We Hack Purple Podcast Episode #2

Mario Platt


In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Mario Platt to learn what it's like to be a Director of Strategy.

Mario Platt can be found here: Twitter
This episode is sponsored by Ermetic! Twitter

Transcript:
welcome to the we hack purple podcast join us for episode 2 with guest mario platt this week with our host Tanya Janca we are going to learn what it's like to be a director of strategy thank you so much to our sponsor ermetic awesome hi welcome hi there thanks for having me thank you for coming on to the wehack purple podcast i'm so excited to have you mario thank you so the wehack purple podcast is well the first season is about finding your career in information security so we want to talk about different types of jobs and you have had every type of job and so you're you're oh it's going to be so good so let's start off with please tell us your name and your handle so that people could follow you online maybe yeah so my name is mario platt i in terms of social networks i mainly do twitter so my handle is m a d plat mat so yeah what is your job title so right right now my job title is a director strategy for practical devsecops yeah and i do a lot of work around strategy i do a lot of talks and try and create as much content as i can on the topic of security strategy that's totally awesome yeah your job sounds pretty fun it is it is so i know that you just described your job but you have done many jobs is there a chance we could go a little bit off script and then you could tell me like the types like a bunch of different jobs you had and kind of like what they are because people who are watching might never have heard of some of these jobs that we were talking about earlier yep sure so um kind of uh the probably the simplest ways to make a journey through my career um would probably be the the best way to go about it so i started i got interested in hacking in the late 90s um and um my first full-time security job was in the early 2000s as a penetration tester um so it was kind of a mix role because even though mostly what i did was penetration testing i also didn't i worked directly with the marketing company so i not only had the chance to um to to do 
penetration testing for some of our corporate customers and so that included everything from helping the the sales opportunity um so would go with the with the marketing team and supporting them on um trying to understand what their needs were what they were trying to to secure um and then also doing the technical parts of the the assessment um so in those early days that was around the time where google hacking was starting to become a thing i think i still yeah the book is still out there from those days um so there was a lot of the typical vulnerability assessments trying to identify things on um a lot of google hacking trying to understand what google already knew about organizations and then trying to do the more active parts of the assessments um against their infrastructure against their their their services um and then the writing of reports right which was usually the more um the less fun thing right the super exciting part uh no no there was most definitely not um and then it still had the layers of management uh review before being delivered to the customer right some things had to to be said many different parts did you have to like i've heard some people say that they have to like present their reports with like a formal powerpoint presentation and like present it to management and the management is always like ah i thought we were perfect is that true yeah it was part of what i did most of the time particularly when um so we would always share the um the reports in advance and then usually um the account managers because this was a big the biggest telco in portugal and they because they had a proper account management etc they always wanted to sit down with the customer uh mainly to identify the other opportunities to upsell uh there was the the commercial driver behind it and so we would then talk about some of their findings and the services that we could provide to them um to try and mitigate some of those but there was usually not necessarily a 
powerpoint presentation but a walk through um the um kind of the executive summary of the reports and i would typically find myself with them not only with the management on the side of the client but also their technical staff which were then spent at least half an hour to an hour trying to say that the vulnerabilities i had found were not vulnerabilities and me trying to convince them that they were so those were very fun days i'm laughing because i have also had to do what mario has done yeah and i'm laughing because i'm like that's so true yeah it's what usually happens right people will try and justify particularly from a technical point of view they see it as as features not bugs many times right and we didn't try to explain to to them what the security implications are or could be so what is um tell us about someone because you have had many many different jobs and so another part of my role at that particular team was also a product testing um so because i was a part of the marketing team and there were a team of four people that did security product management and so what what happened is um i first started uh by doing basically i played with toys right everything they wanted to add to the commercial portfolio to sell as either managed services or or as appliances etc i would do all of the testing between different comparisons i would compare products etc and then sell them so at the time this was early 2000s the main thing was ips there was the new thing coming on the market so uh for one of the projects that i had for about six months was to trial lots of different vendors from ips for us to then select one to add to our portfolio um to threaten the managed services etc and so it was really good fun was that interesting like did you find that fascinating to be able to compare all the different services or was it dull or no it was brilliant so particularly at that age people that are more technically inclined that really like to uh to mess with the 
technology because it gave me a chance to to to do everything right i didn't have to worry about a production environment so i could just reboot things in the middle of the day and do whatever i wanted with it i could attack it at will so i usually put some um some web servers behind it it was really like playing games from it was probably the most fun job i i had it was just playing right and then um trying to put that into something coherent for people to read as a report of i think this is a better technical solution than than the other one but there was a really really interesting job particularly me that i really like um the technical parts of it um i that was probably the most enjoyable role that i had because they're in that particular scenario there are no preoccupations about um about keeping the system up right there there's no concerns about production you can do whatever you want and you're just testing stuff and it's just fun all day there's no down time there's no someone change the firewall rule and uh our whole platform is down right that doesn't exist and we need a really good you do have to do that right yes exactly very careful so not that pen testing isn't still fun yeah so one of the the the most interesting ones i had was um at six a.m in the morning having um calling a customer a bank because their servers were down because they had an ssl vulnerability on their iis that broke the ssl service and i had to escalate called the the guy that was on call three times and escalate to his manager at 7am because he was arguing with me that his servers were down and i was telling them they weren't and i had to call his manager because at eight a.m i knew there were services running that uh it was going to go horribly wrong so i had to go over him and call his manager look he's not believing me and he doesn't need to restart the services because otherwise it's going to be difficult forever so what is so right now you're the director of strategy of where 
practical devsecops so for people that don't know about practical devsecops my friend imran mohammed founded that company and i know that they're technically our direct competitor but muhammad's my friend imran's my friend i don't care they're awesome so what is a typical day in the life for mario being the director of strategy like what would a day be like what do you do so there are different parts to uh to the role um so one of them is um in the that also goes back to to the ethos uh of practical devsecops so we are very much believers in open source uh were believers in democratizing access to information and that was also part of the reason why um imran and myself we get along really well with each other and we found that the way we're trying to approach security uh him more on the technical side of things and me these days more on the the strategy strategy and the program management etc and that we had the same ethos which is um look we don't have anything that we're trying to hide right we're just trying to expand knowledge and we know that if we do a good job at an uh talking to the people about this subject that uh business will come to us right um we just want to do the best we can for our communities and we know that um business takes care of itself when you're doing good things for other people and that was the the type of ethos that that brought us together um so on that um a lot of the of the work that i do i can really combine um a lot of good things um that i really like to do so one of them is uh the the research side of it and so trying to to understand whether where the market is going whether how our competition is offering and the type of content that we have on our courses and so one of the things that i've been working on and it's going to be released in the in the next three weeks is a new course that we're delivering which is um a cdl um certified devsecops leader um because um for instance one of the the the things missing on the 
market not just on devsecops but also on devops is that there's a lot of technical information out there but not really much information on how you manage uh a function that's such a good that doesn't exist agree and there was um and there was uh something that i as part of the role that i do that i've identified that is something that doesn't exist on the market so let's create a product for it and i try to distill a lot of them of the things that i do uh that we do with consulting um with our consulting engagements on trying to advise on strategy try to define a sick uh um a security program and trying to to to help them understand what risks they have what um what are the the things that are mostly affecting their particular industries or their particular organization in trying to come up with them help them define their own security strategies and in that usually what i'm what i do a lot what i like to do is combine these two things so on one hand i've got time to do the research on the other hand i can then build up the the knowledge that i can advise my the business side of it that i can then advise um uh our consulting customers on um how they can improve their their current situation so there's a bit of both the part on helping people with the problems that they have not just the problems right um a a big part of the of the problem in strategy and this is overall uh strategy not just the security specifically is that um people do too much um what i like to call a reports and not really understanding what are their internal capabilities what do their what do their people know how to do how we can leverage what already exists before we start with major transformation programs that um are going to cost a lot of money potentially not be effective because the organizations aren't ready to to absorb them right so that type of more situational awareness in helping with that that's the really the type of thing that uh that i like to do and i get the opportunity to 
do it cool so as you might have guessed i have more questions because i want to know everything so what types of personality traits do you think someone needs to be good at your job um so i think there are two aspects of it and that's why um um it's a dif it's a slightly different type of role i would say because on one hand you really in my opinion you really need to be a bit of a nerd right so i'm most i'm i'm most happy if you if you leave me with a book for five hours and i don't have my kids around i'm gonna be reading right i either there or watching star trek one of the two things are going to be happening but um so really having the the appetite for knowledge right so that you can be alone with a with a book where the content and you're gonna dig into it and you're not doing it because you've got a deadline you're doing it because that's what you would be doing anyway right you'd be geeking out on some kind of subject that you decided to do right so there on one hand there's that aspect right that you need to be comfortable with them with sitting with yourself with the subject and just studying it because um because you're curious right it's curiosity for me it's always been about curiosity i just i want to know everything it's not gonna happen but um that's just uh i always find interesting new things that i want to learn about um so there's that part of the being curious in the be wanting to do something about it right which is key on the other the other aspect of it is that i'm just having just researching the subjects is not enough you need to be able to communicate them right and there was also part of the reason why i um i'm on so i'm on my last module to finish my business degree um so i don't have a business a degree in um in tech or computer science or anything like that um my my degree is in business because i was already i started my degree already with 12 13 years of security experience right so i didn't do the usual route i started working when 
i was 17 in it um so because of that i i i believe that that helps me and frame the problems in business terms because i had to for my business degree i had to understand finance i had to understand business operations i had to understand marketing i had to understand hr so i had to to do all those subjects in them and do projects around them right so the the ability to to then communicate to back to business what um what the the outcomes of that research that you've done mean to them or what it can mean that's what i think makes um makes makes or breaks your effectiveness at being a director of strategy but it's understanding not only the having the ability to do the situational awareness so that means talking internally in organizations with people so that you understand where the current situation what they're good at what they're not as good at what um what is it possible what they perceive as um possible as plausible or something that is completely out of their um of their ability to foresee so giving you an example it makes no sense uh going into to help a company that doesn't have any type of tests on their ci cd systems right and go talk to them about chaos engineering but it doesn't make sense right their vision of what is possible of what is plausible in the in their reality doesn't have that so if i go in there and say look netflix does all this great stuff that's meaningless to them it's not part of their mental model that they can absorb that information so if i just go in there and say you should be thinking about chaos engineering i'm not helping them i'm just looking smart right it's um and that's not helping anyone so trying to understand really what where people are and etc i think that's the the key parts on how we can help the others move forward have you also found that you also have to kind of tell them to stop sometimes so for instance i like one of my clients once they had me come to a meeting that they had booked with a bug bounty company and 
that i was explaining to them you don't even have a basic appsec program you don't even have any software developers that are available to fix any of these bugs or triage any of this and your release cycle is 16 months what are you gonna do with the bug bounty program like are you kidding but i had to say in a really nice way and i'm like this is like a phd but we're trying to learn kindergarten here but that sounds condescending so like how do you explain things like that like um so i guess that leads to my next question is this aptitudes do you need like do you need attention to detail hey for focus do you need to perhaps be able to be empathetic yeah i think that bit is key in in particular in the in the type of role that i do i think that becomes even more important because it is um i think you will agree with me but uh tell me if you don't um is that um a lot of people in infosec don't really understand technology right and that's not a problem in and of itself right there are lots of different roles where you don't need to be technical um that's not necessarily a problem right um but the challenge is if if you for instance let's say that um i'm a non-technical person that only does um compliance right iso 2701 for instance and i've got no understanding of what um what an application looks like i have no idea what infrastructure looks like i don't have any type of technical knowledge so when i go and speak with someone that is on the technical team the best i can do is tell you about what the standard says and hope that you can convince me with your answer but i if i don't have the understanding of how things work on at the technical level i can't help you fix your problem i can only tell you what i need to see and then you try to try and fix um and hopefully you can try to convince me that you're doing something about it but that leaves you in a in an ideal situation right because um building the the trust um with the with the person that is in front of you 
that you understand um the operational constraints that that you exist in that you understand um the the technical architecture and that when you provide the recommendation that you do it from a place of understanding what the problem is and what it will do um to to their operation right to the production environment puts you in a position to be trusted that helps you um again in the future trying to to be empathetic that helps build the type of trust where people will actually tell you the the truth right they're not going to tell you what the book says and what you want to hear they're going to tell you this is how it works and then you can make your own judgments and that's a type of thing that builds over time right so even that's why i usually say even if you come from an untechnical background it's still go spend 15 15 on a udemy course on docker or something like that right go go into a bit of an effort to at least understand what people are talking about right when when technical people see that you are making an effort to understand what their day-to-day looks like that what the technology looks like then at least you've got the vocabulary to to understand the answers right and that's the main thing he's having a shared vocabulary that um a lot of people in infosec don't have with uh with our engineering teams oh my gosh that is so true i totally agree so since you brought it up what types of technical skills do people need to have in order to become a a director of strategy like do you need to know how to code do you need to know how to write exploits so uh i think it depends um so from from my point of view um so i'm not um the one type of role that i've never had is a direct appsec right i'm not a developer so my background is infrastructure so i spent a lot of time in telcos with network infrastructure and building my own servers building my own kind of core cisco routers called firewalls that type of stuff at the isp level so really big stuff um so my 
that is more of my background when the world changed more from appliance based stuff more to um devops type thing luckily i already had at least 12 years of engineering of messing with with linux boxes of managing my own radius servers that type of stuff that i could that i could leverage right in order to understand what the new world looks like and how to do security engineering in um in a devops world right but um if you i would say that depending on the the needs of your of the organization and depending on the types of stakeholders that that you deal with having um a basic understanding of the infrastructure side of things really helps uh particularly in the devops world right because um one of the things that we talked about on the the course that i'm now building is that i'm from a security perspective a ci cd system in the version control system so a git lab or a github or jenkins etc they're systems of record right um you you can go look into them if you don't have a big issue with let's say back doors where people are making changes directly on the assets that's your version of truth things will uh today are version controlled if you know how to navigate how to open a a git lab or jenkins and you you can understand look i'm going to look at the the last 10 commits and trying to to understand what it is then you're halfway through um actually being able to have a meaningful conversation because you're going to be able to to read them uh the comments someone left on the on the comment um on the code review right you you have the ability to even if you can't read the code which ideally if you can that would be good right but if you can't at least you you know how to navigate the the system of record right and and i think that is probably what i'd call the minimum viable knowledge right to to to really understand what uh what is going on uh and then it depends on on each uh on each company right so if you're a terraform house maybe again even if it's a 15 
[Music] udemy course and you spend four or five hours just going through the course even if you can't write the code yourself at least you'll be able to understand what it looks like and then be able to read the snippet of code and understand what's going on and i think having the the ability that ability just to understand what's going on around you is the kind of the minimum of minimum viable knowledge right i don't think you necessarily need to to to be a full-fledged developer and know how to um to develop exploits for some companies that maybe i know seasons that um that can do that right and then it's good for them um but um that's that's not really the type of thing that i do so giving you an example when i go into into organizations and help them with the with stuff so some of the things that i've talked with devslope etcetera is compliance as code it's something that i that i talk a lot about oops [Laughter] um so one of the things that i do is i usually try and help companies to start the journey of going down compliance code right but the really complex stuff i can't do it it's not within my skill set i'm not a developer right but but i can show them and i can help them look let's um look let's implement a basic baseline uh let me help you develop scripts to check your cookies or to check your [Music] that type of basic stuff and because that's what companies need help with mostly is the introduction of the practice right because after you introduce the practice look there are people at the customer um who i'm working with there will be um i've had a lighting problem here um there are people over there that know how to code much better than me i'm not going to try and do their job right what they need my help with is to start to introduce the practice right that's what i'm there to do and if i just focus on the the minimum stuff that i can that i can help them with then it's going to make me effective they're going to get the benefit and i don't need to 
be a super duper developer and i don't i don't need any of that right i need to to to help the organization embed practices start developing the practices knowing that um the company if they're developing products and services they themselves have the ability to take it from there right i just need really to to help them uh with their their initial part i think that so i agree with you a lot but i also think that this might be a chance for us to show off our t-shirts so here's the thing is that before we started mario and i were both comparing our t-shirts and he is wearing one of his favorite t-shirts to show show it off lego yes and i am wearing a wosec women of security shirt and i think it's in reverse but anyway we had a big capture the flag contest locally before covid so it was okay um and we made custom t-shirts for it and it was super fun and um so i was like we have to show off our t-shirts at some point during the show and i'm sorry you're having lighting problems but i still think that sometimes you just have to do the best you can on a live show and that's okay it's okay don't worry about it i have many more questions for you so let's say that i am a person and i just graduated university i am so excited to start my career and can i just become a director of secu of strategy right away or if not which i think the answer is no you can't walk into a director role um what types of work experience would i need so like let's say i want to aim for that in my career like what types of jobs would i need to get there i ask the hardest questions don't i oh i can't hear you i see what is i see what is happening i thought that you were just smiling at me don't worry about it he will come back in a second but in the meantime i want to take a moment to thank our sponsor so our sponsor this week is ermetic ermetic security they are from israel and they do policy automation and specifically least privileged automation in the cloud and what that means is basically 
we often give way too many privileges on so many things we have trouble actually applying all of our policies and so their system goes into aws and then makes all of that happen and i've seen it and it's pretty cool are you back you know yeah i could hear you you sound good okay brilliant yeah so all of the technical problems saving themselves for for yeah as they do right so um yep so that's always been um again i think i i probably had it um easier because i always thought about the the concept of leveraging and that's what i would always say to to everyone starting in the agreements out in security which is if you if you're starting appreciate that it's going to be um if you really want to to do this it's probably gonna you're probably gonna be here for a long time right so careers usually these days you're gonna get to a point where you've been at this 10 20 30 40 years but that's usually how it goes so the idea that unfortunately i see a lot of people even people that i work with 15 years ago they still have the same type of they do the same type of thing that they did 15 years ago but that was never me right i get bored more than anything and and i think there's a there's real benefit in um forcing yourself to to to do different types of roles right and the the idea of of leveraging what you already know to do something that you could do i think is the the key um thing to to do i would always suggest before going into any type of governance role um so i mean what i mean by that is more kind of security governance risk management compliance and to spend at least at least five to ten years on more technical roles whether that is on on a sock or security operations or any of those roles that give you more hands-on experience because that is going to pay dividends for the down the line because a lot of people that don't do that don't have that type of background or didn't go early in their career um to to a more technical world then they they feel uh later on 
that they're missing those skills and then they're missing the vocabulary again um to to have meaningful conversations with the technical teams right and even with the the with the advent of devops let's say look back in the day in the early 2000s when i did security when i started on doing security engineering we were already managing linux boxes we already had clis we already had all of that the rule the rules of gravity haven't changed we just have different ways of doing things right um we dealt with sql injection problems back then we're still dealing with them now right so the laws of gravity haven't changed right well i'm sad that that one didn't change yeah but um but even there the in that kind of goes on with them that's actually a a good point etc with regards to the evolution of things so for instance if you had a code based on php 10 15 years ago and you now have mostly um a code based with react you know that just because you're using a better framework um cross-site scripting is no longer a problem right so just by changing the framework um you there's a whole class of vulnerabilities that you now don't have to worry with so even if you come from a development background that is probably something else so trying to to understand what are the the new types of frameworks that are coming that i do things more securely in trying to focus on them early on while the rest of the market hasn't caught up that will make you preferable they will make your skills particularly unique in the marketplace so that um the customers that you want to work with will find you right and that is also a big part of the reason why i use uh wardley mapping right so one of them the the maps that i've created was um a map of skills um at the end yes again listening to the live stream yep so i wrote about a blog post on that so but the basic idea is that everything evolves from being genesis to being a commodity right so for instance what i call commoditized um security skills 
these days are things more like traditional compliance so spreadsheet-based um testing that type of um traditional sdlc those are things that are skills that are commoditized right so everyone in security can do them so if that's all that you're bringing to the table to an organization these days you have a strategic disadvantage but because um you may be keeping the lights on but that's not what the market is asking for if you go for the market the market is asking for threat modeling the market is asking for appsec the market is asking for devsecops um you're on mute oh i'm sorry someone rang my doorbell and i was just asking someone else in the house sorry to go handle whatever is happening right now sorry sorry i thought you were talking to me no no no it's okay okay um sorry ever who delivers things at 6 30 p.m at night [Laughter] i just i just waved at them okay the dude he's han i'm just like i can't do this right now i'm kind of busy sorry about that no noise um so but but the market is now asking for for the types of things they're asking for you to understand agile they're asking for you to understand what version control systems are it's asking for devsecops from those kinds of threat modeling those are the things that um if you go to most job descriptions these days they are asking for those things but there's also a new set of er so sorry for just one no noise they're just wandering around like no one has and i don't want them to leave i don't yeah never mind my representative has now greeted them life is good okay but um so those are the things that the market is not asking for right so they're worth good money right and um in the it's also you know that you um if you focus on those you are building a skill that um that you know that the market needs now but that's not where it ends because we also have the things that are in the genesis phase things that are still ramping up on their adoption in that most employers still haven't realized that 
it's their own future there are things that they're going to need next right so it's a if you're using a soccer analogy it's not if you're focusing on what the market wants now you're passing the ball directly to where someone is but if you're thinking a bit further ahead you're passing the ball to where you know the the person will be right um so you're not passing it to where he is you're passing it to where he's going to be right you know and i think that's a that's a good analogy so things such as compliance as code uh resilience engineering um threat modeling as code those are all practices that are still on the emergent phase right there they still aren't widely adopted most companies are still aren't asking for it but um and again that's the type of work that i do he wants to do threat modeling as code and i was like oh my gosh yes that's also and that's also the type of thing that um so the the people that usually follow me on social media etc they follow me because i talk about these things because i've made that map i've i've i have an idea of where i see the industry going and personally i only blog about things that are in the genesis phase that are still emerging for two reasons the first one is the customers that i want to work with they find me right now and i only work for the organizations that are looking for the type of things that i want to talk about you know in in five years the rest of the industry catches up i'm gonna have five years of content already written on the subject right so it's a strategic not only from a business point of view but also from a personal career perspective when the market catches up on some of these things that aren't uh yet widely adopted um i'm gonna be one of the people they're gonna find that it's been talking about it for a while i like it wait wait obviously i have to ask will you share a link to your blog so that we can put in the show now yes sure don't worry we're not holding out on you you can have the blog 
yes securitydifferently.com very simple love it i love the name of your blog that's awesome okay so now i have a sensitive question does your job pay well in your opinion does being the director of strategy at a startup pay well so there are two so any startup doesn't pay well right but yeah exactly telling the truth yes thank you speaking truth right i'm the ceo it doesn't say well it's an investment in the future right but that's where um so so i have this partnership with practical devsecops and i'm also um um a consultant um so i do work through practical devsecops and also in my individual name right and i think that's that's also when um when you are building your career um you you need to think i like to think uh hard about what i'm doing right and that means that um for a while you're going to have to build a name for yourself right you're going to have to acquire the skills and do kind of do the the grunt work right it's part of building a career right there's no escaping it if that's what you want to do so having a approaching the way the way that i did which more focus on the experience and a bit less on the money um the money comes eventually but so between what uh my consulting and the the role in practical devsecops etc um then that leaves me in the position where i can um where you can kind of name your price right in terms of the the type of things that um that you do if you're doing something that is not what the the market has widely available again if you are bringing gen um uh not not necessarily unique skills but if you're bringing unique perspectives or things that aren't what everyone else is saying right so i'm not if i'm doing a consulting gig i'm not grabbing a gartner quadrant the 2y2 and saying you should get that one right um there's no value in that that's a commodity anyone can do that right and if you're if you focus on building the skill set that you're bringing unique perspectives into the organizations that you work 
with um the the problem um sorts itself out right but but again this is not something that you wake up one day um and it's there right it's something that you work with over time so i've been working in security my first full-time security role was in 2003 right so i've been at this um and i had some three years working in it prior to that so more system administration and that type of stuff and so i have over 20 years in the yeah only for the last two have i been able to three have i been able to be in this position right um so it's not something that um it's something that takes uh effort over time yeah it's not you're not going to roll into it right after school no but or if you do you're you're putting yourself in a in a situation where you're going to suffer more with with imposter syndrome we all will do right but if you put yourself in the in that situation um it's even worse right because you may be put yourself in situations talking with stakeholders um that really know their thing and people will test you right your peers will test you your managers will cast you your peers around the organizations will test you right that's what happens right uh people power dynamics are a real thing in organizations so if you haven't built that that muscle memory and that type of skill set that you can handle yourself in those types of situations and you're gonna make mistakes and you're gonna learn from them and that's how that's how this works right absolutely so let's say someone has listened to the spot that like this podcast episode and they think you know what one day i want to be a director of strategy could you give us one actionable step that they could try to do towards like working in a startup towards eventually becoming someone who could apply for a job called director of strategy right i have two friends that have this title and i have to say they're both badass and awesome and so like besides being badass and awesome like what action because there's no 
like actionable step be awesome right so what would the actionable step be towards that so the the main thing is to truly understand business and that may mean uh doing a business degree as i did um because even in this comes from from experience working with uh lots of heads of infosec and cisos even those that um that talk a lot about the business they don't many don't really understand it right they never own their own business they never had to they they wouldn't know how to balance a balance sheet right it's that type of i think business acumen that you don't necessarily need a degree right you need the knowledge the in 2020 there are many many different ways to acquire the knowledge right you don't necessarily need to go to um to a traditional university to to to get that type of thing but understanding business operations understanding marketing understanding so it's acquiring that type of knowledge that when someone uses their own jargon when you're talking about security what it means to them you understand the language you can reply within the same type of vocabulary right i think that's the key thing that um that makes me effective at my job is that i'm i can if i'm talking with the manufacturing manager i understand the words he's using i understand what his kpis mean when he shows me his reports i can understand if i look at um at the financial report i understand what everything means right now i'm not seeing anything that i've never seen for for the first time and i think that's that's the the key part is that when you can frame what it is that you are talking to in the language and the vocabulary of the stakeholder that you're trying to influence right that's the the the key i love that i'd say and literally as you were saying it i was like um i should take business courses i like this maybe i was gonna book i wonder if i could get an audio book and i'm like listen what are you saying tanya this is the point where i ask all of the people listening 
please subscribe please subscribe to our podcast if you are subscribed to our podcast please write a review and hopefully the review says yay it's awesome um if you are currently watching us live please subscribe to our youtube channel and now i have more questions for you okay more questions and they're super hard so the first one is do you do other things outside of security and outside of your nine-to-five job that you want to share brazilian jiu-jitsu it's the thing yeah so martial arts i've been um yeah i really love brazilian jiu-jitsu i'm just a blue belt so i've been doing it for about three for three years i'm a newbie you're doing great but um yeah it's really the thing that um that i think these days keeps me keeps me grounded so having that um well covid we are still doing training no contact here in the uk etc but um it's really the the thing that um lets you live in the moment so nothing like another human being trying to choke you for you to kind of be focusing on the moment right i'm gonna use that there's nothing like another human being trying to choke you to get you to focus um so no it's it's really good it's in its mom so i've done other things in the past like boxing etc but um it's a bit more violent and you get more violent people in jiu-jitsu you get more people that are there too for self-defense more kind of more martial artists less fighters right and it also builds a good type of community and you meet real you meet really nice people and yeah it's really good environment i love it cool okay so now last question also very difficult if someone wants to know more about you where can they find you do you have a website a blog events or links you want to share and they'll all go into the show notes but please tell us all about them so i would say um so my blog securitydifferently.com um so i've posted so lately i've been doing a lot of digging into safety engineering and resilience engineering so i'm starting a series of blog posts about 
that which is also content that we'll be adding in a few months to the certified devsecops leader course um in them [Music] so there is one of them the other part i would suggest uh looking at the open security summit particularly this year's so i've done about six um sessions two hours each almost where i talk about security strategy i talk about cynefin framework which is sense-making dealing with complexity wardley mapping developing which is developing security strategy so if you want to to learn more about all of these things as i mentioned at the beginning and the reason why i've decided to to work with practical devsecops our ethos is one of sharing is not um is one of democratizing access to knowledge um so yeah i do all of these every year i do these sessions for open security summit to share what i know right hopefully other people will benefit from it but there's at least eight hours of me speaking this year eight to ten hours um that you can get for free on youtube on open security summit uh channels as well awesome i will put all of this into the show notes so that people because when people find that they're immediately gonna just wanna know more and read more stuff from you so this is excellent thank you so much for being on the we hack purple thank you thank you very much i was really happy when you said yes and also that you're at the beginning i really want to have imran on as well from practical devsecops um yeah i think you should sure for sure thank you again and with that i am going to play the outro video which i don't have music for but i swear i will soon until next time bye thank you so much for joining us today on the we hack purple podcast this week we had mario platt the director of strategy and we learned all what it was like to do his amazing job thank you so much to our special sponsor ermetic and also please check out our brand new course application security foundations level one available at rehabber.com