We Hack Purple Podcast Episode #1

Melissa Benua


In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Melissa Benua, to learn what it's like to be a Director of Engineering.
Subscribe to our podcast on YouTube or your favourite podcast platform!

Melissa Benua can be found here: Twitter
This episode sponsored by Ubiq Security! Twitter

Transcript:
welcome to the we hack
purple podcast where we teach you
all about how to find your career in
information security
today as our guest we have melissa Benua
with our sponsor
Ubiq security awesome
thank you so much for coming on the show
this is the we hack purple podcast i'm
Tanya Janca your host this is our first
week and today our very first guest ever
of our inaugural first podcast
number one is melissa benua
did i say that right benua benue there
you go
perfect! welcome to the show thank you so much
um i am just going to mute the nice
person that just joined us on the
webinar so some people have decided to join us
live on the webinar and some of
them are watching live on youtube either
way welcome thank you and
the point of this podcast is to
help you find your career in information
security there are a lot of different
jobs out there
and a lot of you might think oh i want
to be a hacker
but turns out there's actually like a
whole bunch of different jobs and
they're all very different
and there's defenders there's i want to
say
offenders but there's
offenders and sometimes you do offend
but what we're going to do today is
we're going to talk to
melissa and she's going gonna tell us
what it's like to do her job
so first of all welcome melissa thank
you i'm excited to be here on the number
one
episode number one yeah
so i would like to ask you first of
all if you could
tell us your name and any sort of handle
that you have online because i'm
assuming people
are going to want to follow you yes so
my name is melissa benua i am a director
of engineering at a startup called
mparticle
and you can find me online under the
handle queen of code
twitter github website is
queenofcode.net it's pretty simple
pretty easy to find so you have a really
very interesting job title director of
engineering
what does that mean like could you
describe what your job is
yeah so my job is because i'm at a
startup it probably sounds like i do
like i have more of an organ i do have a
very small org but i have an
organization that reports underneath me
and i'm responsible for some of the
initiatives that that team does so
for example i run a couple of
engineering teams and then i run a team
called our dev test secops
squad so i do you know hiring
strategy figuring out what we're
going to do
next right how we're going to keep our
developers writing code that is
safe and high quality and as secure as
we can reasonably try to do
that's awesome and we met at a
conference in seattle
we sure did tell people a little bit
about the conference and your amazing
talk you did there
yeah so we met at defence last year
almost exactly a year ago
um i did a fuzz testing talk which
actually i'm doing again
uh this weekend as a matter of fact a
conference called not pink con
security conference from argentina yeah
i'm gonna be final
i'm gonna be apparently live translated
into spanish which is great because i
don't think i could talk about fuzzing
in spanish intelligently
i don't think it would be asking for a
disaster
um but yeah so i gave a talk about
buzzing over the course of my career
i've done
a lot of different roles i was a
developer i was a tester i spent some
time as like a security
hybrid dev test person
one of the things i did is i ran a
service that provided automated scale
level fuzzing for
um for our web service at a large
company some of you might have heard of
i don't know
i might have heard of it daniel maybe
knows a little bit about what it was
maybe just a bit it was microsoft i
worked at microsoft
[Laughter]
so what is a day
in the life like to do your job
like if i am a person i've never worked
in this field before can you tell me
what it's like
yeah so which i'll describe two of my
three jobs
because i do a lot of jobs because
the
combination of director plus startup
means you wear many hats
um but so the management side of my job
involves a lot of meetings involved so
many meetings meetings with my directs
to make sure that everything is going
okay right both in their work and in you
know to make sure we're supporting them
especially now with cobit in their
personal lives as well that we're giving
them the slack when they need it and the
interesting things that they need to
work on when they need it
um involves coordinating the work
that's getting done making sure the road
maps are aligned making sure things are
on track
typical managery stuff
my focus is you know always on number
one on supporting supporting my directs
right there's nothing people quit
managers they join companies and they
quit managers
right it's it's very true yeah so
making sure that they feel like they are
in a good place and they're supported
and they can grow
um so that's half of my job and the
other half of my job is pretty directly
running my
devtest secops group and that looks
very different the jobs don't look
anything like each other
it involves doing gathering a lot of
data doing a lot of research
you know what what's current industry
best practice how what's the delta
between what we're doing what industry
best practices what are the best tools
um
what's not working in our flow right now
what kind of bugs are getting to
production what kind of things are we
finding
when the flaws are available how can
we patch that hole right whether it's
making a process change or a tooling
change or
both sometimes i actually write code
still
it's very exciting for me when i get to
write code and make a commit it doesn't
happen very often for me anymore
sometimes we use a tool called sonar
cube so sometimes i'm
reconfiguring certain cubes sometimes
i'm looking at reports from sonar cube
sometimes um
you know generate in github instead
looking at you know looking at our
dependable
really it kind of spreads the gamut from
very low level things to pretty high
level strategic things
cool you kind of make me want to come
work for you honestly
it's a lot of fun if you don't if you
like doing lots of different things i
can say that the start
you know mid-stage startup is a good
solid place to do lots of different
things
oh that's awesome so i feel like you
probably need lots of different
personality traits
in order to be able to do quite that mix
of
of types of responsibilities and
activities so what types of personality
traits do you think are needed
to be good at your job so i think
probably the most
important trait for my job in particular
in engineering in general
is empathy empathy for the people you
work with empathy for your customers
uh being able to put yourself in
somebody else's shoes right that's a
that's a useful security skill it's a
useful development skill that's useful
product manager skill
right being able to think like someone
else and have empathy for what they're
going to do
um probably the most important thing and
then secondarily is probably curiosity
right being able to ask ask good
questions
and find and chase down the answers
right don't take no for an answer
well maybe take no for an answer but um
don't don't get stopped by a simple road
law find another way around
right to get to get the answers you need
to get so maybe perseverance too
is required perseverance exactly yes
and also maybe creativity
to come up with all those solutions yeah
but you notice what i didn't say is i
haven't listed any tech skills
oh yeah you don't need them but because
they're secondary
actually anybody like if you have the
aptitude to learn tech skills you don't
need to worry that you know tool x or
tool y or you know language a
or language b because you can learn it
um
but the traits the the i don't like
calling them soft skills but that's sort
of the most universally understood
understood term for it those are a
lot harder to pick up you can't just
read a book
and then be empathetic you can't get
empathy out of a book
like maybe emotional intelligence as
opposed to
like eq instead of iq yeah that's a good
way to put it
because you wouldn't be a good manager
if you didn't have
any emotional intelligence you would
just be a bossy boss
yeah you'd be you'd be you you'd be the
kind of person that throws the director
under the
under the under the bus for a promo
right nobody had a person that people
quit
i know i was just gonna say that you'd
be the person that people run away from
and find new jobs because of exactly
so those are personality traits what
types of
aptitudes do you think that someone
would need to have so
when i say that i mean like attention to
detail ability to hyper focus
uh i once read a job description where
they're like you must be able to lift
50 pounds by yourself and i was like
yeah i can do that
that is i mean yeah that's
that can be important to lift emacs i
don't need to lift
anything for my job i do not need 50
pounds thankfully
it's one of the few requirements i don't
have um
let's see so i think you need to have
apps i mean you have to have an aptitude
for tech you don't have to have specific
skills necessarily but you do have to
have an aptitude for it right you can't
be
confused by how to turn on your computer
or how to run
updates right you should have an
affinity and a curiosity for tech
um even if you don't have you know a
very specific skill a or skill b
um and you should want to poke things
right that was where i started i started
as
a tester i came from a strong test
background because i really like to poke
things
and see what happens
if i said that's actually how i veered
took a hard turn into my uh fuzzing
service that i ran
because i ran this scale traffic
testing service and it was interesting
but i wanted to know what
what happens if we poked things more
because we would just replay normal
production you know
sanitize production data into our test
environments and that was fine
but what if we just messed with the a
little more
and so i started doing craft you know
hand crafting xss exploits because
that's what you did
at the time it's not like you can go go
grab fuzz db's exploits like you can
now yeah so what if i and i would inject
them
quasi-manually into the fuzzing into the
into the the traffic t-system before we
had the fuzzing service
um and that was interesting and so from
there came
you know i found some interesting it
poked it and interesting things fell out
so then i got authorization to write
some code to poke it a lot harder and
way more interesting things came out
yeah sometimes i call it punching it in
the face
yeah like like this is your app this is
me yeah
[Music]
we have another person coming live on
the webinar who i am going to mute
hi angela thanks for joining us you have
to be on mute though
we've invited some guests to kind of
come hang out in the chat with us
in the webinar if you want to join the
webinar next time you can register in
advance but this time it's too late you
just have to watch live on youtube
or watch your recording after i feel
like melissa to be good at your job you
would need to have the ability to
multitask
like and be able to just switch
like contact switching like a ninja
constantly it's exhausting you have to
be
so honestly having small children has
prepared me for that more than pretty
much anything else in my life because
i'm constantly contact switching with
them
um medium function with your attention
constantly fragmented has actually done
a great job of preparing me to function
with my attention constantly fragmented
you're like how i became a superhero
like
lead director of engineering small
children
small children having to deal with small
children all the time
so we've talked about kind of like the
types of personality traits and the
aptitudes you need to have what about
technical skills like what
like if someone is like okay i think i
have
those other aptitudes i have some
emotional intelligence going
what types of technical skills would
they need to be a director of
of engineering because that's huge
you're like the technical boss of all
the technical brilliance
yeah sort of i'm sort of a technical
boss um
we've actually siloed it up so that i'm
not in charge of technical direction
for my reports i'm in charge for helping
them grow
right so i have to know because i've
there's a thing as a manager that as you
spend more time managing you spend less
time writing code and your technical
skills
degrade a little bit so i'm
i've now spent a couple of years as a
manager and i'm now at the inflection
point where i'm crossing below where
everybody else is coming
up so my expertise
it's aged it's not that i've never done
it is that i don't do it very often
anymore
um so you know i'm not the person to go
to and you're like we want to implement
we want to wire in apache pulsar into
our code can you tell me the pros and
cons and do a performance analysis and
like oh
maybe
that's why you have a team right and so
they help explain the pros and cons to
you and then you can make the decision
because you have lots of experience
right so so my technical skills now are
more around understanding
and being able to do research to bring
myself up to speed not so much that i
can be the expert developer but to
refresh sort of those neurons that have
gone cold
um enough that i can have an intelligent
conversation
and that i can review even if i'm not
setting right not implementing
what what types of training do you think
someone could take so that they could
try to strive towards being
a director of engineering someday like
what types of courses or types of
things do you think they should try to
learn i think they should try to learn
whatever it is they're passionate about
and follow their passion
into leadership right into the
leadership of whatever right if you're
passionate about
i don't know whatever it is your pet
friend in development back in
development you're passionate about
security development you're passionate
about
devops development follow your
passion into something
and then find your voice right because
being confident enough to lead people
come from being confident in yourself
that you know what you're talking about
and so
i don't think it matters so much with
the specifics of what you pick if you
can be
somebody who's never left javascript has
never never left react and you could
still
become a director because you've got
confidence in what you're doing and
you're able to then
parlay that into leadership of other
people to inspire confidence in other
people
do you think that so i have i have the
opinion that management and leadership
are not the same skill set and that
we're just super lucky
if we can find someone that's in
management but that also has amazing
like management and leadership skills
and it's true
so we actually sorry no no go go
um so the way we've actually separated
out as our org is we i certainly have
people who are excellent technical
leaders who are not
particularly good people managers and so
they have a different role right the
the uh the latter we the ic ladder we
consider it splitting around
you know around mid-career like if we've
got you know eight stages somewhere
around four to five
um it splits and you either become a
manager or you become
you know like a leader a leader i see
there's nothing wrong with being a
leader i see the the letters are
considered equivalent right you can
go all the way to the top being um
a leader i see like an architect type
type situations you don't have to be a
people manager in order to
succeed right you can still be and if
you if you're passionate about you know
being a people manager is mostly about
helping other people learn and grow
you're at the service of the people
who report to you
i really i love the things you're saying
it makes me want to come apply
i mean i have a job but if i didn't i
would be very
you know i have three head counts open
right now and my org is only like 13
or 14 people it's not very big
okay at queen of code i'm just saying at
queen of code my head comes
very nice i have a technical leader i
have a people manager and i have
uh an entry level roll open i have all
three oh my gosh that's awesome
what type of work experience would
someone need i don't mean so they could
specifically
take your job but a job like your job
like what types of work experience would
help lead them there
so spending some time is as an ic like
getting your ic expertise underneath you
you know like five five to ten years
you know it depends everybody's
different spending some time really
understanding what it is to develop and
ship a software product
is is a foundational part and then
getting some even if it's not people
management but starting with
um because it can be weirdly hard to
break into people management actually i
found it difficult
for somebody to give me a role to manage
people if i hadn't managed people before
um nobody wants to be the first so it
can be quite hard but a nice
sort of intermediary step is doing team
leadership technical
technical lead meeting a project even if
you're not somebody's people manager
can be a nice intermediary step if
you're having a hard time you know
getting
going straight to people leadership um
spending a little bit of time there and
i'll say it's
you don't have to stay right if you
decide people management isn't for you
doesn't mean you can't go back to
technical leadership
and do something you know people manage
was not the only way to be
to get something done i i have done that
dance many times melissa
where i got pushed into management and
then i was like
oh this makes me crazy and unhappy
and then i would step down back into
technical and then be happier and then a
year or two would go by and they'd be
like you know what you would be a great
manager and i'm like i don't know and
they
yeah i would and i did that a few times
before eventually i was just like
no and so then i decided to start my own
company and then inadvertently i am now
people manager
manager again so clearly
i mean some of us can't make up our mind
and that's okay
there's nothing wrong with that no
there's nothing wrong with that like one
of my uncles did that and i remember him
giving me a talk he's like it's not a
step down it's a side step
to do the thing that you love that makes
you happy and excited to go to work
all day like he's like you spend a lot
of time there
you should do the thing you like while
you're there not the thing
that makes you want to pull your hair in
i used to joke with some of my staff and
like this gray hair is named after you
this gray hair is named after you
yeah you like your day you should like i
mean i know it's a
tough thing to say in the middle of
coven and it's a very difficult
economic situation so if you got to do
what you got to do like that's okay too
but everybody should at least aspire to
being able to enjoy what they're doing
during the day
i could not agree more could not agree
more
this is the middle of the podcast where
i very quickly
thank our amazing sponsor ubiq security
they provide an api-based encryption
platform that's built for devs
i really appreciate them sponsoring the
very very first number one
of all time we had purple podcast
also to celebrate this i'm wearing um
a superman shirt i felt like a pink one
because i like pink and purple yeah
obviously
i wanted to celebrate because you know
start big
yes exactly i should have i should have
i should have worn my defined con shirt
but
alas i love that so much
i loved defendcon that was it there was
a conference in seattle
and it was all
women and non-binary speakers and
it was eighty percent of tickets saved
for women and twenty percent for allies
and i have never felt so comfortable and
also recognized so many humans that i
know
at a conference crazy if you're
listening we miss you we'll help
you yes princess is going to be on this
podcast i'm so excited
yes so she just got a brand new job and
she is the senior principal security
engineer of iot
and i'm so excited to dissect the iot so
this is tracy martin
that we're talking about if you want to
follow her on twitter
um i believe her name is currently
regrettably smee
like i think it matters
i think you're right she's awesome
and also she has purple hair it's funny
it's the only conference that i've gone
to
where people are like how can i tell
which one is you and usually i'm like i
will be the one who's
a woman
i'll be the woman with purple hair and i
now i'm like
like at defend con i'm like i'm not even
the only one
at this table
like it's like mecca it's it was a
fair lady okay i have more questions i
have more questions i want to know more
about being
a director of director of engineering
like at a security startup okay so what
type of learning path could someone try
to follow
if they want to get into a job that's
similar to yours so let's say
i'm a software developer and i'm like
looking up at melissa and i'm like one
day
on a b you know i want to point my
career towards that because that's what
i want to do someday
what type yeah learning
um so i took a really crazy route here
that i don't
i don't recommend i went through a lot
of different
i had a lot of different job types
um what type of learning let's see so i
would say
it can be on the job learning too
sometimes i take a job because i want to
learn that skill
yeah so actually i would say take you
know do a couple different jobs and get
a feel for different
parts of the industry right i've worked
in gaming i've worked in
uh search engines i've worked in
hardware manufacturing actually i worked
i've
i helped make some airplanes i've
worked
all kinds of like all kinds of places
all kinds of different environments to
get a feel for what worked and what
didn't
right you you know you know microsoft
you know the stack rank tanya
knowing what the stack rank is and how
i'd never want to do that to anybody
ever has helped inform
my management process knowing how
startup hires versus how a big company
hires has informed how i've designed our
hiring process like what worked and what
didn't what kind of biases i found as i
was
interviewing with other companies and
also that i've
seen from my fellow interviewers as they
were interviewing candidates
um i would say a breadth of experience
like try different things
you don't have to be there a long time
right you have to be ten years at one
place in order to
really understand what they're doing but
a breadth of experience to find out what
works for you and what doesn't and what
you
like and respect as a practice and what
you don't right i will never stack rank
by employees ever i was asked to do
it once not at my current company and i
refused
uh it's complicated we got into it
didn't
we as well for being what back ranking
is for the people who haven't previously
worked at a place that employs that
ah so stack ranking is the practice of
performance rating wherein you take all
of the employees
and you put them in order of best
quote-unquote
to worst and then you know
a manager has to do this and then the
manager joins their staff rank with
their other peers at their level
and then that goes up and up and up
until you have a list of every employee
against the other managers for you yes
they have to fight it out each person
and so weird politics happen in stack
ranking right like you have
a manager of managers who's like well i
can't have all of my direct report a's
people be higher ranked than all of
direct report fees people
even if one team is high performing home
team is low performing i can't have that
political battle so i need to interweave
them a little
weird like weird things unrelated to any
individual's actual performance
comes out of there so i mean for
instance let's say that
your manager is fierce you have the
ability to get a much
larger bonus than for instance if your
manager
is very sweet and kind and understanding
and has great emotional eq
but also is soft-spoken and is not going
to
fight for you yeah because it all comes
down to
basically two hours in a conference room
like your whole year comes down to two
hours of managers fighting in a
conference room and whoever
did nothing with managerial skills
necessarily of who wins
um and then once you have stack quick
you get into forced attrition and that's
even worse
right when they say ah well we're going
to cut the bottom 10 percent of the
company
well if you've been hiring for all good
people who's to say the bottom 10
percent
are underperforming the industry what
kind of garbage are you going to be
doing when you you know if your bottom
10 percent is still
in the top 25 of the industry like
that's unreasonable
demoralizing and unreasonable makes it
gives you a terrible talent problem
so things i learned that i don't like
that i won't do
yeah it also means that like let's say
there's x amount of bonus money
and then that means if i get a really
good
bonus that the people i work with
every day who i care a lot about
aren't getting one or they're getting
way less yep
and then you feel crappy
i mean there's the realities of budget
there and that you know you have to stay
within a
budget and i understand right but
dividing that budget equitably in a fair
and reasonable manner per
per team rather than artificially you
know i know somebody
who their manager went in and they said
this person
was extremely low performing last year
but they've improved to a mediocre to a
mid-level performer
they were given the same rewards as
somebody who'd been an outstanding
performer all year because oh because
they had such a great magnitude of
improvement
right that what kind of message is that
and i you know don't fault the person's
manager for doing that but on the flip
side it's not fair to anybody else
you're like you said everybody knows
and so now you should have an average
bonus not an amazing one
that's right i've seen people reward
improvements or you know not
so should back up stuff and i've seen
way too many cases of
unclear rubrics behind which
assigned value and assigned bonus right
improvement is
great and something to be celebrated a
low performer becoming an average
performer
that doesn't put them at the same level
as a high performer
i also don't like getting into you know
low performer high performer average
more complicated than that because i
feel like you're either
you're doing your job you're doing your
job super well and you're ready for
promotion to the next level
or you're not doing your job
it's pretty simple right i don't like
slicing hairs and making you know ah but
30
of your employees should be in bucket
too that's
that's not always true how life works
especially at the small scale maybe once
you get up to the 10 000 employee scale
like
not you know the law of large numbers
starts applying and those things make
sense but
they don't really make sense you know
the 5 10 20 person
organization big kind of size
people where they are and you know
you're doing your job you're doing
fantastic you're going to get a good
reward for it
you're doing a great job you're ready
for promotion to the next level
fantastic or
you're not doing so well you know you're
not doing so well we're making a plan
making a plan to help you improve
you know and here's your more modest
rewards to reflect you know that you're
still adding value to the company
yeah yeah exactly
well melissa as we're talking about
money
does your job pay well in your opinion
so
we are interviewing people that do all
sorts of types of jobs
and people who are considering you know
becoming a pen tester or
a reporter or like a reporter that
specializes in cyber security
or a difficult engineer or a director
of engineering they want to know
is it you know am i going to have a
three-bedroom apartment or like am i
going to live in a bachelor apartment
you're going to have a nice apartment
you're going to have to be a good
apartment
i mean the company size matters so i'm
not going to claim that you're going to
be making as much money as a startup as
you would at like
google of course um
but it's a good job right you're gonna
try
as much cheese as you want every week at
the grocery store is this what i'm
understanding
such cheese every single day if you want
seriously i remember the day where i was
like i'm gonna buy two different kinds
of cheese and i was like i thought about
it i'm like i can afford it and i was
like
i'm rich i'm so silly but like
i grew up not rich at all and then like
i was like
i can buy two different types of cheese
this week and enjoy both of them
and like not be like worried i'm just
like i'm officially rich about two
different kinds of cheese
yeah that was the thing that did it for
me that i was like i've made it
yes when you can buy whatever cheese you
want in whatever quantities you want
seriously okay
i like fresh oh mozzarella good have you
had buffalo mozzarella oh my god smoked
buffalo mozzarella
on a pizza i die oh my gosh i have not
had that now i feel like my life's
incomplete
you need smoked buffalo mozzarella like
oh yeah big like big globs of it on a
pizza i mean it's fine with
other things too but big like the big
chunks where it's just a huge gooey blob
on a pizza
style pizza i need to order this because
i can't go to my grocery store it's like
what's buffalo mozzarella i'm like
i'm leaving because stop my feet what
are you doing
because i live in a little farming
community so i live outside the really
big city in like a little farming
community because i wanted to start a
little farm
you have some excellent squashes yeah i
really i have
you didn't even see it i picked like
eight last week no
i have like a farm okay
so do you feel that there's lots of
opportunities
for your type of job like if someone has
your amazing skill set do they have a
lot of job opportunities
and is it only like once in a century
that a director of engineering comes up
or is this a thing that like
with the right skill set you can
definitely find
look at my linkedin dms yeah you're like
they're on fire
yeah there's a lot of there's there's
a lot of
opportunities but it's
dependent right it gets very i don't
want to say competitive but
director means a lot of different things
right and there's different companies
have
very different views of what that is um
and a lot of politics can start coming
and do it you know thankfully not
you know where i worked but other
companies can have a lot of politics
come into it
and so the world the title is
all i don't say meaningless but it's
almost meaningless because it can be
such a different job from company to
company to company
based on actually i completely agree
with that
yeah most job titles honestly like
the titles are garbage i was talking to
someone fresh out of college who
like i want to be a pm what p what p
for what definition of p and m
because you could be a product manager
or a project manager for a program
manager and good luck differentiating
between the three job descriptions
oh yeah oh yeah and also each place is
so different like
i've definitely worked at places where
it's just it's just not the same
it's just not the same
one company it's not the same yeah
yeah and and sometimes also just like
the person that does the job
like there are people who are like a
rock and they kind of sink to the bottom
and there
there are people where they just shoot
for the stars no matter where they are
yes i have a friend and she just got
a promotion to a new place and they're
already trying to promote her to the
next level and i told her this would
happen
and i was like you're completely amazing
and the place where you work
weird stuff's happening and like they
don't have any open positions above you
but they
like they depend on you for literally
everything yep
except this promotion and like she's
been there i think five or six months
and they just keep doing more and more
things and she's like
i expect a promotion within 1.5 years
and they're like oh we're not going to
make you wait so long
like it's a good event she's that person
that she's to the stars
and i'm like you're going to own that
place like in like two years from now
you're going to be like the big boss
shut up but you know what that's very
place dependent as well right the fit
matters
so yeah a person with a lot of potential
but if you're not in a company
where you're a good fit and you're given
the right opportunities to grow
you'll stagnate right i had a company
who
said i wouldn't be a good manager they
don't want me to be a manager
probably because they don't want me to
lose me being a dad which i understand
right it was hard to hire devs at the
time
but they're like no we don't think it's
right for you we're gonna do
you know where i encourage you to stay
on the ic track
yeah i worked somewhere once and um
we had a director that decided women
weren't technical
yeah so he switched me over into a
non-technical role
and made me a manager which i did not
like but then things kept catching fire
because tanya wasn't there okay and
it just got worse and worse and then i
quit
and like two or three months later i
went for beers with like all the guys
from the team and you know we're
drinking hanging out etc
and then like at around one in the
morning you know most of them have gone
home
and one of them went to the bathroom and
then the other one looks at me and he
puts
he puts his hands in his head he's like
everything
sucks since you left i knew you did
everything but i had no idea
and he's like we want to take that
director and throw
rotten tomatoes at him he's like these
are crashing this is broken no one even
knows how this used to work
and i was just like this is so
satisfying
yeah and i i'm pretty sure that when i
had the problem right they had the
opposite problem was they had certain
metrics to maintain of the number of
women engineers and i was the only one
and so i would have tanked their
diversity of numbers if i'd switched to
management so they didn't do that
they didn't want me to they would have
been evaluated badly
which is actually harder than it sounds
yeah i know
i know i'm hiring now it's harder than
it seems
i've had three head counts now around
like this one this is gonna be the one
um and it's one thing if you're
microsoft like you don't have an excuse
if you're microsoft because you're big
enough that you could source people but
i'm tiny
and sourcing you know it's much more
complicated for me
i should ask everyone at the next vosak
chapter because you're the leader and
stuff you could probably do it
i did do that i didn't do that
we talked about other people's openings
too everybody gets to talk about their
openings
reasonable we're not biased we just want
all the awesome cool ladies to work with
us
i mean what's wrong with that do you
know
tanya that i've never worked with
another woman before another woman oh my
gosh
i've never started a woman and i've
never worked i've worked with i think
one or two pms
not okay i shouldn't say never i haven't
in the last 12 years
i had almost never got to work with
other technical women
like it was very very very rare until i
joined elections canada
and i kid you not our giant tech team
was one-third women
and all of them were like fierce and
like
awesome and the director she's like this
little asian woman
who had climbed every single giant
mountain on the planet
and she's like oh yeah like i've i've
climbed that one twice like that one's
old and i just like you're amazing and
i kid you not during our like team so
like i was the see so
well no actually i wasn't the ceso yet
um i was like the head of the dev team
we would have these weekly meetings and
she'd be like
well now obviously and then she would
serve chocolate
during our like director meetings and i
was just like
it's like i felt like she was a goddess
in hindsight that is obviously a thing
that should be done
right i was just like you're a brilliant
genius
yeah and she's like i just i want to
enjoy the meetings so i thought
i should make everyone enjoy it so like
i bring chocolate
yeah she is awesome i wonder what the
clover equivalent is of that
we did snapchat for a while everybody
could be potatoes
my question nailed chocolate to a lot of
people recently so one of my staff
members we had like a weird thing happen
and i wanted to make sure everything was
still cool um
and so i actually like mailed her a
whole bunch of chocolate and she was
like you didn't have to do that oh my
god thank you
she was like oh i knew everything was
fine but i wanted to make sure it was
extra fine i don't want anyone quitting
yeah i need you i need that
that's a good idea yeah it really worked
well
that's a really good idea yeah it made
sure
that she definitely knew i was thinking
of her
um and it didn't cost that much and it
was totally
which is my problem with my other planet
i'll just send everybody whiskey but
alcohol is complicated not everybody
drinks but everybody eats chocolate
well in canada we have this company
called purdys and they actually make a
chocolate survival kit
so i recently sent that to my mom i was
like i heard you're having trouble with
like coving so i sent you a survival kit
and she opens it there's just chocolate
inside all this different chocolate
she's like oh canada
how do i get anything you open the
survival kit it's just all this
different type of chocolate
oh man of course you said this
okay okay back on track yeah i knew this
is why i booked extra time and like the
podcast is 30 minutes but i will book 60
because i am verbose this is my fault
but who doesn't want to know about
chocolate
right and purdy's chocolate is out of
this world it's a canadian company and i
know like i
i am canadian you've probably heard me
say about at some point during
this call but they're oh
so only i could go to vancouver again
well
i mean as soon as it's allowed these we
would love to have you
yeah we're uh persona
touring i don't blame you
i don't blame you
you it's yous
yeah but but that said what do you like
what do you like best about your job
because there's probably like certain
things that are like
the best and it might not be the things
that people know
yeah so what i actually like best about
my job is making everybody else's lives
better oh yes and that's both actually
both faces of my job it's both the
management part right i like making
my employees lives better right giving
them the slack when they need it giving
them the growth giving them the nudge
um helping them line up a career path to
meet their career goals
like i really i really enjoy that and
then on my my dev test set up squad side
i really enjoy because we affect the
whole org not just my org
we affect the entirety of the
engineering organization with the
practice that we do and so we make their
lives
materially better right when i cut 30
minutes off the build time
that makes everybody happy so happy
right when i put a new when we do a
sonar cube update when we update a bunch
of rules
or turn on some new rules right we float
a bunch of
potential vulnerabilities in the code
before it goes
live everybody's much happier than if we
caught them
somebody else caught them live it makes
everybody's lives happier
makes it more productive makes it easier
so that's really what i enjoy doing
is helping other people helping the
other people in my org be
uh be more successful would you say
so there's like a follow-up question is
what makes you feel the most pride
in the work that you do and do you have
a specific story
like that you're allowed to share and
that you that you want
to share um
so the most pride i felt honestly is i
had um
i had a higher uh a while ago higher who
wasn't performing maybe
to their potential right we knew they
could perform really well they were
having trouble
integrating with the org just you
know
stuff that happens and
i was able to you know between some
coaching of them
some coaching of the the team you know
the team lead that they were on
um we were able to not just turn around
but make a star performer right make the
employee
truly live up to their potential like
like top performer the you know the the
rock of the team
um just with coaching and understanding
um and relationship management
that's awesome that was like awesome a
huge amount of pride with this person
who
had so much potential in this was being
wasted
i yeah i had a similar situation once
where i had a
i got transferred in somewhere and i had
actually like a really really bad
employee that made a lot of mistakes and
one day we sat down and i was just like
what do you wish you could do and it it
turned out he was a network
engineer and when canada had changed
around the way they run the government
and take in all the network people and
put them at shared services
they wanted to keep him because he was
so good but they weren't allowed to give
him a network engineer job anymore so
they put him in a software development
job
and he'd never code it before and he
hated it
and he's like honestly i just wish i
could be a network engineer like i know
they
like me here and they really wanted me
to stay here and i love my colleagues
like
don't get me wrong but like i've tried
dev for like over a year now and i'm
miserable and i was like do you want me
to transfer you
so you do yes and then like
his new boss was like thank you thank
you
so much this guy is the best
and i was like how am i going to fire
this dude
he like deleted half the stuff and sort
ins and version control
no you've done so many giant mistakes
where i had actually just
locked him out of version control and i
was like we need to have a talk like
what do you really want
and then he just like was honest with me
i'm like i can't believe they did this
to you and he's like well
i loved working here and they said we'll
just arrange it so you can keep working
here i didn't understand like
i thought maybe i could code because i'm
awesome at networks
and yeah he was so happy and they were
like he's amazing and then i did not
have this nightmare of
a grown ass adult who i felt unsafe
letting touch any code
yeah yeah and nobody wants to
infantilize an adult
right an adult who are paid to do a job
yeah exactly and so it really worked
out turned out like
using your ears can like really help i'm
so glad that you got to have that
experience that's
awesome yeah so now so i have a tough
question for you now though
what do you like least about your job so
obviously you're not going to be like
there's this one guy and he's the worst
but
would you like let me tell you about my
boss no i love him
he's great which is not something i've
always been able to say
so i don't say that lightly um
what do i not so i miss a couple of
things right i miss writing code
i miss you know solving a hard problem
and
writing you know being being deeply
deeply technical and being
you know the deep technical expert i do
miss it um
and i don't like
so i don't like it's weirdly often
there's not a lot of politics in my job
now but i don't like having to navigate
the politics especially when i'm not in
the room
um it really i really have disliked that
and honestly the other thing i just like
is i just like how few women i work with
yeah okay yeah
for the longest time i had this thing
that i had adopted into my personality
or i'm like well i'm not you know you
know the type i don't like other women
because i'm a guy's woman
and you know women are girly
and i had adopted this you know i picked
up a bunch of masculine traits
um i guess it's a survival like a coping
mechanism
and it took took years for me to realize
that this a wasn't
who i was and b i didn't like this
person
either and i being able to work
with you know to just be around be
comfortable being around
other women became very important to
me so i work you know i do work with
some women now they're not they're not
engineers but they're
you know still smart women and it's
important it's important to me
um have you ever been told
to not wear a dress when you are in a
more technical role or been told like
you know go buy a pair of jeans so
no because i would have wouldn't have
been caught dead in a dress
until from the ages of probably 16 until
the age of
i don't know 31 32 i wouldn't have been
caught dead in a dress
or with you know makeup very reluctantly
jewelry very modest
you know wearing a bunch of makeup now
because that was part of the persona i'd
adopted right i was not
you know those things weren't for me i
was technical i'm a guy you know i'm a
coder
i'm not you know girly things are not
for me it's not okay to be
because that was all the message i had
around me right was this is this is what
this is what a coder looks like this is
what an engineer looks like so i made
myself look like an engineer
i actually had repeatedly managers tell
me
you're not like wearing a dress at work
and go buy
blue jeans because even if i wear pants
i hate jeans
like i think they look great i think
they're uncomfortable
and like like i yeah just over and over
again like
no tanya you're you're making other
people uncomfortable
wow and they're like go get some
t-shirts
so that's what i avoided with my choices
right deliberately because i was afraid
of that happening to me
you know deep down i was afraid being
called out for being being other
yeah and and also like you do get
treated
totally differently you get treated so
differently if you
do your hair and wear makeup versus like
if you wear jeans and a t-shirt
and like especially like a loose fitting
t-shirt right and
loose fitting jeans and like i used to
joke i would have programmer here
because i would not be thinking and i
just
end up posting a bun on my head out of
the way
and then they treat you like one of the
guys and then you can get your job done
so easily
and that's what i wanted so that i
became one of the guys i wore a ponytail
i wore tech you know
conference shirts jeans very little
drawing
and i was for i don't know the first
three quarters of my career that was
what i did
um but that cause it was you know a
source of unhappiness for me i didn't
cutting that out of my life was was
freeing right sometimes i
still wear jeans and a t-shirt because
i'm a lazy person but i'm not
because those are like they're easy to
put on actually don't wear jeans over
leggings now because those are easy oh
yeah leggings is where it's at
never wearing real pants again leggings
and a con t-shirt
like those are fantastic but on the flip
side right i'm not
afraid to sometimes put on makeup or you
know when i feel like putting in the
effort because it's my choice
to put in the effort or not yesterday i
was in a in a bunch of zooms i i was
recording a a different talk
and i had this hot pink dress on and hot
pink lipstick and my hair done
and everybody popped open so i popped up
unzoom they're like
are we allowed are we allowed to say
that you look like you put a lot of
effort into it today and i said yes
you're allowed to comment honest one
standard deviations worth of obvious
effort
[Laughter]
oh my god i love it i love it
but it's nice to know someone else has
felt the same things as me
because it is it is so true i've even
met some women where they would go to
strip clubs with the men even though
they were wildly uncomfortable and
really didn't want to
wow and i was like oh no way man
that's a lot of whiskey and beer
thankfully not strip clubs but yeah
that's what you need to do and to be
fair i do
actually like whiskey now but i got
into it not because i thought oh i might
like this but because that was what was
expected right
of the persona i had adopted oh if
you're going to be a cool hacker person
you got to be into whiskey you got to be
not care about your appearance you got
to i swore like a sailor for a while i
still have to watch my mouth
um around my children and or on on video
i was unsure if i should list this
podcast as
has explicit words in it or not because
sometimes
my inner programmer still comes out
yeah sometimes if especially from coding
actually or if i spend a lot of time
coding i'll still drop a bunch of
f-bombs
i feel like we should change it from
swearing like a sailor to swearing like
a programmer
right programmers swear like crazy
okay i have i have three questions
three last questions and
the first one is what actionable advice
could you give someone
if they want to one day be a director
of engineering like what what would you
advise them
i would advise them to get into a job if
they're not in one already
where their leadership believes in them
and is invested in their growth
yes oh my gosh matters more than
anything else
okay so everyone ever follow melissa's
advice
um you're gonna you're gonna burn out
and you're gonna hate your job and
you're gonna hate the industry
yes we should all listen to melissa and
if you didn't know
you could follow her online at queen of
code just in case you missed that
earlier
also we will be attaching information
about it
um okay so second last question
do you do other things outside of
infosec outside of your nine-to-five job
that you want to share so tanya
i own a horse i own a lipid sonner named
jade and i ride classical dressage
occasionally i post pictures of her on
twitter not too often because
because it's it's kind of a non-sequitur
if you look at the rest of my profile
like it also
i ride this horse no i try not to pick
like send a hundred pictures of my
garden farm
thing because i'm like this is an
infosec feed i should tweet about
infosec
but also i harvested 20 squash today
yeah i got a bunch of zucchinis the size
of my forearm
yes i do a little gardening
okay so here's the very last question it
is
probably the easiest but i should
probably tell you it's the toughest
because that would be the most fun
if someone wants to know more about you
where can they find you do you have a
website do you have events you're going
to be at do you have any links that
you'd like to share because i bet by now
people really want to know
i have i have so many things so i have a
website uh queenofcode.net
um follow me on twitter at also queen
of code
i'm going to be at a bunch of
conferences coming up this fall so i'm
going to be at not pink con
um on saturday like day after day after
tomorrow
um doing my thoughts testing talk and
i'm going to be at a conference called
star west which is a software testing
conference i'm one of the organizers i'm
doing a bunch of talks and tutorials
which is at the beginning of october
that's going to be virtual
usually at disneyland so i'm very a
little a little heartbroken about it
being virtual but
survive and then i'm going to be in
the beginning of november um
at a conference called agile devops
talking also about
many many different things oh my gosh
that's so cool
i have seen her fuzzing talk that's how
we met i saw it and then i was like
you're amazing
i want to be your friend honey it's very
not subtle
you caught me into running a wolf
chapter though yes i did
i did do that i do that in every city i
visit you'll notice since the pandemic
there's been no new woestek chapters
and then brought them in join women of
security meet lots of cool women
have fun and brunch
we do have fun and brunch we managed to
get one in before the pandemic shut us
down oh my gosh we got one in right
before the pandemic as well but we've
still been meeting virtually regularly
virtually but it's it's different having
brunch virtually i know
i know sometimes i actually eat brunch
during our meetings
and everyone's like wait you're having a
frittata
like this is a zero mile frittata oh
i've only had whiskey so much whiskey
well i approve of that too because you
want to have fun
you want to have fun that's what
women girls just want to have women just
want to have fun
it's true men probably do too everybody
wants to have fun
right thank you so much for being on the
wehack purple podcast
i feel like there's a lot of people who
are going to benefit from the
information that you shared
and i love just catching up with you so
thank you so much melissa
and thank you again to our sponsor and
is there anything
you want to say before i play the
amazing credits
um just you know thanks so much tanya
it's
really honored to be podcast number one
um and hopefully we'll get to we'll get
to
be able to get together soon in person
we owe each other a brunch
i agree i a hundred percent agree
and it'd be so much more fun to be at
the wosec meeting in seattle
in person instead of virtually next time
100 we're basically neighbors
basically until next time this has been
the we have purple
podcast thank you so much for joining us
today we learned from melissa Benua how
to find your career in information
security and thank you so much to our
sponsor Ubiq security
thank you again to you the listener for
joining us today
hope to see you next week