We Hack Purple Podcast Episode 8

Tracie Martin


In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Tracie Martin, to learn what it's like to be a Principal Security Engineer for IoT! We discussed DefendCon, what it's like to hack a SMART Bike and more!
Tracie Martin can be found here: Twitter and here

This episode sponsored by Ubic Security! Watch THIS episode on YouTube!

Transcript:
welcome to the we hack purple podcast where each week we meet a different person who has a completely different job in the information security industry this week we have juliette at caffore and she's going to tell us what it's like to be a ceo of a startup in the security industry and our sponsor this week is threadfix by denim group and basically i want to thank you all back i want to thank you for coming and without further ado here is juliette and now i'm hiding the image it's working okay there we are and we're live welcome hello thank you so much for being on the show juliet thanks for having me so the show is more about my guests than it is about me oh yeah i'm supposed to introduce myself i'm tanya jacob purple um so juliet could you tell us uh your name and also if you have a twitter handle or a handle online that you're known by sure um i am julia rocofor ceo and founder of revolution cyber and uh i'm often on twitter as jules management j-u-l-e-s mgmt i love that i love that and i like how you also told me your job title because that was my next question so can you describe what your job is because people are like ceo so big boss and that's all they know i know and i literally go by chief engagement officer rather than chief executive officer um and and i did that because i i i like the idea of a flat organization i think the title ceo says more about someone else than it does me um mostly because of course i recognize i'm an executive i don't think i need to tell everybody that's what i do but um at revolution cyber um you know part of what it is that we that we're trying to build is really a community around topics related to security awareness and um user experience um and strategic communications around security that's awesome i like that a lot chief engagement officer on internal stuff i have my title as head nerd well when i was at microsoft my i printed business cards that said accept nerd at your service and my boss was like this is so true this is so true they were right they were right but there's but it's not bad to be a nerd anymore so that's actually pretty good oh yeah no no i agree i mean we're the people that make stuff work and so so your company does security awareness can you describe what that is in case some of our audience doesn't know what that means yeah so i i struggle with the term security awareness we we we make people aware of ways to make better decisions but we go beyond that in that we're communicating on behalf of the security team with users in normal english in ways that they understand about why they should should do good things with security and why they should stop doing bad things with the guard security that's really what we do we're we're not a training company either we're mostly focused on how do we reduce the risk associated with user behavior and we will we will build campaigns marketing um we'll build ambassador programs but the idea is around engagement how do we engage users around security oh my gosh that's super cool i like it i wish that so many other places that i worked had had something like that i know it could be really painful i remember as a software developer mostly viewing the security team as the department of no and them coming up and telling me when i did things that were wrong but never explaining to me what the right things were just how wrong i was and think about like when you like were a kid and your parents just told you no with no explanation it was kind of like because i said so how often were you motivated to like do the thing they wanted you to do so my whole premise is why don't we treat people like either human beings or people who can make choices that's that's all it is yeah like with respect or something right a little bit of that doesn't happen doesn't hurt at all so what is a day in the life like of a chief engagement officer um i heard that sign yes it is you know it it no day is the same um and what you're constantly trying to figure out is how to translate what the security team knows into something interesting and engaging for um for the employees so we really act i act all day as an employee advocate um having security teams really consider how people who are non-technical want to receive information so i spend some days doing research online i spend a lot of time listening to you know on security calls i meet with a lot of vendors because part of what my job is is to we act as an integrator so we'll we're partners with know before we're partners with mimecast we're partners with proofpoint um and our job is to pull it all together for the benefit of the organization so i spend a lot of my day trying to figure out creatively how to build solutions around um cyber security and uh policy management as well that is awesome that's so awesome so do you okay so i've had a lot of people be at so i started a company too this year and i've had a lot of people say you know what is what is your job like and i say so i get to do really fun things half the time and the other half the time i have to answer emails and i hate it i don't even talk about the emails i'm checking all day and night yes i agree do you feel like there isn't like a number of emails that is just unsustainable like how do you do it right you know i i miss things all the time i think the only way i do it is with my partner chidi um she'll ping me and say they said they need a response now and and i'll go back and like oh my god because you know some things come in and you say to yourself oh that can wait um by the time you get to 10 of those things it's probably time you turn around and start answering some emails so um i i couldn't do it without her and then i flagged my email box um i don't have you know the xero inbox i can't do that i don't know how people do it i don't do it my email box is messy and it's full spoken like the truth oh my gosh i like though that you're actually telling the truth because i really appreciate that because sometimes people they're like oh yeah it's totally glamorous all the time i'm like no it's not no it's not no it's not no um and and for more truth i'm like wearing partially like i'm dressed up here but have my pajama bottoms on the bottom so like legitimately it is not glamorous this is like cute up top and then it's like bedtime at the bottom but it's like after nine o'clock eastern so i figured you wouldn't judge me yeah no i oh i guess it's kind of late for you well not late but yeah it's true later yeah are you in are you in new york no i'm actually i'm from new york city born and raised in brooklyn i lived in dc for a time but just moved to columbus ohio oh nice very nice columbus is fun is there a lot of nature there i heard that there's lots of kind of beautiful landmarky naturey things oh my god yes so one of the things i did today is and and what's the okay so this is a this is one of the glamorous or the great parts of being a ceo i was stressed out this morning and so i'm starting to do piyo i don't know if you guys have heard of it it's definitely it's like a combination of yoga and pilates oh my gosh sounds awesome yes it is but it's remarkably tough on the arms so i'm in pain now but um after i did that i actually drove to a man-made beach um and it's like it's called allen state creek park so it's a park and i walked around and like started to get my creative juices going and i just stood by the water it was amazing that sounds wonderful i sometimes so i have a farm on my property so i like turn my property into like a very small firm and so sometimes i just like if i have a really tense thing happen i'm like i'm just going to go prune tomatoes for one hour disappear and you're able to get out of your mind like it's good so at this point i am supposed to tell all of our viewers please click the thumbs up button if you are enjoying the show and i'm also supposed to tell everyone that i published a book called alice and bob learn application security and that you should check it out on amazon and now i am done that part of the script it was really smooth right you could barely tell i mean it was like a full-on production like it was hollywood style it was it was great it's not it's not as good as you because so we met at this the cyber security so where they called the women's cyber jitsu like yearly awards or what was it was oh hacker wasn't like it was six it was something it was a hacker six it was like yeah it was a new event yeah yeah and then jules was the emcee and she had me cracking up i literally was crying i was laughing so hard it's like who's this woman i have to meet her i'm gonna try to be her friend and hopefully she'll think i'm adorable and not creepy and it seems to have worked it works okay okay so more questions okay more questions so it takes a certain type of person to become a ceo and like start their own company and personally i think it takes some bravery what types of personality traits do you think someone needs to be a good ceo or a chief engagement officer um huh you know i don't think the goal post is good because i think we can be overly critical of ourselves and i'll tell you whether i'm good at this or not changes from hour to hour sometimes minute to minute what i'll say is you have to be willing to take risks um you have to be a risk taker and it doesn't mean like these big kind of you know you know everything or nothing risks but you have to be willing to take steps without knowing what the end result is and really stepping out without knowing if there's anyone to catch you um and so i feel like a good ceo can do that while building a business and while developing talent which is all a juggle right it really is right because you are probably also the like the subject matter expert at your company and you are the manager of all the people and you're trying to get the business and you're like everyone don't fall apart or run away yes yes it is you know it's so funny that my mother um she was like why would you leave like a really good job to just like go and worry if your customers are going to pay you like why why do that does your mom know my mom they must know each other there's a network because my mother was like so you're going to leave a good job to go do something where you're not sure that check is going to come in i was like no it'll come in it will and eventually it did there was some time but um i just i think i'm just like made for this whatever this crazy chaotic process is i made for this i love it i like i really like your attitude thank you so what types of like aptitudes do you think someone would need to be a good ceo like attention to detail or hyper focus or being able to see the big picture of things the biggest one is knowing your weaknesses the biggest one is if you are able to spot and admit to admit your weaknesses then you can hire a team we were talking about the people you've hired right because there are certain things in business you want to do certain things you don't want to do certain things you really shouldn't even try and do yeah you've got to be able to admit that to yourself early on and then hire for that talent so one thing i'm really really bad at is administrative work and look i'll i'll go ahead and say there's nothing wrong with with work i believe in and i believe in like an admin work and admins and how wonderful they are i am one who supports they they are gods and goddesses oh my completely it is the one skill set god said we will not give this to you you will not have sex so i i literally rely very much on people around me who are very process oriented and very um you know ocd about organization yeah so i'm surrounded by those people and um i have to build systems so i need things to be automated because i am neuro-diverse i'm i'm adhd and gifted and highly sensitive person like i'm a lot happening in here um and so i just i just admit that that's the thing the benefit of me is the creativity and the ability to win business um but it creates a lot of like an admin headaches for the people around me i i feel your pain so much yeah i i think there are many more people like us than people admit oh yeah i also think too that because we're women sometimes people just assume we're good at admin like they just they're like you're a man of course you can just fix this window that's broken and i've i've had so many male friends where they're just like you know that when we're born they don't just like stick tools in our hands right like it's just and then they're just like obviously she knows how to do all these obviously she likes taking notes because she's a woman you're just like no i know i mean i i remember it was the situation i was in a room um with my customer mail and um uh we we gotta we were ending the call and i was like so what would be great is if you take the notes and you can send them back to me i know it he kind of paused like wait one you're my vendor you're asking me to take the notes but i said to him i'm like you're so organized we could spend all day with me in my scribble scrabble why don't you do it and he he understood i mean the fact is my customers understand that there's a bit of crazy in here but there's also a bit of like results oriented and and you know high energy so i i'm not a note taker but there are other benefits and i have a memory my memory is ridiculous oh i remember that's good i have to take notes because i don't have memory it's like also i learned that by taking notes in meetings i could boss people around and when i learned that i was like i will take all the notes get out of my way and then in the notes i'm like action item in bold adam you said you would do this and and then i like send it to everyone and then a few days later i reply all i'm like adam steve jennifer you said you would do these things where are they and i'm like it's in the notes and i do that to like my boss and my boss's boss i'd be like jim it's in the notes i don't know what to tell you it said you have to do it i love that oh my god well that's that's how my partner bullies me she's always just like jules did you read the notes so i'm like oh yeah oh let me you're right let me go let me go look in those notes and then i feel bad because i'm like they're right here just do it i know it's like oh no i know see the power of the notes yeah i'm on to i'm on to it now i know but if i had a memory i mean then i don't know i would trade okay so i have more questions so do you think that a ceo needs to have technical skills and if so which technical skills do you feel that they need because lots of other jobs that we're talking about they do actually have certain technical things they need to know but as a ceo can you just walk around and kind of just be like in the air do this do that and then you're and then you probably need to be like the best powerpoint person ever you like email like a boss no no no no not email like a boss no um see here's the thing there's a difference between being a ceo and a leader right yeah so if you're going to lead you have to be able to demonstrate to people that you're worth following and the way to do that is if you're leading technical people you should have some technical skills some um one just just something you can point to and say yes i've got that skill um what what i did when i first got into cyber security about four uh six years ago now um i sat in the sock every day alongside the engineers and the analysts and um and and tried to understand like what they were doing saying what the language was um so that and i was just trying to sell sell the solution but i figured in order to sell it i needed to understand what the technical guys were saying and i needed to be able to speak their language speak like they did so that they would respect me yeah um and and i think just over time i don't have any certs till today that's one of the things i've said i want to definitely get one cert just so i can say that i have one um but but i i i don't think that that it's required i think a lot of that is a perception management thing for me um and just to demonstrate to myself that i could get a sword i just haven't done it right i don't have any certs and and i now make a cert through my company i love that so you know what i gave myself the cert that my company because i am like well i wrote the entire program all three levels so i guess i'm allowed to be this you might know something about it yeah yeah and so wait so you're doing application security yeah huh so are you familiar with secure code warrior oh yeah oh yeah i know them well they're lovely humans that's so so how do you in them kind of fit um so they teach sort of hands-on gamification lessons of how to write secure code well our first program from our school is like a formal lesson with videos and you have written assignments and there's quizzes and all of this and the idea is is we teach you how to create and launch and run and measure and improve an application security program so from the beginning to the end where you have a super advanced thing it's all measured and everything a customer for you one of my clients would be a great yes i love that okay awesome but yes i i kept seeing that but i wasn't sure how it fit um and like everybody says that they have an academy and sometimes it's really not it's just like a video i know i have seen some really brutally bad courses and so when people are seeing us with like our 4k camera in our studio and like we have animations that come on and words that appear and disappear and then and i'm a really mean teacher so i make you do like big assignments oh someone someone is putting in the chat what no certs i'm the opposite i only have search but no experience or degree because i'm new to the field well siri we're happy you're here yes welcome and look at us we're both ceos of startup companies and we don't have certs so it turns out you are even more prepared than we are in some ways look at that yeah but i think the thing is experience and i think that's the biggest hardest part um so you're doing training and preparing people for um you know the world of app security and i'm doing training on in some ways um as it relates to helping developers just just want to do the thing i just want to i i thought that once you actually teach them what to do um and i think it's it's about soft skills too it's about you know the kinds of things where you're influencing and you know persuading and teaching all of those things are really good um ways to develop the skills that you need in addition to the search people not not getting hired because they don't because of search if they typically don't know how to prove themselves beyond the cert right so that's the biggest issue well i find getting that first job the most difficult and then once you have that first job if you've been there a year or more it's like the world's your oyster at this point you're like people have shown that i know how to do this i think the issue is the gatekeeping to keep people out of the first job there's so many entry level you need five years which is ridiculous totally ridiculous um actually so i'm gonna just thank my client or my sponsor again because thread fix and the denim group are actually hiring junior application security engineers and junior pen testers so if anyone's listening go down to the denim group or thread fix site and go to their careers page because they're like oh do you know anyone that's looking i'm like well i have a podcast and so how many and they're like we have realistic job postings like we want to work with really nice people because we have to work with them and then we can we can teach them and show them stuff and i'm like that's amazing but are they are they hiring any oh and it's remote oh really yeah is it beyond is it like just junior or can you have more experience there's also senior ones and intermediate ones they're hiring like they're hiring a whole bunch of consultants right now so surrey on the chat you should you should apply to um i i should go through my emails and get the link and then put it in the podcast notes to make sure everyone has it because that'd be really good yeah and i shared it from my twitter yesterday but yeah maybe i should share it again because most places they're like oh we want 10 years experience so that you can be a junior and it's like that's impossible like do you understand how math works um and i mean for that reason i'm actually working with a company um what's her name why can't i remember their name luda security oh luna with katie katie who's amazing katie missouri for people who yeah so yeah i mean the thing is that the interesting thing is hiring you know um all non-traditional talent is a major initiative just across the board but i love her commitment and passion um you know neurodiverse women lgbtq you know really young people junior people looking for an opportunity so there's so if you're looking ludo security is also going to be looking as well i'm going to type this just into the chat perfect i can't seem to type and then talk at the same time but like i'm trying so hard [Laughter] we all have different skills okay and i'm gonna put it on the screen now so luna's security and denim group are hiring so now it's like on the bottom i'm gonna put it actually a little bit below so it's like it's not blocking your i'm not supposed to be able to see that right no you're not supposed to be able to see it it's okay it's in um the streaming software as opposed to in our our private chat so like on skype it's private between you and i and then i'm a jerk and i'm broadcasting it to youtube no i thought this was private i actually usually have a script whenever i call jules so she's used to this okay okay can you imagine you're like she's my weirdest friend she also thanks sponsors randomly because she's just such a weird lady i have to thank my sponsor now i'm like okay keep going you're going ahead don't let me stop you okay so let's say someone's watching this jules and they're like oh my gosh i want to be a ceo like jules one day i want to start my own company what types of training or work experience do you think they should try to get so that they would have some of the skills so that then they could be brave enough and and i mean brave because they're prepared and they know what they're doing as opposed to just being not thinking and and um making a poor choice and jumping in exactly someone who makes impulsive choices yes um you know there is no one way to to to become a ceo um i found a lot of ceos have stumbled into it or have had validation from an external source telling them that they should be a ceo um so most people don't know when they're ready but beyond the fact that i talked i talked i spoke at the diana initiative and i talked about um spaces and really focusing on when you know that you've you've outgrown your space i think a lot of a lot of where we are especially with covid and you know um and just the remote workforce you really can be your own boss in this environment and i think there's a difference though between being a um a contractor an independent contractor and a ceo and the difference between the two is one is kind of an individual contributor role where you're like you take projects you manage them someone pays you you know you don't have any um any uh company you know who's paying your salary doesn't come consistently um but if you're a ceo you have to be have leadership skills you have to be able to communicate you have to be able to present information clearly um but i think more importantly you have to be somebody who can um translate information between multiple stakeholders because as a ceo you might be talking to investors you know vendors customers partners you have to be someone who feels comfortable having those conversations across the board that is really good also i'm sharing uh the link to your talk in the chat and on the screen because i remember that and it's awesome and so i think people might want to see it also i'm giving you a thumbs up which everyone who's watching you should first of all like give this video a thumbs up but then you should go to the other one like when this is over and then you should click the thumbs up button and then you should put jules is awesome yes please don't even go there if you're not going to put yours awesome right if you're not gonna do that you know don't even waste your time i mean why do it so your talk was called reclaiming your space in cyber security speak out and speak up oh speak out speak up and speak often yes here's a good one thank you and so now you have one more thumbs up because i was like well if i'm gonna go get the link i might as well actually hit the button you're hilarious thank you so let's say someone is like i want to be a ceo is there like a course that they could take and i'm asking this because i totally don't know the answer and um you know i wish that it was easier to find out the information it really is divided across multiple like agencies like if you're a woman there's women small business administration there's uh there's a number of chambers of commerce that focus i just the information is really divided the the best source of information i have found where it's kind of joined but you kind of give up part of your companies like the incubators oh yeah definitely cue through yeah the process and help you to make some of the decisions that you need in order to grow your startup so those are like guided growth opportunities did you do one did you go to an accelerator i'm wondering though if that's not the next step for me so i'm kind of in this place where i'm like maybe i'll one i think i'm in a position now to put together a board of advisors um and then really start to figure out um if i want to get angel investors and then you you tend to have to explain to them you know what you're doing in the business it it adds accountability yeah yeah i want to maintain control for a while that's my only fear with the incubator is that you know you kind of lose a lot of control yeah i i also feel like if you so our company is bootstrapping because i just do some consulting gigs and then it just pays everyone for the month and we don't get paid a lot and that's fine and then we just keep building the business building the business right and then now we have courses on so then people are buying the courses i'm like awesome that's helping pay everyone's but you know what i mean and then like slowly but people are like you know tanya you could go way faster if you had investment and i'm like i don't know relationships commitment that's it's like you have to you see all the goofiness that we're doing now you have to like run it by someone else someone else gets to tell you whether or not you can can't yeah and they're like tanya you're being goofy they're like jules is mature she can do what she wants tanya stop whatever you're doing stop it [Laughter] exactly oh god i know i know okay okay so i have another question so this is a sensitive question okay does your job pay well i'm not saying tell me how much you make i'm saying are you rolling around in money and you're like gosh i'm getting paper cuts there's just so much cash everywhere that was me a few years ago no um and not because i couldn't um mostly because i've made a decision to invest as much as possible in the business so i do take home a a bi-weekly salary um i am covered with health insurance but i basically made a decision that it was better that i pay other people right i have two daughters so it was more important that i could have time than to have the money because i could have more money but then i'd have less time yeah so that's really one of the decisions that i made i've been doing the same thing except for i haven't paid myself at all yet just oh my god just because some of the consulting gigs i'm like that just goes right into my bank account because it's not through the company anyway right so i'm like i can't wait so how do you handle that so there's one gig that i have that is i could take it through my bank account but i'm like should i get it paid through the company so there's like pros and cons to each and i think it really depends on your client which is appropriate so for instance i didn't want we hack purple to own my book so you do not make very much money from a book however you do make some money and yes so i have gotten checks for my book and which everyone should buy alice and bob learn application security tell everyone you know um who's your publisher wiley books oh yeah so i have the opportunity to pitch wiley and i i can't figure out what to pitch him oh my gosh yes you should it'd be so awesome what am i going to say i'm like what what do i say well you should write a book about how to actually talk to adults about security and actually convince them and get buy-in they actually go and do it yeah definitely and just i mean i know i'm actually the technical editor for another book coming out um so i'm i'm going through the process you know like if you want to pitch us a book feel free and i'm like huh what am i going to say totally should i already have another book ready after this book but first i have to not want to die from all the work so it's a ton of work yeah did you know you shouldn't start your own company at the same time that you are writing your first book but also when there's a pandemic around the world and then also you decide to turn your property into a farm turns out like that's a lot that's not a good idea yeah um i'm going to go ahead and say you shouldn't agree to be the technical editor for a book at the same time you're moving your whole family to columbus at the very same time you're taking on one of the biggest organizations in the world for a customer like i promise you don't do this it's not what you should be doing sit quietly do one thing at a time get it done right and then move to the next thing yeah oh wow seriously yeah it's a it's a lot of work there's a lot of it is a lot of work so that's probably why but but i will i'll pitch it just so i can you know because he they do want me to write one i just a little nervous well i mean you have an expertise so they probably want it to be about that they're probably not like we're hoping she pitches basket weaving they're probably hoping you're going to talk about security i'd love to weave in security with something else where i'm like comparing it to something that's really actually i like the comparison of how we've handled covet to the way security is handled they're very very similarly handled badly [Laughter] yeah that's what yeah that's kind of the thing i think yeah anyway no comment because i'm in a different country than you so i'm just gonna not uh keep it i try really hard not to comment on what other countries do and just make fun of my own country i just eat my poutine and mind my own business are you in quebec so i moved from quebec to british columbia so i am on so i'm not in vancouver i'm in a place called vancouver island so it's the city of victoria so if you know where seattle is there's this little island above it where it looks like it would be in america because it's below the 49th parallel and we got it in a treaty by being tricky so they're america's like that's ours and we're like no it's the capital of british columbia and they're like is it and then we just like rushed some dudes down there and they just like made a little house and we're like that's the capital and they're like freaking canada always goofing off and gotta admit that they're smart that was smart yeah you're not sure okay well we're sure we'll take it we are the only country ever to attack america right like i don't know if you know in the history how like i can't remember what happened something where like some americans burned down one of our buildings so a bunch of us went across and then burned down their buildings and then ran away because that is also a thing we're good as running away from danger and and we like vandalize and we're really dumb and then we're like aha we are the only country to ever successfully attack america and then not be completely pulverized because we're so cute about it in school oh yeah they're like that one time that we actually attacked a country and it didn't work out that badly because we because we don't attack things right we're like where canada just pretend we're not here that is not your country's personality you are not the aggressor yeah at all yeah and it's a good way to be people ignore us sometimes they come visit us there's some tourism but only for half the year because the other half the year it's too cold everyone dies oh they go back to work yeah where they're from i've been to the only place i've been to well actually i've been to montreal and quebec oh yeah and i i will go ahead and tell you i do not like poutine i don't know why it is that you guys eat that i don't it's because we get so cold that we have to have 3 500 calories in one sitting like you want to take it and pour you have cheese on it you got the curds i mean yeah yeah i mean all of the dishes from quebec are a little confusing like there's a dish called aspic and it is i kid you not it is fruity jello with frozen vegetables inside of it and they serve it at dinner like they'll put it next to like a turkey and then they'll have stuffing and they'll have aspic and then like and i looked at them i'm like why are you serving jello they're like it's not jello it's a french canadian dish and i'm like no dude like that's jello and someone spilled peas in it did you tell them that the us version has fruit no because like i well i was out of dinner and trying to impress up i was dating someone and their parents were there and there's all sorts of awkwardness and i speak french but i don't i'm not quebecois and so it just it just didn't fly no matter how much i tried to impress the people just didn't work i was like i even learned your language and i eat poutine and i smile and like please accept me but eventually i was like i have to go these taxes are killing me taxes are 52 of your income and quebec 52 well depending upon what tax bracket you're in so that's before i became a startup founder when i used to make money but not now they're like you can just live for free you popper well that's gotta be a good benefit because the rest of it's crazy i mean at least you get a benefit i haven't found mine yet yeah well we're okay okay i'm gonna be i'm gonna pretend i'm serious and ask more questions what is your favorite part about your job what is the thing you like the best i like you know and and most people struggle with selling yeah i enjoy selling the most um 20 years in sales right out of college so oh well oh i just gave myself away okay anyway i i graduated 20 years ago so don't worry um so legitimately i enjoy helping people and that they pay me to help them yeah that's the part that i enjoy yes and and it also makes me feel good because there's a defined value on what it is that i offer and i enjoy that part because you spend a lot of time in life not knowing whether people care or not when their check clears it makes me feel very good that they value what i'm offering them yeah that's what i enjoy oh i love that i love that yeah i've discovered i'm not good at sales i'm really good at the top of the funnel of marketing and then the very bottom i just get a little nervous since that's why i hired him a sales guy and he's just like it's fish in a barrel tanya you just it's so much fun like literally the like the top of the funnel and i'm good at the bottom of the funnel it's the process in between where i need somebody to organize that part but then i can automate it so it's really not hard well i am glad that you have that skill and i'm i don't know if the word is envious or jealous where you're like i wish i also had that yes no it means it's neither one of those things you just wish that you had that skill yeah so do you feel that do you feel there's a lot of opportunities for someone to become a ceo of a startup um yes and no okay so yes in that the world is our oyster and we can all go out and start businesses no in that i believe that not everybody is suited for this um and i believe that if if everyone was a ceo there wouldn't be companies because you need people to work in the company so it's okay um i also believe that a lot of the market the way the market's set up is designed to filter out people who don't fit a traditional you know like a mold like the most yeah there's a mold there's a startup mold and people expect you to go through the same process everybody else has gone through and really how quickly you can get through those same steps is how you're judged by the market and unfortunately it does not do very well for women and minorities so so part of that is you can but you have to accept that you're kind of starting with the with with the deck stacked against you so you have to be very clear about what you're trying to do when you start a business have you had people so i have had people do this since i've started my business where they try to insist that i do unpaid work for them and they tell me either it's for exposure like this guy was telling me i had to give free training for his conference because i would get exposure and i was like oh sweetheart i'm something called an industry influencer i have literally 10 times the number of of followers that your little dinky conference has and he's like well i'll yank you off the thing and i'm like you've been advertising my name for weeks i'll sue your pants off do you want to continue this discussion i know for a fact that if i'm connected to something it increases viewership and so um i do not there are still things you need to do as a part of the the infosec community to give back so i believe in that i also believe in helping others right but i don't believe i need the exposure like it's like no i no you're not asking me to speak at your conference because i need exposure you need the exposure so i i would say um people i probably did more free things working at my last company than i do now i i'm very clear that i can't afford to just give up my time like that because i have so little of it so when people suggest like like oh my god my friend okay let me tell you a story yeah a friend of mine from college um she was she wanted me she sent me a message on facebook she said jules i want you to to appear in my um weekly podcast and i said okay sure she's seen me online she sees that i speak all the time i'm not desperate for an opportunity she then has her assistant send me a list of things that i have to do to apply to speak one of them is a minute video that belongs to her after i shoot it yeah no no delete i never got it and i mean she knows me we went to school together but i i literally said i'm sorry no like i've testified before congress twice like i i i know what i'm worth so please no thank you do you feel like as a startup founder that you have to stand up for yourself and stand up for your company sometimes yes um especially with customers um if you allow them to customers will run you ragged and they will become unprofitable for you so you have to be very careful i'm teaching my my program managers to push back i don't believe the customer is always right i believe that when they're right they're right but i don't believe that they're always right and the reason why is sometimes your company and the customer can be misaligned right um delivery has a cost to your company resources materials and the customer may not want to pay that that in that in that in that um situation my company has to be what i take into consideration most i can negotiate with the customer but you have to be willing to cut very clear lines and so i believe with customers you're constantly having to say pay me or you know what you have other options i'm happy okay i'm okay if you walk away and then being okay with people walking away from you i feel that that takes some guts and and cocktails and cocktails yeah so so what advice would you give to someone if they're like okay so this sounds awesome i feel like this is me what did like an actionable item that you could give them if they're like i want to try to do this okay and i just i just talked about this um today so i believe in the three-page business plan yes okay so the first page is your objectives and mission so what are you looking to achieve with the business and what is your overall mission what is the thing that will drive you to do whatever your objectives say you say those objectives are page two is what are you selling and to whom are you selling it to those are the things that are critical because those those determine your message your go to market strategy and and really how much your your your market size is your your likelihood of making money and then third page which should not be the last page but it's actually most important there are um your products your inventory product services pricing and then your financing your funding how are you going to to uh um to pay for the company if you can fill in all six sections of three pages with thoughts if it spills onto another page you are ready to at least begin having a discussion about what comes next if you cannot do that you are not ready now i'm not saying that some people haven't started a company with a napkin or they just kind of fell into it i would say that there's enough information out there that you don't have to fall into it and you get to make less mistakes so if you're willing to spend the time to really think it through i think it's worth pursuing at least initial conversations with someone who might want to either invest partner with you or someone who might want to be your customer that's awesome that's such good advice oh my gosh that actually i got that advice before i started this company yeah that's good yes i have um i have three professional mentors that help kind of guide me with my startup process and it's great yeah are they are they also startup founders uh yes yeah and then one of them she's now a venture capitalist oh my goodness yeah yeah and one of so one of them she's a venture capitalist now so she's awesome sauce one of them she just literally like last month retired and she's a two-time startup founder where both times she hit gold so she got really nice exits both times and then one of them he's still in the startup but they're just doing super amazing they just got a huge series b i think and he's super awesome and so they've given me lots of really helpful advice and like with my last startup company because i started a product company last year they were all really instrumental in convincing me to part ways with my co-founder it's like it's okay that you really like each other and you get along well but like you want this and he wants that and before murder happens right like you can both still be good people you can still respect each other and like you know what i mean but like they're like but but you will at some point um and so getting mentors is so good there's there's some stuff in the chat so everyone's saying yes mentors mentors so there's a question for you i believe what top two books would you recommend for self development and growth and the best book for understanding cyber security that's such a good question siri okay so from my perspective um one of the biggest so i believe strongly in empathy i believe that my the key to my success all of it has been my ability to empathize with others put myself in their situation so i would say simon cynic start with why understanding why people do things why something's happening the driver behind things is so critical to making good decisions um my company revolution cyber our entire framework is on um diagnosing motivations behind why people click right so why do people click there's lots of reasons why people click but understanding why this person clicks over that person helps you really figure out how to mitigate their actions and and reduce the impact of what they're doing so you always want to start with why and simon sinek is is wonderful for that so there's one now i have a book it's like a blue it's a really large book and it sits and it used to sit in my office um on top of my my cabinet and it was called the cso compass and the reason why i prefer that over like it and actually you know uh marcus carrie has some you know tribe of hackers i love that book too but if you're like looking to gain like like executive style leadership understanding the business the cso compass gives you a kind of an encyclopedia of cyber security all the terms um all the things you need to know about how it operates inside of an enterprise and so i would say in addition to your security plus your cisp all those good stuff you know i would definitely ask people to take a practical look at this book because it really is um really comprehensive and a lot of your answers to questions are there that is so good also that book is in my wish list the start with why yeah and i looked at it and then i instead um the murderbot series which is like a it's so good martha wills it's a sci-fi series and i also bought so you want to talk about race which is so good i i that's on my wish list so i have to purchase that it is so good because so like i i had so before covid one of the last like lunches i had was like meeting a bunch of people and someone's mom was there and she said a racist thing and so but like i don't understand subtlety and so this book is helping me like respond not like with the f word and stuff and so and it was like this person's mom and i was like uh excuse me i don't think so and she's like oh it's just a thing we say i'm like a racist thing and it was like everyone's quiet like you can hear a pin drop i was like this old lady and i was just like okay so i can learn how to talk about race in a way where everyone doesn't want to die like in the whole room people aren't like ducking out of your way like dropping stop dropping and rolling out of your way yeah yeah you know the thing about it's so funny um these conversations about race these days you know i think i just want to get to a place where we don't shame people um unless they continue to be a host then let's shame them but for the most part a lot of people don't get to talk about race in their families and in their lives so when it comes up it can be quite uncomfortable that's really cool i feel like we just need to find like common ground to discuss i agree too no f-bombs so that's why i'm reading the book because in my family we we do talk about about race but we're the type that would be very offended and then shoot our mouths off and so you're right that's not it's not constructive conversation if you use the f-bomb and so i'm learning i'm still learning about this adulting thing yeah and and being a ceo does require that at least half the time like you got to be an adult at some part of the day yes definitely definitely okay so i have two last questions for you and they're very tough so the first one is do you do fun things outside of infosec that you want to share is there like a hobby or a thing that you do that you just love that you'd like to tell us about i used to love to travel i love to get to know like learn new people places and i travel but i used to love to travel by myself because then i could really get deep into cultures and things um we can't do that now um so i think i've lost that part of myself um in that way but what i also do is now i'll drive to a place and like just kind of explore city by myself but like you know socially distance and everything but i'm now doing more driving trips these days i like that though and also there's there's comments in the audience of for me using the f-bomb sometimes it's okay though and then for you there's that empathy that you're talking about about changing things so i like that i like that i agree with you it's sad we can't travel right now but understandable but i'm really hoping that um we you know the whole world actually just gets organized and we just kick kovit in the butt so just gonna keep waiting for those two weeks where we all just stay inside and behave ourselves in just two weeks that's it i know i know okay so here's the other extremely difficult question so if someone wants to get to know more about you if someone is there like an event coming up or are you speaking anywhere i have listed right underneath you your website address so i thought that was probably a good one yes um so i'll be speaking um october 7th rsa um security awareness panel nice so is that coming up um i'm also gonna be speaking i'm the keynote for b-side seattle awesome come attend and watch me there i i i'm you know just on twitter mouthing off all the time so follow me on twitter wait wait could you say so your internet froze for one second could you please say your twitter handle again at jules management j nice um i follow her so if you can't find her like just tweet at me and i'll help you find her but i've also been tagging her a lot so yeah awesome awesome okay so that is all the questions i have and so now i'm going to do the wrap up although i'm hoping you'll stay on so we can chat after but sure i want to thank you so much for being on the wehack purple podcast this has been great oh my gosh you're so fun you're fun yeah we had a good time had a good time thank you and um okay so i'm going to say goodbye to you because i can be an adult and actually say goodbye so i'm going to disappear jules now so everyone wave goodbye to jules and and now um wait no and i want to tell everyone thank you so much for coming to the weehack purple podcast i really appreciate you being here um up next week we have even more awesome stuff for you we have more guests and we have a great sponsor threadfix thank you denim group for that and i want you to know that we would really like it if you were to review the podcast so i know that this is like super selfish of me but i would really like it if you would give us a review it's so that other people can find us and it's so that i know people are actually listening it's really helpful for us trust me i'm so not kidding um so i'm gonna tell you about the next couple episodes of all the awesome humans that are gonna be on to help you decide you want to be on the show so up next week we have tracy martin she is the founder of defend con and she's also going to talk about basically how to secure iot devices which is super cool we're going to have katie paxton fear on the following week she's gonna talk to us about one being a phd which is really hard and two being a bug hunter and that's super cool following week dominic west and the following week after that we have stephanie black from panama she runs the woesec chapter there and she is a cyber security account manager because there's all sorts of different types of job in this field you can go on to itunes and leave a review there and the week after that we have tyrone wilson who is another ceo and founder of a cyber security company but his company does something different and i'm going to have to share that link of where to review stuff on the page in a second but for now i'm going to sign off i'm going to ask you all really sweetly if you will check out wehackpurple.com and thank you so much for coming to the show this week again it was such a pleasure to have you you