We Hack Purple Podcast Episode 3

Mari Galloway


In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Mari Galloway, to learn what it's like to be a Senior Security Architect.
Subscribe to our podcast on YouTube or your favourite podcast platform!

Mari Galloway can be found here: Twitter
This episode sponsored by Ermetic! Watch this episode on YouTube! We also spoke about Women's Society of Cyberjutsu AND an awesome book called Dare To Lead. Check BOTH of them out!

Transcript:
working hi and welcome to the we hack purple podcast and this week we have the mary galloway and we have no sponsor this week which is awesome because that means we hack purple is sponsoring our own podcast so i'm going to tell you about us we are a learning academy a training academy we have an online community and we have this podcast and basically we just want everyone to create more secure software and we're trying to help them do that but let's not talk about that instead let's talk about our guest marie galloway let me figure out how to make you there we go yes now we can see you even better welcome thank you so much for coming on the show i really appreciate it and as you might have imagined i have like a bunch of questions and a script that i was going to go over and basically the first is please tell us what your name is and if you have an online handle and a little bit about yourself so mary galloway on twitter i am i think it's just mary galloway with an i so it's pretty easy to find um same thing on linkedin uh i am a senior security architect in las vegas for one of the large casino companies out here i got my start about 11 years ago as a network engineer and i kind of moved through the government sector for about seven years and i've been out here for the last three and a half almost four years doing security work for the casinos is it wicked hot so you know it the temperature changed was today the 10th like tuesday so it was like 115 degrees on monday and then like really cloudy and foggy from all of the smoke and stuff from california and then the next morning it was kind of cold so it's been really nice okay so that's awesome then because i kind of thought you might be melting because it's been like a heat wave and then not heat wave and yeah so this is good i am glad you're not melting because i have a pool so it works out that you know if it gets really hot we just go in the backyard and like hang out by the pool so oh that is nice okay so this 
is a podcast about basically different types of jobs in the information security community our sorry industry and basically there's all sorts of different types of jobs lots of people are considering joining the cybers which is what we in infosec call what we do for people that don't work in infosec so they understand because for some reason everyone's grandma knows the word cyber but they don't know the term information security and so yeah so marie has a really interesting job and i was wondering if you could just repeat your title and then kind of tell us about your job so i am a senior security architect um i can't go into like super detail just of course don't break any ndas don't tell us secrets right but basically what we do is we're the strategy behind the security that goes into the casino we work with different departments in here to help them figure out what kind of products and tools they need to be more successful at their job and protect the data of folks like you that come to the casinos that want to gamble they want to eat that want to shop all of that good jazz so it's kind of a cool job it's more of a strategy job i went from operational type of work so like stock type of work into more risk management into strategy and so that's what i do now strategy could you briefly tell us what sock work is like and then briefly because i'm like oh she's had many jobs i've had a lot of jobs in there so working in a sock environment it's really fast paced you know you're looking at alerts all the time like you're trying to see what's happening in your environment and you're trying to triage what's going on so with phishing emails coming in you're trying to triage to make sure those aren't you know anything hasn't happened and spread around the environment um you're looking at infinite handling you work with the forensics teams to kind of triage even harder issues like if you see malware in your environment so it's really fast-paced it's a lot of moving parts 
in there and then you kind of move into engineering where you're engineering tools so you're like a master of a tool or multiple tools and you're engineering it so that the stock analyst can use it and get the information out of it and then you go into a senior architect or architecture where you where you're looking at the bigger picture of what's going on in your environment and how we can enhance the security so it's kind of like a really really busy all the time like hair on fire all the time to okay let's move slowly let's uh let's chill out let's do these things and that's like a natural progression if you're in you're still technical um i started as a technical person so my background is still very technical um but now it's just on the strategy side so i can look at stuff and unders okay this fits in here this way or that way cool um oh so someone just put a question in the chat what does soc sock stand for so it depends security operation center um most organizations will say that so security operation center so basically it's like the it's like the security hub of an organization if if they're big enough to have one nice very nice um so you're basically helping people be secure while they are shopping gambling doing all of the cool things that are in a casino and basically vegas is the absolute best at casinos like well i mean certainly on this continent that's for sure they're very very excellent at it but there's lots of there's lots of risks and threats i'm sure associated with it that i don't even think about which you might not be able to tell us about but could you tell us what a day in the life is like being a security strategist so if folks have heard of architecture and other organizations so like a solutions architect or um a product architect they focus on one specific thing so if you work for like a titanium or apollo you're focusing on that product that you have for us we focus on a lot of different products so typically in a day i have a lot 
of meetings because i have to the stakeholders it's about relationships in our in our our business right um and just in general you have to have those relationships with it with the business units um the front desk with even the beverage folks to so that we can make sure that we're getting stuff done that needs to happen um so lots of meetings um i can see a lot of different demos i get emailing me all the time so i get to see tons of new technology that comes out which is really kind of cool um what else do i do like i said meetings demos i get to design architecture i get to do operationalization of tools once we finish the project then we have to operationalize it and make sure that who's supposed to use it is going to use it so that's a part of it there's a little bit of project management in there so we have project managers but you're also helping them to manage the project and make sure that it meets the deadlines and it's under budget um and if there's any issues that arise you you um you're letting the right people know that they need to fix something or to jump in um day-to-day though it's not like the most entertaining but it is fun because you get to learn new things you get to see different things and then you get to be the one responsible for implementing that solution and so there's a lot of responsibility on your shoulders when you get to that level okay that's awesome well i i don't know like so the idea of sitting in meetings all day doesn't sound like you're not very fun but it sounds like you get a lot of stuff um it sounds i'm just gonna turn my volume down apparently i'm really loud um it sounds like you get to make a lot of big key decisions do you end up having like these big planning sessions or all the time all the time and it sometimes they last until the middle of the night because we have properties overseas and so we have to work it's a global company and so we get to work with our international partners all of the time to figure out 
okay how do we make this a bigger and better organization um lots of planning uh we get to do a lot of tabletop exercises with vendors proof of concepts if you're interested into that the architecture role is more of a like you don't come in to cyber as an architect unless you were like nit and you worked in i.t for a while and you kind of have that info you know that those skills under your belt um this is one of those things where you work into it so i didn't start an architecture when i moved here i was actually in vulnerability management as an engineer okay and so switching from engineering and wanting to be hands-on and like always in the tool to being an architect and still being in the tool but not as much it's kind of an interesting transition yeah it's a little bit hard but it works out nice so you mentioned a tabletop exercise and you mentioned a proof of concept with vendors is there a chance you could explain what those are for some of our audience that might not know so typically with proof of concepts vendors will if you're not sure if a vendor will work in your environment they'll typically say hey give us you know five gigs of your data or 500 gigs of your data or whatever and we'll give them some data and then they'll put it through their tools and we can see how their particular tools will actually work with our data what kind of what it looks like to get that back for our sock analysts to see if it's actually a tool we want to purchase um and basically it's it's a proof of concept so it's saying okay here's the proof that i can do what you're asking me to do um and then tabletop exercises are typically typically you see those like in management level areas and it's they work they walk through an incident to say okay this is what's happening what do we do and they look at their incident response handbooks if they have them they look at their you know business recovery documentation or their drps and all those fancy buzzwords from cissp days to 
see if if an incident like this was to occur in the environment do we have the right tools in place and the right resources in place to address this issue quickly and effectively oh wait i just i just pressed the mute cool no that sounds really cool i think that um a lot of people don't necessarily know all those terms um so actually someone um tolasi thank you for putting the definition of sock into the chat i appreciate that so people might ask questions in the chat and so i am paying attentionish because i'm kind of also trying to listen to you and that's better no offense to the chat so what types of what types are personality traits do you think that someone would need to be good like a security architect that's a lot uh it's it's a lot it's it's a lot of responsibility no matter where you work in the industry so you have to be a team player right you have to be willing to work with everybody on your team you have to also be willing to work with folks that are kind of like security they don't like security or they're like scared of implementing something because they won't be able to do their work so you have to be able to understand and hear that and then help them feel more comfortable with what it is you're trying to do right um you have to be a really good listener because you have to listen to what their pain points are you know if they have an issue with phishing emails coming in and they don't have any tools to put in place but they're scared they don't know the budgets you have to be able to hear okay it's phishing but what else are they having issues with you have to be able to listen to that kind of thing um you have to take initiative so i had to come into work so i've been working remote all week and i had to come into work because i needed to do something on my work computer that's here and it's almost seven o'clock in the in the evening and so you have to be flexible as well sometimes because customers may have issues after your regular work 
hours um and then you have to you have to be a strategist you have to think you know going forward okay how can i help them be successful not just now but in the future as well and how do i work with them to get them to that finish line what types of so there's a there's a question in the chat but first i want to ask my question so what types of aptitudes do you think someone needs to do their job well like do they need to have really good attention to detail or be able to like zoom out and see the big picture or kind of hyper focus or more i don't know so you definitely have to be you have to be attentive to details you definitely definitely do because if you present something to somebody and something's wrong or you know the ports are wrong or uh the the way the traffic is going is incorrect that could cost hundreds of thousands of dollars sometimes millions of dollars of time of equipment of anything so being attentive to detail is really important because it depends on it oh my gosh typically from what i've seen from this position here and from what i've seen um in other roles that i've talked to other folks about you do have to be technical um so that you understand um like you can't put a firewall you don't want to put a firewall in a place where a firewall should go so you have to be technical enough to understand how networks work how the environment works you don't necessarily have to be hands on keyboard but that helps to be able to demonstrate to the customers the client this is how the product tool works and this is what it would look like if it was in your particular space uh what else do you have to have in a lot of case you've got to have initiative so you have to take initiative um because in this role they're they're expecting you to be responsible for those major projects and they don't want to have to come to you and say i need you to do blah blah blah they want you to just know this kind of thing needs to be done cool okay so we had a question 
in the chat and so i actually really like threat modeling and find it really exciting so i'm like yes a threat mulling question it's not me oh i'm also turning my volume down because apparently i'm too loud okay so the question from a telesee i'm hoping i'm saying that right to lassie how do you currently implement threat modeling and what is the best approach in your opinion so i guess you're probably supposed to say the one you're currently doing is the best approach because otherwise your boss is like hey mary honestly so i we don't i don't do anything with threat modeling per se that's more of our our um our sock team that does that kind of stuff um but probably the best approach is this is a cliche answer what works for you and it depends on how big your environment is i know for casinos in general if somebody wants to attack us they're trying to get personal data and they're trying to get money right um something that i learned from the gaming industry that's written in all of their documentation and all of their um this is across the board from the gaming the nevada gaming board um if cameras go down in the casino the whole casino could be fine it has to shut down you know if your elevators and stuff go down or if people if the ac is out the casino has to shut down which in turn you lose money right yeah exactly for the casinos because these buildings are freaking massive and they house a lot of people and it has a lot of expensive equipment and um so understanding what threats affect your what the bad guys are looking for as far as your business will help you understand okay i need to focus on these types of threats uh ics stuff scada people don't realize that but hvac elevators um generators that's all ics stuff those are huge targets and so knowing that you have that in your environment will help you understand how to figure out how to do threat modeling oh my gosh that's so cool um so i'm going to take this moment to ask all the people that are watching 
us live or if you're watching this later please click the thumbs up button because that helps us look cool and also if you're enjoying it that is a way for us to know that that is occurring so thank you what is it like so how how is it so i'm not someone that has spent a lot of time in a casino so i don't understand there's probably so many intricacies but what would you say is one of the main differences of working in a casino versus i don't know a software development company pardon me so i came from the government um i was back on the east coast and doing a lot of government things one of the biggest differences um between the two is working for the government you're concerned about national security working for the casino you're concerned about profit like our work will make sure that the casino makes money because when the casino makes money we get paid in the government it's not that it's it's different so the focus is the focus is different yes we're going to protect our secrets yes we're looking to protect the data that you know is stored in our environment etc but it's different than protecting secrets that could potentially set off nuclear bombs or start wars or stuff like that it's it's more fast paced out here um stuff is a little bit faster private sector because there's less um regulation less oversight with the government you can put in to do a project and you want to implement i'm going to take this back old school i don't even know if it's still around but you want to implement our site right old schools and in four years we'll have it ready for you exactly you know and it's like but wait they've already upgraded like five times and now there's you know splunk out there and there's this that in the third and so um it's a little bit slower paced as far as implementing technology um i'm i'm hoping that they've gotten a little bit better with that but obviously the government runs off of what the president and the congress says and when they give out 
the budgets and they do all that stuff then they can do what they have to do yeah i worked in the canadian government a long time so i feel your joy and your pain mary there's job security over there however it's forever to get anything done oh my gosh it requires a lot of patience so what types of technical skills if any do you feel someone might need to have in order to do your type of job like security architecting um so my i have well actually i think yeah actually most most of the folks that i've talked to they have a networking background um so having having some experience doing networking even if it's just a year um not just the certification because i have a ton of certifications by the way so i love certs don't get it don't get it twisted however um having a networking background is helpful um also i've i've noticed that because i don't have a cis admin background specifically there are some things that i just don't know and i have to ask someone so maybe having a system administration background is helpful one of the things that i've seen in the industry specifically is cloud right so there's a there's a need for cloud architects so having having hands-on experience with implementing cloud implementing applications in the cloud troubleshooting applications in the cloud is really really helpful oh yeah there's plenty of businesses out there aws or google if however they want to do their stuff but having that is definitely helpful that'll that'll make you well-rounded and then on the flip side of that um having some ability to manage projects is helpful because time management is very very important for like every job in infosec this applies listen to mary time management is important important important because if you have a project that's five million dollars and it's it's supposed to be done tomorrow and it's you tell them hey i can't have this done for another three months and it's gonna cost another two million dollars as a problem so time management 
is really really important there is a question from the chat there's another awesome question so i'm trying to like put it to the screen so assuming the casino doesn't have a security engineer from the beginning of an application i guess like they mean the system development life cycle how do you convince an engineering team to prioritize and remediate vulnerabilities in legacy applications well you're asking all the questions mister yeah i feel like they work with me they're gonna like come find me there um that's where your relationships come into play so it's really important uh i think in cyber security in general and infosec in general um just having those relationships is very important um and being able to articulate the importance of fixing xyz right so do these legacy systems protect some really important information are they just out there in the wild not really protecting anything that's how you can prioritize um what's the level of criticality for the data what's the criticality of the system itself like if this goes down will your entire operation stop right and so when you when you prioritize it that way about you know what data is on it and whether or not the system going down can cause a catastrophe that'll help you relate that information to your engineers to say go fix this if you don't and then you just use the old adage if you don't you're gonna you're not gonna be working here anymore we'll find somebody else you can't really do that but i mean really speaking if you if you put it in a nicer way they'll start to see the picture and then the other way to get them to prioritize and fix things is to show them their wins right so you can send them all of this bad stuff say fix fix fix but as they're fixing it applaud them for fixing it and show them hey you went from from 10 to 5 over the course of a week that's really good keep up the good work and that'll keep them motivated to want to continue to prioritize and fix well i like that answer i'm 
all about secure system development lifecycles yes yes yes okay so now i'm going to ask a question that's off script please tell us about women cyber jitsu yes so for those that don't know i am the ceo and founder or founding member not the founder that's lisa jiggets of the women's society of cyber jitsu uh we are a 501c3 national nonprofit we actually have um some stuff happening internationally soon hopefully in like london and in singapore um but we do cyber security training for women and for girls 98 of our workshops our trainings our study groups our events are going to have a remote feature so anybody anywhere can take a training a class participate in a networking event we actually have a happy hour next week on friday which yeah i might have to reschedule but because i have to work however you feel whatever you identify as it doesn't matter we just want everybody to come to the community together to network to learn about each other to build a more inclusive environment for everyone to thrive in cyber we're also looking for teachers and volunteers all the time cyber jitsu we just had our cyber jitsu conference two months ago three months ago which is really cool but yeah we're just a big community of like-minded uh mostly women however like i said we do have male members that just come together and want to learn and grow and just be super badass at cyber security and information security i love it i'm a big fan that's awesome thank you for doing that it's a big job his big job is a lot and a lot of work and you're helping a lot of people but it's not easy it's hard work it's it's it's a it's a full-time job in addition to my full-time job but i have a great team of people behind me that you know that are awesome volunteers the board the leadership team um our social media folks our webinar folks all of them they're freaking amazing and this we wouldn't be here without all of them and so i contribute our success to them i love it i love it okay so someone 
has asked a follow-up question to the previous chat question so they said okay so wait legacy vulnerabilities and legacy apps is one thing but how do you keep up with current zero days to continue working on schedule i'm so tempted to interject that like zero days are not what get you it's just not ready to say that i was just getting ready to speak look at us agreeing but you tell them you tell them why so zero days are great right um but typically there's no exploits for them when they first come out right so what people are really going after are those low hanging fruits those things that are super easy to exploit um super easy to get into that then you can navigate around once you're in um nobody i mean people focus on zero days i think they're great however um that should only be a priority if there's some kind of exploit already for it and i guess it wouldn't necessarily be a zero day at that point um well the zero day is like when there's a fix for it as opposed to an exploit but but i feel like it's like this cool buzzword that c-level executives heard and just like how we have to blockchain everything even when it doesn't make sense i feel like they're like but the zero days i'm like dude they're gonna go after that thing that should have been patched four years ago they're not going to go after a fancy no because because they have to they have to figure out how to go after it right and that takes time so why don't i go after this over here that's going to exploit you know windows xp versus something that's going to exploit windows 10 because i know that the navy has windows xp devices in their environment still don't tell anybody i told you guys that but you know they're not they're their focus up front is not going to be on exploiting zero days it's going to be on exploiting stuff that's not patched yeah yeah old versions of frameworks oh you're running struts 1.1 it's like that's what's going on they're not like and also like when you look at zero days 
some of them are so hard like spectre and meltdown and like it took like six phds an entire year to exploit it i don't have six phds that hate me that much i'm going to dedicate a full year of my time no they have stuff to do i want to go get your money now and i want to wait that is the best way to put it i want your money now that's why i use crap that has already been on the internet forever there's a nice metasploit module made for me to explain exactly i'll worry about that other stuff later but there's a lot of tools out there that they sell the whole yeah these are the zero days but it's still going to be based on you know what priority so if there's there's a zero day that might be on your system that's behind eight layers of security you're not gonna prioritize fixing that you're gonna fix the thing that's you know behind one layer of security that needs to be fixed right now because that's gonna add you know give you access to other stuff so i agree a lot also the people in the chat are like lol we know that xp is insecure your secret safe with us okay so i have more questions so let's say i want to become a security architect what type of training could i potentially take or things would i want to try to learn so sometimes i don't mean like name this course from the school but like what types of things so so i'm going to be completely honest with you um i don't know what type of training specifically for security architecture it's just been a it's been of like my training and background is different from one of the other guys on my team their background right they came from a t they had they've been in it for 10 years here at the organization and they they just kind of know how it works how things run et cetera um so while there are trainings specific to like enterprise architecture and things like that it's really just kind of like a how do i put it it's kind of a conglomerate of all of the learning you've done over the course of you know five six seven 
years um because i think i got this role i had been in the industry for probably about nine years and i honestly i didn't expect to even go into an architecture role um my goal was to be a ciso like it still kind of is but recruiters listen yeah it still kind of is but really my goal turned into wanting to help organizations build out their security posture and so in our doing that as an architecture like a consultant you're consulting with people and trying to figure out their stuff and so that's kind of how that played into that but yeah when i moved out here there was no i didn't even consider doing architecture work like that at all so there's not really a i didn't take a training i've done some leadership training that helps but nothing specific to architecture okay so my next question is sort of similar what types of work experience do you feel so let's say that i am a junior in infosec and i'm super excited and very very interested to one day become a security architect what types of work experience could i try to seek out so that i could aim for that goal um so my boss told me my boss told me this when i first started here having an understanding of operations so having maybe a job in the sock or doing engineering for stock some network engineering type of experience if you can get that you can typically get that if if your stock and your knocker one and you're like everybody's all together you're kind of getting all of the experience you need um vulnerability management risk so understanding risk governance and risk type of stuff so that you know that if i put my firewall here and i open up you know port 80 to the to the internet and you know vice versa that might pose a security risk if i don't have any other tools in place to mitigate anything that happens i'm so understanding risks and how applications work and how they work together is a really good thing i think it's it's grc in the regular world um we call it something different here um but honestly 
i you if you're really good if it's something you really wanted to do you could potentially do it in five years yeah you could get the need in five years because you're gonna get into the role you're gonna get taught you're gonna learn like i learn something every single day from my teammates every single day from my boss um just about strategy and um all of that stuff right if you've owned a business let's say you've owned a business and then you transitioned into cyber security um having that business knowledge and that business experience also is very helpful it's not required but it helps you understand that bigger picture i get asked a lot why diversity matters in information security and i always have a smart ass answer um do you feel i feel like you're literally explaining the reasons with your answers yeah um so diversity is important representation matters um i think the reason i never thought is thought of an architect role so funny story when i went to college 20 years ago when i started college 20 years ago i was an architecture student not like security architecture but like build architecture like little towns and models and draft you know autocad and all of that stuff um and then i went away from that and got a business degree and um in information systems but it kind of came full circle but i never really saw anybody that looked like me that had the same skill sets as i did that had the same journey to say oh i could probably do an architecture role i had to tell my boss that i this is my goal i want to do xyz and he talked to our boss and they were like oh well she should just go into the architecture team because she'll get that experience that she's looking for and so that's why it matters that there's diversity so you can see because had he not said that i would have probably still been an engineer on the vulnerability management team doing that stuff i would have never stepped out of that particular comfort zone into something different i think 
You're muted. I'm on mute. I also feel like all these different jobs and experiences that you've had have me, like, probably make you 10 times better as a security architect than if you just did this straight line, right?

Can you tell that... can you say that louder for the people in the audience to hear, just in case?

No, but like, all these different experiences, all these... and also all these different vantage points. Like, the time before last that I was at hacker summer camp, I ended up helping someone manage an incident, and his entire team was all white dudes, and I tried to explain to them why an app that would show just anyone where my physical whereabouts was was terrifying, right? No, and it would tell you in advance of where they would be, so it would tell you different events that they are going to, and you could look them up by their email address, which means ex-abusive stalkers would... and so they had like this bug reported to them. They're like, this isn't a bug, this is how it works, it's awesome, you don't have to log in to search for this stuff. And then I had to give this room full of, you know, 20-something white dudes this big talk about this, and one of them said, oh shit, this is actually the reason why diversity matters. Not to be fair, but because otherwise we would never know this, because they're... yeah. And it's just like, oh my god.

I mean, especially with the way that technology is moving, with AI and Internet of Things and all of that, you have to... you're inherently going to program it with the bias, because that's just who you are. Like, I'm going to program something from my vantage point, as you said, right, because I don't know any other perspectives but my own. Yeah, and that's not a bad thing, but you've got to have other folks involved to say, hey, wait a minute, yeah, that doesn't help the whole that you're trying to help. Yeah, and unless you realize that you have like certain advantages, or that your vantage point is this... So like, I'm really tall, and
one day a friend that was not tall explained to me how... so I'm five foot nine, and that's average height for a man, and so literally everything everywhere I go is perfectly designed for me. I can always reach everything, nothing ever hits me in the head. Like, life is fantastic if you're five foot nine, but if you're like six five or five one, it's very inconvenient a lot of the time. And when someone pointed that out to me, now I'm just like, oh yeah, that's why I can put like everything... it's literally the plan that's built for me. And don't get me wrong, I'm not like... I'm enjoying my tall person privilege, but like, it was a good example. But then once I told the dudes, like, listen, like women don't want people... like there are some men that don't want that, but there's like a lot of women that we just don't want someone to physically know where we are. And then once it clicked for them, I'm sure they never need to have someone tell them that again. But yeah, it's just like, you won't... it's just, right, you can't secure systems properly if you... And you are dealing with casinos, and you better believe it, every single possible way people are gonna try. Like, there's all those dumb movies, what, you just get... you just like meet a bunch of really awesome actors and then, you know, just put money in the bag and walk out.

And look, I mean, I think the biggest way... so I don't know if you guys remember this, but a couple of years ago, one of the casinos on the Strip, I don't know which casino it was, but somebody hacked into their aquarium.

Yes, I knew about that.

It was an IoT device on the internet that they hadn't secured. They couldn't get to anything but that. I mean, that probably would be one of the ways that they could go in and exploit and kind of hang out and chill.

Pivot. Persistence in the fish tank.

But you definitely gotta have... That was the funniest thing, and I was like, are you kidding? Like, what do you think, like they could IoT... like they could exploit the fish tank and then like
boil the fish and be like, don't use this casino, go to the other casino, they're so cruel to fish. We talked about that. I don't know, I couldn't tell you, but it was just kind of an interesting... it's interesting that technology is moving that way, and so if you don't have... if you don't stay up to date, if you don't, you know, refresh your skills with any of the free training or even the inexpensive training out there, you could get left behind quickly.

I agree so much. It's almost like the DevOps people are right with their continuous learning.

Yeah, you have to continuously be learning, staying up to date, staying on top of whatever it is that you're doing, because you'll look around, it'll be 10 years later, and it's like, wait a minute, what happened? Yeah, where did you go?

We have another question in the chat. So when a security tool or scanner finds a high severity issue and the dev team is saying, yeah, but can you prove it, can you exploit it, if you can't then I'm not fixing it... which I haven't really received that very many times... what's the best response as a security engineer? And they like saying slapping's not appropriate, just kidding. I added "no slapping".

No. So I haven't experienced that either. You'll typically get pushback only because they don't necessarily want to fix it, but if you have to show them how you can exploit it, then you just have to show them, right? If you get audited... so most private sector companies will get audited, whether it's for SOX, for HIPAA, for PCI, for any of the different regulations out there, and a lot of times a lot of those regulations require an external pen test to come in, and they actually have to come in and do the pen test. So you can let them know, hey, we found this with our scanning tools, this is an issue, it's a vulnerability, can you fix it or look into it? And then you let them know we're trying to prep for an audit, right, that we don't get dinged for these kinds of things. And so let's work
together to try to figure out what's going on. I mean, if it's really a true... if it's really a false positive, then so be it, maybe it's time to tune the tools. But trying to work with the development team and trying to fix the issue can go a long way. They want you... they're busy, right? They're totally freaking busy, they don't have time to do anything else, they're like, nope, it works, it's not an issue. But if you go out of your way a little bit to try to help them, they're more receptive to wanting to look into it and try to fix it.

Cool. Excellent question from the chat, thank you. Okay, so I always ask... so I'm not asking how much you make, but in your opinion, does your job pay well?

Depends where you live. I live in Vegas, so the cost of living is like, how... what is it, 26 higher in DC than it is here, or something like that. I do make over six figures, I've made over six figures for a long time. I negotiated that salary, like when I came out to Vegas, I wasn't going to move to Vegas unless I made a certain amount of money. So security engineers do typically... are security engineers... well, engineers can make a lot of good money too. Architects typically make pretty good money as well. We don't necessarily work remotely, so that could be a factor that plays into decisions on salary. Right now we are, obviously, because of COVID, but the salary is pretty good, and if you have cloud experience, like you're a cloud architect somewhere, I think the salary is like even better. Plus you get bonuses, so we get bonuses here, and then not only is your salary... it's not just about salary, we also have really good benefits in the casino, and so they feed us twice a day, you know, 401k matching, they've got some really, really good tuition assistance, those kinds of things. So that also plays into what your overall package looks like. Yeah, but yeah, I'm not hurting.

Awesome. Yes, we have a pool boy, so yes, that comes out every week. Well, not every job in infosec pays really well, and I think
when people are going to aim for something, it's really important to know, like, when I go to the grocery store, I can get as much cheese as I want, or I can only get one kind of cheese, or I'm now a vegan against my will. I think these are important things.

Yeah, so I can definitely buy all the cheese I want, that makes... and all the bacon and all the meat and all that good stuff, all the good... if you drink, all the good expensive liquors. It's definitely worth it, you know, but with that kind of salary comes great responsibility. So yeah, and in most states your employment's at will, and if you don't perform, you're out. And yeah.

So cool. So would you say there's a lot of opportunities in the field doing the types of work that you're doing?

Yes. Every product company, from the big ones to the small ones, they all have... well, they call it solutions architects, but some of them call them security architects or technical architect or something like that, but all of the product companies have them. Actually, I think all of our casinos out here have them. I don't know if they have them in the government, but in the private sector there's a lot of opportunity to do architecture. If you like strategy, if you like to, you know, talk to customers and help them build out their environments and consulting-type stuff, there's definitely a lot of opportunity out there.

So let's say someone is listening and they're sold, they're like, I definitely want to do exactly what she's doing or something very similar. What advice would you give them, and what first actionable step do you think that someone could take to try?

Start networking with folks that do the work. So if you're on like... get on LinkedIn, no doubt, just get on LinkedIn and start looking up... you can type in architect, you can type in solutions architect, you can type in security architect, and start to see who those people are and start, you know, connecting with them and networking with them. That I think would be
the first biggest step, because then once you start making those connections, you can start to see, okay, well, they have these skill sets, I wonder if... let me talk to them and see if this is something that I need to do. They can help guide you into the direction of security architecture, and they can let you know, hey, you might like this, but you might be a better fit for something like this that's a little bit more of your personality. As an architect, you have to... you can, I guess you can be an introvert, but you really can't be an introvert, because you have to constantly have conversations with people. So you have to get out of your comfort zone, and so if you're willing to make that effort and make that change, then definitely. But yeah, the first step, I'd say, would be to network with others that do the same kind of work and then start building from there.

That is good advice. I was like, what do these CISOs have? It's like, oh, they all have like this risk and compliance thing. It's like, oh, I guess I need to get some of that experience, and yeah, that's how that works. We have one last question from the chat, and then I have two more easy questions. Oh, so first of all, everyone who is watching, I am supposed to tell you to subscribe to our YouTube channel. I forgot that earlier. Please subscribe, there's a button that's probably right here, but if it's not there, wherever it is, click the button please, and then also click the thumbs up button if you haven't clicked that, or if you're watching it later, all those things. Okay, done my marketing. Awesome. Okay, so question from the chat. Okay, so as a security engineer, what's the best approach if you want to actually move towards a management role? So are there certifications that you absolutely need, or how do you do that?

So the only management certification I have is CISSP. I did, however, go to eCornell's executive leadership training to kind of learn some training that way. Honestly, I don't know if there's any like... you can
take management certifications or training that'll teach you how to run a SOC, but it doesn't really teach you how to interact with people. Like, there's not really any kind of training like that. So if you want to move into management, which is... I'm still trying to move into management, even though I'm in an architecture role. It's not necessarily management where I manage people, I just manage projects. But if you're looking to do that, there's a book called Dare to Lead by Brené Brown. It's a really good book.

Awesome.

If you listen to it on audio, she sounds amazing. There's also like the traditional ones, StrengthsFinder and Emotional Intelligence. Reading some of those books to kind of understand how people work and interact will help you. And then finding a mentor. Finding a mentor, I think, either in your environment that's at the level you want to be at, or outside of your environment, or both, that can help guide you into those roles and have you do tasks and stuff outside of your traditional roles that can help you for management. That's a good way to get started that way.

That is such a good answer. Oh, also someone commented that the book that you said is absolutely amazing.

Yes, it is.

Oh my gosh, I love that. I'm going to listen to it again because it was so good. Afterwards, remind me so I can put it in the show notes, so that everyone that listens to this can just like have a link right away so they can read the book.

Thank you. Definitely.

Okay, so I have two questions left. They're totally the toughest of all the questions, and the first one is: do you do things outside of information security, and if so, like, that you want to share, and if so, what?

Of course. So while I love cyber, I love information security, it's not my like... I used to go home and do all of the things until like one in the morning, cyber. I don't do that anymore. My husband and I like to go and make wine, so we go and make wine here in Las Vegas, red wine,
Grape Expectations, if you're ever in Vegas. They're right next to the Vegas Valley Winery, the only winery in Las Vegas. We also like to do... I do crochet, so I make blankets, I make clothes some, when I can, cross-stitch stuff. I also love Legos, and I probably need to send you... I'll send you the photo, but I built the biggest Lego set that Lego has, the Millennium Falcon, 75 pieces. I'm not even a Star Wars fan, but I freaking was like, I love the challenge and I want to do this. And then I travel a lot. There's a lot of places to travel around here. We do a lot of pool parties, barbecues, cookouts, things like that. So I definitely get my time in outside of cyber security. That keeps me balanced.

Yeah, balance is really important. People have told me that's a thing I should...

You totally consider taking some time for yourself. I take mental health days from work probably once a month, just to like rejuvenate and drink some wine and like watch random ratchet television stuff on Lifetime or whatever, and it totally helps me feel better and get through things.

Nice. Okay, so the last question, which is probably on everyone's mind: if someone wants to get to know more about you, if they want to follow you on social media, if they want to, you know, follow Women's Cyberjutsu, all these things, where do they find Mari, the Mari Galloway?

So Twitter, LinkedIn, both of them are open. You might be able to find me on Instagram, I don't know yet. I need to decide on the Instagram one, not sure how I feel about that. And then obviously we're all on... if you just type in Cyberjutsu, J-U-T-S-U, you'll find our website, all of our social media stuff. I'm really active on LinkedIn and Twitter, so you can find me there. And then you can shoot me an email, mari.galloway at womenscyberjutsu.org, we can talk, let's chat, I'm open. If you're in Vegas, look me up. You know, bars are closed right now, but the restaurants are open, so we can go to the restaurant and still
hang out. So let me know.

Awesome. Thank you so much for being on the We Hack Purple podcast.

I really appreciate you having me.

So normally I play this exit fancy, but instead what I'm gonna do is I'm going to thank you, and then I'm going to show the sponsor page. So let's do the wave goodbye, and then I will do the thing, and then we'll stop streaming. Thank you so much.