Screaming in the Cloud - Connecting Cybersecurity to the Whole Organization with Alyssa Miller
Episode Date: June 7, 2022

About Alyssa

Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, is the global executive leader for cyber security across the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how security professionals of all levels work with our non-security partners throughout the business.

A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer, which enabled her to pivot into security roles. Beginning as a penetration tester, her last 16 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

Links Referenced:
Cybersecurity Career Guide: https://alyssa.link/book
Twitter: https://twitter.com/AlyssaM_InfoSec
alyssasec.com: https://alyssasec.com
Transcript
Hello, and welcome to Screaming in the Cloud, with your host, Chief Cloud Economist at the
Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
This episode is sponsored in part by our friends at Vultr.
Optimized cloud compute plans have landed at Vultr
to deliver lightning-fast processing power
courtesy of third-gen AMD EPYC processors
without the I/O or hardware limitations of a traditional multi-tenant cloud server.
Starting at just $28 a month, users can deploy general-purpose CPU, memory, or storage-optimized cloud instances in more than 20 locations across five continents.
Without looking, I know that once again Antarctica has gotten the
short end of the stick. Launch your Vultr optimized compute instance in 60 seconds or less
on your choice of included operating systems or bring your own. It's time to ditch convoluted and
unpredictable giant tech company billing practices and say goodbye to noisy neighbors and egregious egress forever.
Vultr delivers the power of the cloud with none of the bloat. Screaming in the Cloud listeners
can try Vultr for free today with $150 in credit when they visit getvultr.com
slash screaming. That's G-E-T-V-U-L-T-R dot com slash screaming. My thanks to them for sponsoring this ridiculous podcast.
This episode is sponsored in part by Honeycomb.
When production is running slow, it's hard to know where problems originate.
Is it your application code, users, or the underlying systems?
I've got five bucks on DNS, personally.
Why scroll through endless dashboards while dealing with alert floods,
going from tool to tool to tool that you employ, guessing at which puzzle pieces matter?
Context switching and tool sprawl are slowly killing both your team and your business. You
should care more about one of those than the other. Which one is up to you? Drop the separate
pillars and enter a world of getting one unified understanding of the
one thing driving your business, production. With Honeycomb, you guess less and know more.
Try it for free at honeycomb.io slash screaming in the cloud. Observability, it's more than just
hipster monitoring.
Welcome to Screaming in the Cloud. I'm Corey Quinn.
One of the problems that many folks experience in the course of their career,
regardless of what direction they're in,
is the curse of high expectations.
And there's no escaping from that.
Think about CISOs, for example, the CISO,
the Chief Information Security Officer.
It's generally a C-level role.
Well, what's better than a C
in the academic world? That's right, a B. My guest today is breaking that mold. Alyssa Miller
is the BISO, B-I-S-O, at S&P Global. Alyssa, thank you for joining me to suffer my slings and arrows
as we go through a conversation that is certain to be no less ridiculous than it has begun to be already.
I mean, I'm good with ridiculous, but thanks for having me on. This is awesome. I'm really
excited to be here. Great. What the heck's a BISO? I never get that question. So no one's ever asked
me that before. It's like the same thing. You're really tall. No, you're kidding. Same type of
story, but I wasn't clear.
It means I'm really the only person left wondering.
Exactly.
I mean, I wrote a whole blog on it the day I got the job, right?
So business information security officer, basically what it means is I am like the CISO, but for my division, the ratings division at S&P Global.
So I lead our cybersecurity efforts within that division,
work closely with our information security teams, our corporate IT teams, whatever.
But I don't report to them. I report into the business line. I'm in the divisional CTO's
org structure. And so I'm the one bridging the gap between that business side
where, hey, we make all the money and that corporate infosec side where, hey, we're trying
to protect all the things. And there's usually that little bit of a gap where they don't always
connect. That's me building the bridge across that. Someone who speaks both security and business is honestly in a bit of rare supply these days.
I mean, when I started my Thursday newsletter podcast, Nonsense, last week in AWS security, the problem I kept smacking into was everything I saw was on one side of that divide or the other.
There was the folks who have the word security in their job title, and there tends to be this hidden language
of corporate speak. It's a dialect I don't fully understand. And then you have the community side
of actual security practitioners who are doing amazing work, but also have a cultural problem
that more or less distills down to them being an awful lot of shitheads in them, their waters.
And I wanted something that was neither of those and also wasn't vendor capture, which is why I decided to start storytelling in that space. But increasingly, I'm seeing that there's a significant
problem with people who are able to contextualize security in the context of business. Because if
you're secure enough, you can stop all work from ever happening. Whereas if you're pure business
side and only care about feature velocity and the rest, like, well, what happens if we get breached?
It's, oh, don't worry.
I have my resume up to date.
Not the most reassuring answer to give people.
You have to be able to figure out where that line lies.
And it seems like that figuring out where that line is, is more or less your entire stock and trade.
Oh, absolutely.
Yeah. Yeah, I mean, I can remember my earliest days as a developer, that my cynical attitude towards security myself was, you know, their utopia would be an impenetrable room full of servers that have no connections to anything.
Right. Like that would be wildly secure, yet completely useless.
And so, yeah, then I got into security and now I was one of them. And it's, you know, it's one of those things you sit in, say, a board meeting sometime and you listen to a CISO, a typical CISO talk to the board and they just don't get it.
Like there's so much, hey, we're implementing this technology and we're doing this thing and here's our vulnerability counts and here's how many are
overdue.
And none of that means anything.
I mean, I actually had a board member ask me once, what is a CISO?
I kid you not.
Like, that's where they're at.
Like, so don't tell them what you're doing, but tell them why.
Connect it back to like, hey, the business needs this and this.
And in order to do it, we've got to make sure it's secure.
So we're going to implement these couple of things.
And here's the roadmap of how we get from where we are right now to where we need to be so they can launch that new service or product or whatever the hell it is that they're going to do.
It feels like security is right up there with accounting in the sense of fields of endeavor where you don't want someone with too much personality involved.
Because if the CISO is sitting there talking to the board, it's like, so what do you do here exactly?
And the answer is the honest, hey, remember last month how we were in the New York Times with a giant data breach and they do a spit take?
No, no, I don't.
Exactly.
You're welcome. And on some level, it is kind of honest, but it also does not instill confidence when you're
that cavalier with the description of what it is you do here.
At least in some corners.
I prefer places where that goes over well, but that's me.
Yeah, but there's so much of that too, right?
Like, here's the one I love.
Well, you know, it's not if you get breached, it's when.
Oh, by the way, give me millions and millions of dollars
so I can make sure we don't get breached.
But wait, you just told me we're going to get breached no matter what we do.
Like, we do that and secure like,
and then you wonder why they don't give you funding for the initiative.
Like, hello, you know, and that's the thing that gets me.
Can we just sit back and understand, like, how do you message to these people?
Yeah, you bring up the accounting thing.
The funny thing is, at least all of them understand some level of accounting because most of them have MBAs and business degrees where they had to do some accounting.
They didn't go through cybersecurity in their MBA program. So one of my favorite questions on Twitter once was somebody asked me,
if I want to get into cybersecurity leadership, what is the one thing that I should focus on or
what skills should I study? I said, go study MBA concepts. Forget all the cybersecurity stuff.
You probably have plenty of that tech knowledge. Go understand what they learn in MBA programs. And if you can start to speak that language, that's going to pay dividends for
bridging that gap. So you don't look like the traditional slovenly computer geek showing up
at those meetings who does not know how to sound as if they belong in the room. It's unfair on some
level. I used to have bitter angst about that. Like, why should how I dress matter how people perceive me?
Yeah, in an absolute sense, you're absolutely right.
However, I can talk about the way the world is or the way I wish it were.
And there has to be a bit of a divide there.
Oh, for sure.
Yeah.
I mean, you can't deny that you have to be prepared for the audience you're walking into.
Now, I work in big conservative
financial services on Wall Street, you know, and I had this conversation with a prominent member of
our community when I started the job. I'm like, boy, I guess I can't really put stickers on my
laptop. I'm going to have to get, you know, a protector or something to put the stickers on
because the last thing I want to do is go into a boardroom with my laptop and whip out a bunch
of hacker stickers on the backside of my laptop. Like in a lot of spaces that'll work,
but you can't really do that when you're, you know, at a, you know, executive level
and you're in a conservative financial services firm. It's just, I would love to say they should deal
with that. They should, I should be able to have pink hair and face tattoos and everything else.
But the reality is, yeah, I can do all that.
But these are still human beings who are going to react to that.
And it's the same when we're talking about cybersecurity then.
I have to understand as a security practitioner that all they know about cybersecurity is it's big and scary.
It's the thing that keeps them up at night.
I've had board members tell me exactly that.
And so how do I make it a little less scary or at least get them to have some confidence in me
that I'll like carry the shield in front of them
and protect them?
Like that's my job.
That's why I'm there.
When I was starting my consultancy five years ago,
I was trying to make a choice
between something in the security cloud direction
or the cost cloud direction. And one of the things that absolutely tipped the balance for me was the
fact that the AWS bill is very much a business hours only problem. No one calls me at two in
the morning screaming their head off, usually. But there's a lot of alignment between those two
directions in that you can spend all your time and energy fixing security issues and or reducing the bill,
but past a certain point,
knock it off and go do the thing
that your company is actually there to do.
And you want to be responsible to a point on those things,
but you don't want it to be the end all be all
because the logical outcome of all of that,
if you keep going,
is your company runs out of money and dies
because you're not going to either cost optimize or security optimize your business to its next milestone. And weighing those things
is challenging. Now, too many people hear that and think, see, I don't have to worry about those
things at all. It's, oh, you will sooner or later, I promise. So here's the fallacy in that.
There is this assumption that everything we do in security is going to hamper the business
in some way.
And so we have to temper that, right?
Like you're not wrong.
And we talked about before, like, you know, security in a traditional sense, like we could
do all of the, you know, puristic things and end up just like screeching the world to a
halt.
But the reality is we can do security in a way that actually grows the business,
that actually creates revenue, or I should say enables the creation of revenue.
And that, you know, we can empower the business to do more things
and to be more innovative by how we approach security in the organization.
And that's the big thing that we miss in security is like, look, we don't,
yes, we will always be a quote unquote cost center, right?
I mean, we in security don't, unless you work for a security organization,
we're not getting revenue attributed to us.
We're not creating revenue, but we are enabling those people who can,
if we approach it right.
Well, the red team might if they go a
little off script, but that's neither here nor there. Yeah, I mean, I've had that question,
like, couldn't we just resell our red team services? I know. No, that's not our core. I was going
the other direction, like, oh, we're just gonna start extorting other businesses because we got bored
this week. I'm kidding, I'm kidding. Please don't do an investigation, any law enforcement folks.
The SEC is calling me right now. They
want to know what I'm talking about, but they have some inquiries they would like you to assist them
with, and they're not really asking. Yeah, they're good at that. No, I love them though. They're great.
But no, seriously, like, I mean, we always think about it that way, and then we
wonder, why do we have the reputation of the department of no?
Well, because we kind of look at it that way ourselves.
We don't really look at, like, how can we be a part of the answer?
Like when we look at DevSecOps, for instance.
Okay, I want to bring security into my pipeline.
So what do we do?
We say, ooh, shared responsibility.
That's a DevOps thing.
So that means security is everybody's responsibility, full stop.
Right.
And I agree with you wholeheartedly.
The cost is aligned with this. It has to be easier to do it the right way than to just go off half-baked and do it yourself off the blessed path.
And that means that you cannot make it harder to do the right thing.
You have to make it easier because you will not win against human
psychology. Depending on someone, when they're done with an experiment to manually go in and
turn things off, it will not happen. And my argument has been that security and cost are
aligned constantly because the best way to secure something and save money on at the same time is to
turn that shit off. You wouldn't think it would be that simple, but yet here we are.
But see, here's the thing.
I mean, this is what kills me.
It's so arrogant of security people to look at it and say that, right?
Because shared responsibility means shared.
Okay.
That means we have responsibilities.
We're going to share.
Everybody's responsible for security.
Yes.
Our developers have responsibilities now that we have to take a share in as well,
which is get that shit to production fast, period.
That is their goal.
How fast can I pop user stories off the backlog and get them to deployment?
My SREs on the op side, they're like, we just got to keep that stuff running.
That's all we, you know, that's our primary focus. So the whole point of DevOps and DevSecOps was everybody's responsible for
every part of that. So if I'm bringing security into that message, I as security have to be
responsible for site stability. I in security have to be responsible for efficient deployment
and the speed of that pipeline.
And that's the part that we miss.
This episode is sponsored in part by our friends at EnterpriseDB.
EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now, EnterpriseDB has you covered wherever you deploy PostgreSQL, on-premises, private cloud, and they just announced a fully
managed service on AWS and Azure called BigAnimal. All one word. Don't leave managing your database
to your cloud vendor because they're too busy launching another half dozen managed databases
to focus on any one of them that they didn't build themselves. Instead, work with the experts
over at EnterpriseDB. They can save you time and money.
They can even help you migrate legacy applications,
including Oracle, to the cloud.
To learn more, try Big Animal for free.
Go to biganimal.com slash snark and tell them Corey sent you.
I think you might be the first person I've ever spoken to
that has that particular take on the shared responsibility model.
Normally, when I hear it, it's on stage from an AWS employee doing a 45-minute song and
dance about what the shared responsibility model is.
And generally that is interpreted as, if you get breached, it's your fault, not ours.
Now, you can't necessarily say it that directly to someone who has just suffered a security
incident, which is why it takes 45 minutes and slides and diagrams and Excel sheets and the rest. But that is what it fundamentally distills down to. And then you wind
up pointing out security things that they've had that both security researchers have pointed out,
and they are very tight lipped about those things. And it's, oh, it's not that you're
otherworldly good at security. It's that you're great at getting people to shut up. You know,
not me for whatever
reason, because I'm noisy and obnoxious, but most people who actually care about not getting fired
from their jobs generally don't want to go out there making big cloud companies look bad.
Meanwhile, that's kind of my entire brand. I mean, it's all about lines of liability,
right? I mean, where am I liable? Where am I not? And yeah, well, if I tell you you're responsible
for security on all these things and I can
point to any part of that that was part of the breach, well, hey, then it's out of my
hands.
I'm not liable.
I did what I said I would.
You didn't secure your stuff.
Yeah, it's and I mean, and some of that is to be fair.
Like, I mean, OK, I'm going to host my stuff on your computer.
The whole cloud is just somebody else's computer model is still ultimately true.
But yeah, I mean, I'm expecting you to provide me a stable and secure environment.
And then I'm going to deploy stuff on it.
And you are expecting me to deploy things that are stable and secure as well.
And so they say shared model or shared responsibility model, but it really, if you
listen to that message, it's the exact opposite. They're telling you why it's a separate responsibility
model. Here's our responsibilities. Here's yours. Boom. It's not about shared. It's about separated.
One of the most formative, I guess, contributors to my worldview was 13 years ago,
I went on a date and met someone lovely. We got married. We've been together ever since. And
she's an attorney. And it is been life-changing to understand a lot of that perspective,
where it turns out when you're dealing with legal, it's, they are not, everyone says, oh, the lawyers insisted on these things.
No, they didn't.
A lawyer's entire role in a company is to identify risk.
And then it is up to the business to make a decision
around what is acceptable and what is not.
If your lawyers ever insist on something,
what that actually means in my experience is
you have said something profoundly
ignorant. That is one of those, like that is they're doing the legal equivalent of slapping
the gun out of the toddler's hand of, no, you cannot go and tweet that because you'll go to
prison level of ridiculous nonsense where it is that will violate the law. Everything else is
different shades of the same answer. It depends. Here's
what to consider. And then you choose and the business chooses its own direction. So when you
have companies doing what appear to be ridiculous things like Oracle, for example, loves to begin
every keynote with a disclaimer about how nothing they're about to say is true. The lawyers didn't
insist on that, though they are the world's largest law firm, Kirkland Ellison. But instead, it's this
entire story of given the risk and everything that we know about how we say things on stage
and people gunning for us. Yeah, we are going to say we are going to make this disclaimer first.
Most other tech companies do not do that exact thing, which I've got to say, when you're sitting
in the audience ready to see the new hotness that's about to get rolled out, and it starts with a disclaimer,
that is more or less corporate speak for you are about to hear some bullshit in my experience.
Yes. I mean, and that's the thing, like, you know, we do deride legal teams a lot.
And, you know, I can find you plenty of security people who hate the fact
that when you're breached, who's the first call you make? Well, it's to your legal team. Why?
Because they're the ones who are going to do everything in their power to limit the amount
that you can get sued on the back end for anything that got exposed, that got, you know,
didn't meet service levels, whatever the heck else.
And that all starts with legal privilege.
There are reporting responsibilities.
Guess who keeps up on what those regulatory requirements are?
Spoiler, it's probably not you who is listening to this unless you're an attorney, because
that is their entire job.
Yes, exactly.
And, you know, work in a highly regulated environment like mine and you realize just how critical that is.
Like, how do I know? I mean, there are times there is this whole discussion of how do you determine if something is a material impact or not?
I don't want to be the one making that. And I'm glad I don't have to make that decision. I'll tell you all the information, but yes, you lawyers, you compliance people, I want
you to make the decision of if it's a material impact or not, because as much as I understand
about the business, you all know way more about that stuff than I do.
I can't say, I can only say, look, this is what it impacted.
These are the, this is the data that was impacted.
These are the potential exposures that occurred here. Please take that information now and figure
out what that means. And is there any materiality to that, that now we have to report that to the
street? Right, right. You can take my guesses on this or you can take an attorney's. I am a loud,
confident sounding white guy. Attorneys are regulated professionals who have, who carry
malpractice insurance. If they give wrong advice that is wrong enough in these scenarios, they can
be sanctioned for it. They can lose their license to practice law. And there are challenges with the
legal profession and how
much of a gatekeep the Bar Association is and the rest, but this is what it has built for itself.
That is a regulated industry where they have continuing education requirements. They need to
certify and attest that certain things are true when they say it. Whereas it turns out that I
don't usually get people even following up on a tweet that didn't come true very often.
There's a different level of scrutiny.
There's a different level of professional bar it raises to,
and it turns out that if you're going to be legally held to account for things you say,
yeah, it turns out a lot of your answers, too, are going to be flavors of it depends.
Imagine that.
Don't we do that all the time?
I mean,
how critical is this? Well, you know, it depends on what kind of data. It depends on who the
attacker is. It depends. Yeah. I mean, that's our favorite word because no one wants to commit to
an absolute and nor should we. I mean, if we're speaking in hyperbole and absolutes, boy, we're
doing all the things wrong in cyber.
We got to understand like, hey, there is nuance here. That's how you run. No business runs on
absolutes and hyperbole. Well, maybe marketing sometimes, but that's a whole other story.
Depends if it's done well or done terribly.
Right, exactly. Hey, you can be unhackable. You can be breach-proof.
Oh, God.
What's your market strategy?
We're going to paint a big freaking target in the front of the building.
I still don't know how Target, the company, was ever surprised by a data breach that they had when they have a freaking bullseye as their logo.
It's like, talk about poking the bear.
But there we are.
I don't know.
I mean, hey, that was so long ago.
It still casts a shadow.
People point at that as a great example of like, well, what's going to happen if we get breached?
It's like, well, look at Target because they wound up like their stock price a year later was above where it had been before.
And it seemed to have no lasting impact.
Yeah, but they effectively replaced all of the execs.
So, you know, let's have some self-interest going on here by named officers of the company.
It's, yeah, the company would be fine.
Would you like to still be here when it is?
And how many lawsuits do you think happened
that you never heard about
because they got settled before they were filed?
Oh, yes.
There is a whole world of that.
And that's what's really interesting
when people talk about like the cost of breach and stuff.
It's like, we don't even know.
We can't know because there is so much of that.
I mean, think about any organization that gets breached.
The first thing they're trying to do is keep as much of it out of the news as they can.
And that includes the lawsuits.
And so, you know, it's like, all right, well, hey, let's settle this before you ever file.
Okay, good.
No one will ever know about that.
That'll never show up anywhere.
It doesn't even show up on a balance sheet anywhere, right?
I mean, it's there, but it's buried in big categories of lots of other things.
And how are you ever going to track that back without, you know, like a full-on audit of
all of their accounting for that year. Yeah. It's so it's always, I always kind of laugh
when people start talking about that and they want to know what's the average cost of a breach. I'm
like, there's no way to measure that. There is none. It's not cheap. And the reputational damage
gets annoying. I still give companies grief for these things all the time. Cause it's again,
the breach is often about information of mine that I did not consciously choose to give to you. And the, oh, I'm gonna blame
a third-party process. No, no. You can outsource work but not responsibility. You can't share that one.
Third-party diligence, that seems to be a thing. Um, you know, I think we're supposed to make sure
our third parties are trustworthy and doing the right things too, right? Right. I mean, the best example I ever saw.
That was an article in The Wall Street Journal about the Pokemon company where they didn't name the vendor, but they said they declined to do business with them in part based upon their lax security policy around S3 buckets.
That is the first and so far only time I have had an S3 bucket responsibility award engraved and sent to their security director.
Usually it's the,
it's the ignoble prize of the S3 bucket negligence award.
And there are also many of those.
Oh, and it's, it's hard, right? Because you're standing there. I mean,
I'm in that position a lot, right?
You're looking at a vendor and you've got the business saying, God,
we want to use this vendor. All their product is, is great.
And I'm sitting there saying, but oh my God, look at what they're doing.
It's a mess. It's horrible. How do we get around this? And that's where you just have to kind of,
I wish I could say no more, but at the end of the day, I know what that does. That just,
okay, well, we'll go file an exception and we'll use it anyway. So maybe instead we sit and work on how to do this, or maybe there is an
alternative vendor, but let's sort it out together. So yeah, I mean, I do applaud them. Like, that's
great to like be able to look at a vendor and say, no, we ain't touching you because what you're
doing over there is nuts. And I think we're learning more and more how important that is
with a lot of the supply chain. Actually, I'm worried about having emailed you.
You're going to leak my email address when your inbox inevitably gets popped.
Come on.
It's awful stuff.
Yeah, exactly.
So, I mean, it's, we, there's, but like everything, it's that balance again, right?
Like, how do we, how can I keep that business going and also make sure that their vendors,
so that's where it just comes down to like, okay, let's talk contracts now. So now we're back to legal.
We are. And if you talk to a lawyer and say, I'm thinking about going to law school,
the answer is always inevitably the same. No, don't do it. And making it clear that that is
apparently a terrible life and professional decision, which of course brings us to your
most recent terrible life and professional decision.
As we record this, we are reportedly weeks away from you having a physical copy in your hands of a book.
And the segue there is because no one wants to write a book.
Everyone wants to have written a book.
But apparently, unless you start doing dodgy things and ghostwriting and exploiting people and the rest. One is a necessary prerequisite for the other.
So you've written a book.
Tell me about it.
Well, first of all, spot on.
I mean, I think there are people who really do like enjoy the act of writing a book.
Oh, I don't have the attention span to write a tweet.
People say, oh, you should write a book, Corey, which I think is the code for them saying
you should shut up and go away for 18 months.
Like, yeah, I wish.
Writing a book has been the most eye-opening experience of my life.
And yeah, I'm not 100% sure it's one I'll ever, I've joked with people already.
Like I'll probably, if I ever want another book, I'll probably hire a ghostwriter.
But no, I do have a book coming out, Cybersecurity Career Guide.
You know, I looked at this cyber skills gap, blah, blah, blah, blah, blah. We hear about it. Four million jobs are going to be left open, whatever. Great. Well, then how come none of these college grads can get hired? Why is there this glut of people who are trying to start careers in cybersecurity and we can't get them in?
We don't have six months to train you. So we're going to spend nine months trying to fill the role with someone experienced.
Exactly. So 2020, I did a bunch of research into that because I'm like, I've got to figure this out. Like, this is bizarre. Why? How is this disconnect happening? I did, you know, some surveys. I did some interviews. I did some open source research, ended up doing a TED talk based off of that, or TEDx talk based off of that. And ultimately that led into this book.
And so, yeah, I mean, I just heard from the publisher yesterday, in fact, that we're like in
that last stage before they kick it out to the printers. And then it's like three weeks and I
should have physical copies in my hands.
I will be getting one when it finally comes out. I have an almost, I believe, perfect track record of having bought every book that a guest on this show has written.
I appreciate that.
Although, God help me, if I ever have someone who's like, "So what have you done?" "I've written 80 books." Well, thank you, Stephen King. You're going to see this number on the revenue from Orbit at this point with that many.
But yeah, it's impressive having written a book.
It's, I mean, for me, the reward is already there, because there are a lot of people who've...
So my publisher does a really cool thing. They call it early access or electronic access program.
And where there are people who bought the book almost a year ago now, which is kind of,
I feel bad about that, but that's as much my publisher as it is me.
But where they bought it a year ago and they've been able to read the draft copy of the book
as I've been finishing the book. And I'm already hearing from them, like, you know,
I'm hearing from people who really found some value from it and who, you know, have been
recommending it to other people who are trying
to start careers and whatever. And it's like, that's where the reward is, right? Like, it's hell writing a book. It was 10 times worse during COVID. You know, my
publisher even confirmed that for me, like, look, yeah, you know, authors around the globe are
having problems right now because this is not a good environment conducive to writing. But yeah, I mean, it's rewarding to
know that like, all right, there's going to be this thing out there that, you know, these pages
that I wrote that are helping people get started in their careers, that are helping bring to light some of the real
challenges of how we hire in cybersecurity and in tech in general.
And so that's the thing that's going to make it worthwhile.
And so, yeah, I'm super excited that it's looking like we're mere weeks now from this
thing being shipped to people who've bought it.
So now it's a race whether this gets published before the book does.
So we'll see.
There is a bit of a production lag here because, you know,
we have to make me look pretty, and that takes a tremendous amount of effort.
Oh, stop.
Come on now.
But it will be interesting to see.
Like that would actually be really cool if they came out at about the same time.
Like, you know, I'm just saying.
Yeah, we'll see how it goes.
Where's the best place for people to find you if they want to learn more? About the book or in general?
Both. Links will of course be in the show notes. Let's not kid ourselves here.
The book is real easy. Go to Alyssa, A-L-Y-S-S-A, back here behind me for those of you seeing the
video. I can't point the right direction. There we go. That one. A-L-Y-S-S-A dot link, L-I-N-K
slash book.
It's that simple. It'll take you right to Manning's site.
You can get in if you're still in that early access program.
So if you bought it today, you would still be able to start reading the draft versions of it.
If you want to know more about me, honestly, easiest way is find me on Twitter.
You can hear all the ridiculousness of flight school and barbecue and some security topics, too, once in a while.
But at Alyssa M underscore InfoSec.
Or if you want to check out the website where I blog every rare occasion, it's AlyssaSec.com.
And all of that will be in the show notes.
There's a lot.
I'm looking forward to seeing it, too.
Thank you so much for taking the time to deal with my nonsense today. I really appreciate it.
Oh, that was not nonsense. Are you kidding me? This was a great discussion. I really appreciate it.
As have I. Thanks again for your time. It is always great to talk to people smarter than I am,
which is, let's be clear, most people. Alyssa Miller, BISO at S&P Global. I'm cloud economist Corey Quinn,
and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star
review on your podcast platform of choice or smash the like and subscribe button if this is on the
YouTubes. Whereas if you hated the podcast, same thing, five-star review, platform of choice,
smash both of the buttons, but also leave an angry comment either on the YouTube video or on the podcast platform saying that this was a waste of your time and what
you didn't like about it because you don't need to read Alyssa's book. You're going to get a job
the tried and true way by printing out a copy of your resume and leaving it on the hiring manager's
pillow in their home. If your AWS bill keeps rising and your blood pressure is doing the same,
then you need the Duckbill Group. We help companies fix their AWS bill by making it
smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations
to your business and we get to the point.
Visit duckbillgroup.com to get started.
This has been a HumblePod production.
Stay humble.