We Hack Purple Podcast Episode 4

Kim Lamoureux


In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Kim Lamoureux, to learn what it's like to be a Senior Security Risk Analyst.
Subscribe to our podcast on YouTube or your favourite podcast platform!

Kim Lamoureux can be found here: Twitter
This episode sponsored by Sonatype! Watch this episode on YouTube!

Transcript:
welcome to the we hack purple podcast we are a weekly podcast where we teach you all about the different types of careers that you can find in information security and today we have a special guest kim lameru and she's also known as gadget squirrel on the interwebs and we are sponsored by sonatype today and i want to tell you thank you so much for coming and i want to hi i am tanya jenka and i am the voice and my guest kim hi thank you so much for having me thank you so much for coming i am very pleased to have you here and um i am pleased to guests that i know on the podcast but who all don't do the exact same thing for a living because infosec has a bunch of different types of jobs and it's not only appsec all the time if you invite people other than just tanya okay so i have a list of interview questions which i very wisely tweeted before this meeting um so first of all please tell us your name and your handle and how people can find you online or what what they would call you online um so my twitter my twitter handle is gadget squirrel so you can find me um on twitter i don't tweet much these days i do a lot of retweeting um but i do i do a lot of um i i love the infosec community on twitter and that's where i learn a lot and that's where you and i met um before we you know we met in person so you know it's a great resource for information and networking um and um bro is my name as well um you know find me on linkedin but i you know i'm more i'm more of a human on twitter than i am on linkedin i think that's true of everyone actually if i think about it so this is a podcast about different types of jobs so i was wondering if you could tell us what your job title was but then kind of like try to describe your job to someone who's never done anything in your area before yeah so my my current title is staff security analyst um that's a little general um but i i work in governance risk and compliance so um we are um not everyone's favorite people but uh we you know it it's um i would say that govern governance risk and compliance is like is a requires a lot of different hats um you know my my day-to-day is you know on paper risk management so what we do is we um we are the resource for you know engineers developers or you know even our own security department we're the resource of whether or not um they want to implement an application or if they want to build a new thing whether or not it meets security requirements security um policies um because a lot of times security policies either are too vague or maybe they're they are very prescriptive and don't follow what they are trying to do and so our role is to try to guide them through that and to evaluate you know the risk of them you know pursuing an avenue that may not be um you know something that that's been you know quote-unquote allowed in the organization um we also do third-party uh risk which requires you know any any time um an engineer i'm just saying as an example an engineer developer wants to buy a new thing um from a vendor um our job is to um ensure that um contractually you know they are protecting our data um and our customers data and um that they also you know adhere to security policies and procedures that protect our customers data a lot of you know breaches occur the majority of breaches do occur due to security incidents from a third party vendor and so that that is our arm as well um and then the fun part the the c in grc um compliance um i also you just wait you just called see the compliance the fun part i need an explanation kim it's the fun part i so i'm like kind of a masochist i like doing things that people don't like to do so um i i i run the pci program um for the company that i work for and um pci is um the payment brand um standard for you know credit card you know credit card customer compliance so i do that as well and so you know i i say that in a funny like tongue-in-cheek way that compliance is fun sometimes it's not fun it's not fun to tell people um you know that they are doing something they're not supposed to be doing they have to fix it well i mean i was i have to say just imagining you like a little bit with just like go do this like kim walking around like this overlord you have big stilts obviously so you stand above everyone yeah yeah yeah well no you know it's interesting you say that so you know i i have an audit background as well so you know beginning of my career i was an i.t auditor and i learned early on in my career that um you know being an internal auditor now being working in security in grc is you have to work with you know the people that you're you're you know on stilts like you know i could be the bad guy and like being like you have to do this but i have to work with them and you know i have to work with them for years and years and so if i want to maintain a good working relationship um it has to be more of a partnership and less of a you shall do this or you cannot do that um so i you know i take pride in building relationships with people and learning from people around me i don't know everything i don't you know a lot of times my job is to provide requirements say for um you know a developer or a um you know an an infrastructure engineer or um or an apsec application security um you know you know is building a scanning tool so um i don't you know know everything and so a lot of times it's like you know walk me through this process tell me how this works and then being able to methodically provide you know guidance around you know what i know which is you know security standards and policies and compliance awesome and the guidance around that so i used to be a coder and i would literally sit at my desk and code and just like zone into the code it's like time would just pass without me and i i would realize that i had all these empty coke cans around me at some point and i had not like gone to the bathroom in five hours and i was like i need to like walk around the block and then i remember when people were like oh you should be a project manager and then i asked them what is a day life in the project manager job and i explained basically like you have to do lots of meetings and when i was younger i was not as social as i am now and i was just like no screw that that's not for me um and like i i like other people but the idea of being in meetings like eight hours a day i was like no i i can't do this so what is it like to do what you do like what is what's the day like when you come to work is it email now i email for a living that's why i tell people i'm a ceo and i literally send emails all day yeah so um optically my day involves meetings um a lot a lot of meetings and um but more of behind the scenes a lot of it is tons of slot conversations yeah um so in between you know like you know emails that come in and requests and jira tickets that come in um requesting things um i'm in the background a lot of times getting information or um getting groups of people together in group conversations to kind of tie you know tie together um you know possibly gaps or like loose ends and so um my my job requires a lot of multitasking a lot of times what i plan for the day ends up not being what i intended the day to be like um so this is not for somebody that is um you know very methodical in in how they they plan their day you know like you know i expect to you know achieve these five things by the end of day today and that's it you know i i have that but a lot of times priorities change because we're also you know you you speak a lot about shifting left right so by shifting the left and and and integrating security early on that means being in tandem with the business and so that means that i'm not you know i'm not that gate at the end where you know it's something that can be scheduled i can schedule it out and that's something we do at the end a lot of times i'm part of the creation process and i'm i'm part of the thought process either it be you know they're thinking about bringing in a new vendor or they're thinking about you know implementing a new thing to solve a problem right and so with that being said you know that there's you can't plan for stuff like that you can't plan for you know um things that change or you you can't plan for a last-minute vulnerability that needs to be patched and oh my gosh it's not that easy to catch and we have to try to figure out how to um you know build some controls scary to make it yes less scary reduce risk less scary less scary yeah that's awesome and also that's good for me to understand a bit more because i feel absec is a lot like that there's a lot of weird informal conversations that end up with like huge value later yeah and sometimes sometimes you don't see that it's not visible in like you know you were talking about coding it's not visible in pull requests it's not visible in tickets it's not visible but a lot of it is like behind like behind the scenes work it's a lot of conversations a lot of collaboration um you know a lot of anticipating you know some some of sometimes the work i do is oh hey like i just learned this new thing i wonder if this other team knows about it and kind of looping people in so that um you know you're not working in just one like just one silo yeah great minds think alike we're both like silo yes yes so did you hear that um i wrote a book i did yeah and i i've heard about it during one of our lift rights [Laughter] in california at appstack county perhaps kim and i met for the first time at a conference called apsec cali well we met on the internet but then we on purpose met in person because i was like this is awesome yeah this is you know nowadays it's normal to meet people on the internet and then meet them in person yeah but it used to be weird but now it's called infosec yeah so yeah so i wrote a book and it just went for sale and it is on amazon and all the other places and i was told to tell people about it and so i am going to take one minute and tell everyone about alice and bob learn application security it is a book and is on all the places where you can buy books and you should pre-order it i feel like that is me i'm awesome at marketing did you know that when does it launch when when does it so it ships october 27th yes oh awesome yeah just in time for halloween i know i know um yeah so i'm really excited about that and uh i was told to tell everyone so i just did that check mark you're like you're really good at marketing tanya i'm trying yes okay so i have way more questions that are about your job okay so i feel like different types of jobs require different types of personality traits and so what types of personality traits do you think someone needs to be good at your job like do they need to be empathetic do they need to have strong leadership skills do they need to i don't know have great attention to detail or all the things all the things um i i think that um you know you and i have talked about this a lot is um i think a lot of times you know companies hiring managers they focus so much on the technical and i even hate calling it soft skills because i feel like these skills are still technical like having attention to detail that's a technical skill yeah i don't consider that a soft skill it's more like a personality trait yeah like you like you just have to like not follow a formula you have to just always notice um one one of my strengths i i took i took a personality i'm like a personal personality test taking addict i like taking them um and one of one of my qualities is pattern recognition um and i never really thought about that until you know after i took the test i'm like oh i think that makes sense why i'm able to kind of tie things together and why you know with the job that i have now why like things just kind of click for me because i notice it doesn't matter what the content is right but if i notice certain patterns i'm still able to reach conclusions or i'm still able to like ask the right questions to get me to where i need to be to provide some guidance right so i think like definitely attention to detail um and attention like paying attention to what people say and being able to connect to kind of like file that for later um you know i i find that that that people who struggle with being able to like retain um you know certain trends that occur like in the business or whatever to be able to kind of like connect the dots um you need to be able to kind of have your eyes and ears open and kind of connect things um because a lot of times people don't know maybe sometimes they don't even know what they're um asking for like yeah they don't they don't really spell out the whole thing for you yeah so so you kind of have to play um almost like an interview you kind of have to kind of dig a little bit or learn being able to master the ability to ask the same question in a different way to get the same result um i was having i had a conversation with a coworker i know a couple months ago and i was talking about how i am able to um change how i ask for things depending on that person's working style or personality and he was like what how i don't understand how how do you do that and i'm like yeah you don't do that and he's like no what like tell me more and so i think being able to just know how to read people like i find i find that if you if you take the time you know empathy you take the time to understand you know um what the other person's working what their goals are what they do right so i'm a risk person you're an absent person and what do you do all day you know what is your work day like and being able to ask for something from you in a way that's not completely disruptive from your day-to-day work you know i think that's also important too is that my job is not more important than your job right yeah so um just having that like you know it's so important to just i can't stress enough like relationship first with working in in any security role i think is is your role is to educate and to guide and to collaborate um not dictate yeah okay so i wish every security person ever could hear what you just said and then like adopt it as their new mantra because i'm just like i'm like don't act too excited like don't freaking out how much you agree we have a really good question from the audience um so what's one skill that you developed in your job or like working you know in in this type of role that you didn't anticipate you'd need in information security the people skills yeah yeah yeah the the technical stuff like you know you can you can take classes you can take tests right um but the biggest thing is the the people skills and um i like i used to call myself we talked about this i used to call myself like the developer and dba whisperer um because it was like a challenge of mine to get through because there were certain departments where um you know and this this was you know prior company too you certain departments where you just can't break through they're just a wall they're just they they don't like auditors they don't like risk people compliance people it's just a wall right and for me it was always like challenge accepted i will win you over i will i will yeah we will we will co-exist and we will work together um and so i think that was something that i didn't think would be like before i transitioned to security you know i thought you needed to be you know this super technical person to to succeed in security but i also found that yes that is a good guilt but if you're a jerk yeah no one's gonna listen to you yeah nobody nobody they will just tune you out or they're gonna think that you you know don't know what you're talking about or you know if you can't speak the same language also like you know i've been in rooms where a super technical person is just rattling off stuff and talking a mile a minute and not reading the room and realizing everyone's like what what's going on um so i would say that would be one one thing you know and that's something that you can grow into it's something that you i was not a um i was a very shy person i mean i still consider myself somewhat you know shy but you know it was something like when i was in consulting back in the day like i had to really practice because my my boss would drag me to these um sales meetings these lunch meetings with with potential clients or current clients and i was like please don't make me plea please don't make me have awkward at this awkward lunch with people i don't know and he like i i just kind of learned to ask questions and kind of you just kind of learn how to um approach people and you know um get conversation started oh i know you're good at that kim's very charming oh oh yeah so um i okay so first of all i'm supposed to ask everyone to click the thumbs up button if you are enjoying this that is a thing if you're watching it after please also click the thumbs up button because that's awesome and good things to do and then hit subscribe but more importantly if you were to move your hair slightly could we see your shirt yes what is this organization that is on your t-shirt why tonya i didn't think you'd ever ask this is the electronic frontier foundation and i usually um when i go to defcon every summer i usually go to their booth and i sign up for my annual membership and i get a t-shirt and because um defcon was virtual this year i donated online me too and i got this shirt and then i got um the um 30th anniversary shirt as well which i wore yesterday so i decided to wear this one today and it has um the defcon oh nice yeah and it has a little cura qr code in the back oh my gosh don't click don't load that qr code it can't be good no um and so so this organization i i actually have um i've i've crossed over into my personal life so whenever so you know i have kids that are learning virtually right now um there's a lot of parents out there with questions about you know not only virtual learning but like game online gaming minecraft roblox things like that um and so i share a lot of articles from eff um you know a lot of questions that they have about um data privacy privacy for children i'm a huge advocate you know for protecting our children's data um and i you know made a huge stink about it at my kids school um about um you know ensuring that uh we you know protect our children's information when we use zoom um you know for a classroom thank you so yeah so eff i love them i love i love what they stand for i love the information that they share and everyone should donate i did i got a hoodie because canada is slightly colder than california where you live yes yeah yeah i i can i can be in t-shirts until at least the end of this month at least mid-october oh that's so good okay so let's say someone thinks okay so this is awesome i want to do what kim does that sounds great and so what type of like training path could they take to get actually let's start with are there some types of technical skills that they need and then what training would they take to get to your job technical or not technical yeah so that's a hard that's a hard question because um i i didn't um get into this role in the traditional way i mean i you know didn't have a degree in information security i was a biochem major um kind of fell into this kind of transitioned into security through through certain opportunities um but i would say one one one way is if you are currently if you're you know currently in security doing something else either you know if you're a pen tester or um you know or in application security or any other type of you know security arm or vulnerability management and you're interested in drc is you're already doing a little bit of what i do it's just your own you know you're already assessing risk if you're you know vulnerable you're in vulnerability management you're a pen tester you're already risk ranking your findings um and so just honing in on that and part maybe partnering with your existing um you know grc person and kind of like a lot of i think the most value with with getting into the role that i'm in is just on the job learning and on the job opportunities um you can even be your own like your resident you know i've always had a a vision that like every arm in the or in an organization should have some type of grc person because i i feel like risk should not just be you know burdened to just one team or one group i feel like everybody should understand how to assess risk with what they're doing everything that you do has risk yeah abstech people have to do that too yeah yeah so i think just you know if you want to transition if you're currently in a different role and then traditionally i know um you know if you have a degree like if you you know went to school you're going to school right now bachelor's degree in cyber security or masters you know that's entry level that's bare minimum requirement to get in to have a degree um or certifications um i know cissp um cisa i've seen that a lot um is a certified information systems auditor it's uh it's uh provided by isaka and so um it's usually the standard for an auditor and i suppose so when i was in i.t internal audit um that was the standard certification that you get um but also those certifications you need five years experience yeah so how does that work oh gosh that's you're like it doesn't know i have that's a whole separate podcast right i feel like i fundamentally have opened can't you know it i don't know i would say gosh it's such a hard question it's such a hard question because i feel like it's the companies are all over the place as far as their expectations some companies are more open-minded about your background and willing to look at like your experience and how it can relate to risk i know when we look at um resumes for open positions you know in our department i'm not looking for you know how many certifications they have i'm looking for experience i'm looking for what type of problem like what type of thing would be good like job experience like help desk help uh i would say um any engineer like gosh i would never never really met anyone that's wanted to go from engineering to security but let's say they did so if somebody had like an infrastructure background right or networking background you know right now it's so it's such a huge deed you and i had this conversation i keep saying that because we've talked about this stuff before and now you need to report it i know that's why i invited you on um so you know we talked about how developers really need to understand network security like networking um and networking controls you know somebody that has like if if somebody was a developer and they wanted to be in grc for some reason that would be amazing because they understand um how apps work and they would under like if they were able to um you know be in the risk role they could actually speak that language to other devs yeah and get on board with why you know encryption is good and yeah i know i went from dev to apsec and being able to speak dev has been the most valuable possible skill and then being able to read code number two yeah that's huge yeah i think reading like having um automation is a big thing um you know a lot of what we do is manual a lot you know a lot of it is you know document documenting things and writing things up and it's not so glamorous you know yeah um you know documenting procedures or documenting security requirements um but there are certain things that the the grc field itself has so many opportunities for automation um you know shifting away from that old school like okay we're gonna put this in the drc tool and then file this in in this database um you know my my other vision of like the future of grc is being able to like build automation into what we do so we can tell an app team in real time hey this is a risk stance of what your application looks like from you know a vulnerability standpoint a configuration standpoint um a code code security standpoint and be able to give them a score um like a risk score so they understand like what like what it you know how risky it is in their environment yeah i'm gonna turn on my light office light real quick okay i am so into risk measurement i know you might not think that but like i literally was recording yesterday as part of our new course for we hack purple i did a section on how to do an in-house risk analysis like how to rank it and what you should rank that score on so that you could rank all your different apps so that because you can't be like oh this cve is totally the same as you know this high or whatever like and then you have things like oh yes that technically is a really bad vulnerability but it takes three phds four years to be able to exploit it so i don't care that you think it's a ten it's actually a two so go away yeah and i feel like it actually it applies to every single area of infosec but for some reason like people are like oh well that's over that's grc that's that's that's do that we don't do that no you can absolutely do that and that's what i mean is that you know grc is so so cl grc is everywhere like risk is everywhere even my day-to-day life parenting is risk management oh my gosh that's so true parenting is thinking of like how many ways your child could perish like that was like the first like five years of me being a new mom was like me going through all these scenarios of ways my kid could die oh my gosh i i want to make a meme out of you it's like parenting is risk analysis and then every single day is my child going to die yeah prevent every risk yeah oh you're amazing that would be no that would be such a good meme because every parent would be like i don't know what risk analysis is but i'm an expert at it pretty much oh my gosh you're amazing okay so i want to take a second to thank our sponsor sonatype is tonight's sponsor thank you very much they make a software composition analysis tool so it checks all the third-party code in your app they also have a tool called firewall which will block traffic um from your code repository or not your code repository your package manager repository so you can't download insecure third-party dependencies in the first place and i love that they published or that they um sponsored our podcast because then that means we can make more free content yes yay thank you yay so pardon i said yay sponsors yes okay so now i'm gonna ask the tough question which has a little bit to do with cheese so one of the ways that i learned that i was middle class was i realized i went to the grocery store and i was like i kind of want to try this cheese i kind of and then i realized i had enough money to buy both cheese and i was like i am no longer lower class yes i'm middle class um and now i can actually buy up to three types of cheese if i want so i personally consider myself upper middle class and the reason but are you buying reserved cheese the reserved well so this is the question for you because we want to know if this type of job pays well so can you buy the reserve cheese because i can't right now i work at a startup i am only allowed ramen oh man um so i hmm i would say i would say it depends on the company you work for okay um what about government is it the same with government i'm i'm not sure actually um but i would say even in even in in the like non-government world like the salary ranges it ranges it depends on where you live so you obviously i live in san diego but if you live in the bay area like you're gonna maybe be able to afford cheese i don't know because you're also because you're home it's either these are rent i don't you know like do i eat cheese or do i you know get to make rent at the end of the month but yeah um so i would say the salary like varies because i've you know worked for you know a smaller company and a larger company and and a lot of times you know grc is at the bottom because it's not like coding like you're not expected to co you're not a coder you're not in operations um you know a lot of you know security engineers you know security ops engineers you know they're on call and they're you know expected to you know be available when things break and so in my type of role like i don't i'm not on call and i don't you know i'm not expected to yeah so that's one of the advantages so i know some people are willing to take a pay cut to work in grc because they don't they the on-call life is not for them anymore and it can be that can be taxing you know um would you would you say though like because you're making it sound like it's really low more than help like it would be a like payment wise way above help desk though right it would be about help desk i mean because it is it is attacking they are expecting um you know certification so i would say and so entry level i guess could range between i'll have to i it'll be us dollars not canadian dollars okay um no one knows what those are this is mcdonald's money so i'm told because it's a rainbow that's how we roll down here or up here um i would say like eight you know 80 eighty thousand dollars eighty to a hundred it's amazing level i'm i'm that's way above a software developer entry level yeah i think so or i mean maybe i'm just old and i haven't been a software developer in a long time but i'm pretty sure that in canada like a senior software developer could start at like 80 90 or 100 in canadian dollars not even american dollars so like yeah that sounds real no i'm not good america weird about sharing salary information so i'm just facing my that number based on you know friends and canadians are weird about it too but i've learned that when we keep that a secret the person who wins is the boss and not any of the employees and so the cool yeah yeah so the cool thing about california and um i i learned this i started doing this in interviews is in california now um employers potential employers they have to share with you the salary range of the job that you are applying for and so whenever an hr person or hiring manager asks me you know what is your expected salary what are your salary expectations for this job i say well whatever is within the range that is listed for this add five to the top number can you yeah exactly can you tell me what the range is and then they can't say no they have to share with you what that salary arranges that's awesome i have not had to negotiate how much i make at a job for a while because i work for me yeah so that is the the i guess the not the trick but that is the um you know just just something to ask especially you know we talk a lot about women getting under you know underpaid um that's a really good way to get a gauge for you know what what is their expected salary range for that job position so that you don't give them a number that's way below what they have listed and then they're like yes yeah yeah so then when we offer her the bottom of the range she's gonna think it's great yeah yeah yeah i worked for the canadian government for 13 and a half years which means there is no option for a negotiation however i remember a bunch of men and i having a discussion about this and they were saying oh well tanya like you know there can't be any sexism because of this i'm like i got promoted so late i was running everything as like a level two like managing other employees doing all this stuff and they would say oh well you're the most amazing too i'm like yeah because i should have been a three years ago that's why and i i mean i'm not modest and yeah i just it's very frustrating very very frustrating yeah so i know and so i i always i agree with you i think that we need to not make salary you know such a big you know taboo thing to talk about because i think that it's so important to also set realistic expectations for people too who are thinking about going into this industry yeah um that's why that's why i'm asking the question because people like never talk about this and there are some jobs in cyber security that pay really well and there's other ones that just don't and if you knew that from the beginning you might think okay so it sounds very exciting to found your own startup training company but it turns out it doesn't pay really well um to work at a startup because you pay everyone else and then you pay yourself but but there's also like you know if you're a pen tester and you're you know people are like oh they bill out at 1 000 a day yeah but they don't work every day and this and that and so that's part of why i wanted to make this a part of the conversation of the show because a lot of people they have no idea they have no idea that you know this pays way more than that yeah this is definitely not pen test money but it's you know it's it's above um well i don't really know i i've only heard so i don't know if it's a fact or not i i i think you know sock analyst work is you know i know a lot of times it's hourly and you know a lot a lot of roles are um we are going to have someone on that does that oh yes oh yeah okay i'll answer those questions oh yeah it it is a way to sneak into cyber security yeah it's a good way too you learn a lot oh yeah that's what i tell everyone to do we have a question from the audience yes would you agree that having a good handle on your intuition is important in risk management um yes uh and i want to crack jokes here because i always i actually joke at work about my um my my risk management magic eight ball because a lot of times you know you can go you you know you can be like oh well that kind of feels like a high risk you know that kind of feels [Laughter] um it it having having intuition is important but it's equally as important to be um being able to like anticipate um realistic like scenarios if that makes sense yeah like like it's important to like because a lot of times you know there's i call it like textbook risk management when you're like oh well you know theoretically somebody could you know compromise those credentials and be able to take down that entire application right but are you taking into consideration you know like where those credentials are stored and how often they're rotated and the detective controls that are in place that would be able to detect if somebody were to break through to that particular network where that application is sitting so you kind of have to like think about like all of the moving pieces and all of the existing um like realistic environment and like what what that means right um and then also a lot of times like we get things in you know early like we get requests and to look at things and being able to anticipate oh like does this new thing have impact on this other thing that's kind of unrelated but maybe could be related because they're not talk people aren't talking to each other right now and maybe they should have a conversation because they could be duplicating efforts um has this happened to you i i don't know just saying theoretically no um so yeah so i think intuition is good but i think having being able knowing what to do with that intuition mm-hmm um being able to take action on it and being able to to like do something about it because you can have intuition about stuff or you can you can be like oh yeah that's a terrible idea and just say it but yeah you have to have yeah no one's going to go just on that they want more yeah i hope that answers the question no no it does that was really good that was here's an awesome question there's an excellent excellent answer yeah good question okay so let's say someone in the audience they're like kim's awesome and grc sounds rad i would like to do some of this what is an actionable step that they could do to try to work towards that as a job so let's say someone in a different area of i.t and they're interested in grc and by that we mean governance risk and compliance just in case someone missed that earlier um so i'm i'm thinking i'm trying to think of a logical answer without cracking jokes um because i'm thinking why would anybody want oh do you do you like what you do i do i like i'm actually really good at what i do um but i kind of fell into it it wasn't like i woke up one day and i was like huh i think i want to be a grc you know i think i want to work in governance risk and compliance that's because you didn't see this podcast and hear how cool it was from my friend kim um so so i guess so here's here's a way um if it's possible is to encourage like if you work for an organization that's siloed you know present to your management an opportunity to collaborate this is an opportunity to collaborate with like cross-functional security departments and think of a way think of a project you know that you can work on that involves a grc person um and being able to kind of learn from them and and show your value and you know if they have an opening um a lot of times you know that's the easiest way is if they there's an opening in the department and you express interest but the biggest thing is being able to i think a lot of times um and i've had this happen i've had um people with very strong pen test backgrounds you know apply for grc role and i always tell them up front i'm like listen you know there's going to be no coding right you have a brain you have a brain like you like to break things like pen testers love to break things right you can't break things in this role you can hire people to break things and you can tell other people to break things but you have to tell people how to fix them you can't touch anything or break anything like are you gonna have a problem with that and they're like no no it's fine it's fine and then like five like 10 minutes into the interview they're like this song yeah i like big things a lot um so so yeah i i don't have a good answer i i would say i would say getting like the hands-on experience like getting like working with the grc teams and like getting that um like getting it getting a like feel for how they do drc because different different companies made like different companies do drc slightly different you know their their scoping range can can vary um you know i in my last grc job i was doing i was doing vuln management scanning and running change control board and doing security awareness and doing compliance that's a lot and it was a yeah but i was in a grc role right um so like i guess it really depends on what your company like how they they function how their grc role functions and how your skill set can enhance that department um i like my best answer no that's a great answer thank you i really i also think that if you could reach out to the department you're interested in no matter where you work that so like if you work somewhere they do incident response you work somewhere they do you know whatever the thing is if you're really interested you should definitely go talk to that team and be like yeah what's up that's how i got on the security team i kept constantly reporting security problems and then eventually they had a security incident and i was like hey can i come and they're like fine and then i was like oh i can read the code oh that says select star from um and you know it went like that and i just kept you know being helpful until they're like do you just want to come work here yeah for sure yes yes thank you okay so we are nearing the end of the podcast so i have two very serious questions they're so serious kim do you do things that you are willing to talk about on this podcast outside of infosec that you want to tell us about perhaps there's an organization that interests you um like wisp like with eff um i yeah i you know what this pandemic has actually um i'm so i'm gonna give the little backstory before i answer my question so this this pandemic has actually brought so much balance balance back into my life like i you know uh and as a result i don't i've scaled back on you know the non-profit work and scaled back on you know a lot of the the stuff i was doing like outside of work and family and um you know i'm i am taking advantage of the fact that you know i don't have all of these social obligations or things that that that are normally in our orbit orbit and so um you know outside of work right now i i don't do much but um it's not an organization but i've started um i've started baking again although not personally because it's been so hot but um you know i so i have a i have a bio a biochemistry background and so baking for me is takes me back to my lab days and like follow a recipe and measure things and put things together and create something and try to make it perfect so you know when you get to eat it way better than just science true yes and so yeah so i've been i've been baking a lot and trying to i'm trying to perfect my buttercream um frosting recipe oh my god can i come over absolutely that sounds so good yeah what do you put buttercream icing on um cupcakes or um i so i started putting frosting on brownies chocolate frosting what about banana bread chocolate chips yes see this is right we're friends yeah mini chocolate chips because i don't like them too big they're like small enough and so they kind of like hide in with the banana chunks yeah oh my god that sounds so good so basically i'm gonna travel to kim's place now i'm gonna i'm gonna break the law and cross the border just for that that sounds so good okay i thought it was the other way around i thought that we weren't allowed to come across the border but you you would be alone yeah so i can go to your country but then i can never go home ever again so i feel like if i visit that visits imply that then you then you go back to where you're from yeah that's why you're welcome to stay and you can help me bake so and you can you can post your podcast from my office from california i feel like i would definitely have to put some blonde streaks in my hair to like fit in permanently in california because you know no i think purple's good purple is the new blonde oh i like that i like that okay so we have one more question but before that everyone is listening if you have enjoyed yourself please press the subscribe button and if you're listening then you might be subscribed if you're already on a podcast and then i would like to ask you to leave us a review because reviews help other people see that we are worth listening to and also if you send we hack purple on twitter or linkedin a screenshot of your review we will mail you stickers in the mail i am so bribing people for podcast reviews i'm aware and tanya has the raddest stickers yes on the bottom right hand corner of this screen they can see what one of the stickers will look like there will be a tanya a she hacks purple sticker and there will also be an owasp sticker yeah that's right all sorts of bribery from tonya today oh there is so there's one more um there's a comment in the chat now you're talking another language i can understand i worked at a as a baker in a british restaurant for a few years nice jacob yes baker's yeah yes i do gluten-free baking and tonight after this actually is banana bread time and maybe you could send me that uh that recipe for the icing i don't usually put icing but i don't know i feel like a rebel yeah oh i have a great recipe for yeah for sure okay yeah so i have one more very serious podcast question before we say goodbye and this is what if someone wants to get a hold of you kim what if they want to see more of you is there a place where they could follow you perhaps on a site called twitter yes you can follow me on twitter my handle is gadget squirrel and um i have my dms locked to only people that i follow so send me a follow request um but yeah that's the best way kim's totally happening and she's a super wonderful friend just like completely unrelated to this podcast and she even says yes to be one of your guests right at the beginning when she's not sure if your new podcast is going to be good or not she trusts you and says yes yes no this is great i i was so excited this is i was like i was nervous for you know you know i'm always nervous when i do these things but i was so excited because i have not done a you know like an infosec chat or event like with a friend so this was really cool because we like we know each other and um it's like a a public like conversation like like a broadcast conversation that you we might even have to go out and get some because sometimes you have to you can't just talk you have to walk the walk yes thank you so much for being on the we hack purple podcast and now come on thank you okay so now i am going to show the amazing image that we made for today and we are going to say goodbye so thank you so much for coming to the wehack purple podcast today thank you to our sponsor sonatype and thank you to our guest kim lameru and we will see you next time thank you so much