CyberWire Daily - Rachel Tobac: Find a way to laugh. [CEO] [Career Notes]

Episode Date: February 19, 2023

Rachel Tobac, CEO of SocialProof Security, sits down to share her amazing story of becoming what's known in the industry as an ethical hacker and CEO of a company. Rachel shares how she was always fascinated with spy movies and, as she grew older, that fascination turned into a real desire. Finding out she liked learning how the human brain works, she decided to start off in neuroscience. Wanting a change, and with the help of her husband, she was able to start getting more into hacking, finding she loved the fact that she was pretending to be someone to hack into a company and find its weak spots. She shares how, as a leader now, she likes to be authentic with her team. She says, "I think in the security world sometimes we take ourselves pretty seriously and a lot of times it's because we're dealing with really serious topics, and so in the moment we have to be extremely serious, but when you get a five minute break in between your crisis meetings, find a way to laugh if you can." We thank Rachel for sharing her story with us.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Thank you. Learn more at zscaler.com slash security. My favorite movie growing up was Harriet the Spy, which is probably not a super big surprise. I carried around a little notebook and wrote observations about my life and hoped that I could use that. For what, I don't know. I was only a child. But I think that really kind of helped me predict how I would use my skills later in life. I have a very non-traditional path to InfoSec.
Starting point is 00:02:18 I went to school for neuroscience and behavioral psychology. I worked in a rat lab. I was a teacher. I led a UX research team. Now I'm a hacker and CEO. So it's pretty different than people might expect. I was always interested in the human brain and how people make decisions, how they are persuaded. So I knew that I wanted to go into neuroscience right after I took AP Psych. And I went through all of that pre-med stuff,
Starting point is 00:02:52 which was grueling. And I was trying to figure out what it is that I could do in my career. And I didn't want to work in the basement in a rat lab anymore. I wanted to go out and be in the sunlight with people because I like the human element of everything. So I was like, you know what? I'm going to use my skills and I'm going to be a teacher. So I was a teacher for children with disabilities and I absolutely loved that job. I moved from the Pittsburgh, Pennsylvania area to the San Francisco Bay Area. And I'm like, you know what? I think it's time for a change.
Starting point is 00:03:17 Maybe I want to try something else. And my friend living in Silicon Valley goes, well, you know, you're really close to Silicon Valley. You could work in tech. And I, no joke, go, what's that? Like, did not know what Silicon Valley was. And she was like, are you serious? You live like 10 minutes away from where Facebook, Twitter, Instagram, like all that stuff was built. I was like, oh, okay, let me look into that. Like, that's how much of a tech noob I was. I applied to 100 tech-based roles.
Starting point is 00:03:57 And I ended up getting about 15 interviews from that, five final interviews and three offers. That was the path. And I ended up taking a job at an ed tech company, which felt like a really fitting position because of course I just came from education. So worked in the ed tech role, started as a community manager, worked my way up to a senior community manager. Then I started the UX research function at the company and became a UX research lead, which really just married a lot of my interest in all the studies that I did in college. So I was able to lead that function there. And while I was at that company, my husband was like, hey, you should come to this cool conference in Vegas. It's called DEF CON. And I'm like, nah, I'm okay. I'm good. And he's like, no, I really, really think you would like it. So I was like, all right, I'll go.
Starting point is 00:04:42 I ended up seeing a few calls and was like, oh, absolutely. I want to do that. So I ended up competing at DEF CON, applied, made a really weird Twin Peaks style application video and ended up getting in and competing and getting second into InfoSec. It was pretty organic, actually. So from DEF CON, people started reaching out and saying, hey, I saw you live competing at DEF CON. Will you come to my company and talk about how you hack and how we can avoid falling for your tricks? So I started doing that and had a bunch of the big names in Silicon Valley as my clients. And I was like, I should probably LLC to protect myself. So I created my LLC. It was first things like keynotes, and then social engineering prevention training, then security awareness training, protocol update workshops to change the way that you verify identity
Starting point is 00:05:46 through customer support flows, one of my main ways of attacking, and then from there, penetration testing. The majority of my week are virtual live programming and events. So companies will ask me to come in and do a live hacking demonstration and walk through with their executives or their all-hands style team or their finance team about how specifically they would get hacked and how they can avoid falling for those tricks and what technical tools to implement so that they don't have to just rely on the human element of security. And then other calls throughout the day that pop up are usually random media requests. Other weeks, it's different. Other weeks, it's things like I have a pen test and I've pretty much blocked off the rest of my week so
Starting point is 00:06:30 that I can actually hack the company. It's kind of silly, but it's like a little bit like method acting where you kind of have to stay within your role. Like if I'm doing that, I try not to mix and match and have to be myself and also my pretext. I try to just be as authentic as I can possibly be. I feel like a lot of people, when they get into a position of leadership, they can get a little stuffy and a little, I don't know, like corporate speak. I try to stay professional while at the same time maintaining my personality because I don't know. I like to laugh. I think it's fun. And like having fun, witty banter with people doesn't make you any less of a leader. I think sometimes people get confused about that. The way that I deal with adversity is through humor, usually. I find I get a lot of perspective when I can take a step back and laugh at something, whether it's like
Starting point is 00:07:38 a meme on TikTok or an SNL sketch or just going and watching live improv or just laughing at whatever's going on in my life in general. I think in the security world, sometimes we take ourselves pretty seriously. And a lot of times it's because we're dealing with really serious topics. And so in the moment, we have to be extremely serious. But when you get a five-minute break in between your crisis meetings, find a way to laugh if you can. Otherwise, you might drive yourself wild. I hope that people look back at the work that I've done and they think, man, it's really annoying to try to hack into companies now. I hope scammers, cyber criminals and even pen testers think, oh, Rachel was here. I can tell because I just tried to call their customer support team or their finance team
Starting point is 00:08:26 or I texted their exec team and I tried to get them to go to this link or install this remote access software or send a check to this different bank and they wouldn't do it. They have a second method of communication and they have a password manager and they have all these MFA tools that they use
Starting point is 00:08:41 and it's just annoying. I hope people see that and they think, wow, Rachel was here. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
