what am i now signed up for i know so much work right and and the book non-violent communication for those that are listening um like really helps me explain like to get to what my feeling is and why i'm upset and then explain it quick because they're like no but it's a good idea because of this i'm like yeah it's a great idea i'm not saying that you're not like you're super creative that's why i hired you you're brilliant yeah the problem is that you i made an announcement publicly though asking me first and they're like oh well it's just a little extra work i'm like no backup right and then like explaining like really clearly and fairly and then it's like okay so promise from now on you're not gonna make it out right and then and then it was good and i was like have i like offended you like are you okay and they're like yeah i'm okay and i'm like i don't want to talk to you in a way that makes you feel small or bad and they're like it's okay so like i always try to check in because sometimes i can be extremely direct and i don't want to harm someone's self-esteem or think like i'm fuming and really angry it's just like i'm frustrated and like here's why and like can we find a plan to do this better in the future and it's like cool i mean if it happened the same thing happened five times in a row it'd be a different discussion right but like but people make mistakes or errors totally or they just don't consider a thing and life happens i'm sorry i'm talking way too much i want to hear more about you no no i think you're making great points it's all like it's good and that's like such a healthy boundary to have and like conversation to have you know because mistakes are gonna happen but yeah it's how you react recover from them that matters but i feel that if all the security people out there could read the book and like take it to her because honestly when the book started i was just like i don't need this i know everything i know me too but then as it continued and it continued by the end i was like i love this man and i want to give him a hug he's so bright the end was like heart-wrenching but really good just lovely and giving yourself the space to step back and think about a thing before we react because that's life-changing invite not even kidding that's life-changing advice um so like once you hear it it's like oh i can do that and then you start doing it and it's like oh my god like this has this is really beneficial for me you know have you ever sorry have you ever as a security person just kind of like lost your cool with someone like where you're just like no before you think or like you you give someone you're like like have you have you done that yeah it feels bad it feels bad it feels really bad i don't know how people can continue to do that because the first time it's just like oh my god i feel gross yeah and then i don't know about you but then like later circling back to that person's desk and being like so can i apologize because i was a jerk earlier and after thinking about what an idiot i am for four hours i want to tell you an idiot i am no totally because it it's also one of those things i think security is a really it it's surprisingly important to be like kind to other people because if you don't what happens if that person gets hit with some malware and they're too afraid to come to you and they don't know what to do that's just going to make the problem worse yes and so you need to like build connections with people or at least not make enemies would you okay so i have i have so many questions for you okay first because i'm i definitely need to thank threadfix i want to tell everyone that threadfix makes the most stupendous vulnerability management system this side of the galaxy i told them i would say whatever they wanted and i have to say that's the best sentence ever that i get to save for work it's the best galaxy yes it's awesome i like that i get to say something fun and also i love working with the people from thread fix okay so i have so many questions so so a thing that we talk about a lot on the podcast so there are a lot of different types of jobs in our industry and they all pay very different amounts would you say that your type of job pays well so i'm not saying like tell me how much you make i'm saying does it pay well in general and you feel like it's good compensation for the effort involved in general yes i don't mean your specific employer paying you specifically on your team that's not what i mean but like if someone's going to go after a job like this like it's a good paying job yes absolutely and like definitely because because we had like startup founders on and i'm like does it pay well they're like no it's the worst right and i think it's really important we had a journalist on and she's like no the pay is uh right and so i think it's really important that people understand like you know if you do a job like this you're going to be able to pay all your bills and then go the grocery store and buy any kind of cheese you want you can buy pre-cut mango if you want right you could buy well so ally and i had dinner once and um and there was there was sushi and so like so much sushi yeah so so i'm not gonna tell you how much our bill was but i've never had a bill even half that much in my whole life before um and we didn't have to pay because someone else was with us who had an amazing expense account but like it's not like i have an expense account and i can buy 700 worth of sushi level right it's like it's like i can go and i can totally buy 40 worth of sushi and smash it in my face and be like haha but it's not like 700 worth of stuff that was crazy it was delicious it was crazy that was such a good time that was really good and like 10 000 piles of rain oh my gosh so much just like you walk out from the to the it's like you're outside four seconds it's like you looked like you just jumped in a swimming pool we were covered it was like coming down oh my god i couldn't believe it yeah so like florida amounts of rain but it was in texas i know i thought that texas was desert tea and stuff but yeah what gives what gifts um okay so what do you like the best about having that type of job what's the best part the best part is yeah i'm so sorry i'll put you off please say it again i'm so sorry no no it's okay no it is a hard question but definitely the best part is the learning um i am a lifelong learner it's just it's who i am at this point and um it's you learn every day in that role and you have the freedom to learn really what you want to learn which is so cool so um yeah i love it and you get paid to learn to do that yeah and that's like crazy to think about that's it's yeah it's it's those are the best jobs to me the ones where you can just like learn and kind of have the freedom to learn and yeah that's so cool okay so difficult question number two what is the worst or least favorite part about your job or that job not like specific like joe's a real jerk i mean like as like a thing as a thing i think it's just the hours it's very long um especially if you want to like excel in that role like you can do it nine to five but it's it's a hustling job like you are hustling and so it's long long hours and that's exhausting after a while and it's just i think it's tough to manage the burnout so that's the thing that i would be wary of i remember one week i flew 70 hours and i gave two keynotes and i worked like a week in that week like it was ridiculous it was 70 hours of travel yeah and i was just like yeah yeah it was just beyond exhausting and also um i don't know how you feel about this but i felt that i could never complete my work ever like i could never complete it there was always four more things and it's like oh well you know this customer saw you see this do this talk here and they'd like really like to meet you i'm like i'm gonna die i can't do this right now like this person thinks you're cool i'm like you know who else thinks i'm cool my friends and family who haven't seen me in nine months like like and then that's when you know it's time to retire from that role and find a different role when you're snarky feeling instead of grateful feelings i got a business i think that that's the scary part is like the potential for burnout you kind of always feel like you're on the edge of burnout and that's very rough um especially like with travel like that yeah so i have more questions obviously i can't help myself um i'm okay so i have to do a marketing thing so work so we hack purple is giving away free mini courses um we're giving a course away i believe starting next week for free called scaling your team so how to scale your appsec program and your appsec team without extra apsec dollars and if you want to get the course for free the mini course for free you just need to sign up for our newsletter which is newsletter.wehackpurple.com so you sign up for that you'll get an invite and then um you'll also get all sorts of other stuff but that is the main thing and it's free and my marketing team should now be impressed with me okay next so what makes you feel i know i'm so bad what makes you feel the most what makes you feel the most pride from your work like what is the thing where you're like i feel so good about doing that okay this is the easiest question um by far the best feeling in the world is when someone from like for example the marketing team comes up to you and says hey can you explain what ransomware is to me that is like it's so cool it's so cool and because it's it's not just like explaining ransomware to someone it's like they trust you enough that they'll go to you for that and then they think that you're gonna be able to like have a conversation with them where they'll be able to understand and get something from it like that's just awesome and yeah that's by far the most gratifying feeling i've ever had in this role you know well and i feel like they're saying like i trust you and also like i really value you as like a source of knowledge and like as my colleague oh i like that yeah yeah that's really cool yeah it's a good feeling okay so now more extremely difficult questions like we've been going through the whole time so what advice could you give someone so like let's say someone's watching this and they're like ally for whatever reason i'm like doing like 90s slang this week i've said rules like 44 times i don't know what's wrong with me but anyway so someone's like ally totally rules i want to be just like ally i want to do a job like that i'm super interested in that like what type of advice could you give them to try to move towards that type of role yeah so first advice i'd give them is um that job's taken being allies but you're in luck but you're in luck because you're a super cool person and you have so much to offer that's unique to you and it's going to add value because it's you um so that's the first advice which i actually stole from um a news anchor who was on good morning america she's the best i can't remember her name um it'll come to me but the second piece of advice that i would give is just um choose an area of security that you're really passionate about and learn about it and just learn a lot of things ask a lot of questions i highly recommend like if you are currently at a security company or even not a security company and you're not in the security team ask the ciso if you can tag along to some meetings or just spend some time in the sock they will not say no unless they're jerks and then you should go somewhere else but you can learn a lot just by sitting in the sock and i also highly recommend checking out um organizations like trace labs which is a really really cool organization that does a missing person ctf so you can use open source intelligence in order to find actual missing persons and help the um help police officers actually do that work so it's really cool trace labs yeah it's really cool and it's also free and what's really awesome about it is you don't need any hacking knowledge to actually get started and that you can just be like searching on facebook for these people it's it's not something that you need hacking knowledge but you can really like start to understand more about hacking by doing this and it's just like there is such a great feeling to participate in that especially when they find someone it's like oh oh my gosh this is like really impactful work so highly recommend that like engage your passion that's awesome i i saw a thing on twitter where someone was saying oh the fbi is wondering if they could help find and then it's like the inter twitter this is his name this is where he lives this is his favorite type of milkshake his dog's named this and like it's just like ridiculous like just the internet boom boom boom boom boom we're like we got you people are really good at it like just normal people can find anyone it's amazing did you see that thing where there was a person that had been hoarding toilet paper and all of this other stuff and then a woman who works in open source intelligence gathering also known as osint she publicly live tweeted her finding him and figuring out exactly which warehouse all of the stuff was in so he was like um charging like a hundred dollars for toilet paper and stuff right at the beginning of the pandemic and she's like and then here's a picture from the it was like from the video camera of the police taking the stuff out she's like got this and i was like that's awesome don't mess with myself twitter for real that's some good life advice in general oh my gosh so i want to tell everyone to follow you so i follow ali on twitter and if you want to follow her so i'm going to put it up on the screen but i'm going to spell out her handle to you because you might not say it correctly so it's hacker x bella so it's hacker h a c k e r and then x like the letter x and then bella like beautiful in italian b-e-l-l-a and then her website as you might have guessed is hacker x bella dot x-y-z so that's right it's not dot com it's not xyz because she's gonna mess with us i just feel like that's like a a danger zone type of extension and so i think everyone so i i hope everyone's learned at least one thing that they need to follow you they need to read the book nonviolent communication they need to read the book give and take what was the third book that there was another book that you'd mentioned i believe or maybe that was it subtle art of not giving yes that book by mark manson and then they should go to tracelabs at dot org and try to help find missing people they should take some speaking lessons or practice public speaking and trying to get better and better at it we should all work on ourselves and work on our emotional intelligence and sometimes therapy is a thing that not only makes us way happier it makes every person around us happier and basically we all need to join the we hack purple newsletter newsletter.we have purple.com um we should all probably buy this book alice and bob learn application security also check mark tanya doing the marketing um thank you so much for being on the podcast it's like six minutes to seven so i'm supposed to wrap up so i have one more question um and i'm like so i have i have lots of questions but i have like so many that i i want to ask so i'm gonna ask are there lots of opportunities to work in our field and specifically in that type of job in our field oh yeah oh my gosh uh the last security company i was at they pretty consistently had over a hundred open wrecks at one time so lots of opportunity um for very like very different roles so totally we need more people um for the specific role that i'm talking about i think it really depends on the organization and where they're at and what they're interested in um there are different variations on it i think depending on where you go and like ways that you can like directions you can take it like if you want to do more of like a like a sales engineering route and kind of like be this like technical advocate for people or if you want to go the developer advocate route as opposed to like more enterprise um strategist so there's definitely options available and there are a ton of different roles that you can get started in for sure do you think that all the people listening should definitely come work in infosec with us yes i definitely do thank you if they're listening they're clearly interested right you know that's a really good point if they're listening they probably are interested thank you so much for coming on the podcast today it was such a pleasure to have you and it's now time for us to wave goodbye because we are at the minute mark where i'm supposed to hang up thank you for having me thank you so much bye and thank you for listening to the we hack purple podcast this week we had allie melon she's awesome you can follow her at hackerx bella on twitter and lots of other places and we learned what it was like to be well amazing but also a security strategist and developer advocate which is like we kind of tied those two together the we hack purple company is an academy where we teach you how to become an application security professional it is a community which is going to reopen in four weeks and we're going to welcome all of you into it who aren't in it yet we are this podcast where we try to help people learn about how they can get into information security and what all the different jobs are like we also have a silly swag store where you can buy bright pink security hoodies um called shop.wehackpurple.com but most of all we are an organization dedicated to teaching everyone how to make more secure software next week we have guest stephanie black and she's going to teach us what it's like to be a cyber security account manager because we need to cover all the jobs and honestly i don't know what that job is like the following week we have troy hunton and he's going to teach us what it's like to be troy hunt because there's no other person on earth like troy following that up we're going to have barbara i'm sorry barbara if i'm saying your last name wrong shashner and she's a security architect and i definitely i know we already covered this with marie galloway and she's totally awesome but i want yet another perspective on security architect because it's such an important role after that we're gonna have davine jackson on and he has his own awesome podcast and i'm gonna be on his podcast two hours before he's on my podcast and we're gonna like switch it up and that's march 4th and he's an apsec pen tester and he has his own podcast he has his own newsletter he's like pretty darn awesome and you should probably follow everyone that's going to be on our podcast so we have people booked all the way throughout the year and all of this is in hopes to basically bring more and more people into our industry i want to thank you for listening i'm tanya jenker your host thank you for your time thank you for your attention and thank you for securing all the things