We Hack Purple Podcast Episode 5

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Ashish Rajan, to learn what it's like to be the Head of Security AND Host of the Cloud Security Podcast.

Subscribe to our podcast on YouTube or your favourite podcast platform!

Ashish Rajan can be found here: Twitter, and here.

Sponsored by ThreadFix!

Watch THIS episode on YouTube!

Transcript:
Welcome to the We Hack Purple Podcast, where each week we introduce you to a different and new guest who's a member of the information security industry.

So I'm the host, I'm Tanya Janca, and when I joined information security I found it really hard to figure out, basically, which job I wanted and what the options were, and how to get training, and what training did I need, what job experience did I need, what job was right for me. I ended up becoming a pen tester because that's what my professional mentor was and that's what I thought I wanted, and then it actually took me over a year or two to figure out, you know what, this isn't what I want, I actually really want to work in application security. And then it turns out I love it. And so we at We Hack Purple started this podcast to try to help people figure out where they fit, and so we are inviting all sorts of different amazing people, including today we have Ashish Rajan. And I want to tell you, just before I reveal him to you, because it's really exciting when I reveal the guest: this episode is sponsored by ThreadFix, which is also partnered with Denim Group, and I want to thank them for being our podcast sponsor. They're our sponsor mostly for the rest of the year and I really, really appreciate it. But now, what you have been waiting for for 20 minutes, because we started late: Ashish Rajan. So let's say hello to him. All right, wait, wait, and wait, wait, I'm trying. There, there we are. All right, we are both set up.

Yes, he's here. This is the best.

I'm here, finally. So glad to be here.

And the crowd goes wild! Yes, oh, I'm so pleased. Thank you, thank you, thank you for everyone who waited, we really appreciate that, and we're sorry we're a bit late. Sometimes the internet is just dumb.

So Raj, I've shared the updated link on YouTube for your folks on Twitter and LinkedIn as well. They're just new links, so they'll get there eventually.

Yes, thank you.
So the tables have turned. I have been on your podcast so many times and now you will be on mine.

I know, like I feel like I should do the Simpsons where I just slowly go back and just like cartwheel myself out of the picture. I know, that's exactly right. Like maybe I should be nervous, but she's a friend as well, so she'll be nice.

She will, but she has to tease you a little bit. Do you remember that? Yeah, you, me and Terry showing her muscles. So I'm now showing that to the audience. This is from AppSec Day in Australia last October, so almost exactly a year ago, when I met Ashish in person for the first time. And you can see that obviously Terry and I have really, really, really big muscles, but it's nothing versus Ashish's muscles. Okay, and they'll stop teasing you and stop showing that photo. And the crowd goes wild again.

It's like, don't take the other picture. That's such a good photo, I have it on my wall. I actually like, I really love that photo, it's so funny.

Oh thank you, thank you, appreciate that. It came out really well, thank you.

It did. So I have some interview questions for you. Are you ready?

Yes, I am.

None of them will involve math equations, I promise.

I'm gonna disappoint all my brown folks if I don't have any math. Sure, there's no math. It'll be really embarrassing, it's like, there's no math, how can I be the Indian guy with the last questions? Basically all the brown people on your podcast have just dropped off, they're like, that's it, no math, I'm not interested in this. No please, don't, don't worry guys.

I scored out, I'm really good with geometry, I think. I'm really good at math, I loved calculus.

Really? Oh, there you go, wow. Tanya, you are multi-skilled and clearly super smart.

Okay, so I have a bunch of questions, and they're all pretty much easy since they're about you, you will know the answers, hopefully. Yes, but it's like a conversation, so feel free, if something makes sense, to just add it in, okay?
Yeah, yeah, for sure.

Okay, so the first question is: what is your name, and if you have a handle online, what is it?

Sure. My name is Ashish Rajan. It's the same as hashish without the H, and my online handle, that's why, is hashish rajan with the A. [Laughter]

I was surprised when I was looking you up, I'm like, why are there so many people named Ashish that aren't the one that's my friend? I'm just like, too many Twitter handles, all of you go away, you are not the one I'm looking for.

That's... this was the only way I found out I could stand out, because no one else could link that hashish joke. But it's so obvious, why don't all of you get this? So that's why I started taking over all the hashish names out there. But then I have to be careful, because that also meant that when people do hashtag hashish, the kind of images that are coming our way are different. That's why I had to go, on my live streams these days I'm going "live with hashish" instead of hashtag hashish. Because someone thought it'd be a creative idea to go hashtag hashish on Instagram and LinkedIn, right? But yeah, I had to change that on LinkedIn, so now it's hashtag "live with hashish" on LinkedIn. That's to be easy and not provocative.

Hashtags are really important. When I started the Mentoring Monday, I felt like that was too many letters, so I just did the hashtag MMM, and, well, let's just say, no, that was a very different topic. That was not for office, I guess. Apparently it is pictures of very nice derrières. So yeah, yeah. I know exactly what I found, and I was like, why are so many people destroying this? That is not Mentoring Monday. I'm so sorry, I didn't... anyway. Okay, so the point of this story is: always check what the hashtag is before you use it.

Yeah, because you might think you're being super creative, but suddenly you find out there are all these other people who were equally creative.

Yes, and so we've already learned one important lesson today from Ashish.

That's right, check your hashtag on the internet, that's the number one thing.
Okay, so the next question is: what is your job title, and describe your job. And I feel like you have two jobs, you have like your day job and then you have your podcast job, so do you want to tell us about one and then the other?

Yeah, sure. So my nine to five is, I am the Head of Security and Compliance for a company called PageUp. We are a recruitment software company, a SaaS company, it's a global tech company. So my nine to five is usually, I guess, that. What I'd spend doing outside my nine to five: I run a podcast called Cloud Security Podcast, and it's kind of like the same format as what you have, it's a live stream every Sunday 8 a.m. Australian Eastern Standard Time, based out of Australia, so Australian Eastern Standard Time. And yeah, you guys can catch it every week. We talk about cloud security, because that's something I'm passionate about, and that's something that I've kind of found that I've been able to share that knowledge with the wider community, because I've always felt that cyber security has a very gated approach, and I always felt like, why? Is it because I never met any people like, you know, when I met you as well, you and I were so open about what we know, what we don't know, but for some reason on Twitter and everywhere else people feel that that's not really true. So that's why I thought I started my podcast, absolutely free for anyone who wants to consume, and every cloud security knowledge out there I can provide to people. That's kind of like the goal, to create a whole cloud security community and bring the value. That's my outside, I guess that's what I'm doing in the midnight, I guess.

I love it, I love it, that's awesome. And head of security sounds really good.

Head of Security and Compliance, and I was like, I just, I've got the crown picture right here just for that. Like that's my... if one day, when I get my house, this is going to be the picture on the wall. My wife's already agreed to it. But just waiting for that day, if I can have that space.

Do you feel like you should add the COVID beard to the picture?

I think I should. Yeah, hopefully COVID goes away by then, I can get rid of this and I can actually go to a barber shop, considering we're in curfew mode, because barber shops are not open as well. And we have, in Melbourne, we have a curfew where we can't go outside the house between 9:00 p.m. and 5 a.m., and no barbers are open, so yeah, that makes things better... challenging, I guess. But I'm hoping, by the time I get my house, that picture would actually be me as well, or I would have to make another one, I guess, or maybe have one more on the side as well.

I have the same problem. I mean, my bangs are, they're just like, they're out of hand.

Oh, that's why I started sweeping it to the side, because I'm like, I can't see anymore. Well, don't let me pull my hair down as well. Although my wife has been really nice, and let's say our marriage depended on the haircut she gave me.

I think your hair looks great. I was actually joking with my friend, I'm like, I have to let you go, I have to do my hair, because my guest has really great hair.

Oh thank you, that's all kudos to my wife though. She definitely did a great job of giving me a decent haircut. If you would have seen me two weeks ago, yeah, I'd definitely look like a bushman.

I like her better. There are a lot of people that look like that, and it's not just you, don't feel bad.

Oh thank you, though, thank you. But I have a reputation to maintain. When the crowd goes wild, they don't go wild for a bushman.

Oh my god, it's like screaming and running away. It's different, it's not the same. Oh yeah, it's a different kind of wild.

Yeah, true, it's the other kind of wild that people are going. Not the kind you want.
Okay, so I have a question. What is a day in the life like to be the Head of Security and Compliance? Like, do you walk around slapping people's hands with sticks? Please say no.

Well, I wish that was a joke, but thanks to COVID that's been avoided. But I'm just kidding. As the head of security, I feel like most of my days are usually planned for the week, and I think, I know we will probably talk about some of the skills that are required as well, but I've planned for the week usually because it's kind of like a varied thing, where it can be a mix of talking to a product team, or it could be talking about incident response, or it could be talking about something that is a low or a high risk. So I feel like I kind of work better if I plan for it on a Monday, or actually usually it turns out to be Sunday night after the podcast is over. But someone decided to send me a request saying, I think I found a bug, like so responding to those, or you talk about risk. Anyway, that's kind of like the mix, but I think it's a great role where I get to do so many things based on the experience that I've gathered over the years.

Do you feel that when you're explaining the risk to people that they understand, or do you have to use a bunch of different ways to explain it? Or do you have like sock puppets that you... just kidding.

Oh, I wish I had those. I have kind of, you see, I found one of my skills has been the fact that I've been able to explain security in a very layman way. Like, for example, when I talk about security and why people should care about security, I talk about the level of maturity that the internet has. Like I think I did a presentation yesterday internally about online safety for everyone, which is different to us, we have a security awareness training as well, but it was different to that. But the goal behind that was the fact that when you go on the roads, there's a signboard for this is your speed limit, you should slow down, it's a school zone, slow down. There's nothing like that on the internet. Nothing goes on the internet and tells you, Tanya, by the way, the website you're going on, there's a virus on it, so you should not go there. Like Google tries to do a great job at it by having that small "this site has been hacked", but it doesn't really, like, it's not proactively looking out for you. Whereas I feel like we haven't matured in that context. So I tend to, when I talk about risk, I tend to use that as an example, where, if I can relate it to something that they see every day. Like I consider security guardrails as airbags for my car. Like I know I'll never use them, but if they're there, then I know I'll be safe.

I love that. I love that especially because everyone understands car airbags. It's like five seconds, it's totally not sexy, but when an emergency happens they can actually protect you against a whole bunch of things, or reduce the harm of so many different types of attacks. It's like one line of code usually, unless it's CSP, which is like very hard and complex, but still worth it.

Yeah, I think so as well, and I think one of our jobs as security folks is probably that you should be able to explain something to anyone. Like otherwise, if we would just talk, for lack of a better word, talk nerdy all day, we would not be making many friends apart from more nerdy friends, and probably it'd be a really small cult group that we'll have. But we want this to be a wider thing, because it's everyone's safety online, not just ours.
That is... I love that. It's everyone's safety online, not just ours. I feel like t-shirts, t-shirts should be...

Yeah, we should totally have the t-shirts out someday. Actually, maybe we should probably copyright it before someone else makes a t-shirt.

Yeah, well, we're actually, the We Hack Purple company is like making a swag store, and so we're actually planning to make t-shirts and mugs and stuff, so we've been like thinking about all the different slogans we could have.

Oh, nice.

Like "we'll hack for coffee" on a coffee mug.

Oh, that's a good one. Well, you just got another contribution for your swag store as well. It's perfect.

Speaking of awesome swag, this is not a great segue, I'm trying. I wrote a book, did you know that?

Oh, I wonder what's the book called?

It's called Alice and Bob Learn Application Security, and, oh...

It could be Alison Bob, or, which is the other way around, Alice and Bob. I was going to say Alison Morbid, like Alison Bob. I feel like I should be Alison, you should be Bob. However, Bob's a white guy and Alice is a nice-looking brown lady, so I feel like we've got all the bases covered between the two of us.

Oh yeah, we definitely have that covered, for sure. Yes, we may have just switched the gender for this context, but we definitely have the bases covered.

Yes, well, basically both of us know lots of AppSec, and so that is the main base that the book covers. And yep, and my publisher told me, they're like, listen, you've sold like 74 books, and your book comes out at the end of October, and the record that we have set for pre-sales for a technical book is 300 books. And so I am extremely competitive.

I have no doubt about it. So anyone listening to this, you just look up Alice and Bob Learn Application Security and check it out.

And I'm very biased, but if you want to learn how to make secure software, I believe it is a fantastic...

I may be a bit biased as well, but she's a really good friend and she talks security, so you would definitely learn quite a bit. Just saying it out loud right now. Go buy it. I'm actually on Amazon right now, I think I might have bought it, sorry. [Laughter] So it's a hint that it's on Amazon as well, if you guys want to go with it.

Yes, someone just added "buy one for yourself and for your friends". Yes, I agree absolutely with Ahmed. He is the best, listen to him.
But now back to like actual questions about you. So being the head of security, there's a lot of different types of personality traits and aptitudes that someone might need, and I'm wondering what types of aptitudes and/or personality traits someone might need to be good, to be the Head of Security and Compliance?

Sure. I'll probably start with something that's probably not taught in uni much, and I had to kind of pick it up as I went along, as more soft skills, right? Really, to be honest, I always felt that when I started my career, I always felt like I needed to be the best programmer, the best pen tester, the best sysadmin. But I kind of realized slowly that all that kind of withers away after a while, because there's always the next thing. Like you would be a PHP expert, but right now only Facebook wants you, I guess, no one else wants you. But that is if they still use it, like, no, things like that. And I still know for sure that empathy is probably one of the skills that I would definitely recommend people look into. And I don't mean empathy in the fluffy sense, more in the context that you should be able to work with people in other parts of the company. You should be able to understand what the goal of your company is, so you have some business context, but at the same time empathize with that: oh, this is probably not the right time for me to bring in this conversation about the super important security project that I think is important when the company doesn't. I think that's, for me, probably the more important skill, and then you can add a few layers of compliance knowledge as well as some technical knowledge about the cloud and other things in there as well. But I think I definitely feel empathy is probably the biggest one, because you can work effectively with other team members as well.

So that's the best answer. I feel like almost everyone every week says that, but not in a way where I'm like, oh, that's a bad answer. It's because it's just so true.

Yeah, yeah, you're not even taught this as well, right? You kind of have to pick this up as you go on the job.

And I don't know why people don't like write it down somewhere: number one skill for any job in security, because you have to work with other people. Even if you're a pen tester, because you start to explain to someone why something is important in layman terms, you need to be able to empathize, as to when they come back at you and say, no, no, this is not a problem I should worry about, it's a low risk, it's not a high risk. As you mentioned, you need to be like, no, no, this is high risk, you can't like stand your ground there. You kind of need to take a moment, go, okay, explain to me why it's low risk, let's just talk about it, and empathize from that, put yourself in their shoes.

Well, and sometimes, for instance, you have to, like if you chain a whole bunch of low vulnerabilities together they become a critical vulnerability, or if you're revealing a whole bunch of different information, suddenly it becomes sensitive information because it's a combination of things.
And do you feel, since you're the head of security, do you feel that leadership skills are required?

I definitely feel leadership skills are required, but I've always looked at leadership as more, I'm serving the team. So I look at leadership very differently. I feel, and I know there's a lot of definition in the industry about what leadership is and what management is, but for me, I think it's about working together as a team. So most of my conversations, leadership, yes, 100%, but probably the definition of leadership for me is more being their friend and understanding where they're coming from, rather than, I'm going to be leading the leading example of, I don't know, insert really awesome task over here. I guess that's good, I couldn't think of an example. But I think 100%, so empathy, leadership, but leadership in the context of insert awesome job here.

No, I think I really loved how you said, like, that you kind of serve your team, because I kind of feel that way too. Like I'm always like, I don't want to be a bottleneck, like I'm here to enable you to get your job done, and if I'm not responding when you need me then I'm sucking at my job.

Yeah, yep. And sorry, I was just going to add, because you may ask them to do a job, but if they're not comfortable to do the job, then it kind of goes back to the empathy as well. You need to be able to say that, oh, I enjoy pen testing, but you want me to do what again? You want me to do compliance? Like maybe not, because you want to retain your team as well, right, and not just go, this is what I want you to do, because this is what the direction of the company is, and not understanding. I feel like that's kind of where, yeah, you're 100% on the money there. Leadership is a lot more complex. It's just serving the people, it's not about being in charge, it's all about serving. So yeah, the higher you go, the more people you have to serve, I feel.

Oh wait, I muted. Yes, no, no, I really, really agree with you quite a bit, actually. I love it when my guests say the thing I'm hoping that they'll say. So we actually have a question in the chat. Do you mind doing a lot of questions? Is that cool?

No, no, no problem, yeah.

Okay, so first of all there's a quote from Gandhi which I really like: "There go my people. I am their leader, so I must follow them." I think that's really beautiful.

Yes, and has to be a brown guy as well. Thank you. Yeah. Sorry, I can say, I probably should have clarified, I can say that, like I'm being a brown guy. As I mentioned, Mahatma Gandhi's a brown guy as well.
Okay, so we have a question from David O'Brien. So how does the head of security make development and operations teams care about security? That's a great question.

That is, and he's a good friend as well, David. Hi David, by the way. Yeah, I think the way, at least it's different for all different organizations. The way at least this works for me currently has been getting involved in conversations, where initially it was because I feel it's a bit about knowing the person who's leading the team and getting their buy-in on how much do they know about security, or do they care about security. And it's been a really interesting conversation, where all developers want to write good code. No one wants to be known as the person who wrote really shitty code. I don't know if I can say [__], but yeah.

People can, you can, I guess. I've already said it, yes.

But yeah, it's too late already. It's already, as they say in Texas, the horses are out of the barn already, I guess. I don't know where I got that from, but someone from Texas told me that. But the one thing that I feel is in there: all developers want to write good code, because they know when it's displayed in front of another senior developer they don't want it to be like, oh my god, you missed this, you missed that, you missed this. So if I get an understanding from a senior developer, or I guess their team leader, that they have that mindset as well, and their experience, I tend to find it an easy conversation for me to introduce concepts like the whole security champions thing. Like I'm running a security champions program in my company at the moment. We're trying to introduce some kind of software composition analysis tool in there, and it's really interesting, yes, I know. It's really interesting how it kind of had to be trickled through, because not everyone may see the value instantly. But you kind of have to find some folks. So you talk to, I guess, whoever the team leader is, to find out who these people are who are really passionate about security, because they all stand out. Every time they see a bad piece of code they're the ones who are saying, nah, this is wrong, I cannot make this work this way. And I think, Tanya, you mentioned this in my podcast as well, but you were working with a few people and you kind of almost walked away from the job as well when they didn't listen to what you were trying to say. So I know there are a lot of people like that in every company, and it's all about finding them and basically working with them to drive security initiatives, because the reality is there is no company that I know of which has a big enough security team to serve the entire company.

Oh my gosh, that's so true.

So you have to work with them, empathy again.

I want to make a t-shirt that says "I am the security team", and everywhere I've worked it's like, hi, I'm the security team, it's just me. [Laughter]

Yes, that's the sad reality of our field. But hey, it's a great field if you love laughing and want some fun. You get paid to find out bugs within the company, so it's perfect.

Yeah, I love our field. Okay.
I need to ask the audience a very quick favor. If you are watching this, please click the thumbs up button if you are enjoying it, and if you are not already subscribed, please consider subscribing, because we have lots of other guests coming on in the future, which I will tell you about later. But for now, if you could just click the thumbs up button, that would be awesome.

And now for the next question. It's a very tough question. What types of technical skills do you feel someone needs to do your job, and also like what types of training do you think could help get those? And I don't mean like name this specific course, like obviously you're like, oh, Tanya, you should get her to teach you, but what I mean is, like, what types of things do you need to learn to get your type of job?

Sure. And I'll definitely start, so, something that I've been passionate about recently, and that's why the whole Cloud Security Podcast and Cloud Security Academy, whatever, but I think for me, I feel cloud skill has definitely become quite important for this kind of a role, because a lot of people are moving into cloud or they've already moved into the cloud. Like my current company is fully in cloud, we are in multiple clouds. That's becoming a new reality for a lot of people. So having an understanding of the security controls that can be available for you from the cloud provider, which are cloud native, or if they're not available, to be able, I think, to be able to ask the right questions from the cloud provider, and when you're trying to secure your own cloud environment, that's probably the number one technical skill. Unfortunately, there's no official training per se. That's why I'm trying to create one, or at least I have a beta program going on for one, because I couldn't find one which is officially saying that if you do this you'll be secure, or this is why you would be. Actually, I do know someone, she's a common friend, Terry, she has a cloud security training that she runs. Another one that I can think of is Scott Piper. I had another guest on my show, Alexander. But I can count them on my fingers, basically, that's the number of people who have courses which are really out there talking about cloud security in a way that it should be done. So I would definitely say, as a skill, know about cloud. You don't have to be like a super expert, just know about cloud. You need to know about application security, because everyone's developing a product, and if you check out Alice and Bob Learn Application Security, probably it's a great starting point, just a sweet plug in there. And I think, if you... I've kind of done Tanya's Application Security 101 version, which was the previous version. I've kind of gone through that course a bit, so it's very good to have that basic understanding, because you may not be the best developer, but when you do talk to a developer, to get their respect you kind of have to have some understanding of why someone should fix something, or at least have enough of a technical understanding that you can explain it to someone. Now granted, if you're a big team, you would have people who would do it, but I prefer knowing it myself as well. That's just, I guess, the kind of nerd I am, I guess. But definitely two kinds of skills I've seen, I feel: product security, cloud, and SOC, which is incident response. Oh my god, if you have those three covered, risk and compliance is usually something which is already there, and you kind of have to call someone external for that anyway. So I always feel that you can always call someone from an external company to come and guide you on it, so you don't have to be an expert unless you're trying to be an auditor. Someone as a head of security, you just need to have a basic understanding of what you need to comply by, and what you need to notify your executives on if you are breached. That's how I see that.

There is a question from the chat from Darpan: so how do you find a good balance of tech skills, you know, cloud, containers, Kubernetes, and certifications, and management and soft skills, in order to be the head, like in the role of head of security?
Right, but I know Darpan as well, thanks Darpan for that question. Hi there. But he's been my guest, actually both David and Darpan have been guests on my show previously. And great question as well. I think the way I find, so maybe it might help if I just kind of start with where I started. I started in the identity and access management field, because I kind of thought, initially I thought pen testing would be super cool. I got into it, then I had to read a manual. I'm like, this is not for me. I just cannot read a manual for the life of me for two hours. So I backed out of that really quickly, and I started off with an internship in identity and access management, which is really fun, because identity is the new king of cloud, so it works out in my favor. I can ask identity questions as well as cloud questions. But I kind of felt that I kind of had to go through different... the way I kind of planned for it, because I always wanted to get into this role. I've been on this trajectory for the last six years. I feel everything that I did was almost strategic, to the point that I ticked off identity and access management, and the previous company before this I ticked off SOC. I knew about incident response, I knew why it was important. I spoke about risk with executives just to understand what that's like. I feel like you don't have to be an expert in one, but as you do something more, you kind of... and this is just me personally, I feel like in certain things I love being super detailed, but in some things I love just being superficial, just knowing enough that I can have a conversation, but I don't have to be an expert in it. That's how I've approached this, and it seems to have worked for me so far, where I've been able to go, or I started off with identity and access management, went into a consulting firm, which is probably... I normally recommend people go into a consulting space, just because it gives you insight into so many different industries as part of your job. That you get to see, oh, this is how the media industry works, this is how the telecom industry works, this is how, I don't know, something with an operational technology kind of technology works, a bank. Like you get introduced so quickly to so many different things, and you get to talk to people and find out, oh, this is why SOC is important, oh, this is why risk is important. And because a lot of these things, unfortunately, are not taught in uni, which, unfortunately, they just tell you that, this is how you do identity and access management, this is how you do pen testing, good luck. And next thing you know, you figure out yourself, wait, do I like pen testing, or is it just the idea that I can hack something that I like?

I could not agree more with you. Also they don't teach pen testing over where I'm from, yeah, in school.

Oh, I mean, we don't have one. I only had one subject. I did a master's degree in information security, because that's what it was called back then, but it was one subject in a semester for pen testing.

Okay, I don't know how you do that, that you just... you can't learn everything in pen testing in one subject.

So let's just say I thought it would be great. The more I spoke to the tutor, who used to work for a bank back then, and he was saying, yeah, I mean, this is just not even scratching the surface. You basically ticked off one box in like a list of 30 items. Like, oh great, so do I have to read the manual for all 30 of them? He's like, yeah. I'm like, okay, then I guess what, I don't want to. Thank you so much. [Laughter]
that's an awesome answer though that's
a plus and also i agree with like
everything
um so i would like to take this moment
to
thank our sponsor threadfix they are the
most stupendous application security
management platform
in this part of the galaxy or the whole
galaxy
if you you know have done more exploring
you'll see that all the other galaxy
vulnerability management platforms not
that great compared to thread fix
just so you know elon musk is just like
wait there's another galaxy no there's
totally tons of galaxies come on science
nerds let's do that
yes okay so let's say
someone wants to get a job just like
yours they would like to one day be the
head of security
so i want to ask what type of learning
path could they take to get there and
maybe what types of work experience
you would suggest they try to get so
that they could one day aim
for where you are sure um
i would definitely depending on the
person whether if they are already an
auditor or they want to start so
there are quite a few and i love how
someone once told me this security is an
inch
deep and a mile wide and
you can isn't that hollywood the
suspicion
an inch deep in a mile wide oh i thought
it was like
but somewhere it came from but i kind of
like that because i feel
like we have risk management where we
talk about risk and governance then we
have so that's grc
then we have soc then we have identity
and access management
and then we have the whole network
security you can just keep adding layers
and i would say it's definitely not
possible
in one lifetime to go through everything
i'm pretty sure they're people out there
but
i don't think i had i've i would have
had the patience for it
so the way i chose the path was once i
got into identity access management i
knew
if i wanted a leadership position i
would have to have some exposure to risk
management so i started looking for
opportunities in risk management space
what that allows you to do is be more
i guess have a conversation with an
executive because no matter where you go
at unless you're unless you're working a
cyber security company
no one else would want to know about
cyber security unfortunately
you would have to be that person to
change your point i am the security guy
the t-shirt you kind of would have to
walk around with that t-shirt so like oh
what is that
like just to get just to generate some
interest from people to they're like
there's this guy walks around with a
security t-shirt i don't know what he
does
like i think it's kind of those ones so
you would find
yourself unless you want to be that guy
who's in a basement somewhere i mean
totally fine if you want to
but if you want to be out there like you
know tanya has got we hack
purple i've got i've got just like this
beard going with like a
thing on the background if you want to
be out there and talking about
like what you're really passionate about
you kind of have to be you don't have to
color your hair purple or
make a portrait out for yourself but you
at least need to be able to go
and explain to someone who probably has
the money to support your initiatives
then this is why this risk is important
or this is what the risk is
um so i kind of chose a path that was
my second kind of
entry okay so i need to tick that box
somewhere and as i was going through
that process i kind of
started getting uh involved with pen
test activities
and i realized the importance of when
talk been talking about
different vulnerabilities in the company
they don't understand cross-site
scripting
or cross-site request forgery like
what is that is that like a technology
should i buy it like uh no you don't
have to buy that
it just comes free for vulnerabilities
in your software i guess
um so from that perspective uh it it's
always an easier conversation to have
with
uh easier to kind of have a conversation
with but with risk so i did identity
access management and i started doing
risk
which introduced me to the con to the
concept of cloud pen testing
and sock i dug deeper into
the cloud space because i realized the
moment i saw it like oh
this is going to be this is where people
are going data center is going to be
just basically left behind and so i
doubled down on it
basically for the next five years after
that i was primarily working in the risk
and the cloud space any project that i
could find which was in
cloud or about security in cloud or
risk management i'll just be all over
that [ __ ] against that [ __ ] again it's
like
a stranger oh my gosh now it's like your
fourth time because then you apologize
for saying [ __ ] yes i know it's like
probably should have a counter going the
entire like if you if you were i would
make like a make like a short video you
just have like a
counter going for the number of times i
said [ __ ] i guess
it would be fun videos the editors can
have a lot of fun it's true
that's right yes uh just so that they
can uh
like why this guy keeps saying [ __ ]
they're going war
so i have a question and then there's a
question from the audience from ahmed
yep so first my question because i'm the
host and i can do that
so a thing that a lot of people want to
know
that they don't know how to ask is
is does your job pay well in your
opinion
so so like when i first
realized that i'd made it in my opinion
was when i went to the grocery store and
i was like i'm gonna buy cheese and then
there were two types of really fancy
cheese that i really wanted
and then i realized i'm like i'm so rich
i can buy both
and so then i was like i am upper middle
class now
look at me with my two types of cheese
and so
does your job well haven't you seen my
background like really i've got plenty
of money hanging around everywhere it's
like i've got my own portrait
i've got every everything going on for
me so um
to answer your question yes and i it's
funny um one of the
panels that i was part of uh for
students and we were talking about
uh why should someone go into cyber
security like it pays well
i said bloody hell you should go into
this like why would you want to go for a
job that doesn't
pay you well and especially if you're
working you might as well but
um obviously the range varies based on
the organization you work
for but you definitely get to buy as
many varieties of cheese as you want
you can actually go to the point of
saying actually do you do i like the
smelly cheese whatever that cheese is
called i
i or do you like the blue cheese or do i
like the french bread
or i'm not i'm not a cheese person i
guess i kind of am a cheese person i
don't mind goat cheese is probably my
extent of exquisite cheese i guess
one of my wife is definitely into her
cheese i guess
blue cheese is our favorite oh i love
cheese
so there are a whole bunch of people in
the chat that are saying
so every time you swear you have to buy
a book and then they've been counting
and so they said you have to buy eight
books
[Music]
uh that's uh i have to be really careful
now it's gonna be an expensive
podcast episode for me okay
so the the question from the chat is
what is a technical issue that you are
currently struggling with in your job
that is both frustrating and exciting
and i know that you know most security
people sign non-disclosure
agreements so try to think of one that
you're allowed to share
and then and then give her
yeah um oh sorry what's the name of the
person who asked the question
uh so it's ahmed that asked it and um
just so you know giver
is canadian for like just go for it
because we said we say everything's
right and then i realized
no one knows what i mean yeah yeah uh
and so yeah i'm trying to think of a uh
so thanks for that question ahmed it's a
good question
and i'll probably say the problem that
i'm dealing with
right now and probably exciting for me
as well
is the it's cloud security because i
love the
cspm space i don't know if you guys know
much about cspm but cloud security
posture management
and i love the space because it's it's
equipped the security guys to come out
and
have some visibility on the cloud
landscape that they have in the
environment
and the challenge that i'm facing right
now and the challenge that i
feel a lot of other security folks
should be excited by as well
it's kind of like taking a step back
from cspms which is just telling me that
i'm compliant
to cis i'm complying to iso i'm
compliant to blah blah let's insert
compliance degree here
they're not making me ask the right
questions they're not making me go
should this really be public or should
this be private what's the architecture
like
like i mean if i were to walk into an
organization
and i'm just i just buy cspm
probably great move because you just get
instant satisfaction that yes i've
got coverage across all my cloud but
what it doesn't do
really well is something asset
management like digital asset management
to be precise
a lot of people still have excel
spreadsheets as asset registers
and i feel this is we live in the 20th
century or 21st century whatever century
we are in
it's surprising when azure google cloud
and uh all these other people have
they haven't thought about the fact that
uh we should probably
and these by the way they're great
solutions out there for this already so
i'm not
trying to create something new over here
i find it really interesting how
we don't go into the into that
conversation so for me cloud security
was kind of like okay
let's talk about assets first and what
do we have so that can at least talk
about
uh cspm and i think it's not the fault of
the cspm as well
it's actually the the right way to go
forward because you want to know
instantly
what's wrong you don't wanna like i'm
just gonna do this fluffy
asset management because my compliance
requirement or whatever
and i think that's been really
interesting challenge and
i feel it's something probably not the
market is ready for
at this point in time because there's
not enough maturity
for cloud security yet but i i
definitely see it coming so
that's an ex that's a challenge that i'm
excited by but i
also do know that it's not right now
that people are okay with it people are
going to be okay with it in the same
three years or four years when they can
start everyone would be asking for it
and then there is like
i'm sure there'll be like an amazing
product that will come out and solve
that problem
um so the audience noticed that i
when you were talking about asset
management being tracked in
microsoft excel uh so ahmed was
commenting
so when you're nodding your head so hard
tanya during the excel asset management
that's pretty awesome but it's so true
it's so true and it's very frustrating
and i feel like
the cloud providers lots of them have
provided these really amazing tools some
of which are
free free like if you're paying to
subscribe
it's perfect subscription cost right and
i'm just like
turn them all on if it is no extra cost
if it does security turn it on please
yeah
i get i give workshops and training on
azure cloud security so i'm just like
please turn it on
okay so i have another question
but first i'm supposed to tell everyone
we just released a new course
at wehackpurple.com so please check that
out
marketing complete um so what do you
like
the best about your job and what do you
like
the least about your job
i think the best part about my job is to
be able to work across
um different areas every week as i was
saying earlier about the monday
uh flying day and the sunday night nine
days i i love that part because
i am i guess this is probably the
covid thing as well but i'm actually
a lot
grateful that i get to work in such
different spaces within security
and i feel a lot i definitely feel
grateful for that opportunity so that's
what i love with the most
i am solving a different problem
sometimes it's a human problem that i'm
trying to solve
but sometimes the technology problem
that i'm trying to solve and
uh the least favorite part is
actually which is slowly turning into a
good part is
talking about budget to vendors
initially i used to be like
um i would not be comfortable talking
about money but
the more i've kind of matured i'm like
actually enjoy this now i'm like
i i would bargain for a dollar now like
so i kind of i probably didn't answer
the question directly but i think like i
started hating it initially but now
i've kind of gone i kind of enjoy this i
should uh do more of this
can i have more budget so i can i don't
want anything more
but i just want to be able to talk to a
vendor so i can
you know just grill them for a bit this
is not a good price give me a better
price you should do better
you know what i love haggling because in
canada we don't do it but when i travel
even if i know i can afford the price
i'm like no i want to haggle and so now
my company
we're always having people try to haggle
with us and i'm like yeah let's hang out
this is going to be awesome and it's
sort of
like fun i think so as well i i
and some people like uh some people i
know they would particularly hate it
they just want to pay the money and walk
away but i'm like
but how often do you get to have this
conversation
it's like you're not haggling at
mcdonald's
but i i think i think they're like tanya
get out of here
stop your haggling yeah it's like a wait
so you want to hang it for a two dollar
burger
and you what sorry two dollar happy meal
you don't really want me to be happy do
you
i think my my favorite one has been so
far where
i went to a cafe and i asked for a
discount
and she said oh do you work in this
building like yeah yeah yeah i
was like oh okay then i did not know
this but apparently people who work in
that building if you or if they order
coffee from that place
they get like a dollar cheaper and from
that day onwards every morning when i
walk to the office this is when i was
walking to the office i would
go past that yes and they remember me my
name they think i work in the building
i wasn't really cheating per se but i
mean it's kind of like
i felt like like what i would did i did
tell them one day that
look i don't work here then she's like
that's not my money anyways so it's not
the owner all right okay cool
if you don't mind i don't mind let's
just continue keeping that secret which
is out in the public now
i can i can talk about it because we're
in covid times and i'm pretty sure
i'm not going to the city anytime soon
for that coffee
[Music]
i love it okay so we just have a few
questions left so if someone wants a
role
like your role and they're they're like
she seems awesome i want to have a job
like him
what advice would you give them to try
to get there
like maybe an actionable step or two
sure uh i will definitely start with
um knowledge of cloud first and i feel
that the reason i say knowledge of cloud
as a actionable step is because
the more you expose yourself to
i guess going into a role where you're
working for a tech or a product company
and it would kind of become obvious that
a lot of people are
expecting security to be technical not
technically in the context that you're
writing code
but technically in the context that you
would understand
the network of a cloud environment you
would understand
the nuances of your cloud environment
you don't have to be able to just do a
full devops pipeline and
like i mean if you do that it's awesome
like i can do it but that doesn't mean
that i would do it every day
it's just not my thing like if i were to
tell someone
i i would probably prefer the security
aspects of it so how to design
it and maybe some nuances i really i'd
write really bad
um i was gonna say [ __ ] but i didn't but
i say it again
uh i really i write really bad
uh python code uh so i would not even
put myself in that
in that bucket but i think
i feel that knowing cloud is probably a
great practical skill to have
uh if you're trying to get into a
product space as well just because
it's for me if i were to look for
replacement for example anyone who's
listening right now and
if i were to look for a replacement for
myself my absolute important
would definitely be more than risk and
compliance would be
some knowledge of cloud because it's so
much in there and
a lot of the conversation that i'm
having with people is around the nuances
of cloud
or a particular cloud provider you can
pick any doesn't have to be you have to
be only aws
or you don't have to know all three i
feel it's a bit unrealistic to know all
three
uh although darpan who's listening to it
he's done all three he's done oracle
cloud as well so he's amazing like that
but
i feel like this that's that's
definitely a rare breed it's not
everyone who can go
all cloud because it's almost like
knowing
i don't know if you you're knowing
something
php like a really good php and then you
really get java and then you're really
good at
python you're like that's just not the
case
at least i haven't met someone like that
i feel that's the same case with cloud
as well
you do one really well and you're able
to transfer most to the skills from that
age to the other one that you learn
so that would be my actual advice get
some knowledge in cloud
learn some empathy give some hugs
security hugs that's right that's right
oh my gosh another mug get your security
hugs here
we hack purple oh yeah that's right yes
basically i'm just like i'm gonna go
over this episode and steal everything
you said and then make mugs out of it
and then i'm gonna make
hundreds of dollars
[Laughter]
okay i have two more questions before we
say goodbye
and then at the end i'm gonna read some
reviews of the podcast
because so obviously everyone listening
has subscribed
to the podcast but maybe they haven't
reviewed it yet did you know that i
believe in bribery
and if you review our podcast and then
you send
us an like a link to your review we will
mail you physical mail cute stickers
that's right i'm so not above bribery
i'm i'm below bribery i don't know i'm
okay with it in regards to stickers and
podcast reviews
but before i read them to you oh no
someone says you have to buy me some
cheese
[Laughter]
that would be too expensive we can't
afford afford the cheese
okay so i have two questions so the
first one
is do you do things outside of infosec
outside of your nine-to-five job and i
guess probably your podcast
but first of all do you want to just
give a pitch for your podcast
and then tell us another thing that you
do outside of your nine to five
yeah sure um so cloud security podcast
started in
jan 2020 and
on the podcast it's a weekly podcast
live streams every week on
linkedin youtube twitch and periscope
and
each week we basically talk to a cloud
practitioner
about different topics so the topics may
range from
application security devsecops cloud
security
infrastructure security and chaos
engineering who would have thought i'll
talk about chaos engineering as a thing
that
um and threat intelligence is another
one that we've covered so
yeah if you are someone who probably is
interested in that field
you don't have to be an expert you might
be someone who just wants to get into
the field
and just are curious about what's that
feel this
we have a lot of episodes where we talk
about
some of the basics on where you can
start around
what kind of questions you should be
asking and some episodes we go really
i guess quite deep as well to go into a
bit more uh deeper understanding of what
something
i guess if you want to secure something
in cloud what you should be doing uh
if you can follow that all on
www.cloudsecuritypodcast.tv
and um yeah that's kind of where
my most of my nine to five is but sorry
most of my post nine-to-five is outside of that
i'm
massively into i guess men's fashion
and that's why i thank you comment about
the hair and
like i blow dry my beard like to the
point that like i did not do it did not
realize the investment that i'm taking
on with my covid beard that i have i
have to blow dry not just my top hair
but also my beard
so that's something that i do outside my
nine to five which is google
how to maintain a good looking beard
that's pretty much what i did i love
your beard you look great
i mean you look right without a beard as
well but
your beard's looking awesome trust me i
have seen some pretty scary looking
rugged covid beards
and not rugged like they're outside
doing things like rugged like i don't
take care of myself
i'm gonna pass this to my wife as well
someone else i also appreciate about the
fact that i'm maintaining because she's
like
why do you spend 15 minutes on your
beard like then you just like i'm like
it takes time honey like all the hair
strength
uh yes so that's something else that i
do outside my nine to five
i was thinking of putting on a nicer
t-shirt i just like work
can't have t-shirt but i was like i
should change because
she's just going to be there but well i
mean i
i wore my cloud security podcast
t-shirt so yes
oh that's such a good shirt oh i love it
yeah
thank you i just like had to be bright
so the like you can thank the wife for
the design
she's a creative one oh really it's good
i like it
i also shared a link to it because we
want people oh thank you
well but of course um okay so the last
question and then we say our goodbye and
then i will read
podcast reviews and hopefully they'll
say nice things
um oh someone says tell her that you are
representing her so you have to maintain
the beard and look good
and also you are the best dressed cloud
security consultant
all around oh in the galaxy in this
galaxy
in this part of the galaxy so like we
haven't checked the other parts yet so
you better hold your breath
yeah that's right i'm like i was going
to say in every galaxy but then i
realized oh there are other galaxies as
well
like yeah maybe in this galaxy let's go
with that there's another ocean another
galaxy
it's probably like blow-drying his beard
right now and he's like
i'll get that ashish i'll
[Laughter]
okay so the last question because people
probably were like
okay this guy's awesome i need to follow
him so
where can they find you do you have a
website or an event coming up or any
links or anything that you want to
promote
sure um so i usually hang mostly on
linkedin just because that's where uh
where the livestream happens but
the second place that i hang out is just
ashish rajan over there
second place that i hang out at is on
twitter but
if you're not looking for i guess
you're looking for episodes for me you
can probably go to my youtube channel
everything can be
seen on www.ashishan.com
uh including my artwork if you want to
buy that i
i've made it a point so apparently on my
patreon program someone wanted my um
a picture of this on my uh on a mug i'm
like sure
i'll uh i'll give you this one a mug so
if you want a mug with that picture i
can totally make it happen
on my patreon program but sure uh that's
kind of where you guys
can find me just go to ashisha.com
oh i'm i'm giggling and i'm muting at
the same time so that doesn't work okay
so i'm just sharing it on the screen so
that everyone can see it and everyone in
the chat can see it and it will be
permanently there i just found your
website and it is
wonderful okay so thank you so much for
being on the show
i really appreciate it i feel like the
time passed so fast so like
the time was very slow while we were
technical
troubleshooting and we were trying to
connect i felt that that was about
four weeks and then the time once we
started it's like it was super sped and
then it was like only a few minutes
thank you yeah i know we got we got the
image either i think
i probably should tell we should tell
the audience we were just going to be
act cool if it worked in the first five
minutes we're like
totally we were just this is like we
were just doing celebrity entry we were
just coming late that's pretty much it
yeah we're just like fashion cool
showing up late
because we don't that's right respect
our audience no that's not true
like that was that was us five minutes
into it
that ten minutes into like oh [ __ ] this
is gonna take a while but
that just went down very quickly you
have now reached double digits of books
you have to buy
that's right so you're going to have to
be like cannot pretend to be
fashionistas anymore can i have to make
this work
they put the nerd hat on oh my gosh
okay well thank you so much for being on
the show my friend
i am going to now do the wrap up so
goodbye and i will see you next time
probably on your podcast
okay hundred percent foreign
you should listen to me if you're
listening to me you should probably
listen to her as well so just go to
alice and
bob learn application security
that's it
thanks so much for having me my pleasure
and everyone subscribe to his podcast
too
thank you all right bye the uh
okay so now i'm going to read to you
first of all tell you who's coming up
next
so up next we are going to have on this
podcast
marie moe that is the woman who hacked
her own
heart and she is going to be on at a
very special time
if you want to catch the live show it's
going to be tuesday september 29th
at 10 a.m pacific time the reason for
this is
she lives in another country and her
time zone was really weird
and obviously i wanted to have the woman
that hacked her own heart
and then next thursday at this exact
time we are going to have juliet
okafor and she is the ceo of a cyber
security company and she's also
ridiculously funny and charming
i saw her be the host last year
for the women's cyberjutsu awards and i
was just like
you're amazing and can i please be your
friend and then she wasn't weirded out
and didn't run away so then i asked her
if she would be on the show and she said
yes
the following week we will be have tracy
martin
she is the founder of defendcon a super
awesome conference that is on and
that is october 8th
and she's a principal security engineer
for iot
and so that's pretty cool and then the
week after that october 15th we're
having katie paxton-fear
and she's going to talk about first of
all what it's like to be a phd student
because that is wicked hard and then
also how to be a bug hunter
and the week after that we have dominique
west and she's gonna talk about what
it's like to be a cloud security
consultant
you might know her from security
in color it's a podcast
um also there's a website and there's a
twitter feed and there's all sorts of
cool stuff around her and we have a
whole bunch
more guests coming up and you can find
out about all of them
at wehackpurple.com
podcast.html yeah that's right old
school.html
now i'm going to read for you just a
couple of the podcast reviews in hopes
that you think that maybe you want to
review a podcast too
so um the first one is
from nav s15 from india is that a
podcast i wanted the name she hacks
purple
in infosec community is well known and
probably we
are all waiting for insights from tanya
and some other great folks and i was
happy to hear from melissa
the queen of code knowledge from the
people who make appsec interesting is
great
looking forward for more amazing cons
content thank you so much another one
just says
we hack purple and it's from colin brd
from the netherlands thank you
um another one from ray ken from the
united states
awesome career advice tanya is well
known in the industry
and really good at what she does the
director of strategy is a tough role
that was mario platt and it's a tough
role to get into there were great
insights into the role and expectations
highly recommend this and future
podcasts another one
from abhivan from india
so one of the best infosec podcasts
tanya certainly knows how to make
learning fun this podcast is an amazing
place to get going and if you're a
beginner you should definitely give it a
try thank you thank you
um we have another person sf hummingbird
uh the it says amazing if anyone's
looking to get into the field or want to
move upwards this podcast is for you
tanya janca has such is such a great
influencer when it comes to sharing
knowledge and connecting folks to
mentors thankful this podcast
exists for the security community and
the last one xander from
india great podcast for those who want
to get into infosec
i definitely recommend these to all of
the infoSec-ers out
there thank you so much we really really
appreciate it when you give us reviews
thank you and like i said if you send us
a screenshot and a mailing list
mailing address we will actually send
you a real live sticker
to say thank you so much i really
appreciate you tuning in
thank you again to our amazing sponsor
threadfix who has sponsored most of the
rest of the entire year
i can't tell you how appreciative we are
i appreciate the guests
and again i'm tanya
again i'm tanya Janca thank you so much
for joining the we hack purple podcast