Screaming in the Cloud - DevOpsy Security with Jam Leomi

Episode Date: November 10, 2020

About Jam Leomi

Jam Leomi is a penmaker who just so happens to computer. When not found ranting on equality and equity in #infosec and beyond on Twitter, they're found doing their day job as Lead Security Engineer at Honeycomb.

Links Referenced
Honeycomb
Jam's Personal Blog
Follow Jam on Twitter
Connect with Jam on LinkedIn

Transcript
Starting point is 00:00:00 Hello, and welcome to Screaming in the Cloud, with your host, cloud economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud. and various silos. New Relic wants to change that, and they're doing the right things. They're giving you one user and 100 gigabytes a month completely free.
Starting point is 00:00:50 Take the time to check them out at newrelic.com, where they've done away with almost everything that we used to hate about New Relic. Once again, that's newrelic.com. This episode has been sponsored in part
Starting point is 00:01:04 by our friends at Veeam. Are you tired of juggling the cost of AWS backups and recovery with your SLAs? Quit the circus act and check out Veeam. Their AWS backup and recovery solution is made to save you money, not that that's the primary goal, mind you, while also protecting your data properly. They're letting you protect 10 instances for free with no time limits, so test it out now. You can even find them on the AWS Marketplace at snark.cloud slash back it up. Wait, did I just endorse something on the AWS Marketplace? Wonder of wonders I did. Look, you don't care about backups, you care about
Starting point is 00:01:46 restores. And despite the fact that multi-cloud's a dumb strategy, it's also a realistic reality. So make sure that you're backing up data from everywhere with a single unified point of view. Check them out at snark.cloud slash back it up. Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Jam Leomi, lead security engineer at Honeycomb. Jam, welcome to the show. Thank you so much, Corey. So I want to start by thanking you for taking over the guest authorship of the newsletter, well, this week when this gets aired, but at the time we're recording this, you haven't actually done it yet. So it's great to sit here and thank you now for a thing that you haven't done yet, but everyone listening to will have already been aware of because yeah, time is weird and is no longer linear like anything else in 2020.
Starting point is 00:02:39 I mean, what is time? Exactly. It's such a good year so far, and it's just getting better all the time. So let's begin at a high level, I suppose. Who are you? What do you do? What's your story? So what am I? I am a black, genderqueer, security-turned-ops-turned-security-engineer.
Starting point is 00:03:07 Interesting. As far as the ops turned security engineer, very often it feels like the common path in tech is the opposite direction, where it's, oh, I'm going to do security, and then, you know what? It turns out that I don't like aspects of the job, and people want to often broaden out into other arenas. So it feels to me, at least historically, that most folks go security to ops. Counterpoint,
Starting point is 00:03:30 that's also the path I took. So there's a heck of a selection bias here. Yeah. But well, also for me, like you have to realize that most security people don't actually start off in security. I think I'm the exception because my degree was in security, but I couldn't find a job in security. So I had to do something else. There's an almost unfortunate tendency that I see a lot, which is that people who get a degree in something believe, because they are told, let's not mince words about that, that, oh, what your degree in is now going to define what you do in terms of your career. It's going to set your trajectory. So then we are basically asking a bunch of 18-year-olds, in the common case, to, yeah, figure out what you want to do with your life.
Starting point is 00:04:30 I'm damn near 40 and I don't know what I want to do with my life yet. So it feels like it tricks people into believing they have to go a certain way. Oh, but I was smart about it though. So the reason I went into security was specifically because the security degree program that I was a part of taught me so many things. So I was like, well, if security doesn't work out, I can always jump into something else in technology. Like I went in as an 18-year-old thinking about this. That must've been nice. I mean, I was never an academic. I am effectively someone who graduated from high school through an unaccredited organization. So on paper, I have an eighth grade education. And this gets back on some level to what you said in the beginning with your introduction, that you are a black genderqueer ops turned security engineer. I am a cishet white guy and society is built in such a way that it takes people like me and always picks us up and dusts us off whenever we stumble, as if I'm somehow entitled to take up as much space as I possibly want.
Starting point is 00:05:31 And that's a travesty, because on some level, don't you kind of want everyone to be able to have that freedom to experiment, freedom to fail, alternate paths to success rather than prescribed ones? It just, I'm sorry, there's so much about society and the way it is structured that I do not pretend to understand. Yeah, I'm in the same boat with you. And I wish I had answers to that. There are definite answers when we talk about white male privilege and the patriarchy and things like that. But I'd rather focus on, while there definitely is pain in the industry from being a Black, genderqueer, female-presenting person, especially female-presenting, I think it's also prepared me to always try to seek options. And it's a blessing and a curse for me to be always kind of thinking ahead
Starting point is 00:06:26 and risk managing. And this is almost certainly made no easier whatsoever now by the fact that it is 2020 and so much has changed in a relatively short period of time. I feel like if there were a time warp and one of these podcast episodes slipped through to just a year ago, what the hell are you talking about? And here we are now working in a time of COVID where everyone is more or less trapped at home, except to be honest, some of the worst people in the world and everything has changed. It's sort of a weird segue here, but it's a weird year. During the course of this entire event, you've started working at a new job. You have effectively, as have the rest of us, tried to find a new normal. What has your experience of working in tech been like during these changes? How has COVID life changed our industry? I think COVID life has changed. It's changed our industry, but I don't know how it's going to suss out. Right now, there's the obvious thing of pretty much we have everybody working from home right now. So that can be kind of an isolating change. Some people are working
Starting point is 00:07:40 with children, which that can be also a change and a change of dynamic of managing energy. But for me personally, it's been slightly isolating. Usually I'm used to working remotely, but I'm used to being able to go to the cafe and work there or go to a co-working space. And so now I'm having to think up ways to manage the normal ways I get connection through different avenues, whether it's making phone calls, making more use of Zoom calls, or just trying to, in the most safest way possible, because, you know, your sanity is needed, trying to find ways to socially distance and socialize as well. It really has turned an awful lot on its head. What I'm trying to figure out is at some point,
Starting point is 00:08:28 a new normal is going to hit, regardless of what that looks like. And we're not going to be in pandemic stages forever. What's going to go back to the way it was? And what's going to be, I guess, forever changed? Well, my hope is that the pool for employment in tech and the equity in tech changes to not just be on the coast and be more across the boards available to everyone. Now, that could have negative consequences.
Starting point is 00:09:06 That could mean less people in cities and more rural areas, though I think rural areas should have a shot too. Like, I come from Kentucky, which, like many states, I came from a city, but I was also surrounded by rural communities, and I grew up around, have friends from rural areas. So I want them to have a shot just as much as I do. And many of the times they don't, or you have to tell these people, hey, we want you to move halfway across the country away from your support systems, family, friends, and just get adjusted and come work for us. And I feel like people shouldn't have to make that decision in order to make a living or in order to follow their dreams or their heart.
Starting point is 00:09:51 That is one of the most aspirational answers to that question, because usually people tend to go in a direction of, well, I don't know if tech conferences are going to have quite as much swag anymore. You're talking about making tech entirely more accessible to folks who, for example, might not live in eight square miles of an earthquake zone and calling it disruption. There's something to be said that is incredibly valuable for finding folks who have gone through alternate paths to get to where they are now. It winds up providing a diversity of experience, and that is incredibly valuable. As it turns out, maybe that sum totality of human existence isn't embodied by a bunch of people who went to Stanford together, just as a random shot in the dark. Yeah. Again, this is like in terms of there's many conversations in making tech more equitable and making businesses more equitable. And it just can't be in specific places.
Starting point is 00:10:47 Yeah, I'd say that one of the saddest days for San Francisco was when you moved away. To give a little insight back into, I guess, how long we've been talking to each other, I remember back in 2016 when I was running a DevOps team at my last quote-unquote real job, and you interviewed for a role. And you were a terrific candidate. We extended an offer, and you were on the fence between this role and another job. And you and I went out and sat down and talked for a while, and at the end of it, my recommendation that I stand by was that you take the other offer.
Starting point is 00:11:24 And you did. And when I tell people versions of that story, there's always two different responses. One is, well, yeah, of course that's what you do. And the other response is, wait, you did what? And I've never understood people who take the second perspective. Yeah, simply because, especially in this day and age, we're no longer in an era where somebody stays at their job until they retire at the age of 50 or 60. You are constantly, especially in the startup world, you're constantly moving jobs because for some people, especially who look like me, you have to do that in order to get ahead. So on that same vein, tech is small. People know each other. So like it behooves you,
Starting point is 00:12:14 especially as a manager and a leader to have good relations, even if the choice is not going to be beneficial to you. It's funny that you mentioned this idea of being more mobile in our careers and life extending beyond the next job. But it's amazing how everyone loves to pretend that in job interview stories that, oh yeah, now the average tenure in tech is of course 18 to 24 months. But once you start here, you're going to work here for 25 years. You're going to wind up leaving with a pocket watch and a pension. And it's this ludicrous fantasy. We'd even take it a
Starting point is 00:12:52 step further where the stories we tell about someone leaving unexpectedly are always, they get hit by a bus, the bus factor. Great. How about someone else offers them a 30% raise somewhere else that's aligned more directly with what they want to be doing? Because, spoiler, I've had a lot more colleagues leave because of a better offer than ever got hit by a bus. Yeah. I'm also trying to wonder, who are you talking to that are offering pocket watches and lifetime? 'Cause I've never heard of such a company. Oh, they're all over the place in the 1960s, which is where a lot of that interview advice seems to have come from. It's, oh, you want to go ahead and get a job? It's easy. Just walk in the front door, have a firm handshake and ask for a job. Be sure to call the boss, sir.
Starting point is 00:13:40 What if the boss isn't a man? I have no idea what you're talking about. It's this old-timey advice where you expect every video of it to be in crackly audio with black and white, where it's this ancient 1940s approach. Ugh. No, thank you. Yeah, pensions are also hilarious fantasies that are gone. Yeah. And just, I feel like a lot of the humanity, not to say that there was any humanity back in the 1940s. There was probably some for some people more than others.
Starting point is 00:14:15 But I feel like even more so now there's kind of less of it because you're talking to a person who's been through two recessions already and also been through the Enron scandals as well, as well as many other scandals related to misuse of funds. Oh yeah. I love the idea of, oh, just put your entire retirement in your company stock. It'll be fine. What I always love is finding people who give that type of advice and talk about how, oh, I work at Google or I work at Amazon and, oh, all of my retirement is invested in my company's stock. And, well, that seems to be centralizing an awful lot of risk on that company doing well. And they'll come back with a whole suite of answers about this. And I see where they're coming from. They're arguing
Starting point is 00:15:02 in good faith. The counterpoint is that everything that they're saying, without exception, could have been said by an Enron employee right before the collapse. Now, for legal and moral reasons, I do want to point out that I'm not insinuating that Google and Amazon and the rest are fraudulently lying to everyone, that they're falsifying audit information, etc. My point is not that they're engaged in malfeasance, but rather that you never know what the future's going to hold for any given company and nothing lasts forever. So decentralized risk. But, oh, does that rub some people the wrong way?
Starting point is 00:15:35 Yeah, and it's also just like you want to make sure you're very diverse about your company. You kind of want to be diverse about your stocks. Like, don't have all your things in one pot or your investments in one pot. That's like something I've even got from my financial advisor. Oh, yeah.
Starting point is 00:15:54 I should probably disclose this. I don't do it quite often enough. Everything I own in equities is part of a broad-based index fund. The single exception to that, I own six shares of Amazon stock that I've held for years and will continue to hold indefinitely, not because I view this as a long-term financial play,
Starting point is 00:16:15 but rather one day I will manage to shitpost via shareholder resolution. Wait for it. It's going to be amazing. I just need to find the joke worth doing it for. That is so great. You know, we all need stretch goals, and that's one of mine, because I make terrible life choices.
Starting point is 00:16:32 Oh, no, you don't. So tell me a little bit more about your path. You're one of those folks that I get to catch up with from time to time, and I love every chance that we get to sync. But it always seems like there's a lot to catch up on. Where did you first enter tech, and where did you go from there? So I first entered tech, it's funny, I entered, if we want to say when I entered tech, it was when I was probably about 12 years old. I joined a computer club at school. It was a
Starting point is 00:17:04 program that I was a part of until I graduated from high school called the Student Technology Leadership Program. And from there, I learned a whole lot about computers. This was back in the day when computers were starting to become a thing. And I really started the journey of doing more technical work when I was in high school and they were taking computers apart at the high school that I wanted to go to. And I was like, I want to do that. And so that kind of started me on my, my journey of doing more deep dives into technical things. One of the, I guess, strange things that I found is that when I talk to folks who've been in the space for a while, they always come from something into a new area, and then we have conversations around these things. the sysadmin ops story. And those jobs, for better or worse, seem to be drying up as more and more things move in a cloudy type direction. So I find myself spending an awful lot of time wondering and
Starting point is 00:18:13 having conversations about the topic. Where does the next generation come from? Where does the next series of cloud folks wind up originating from? Because the terrible answer to this is, we're just going to wait until the cloud providers start sponsoring public school curricula, and then they're going to start teaching eighth graders how to wind up spinning up elastic beanstalk or God knows what. And I don't think that's the answer anyone wants,
Starting point is 00:18:40 and I'm hoping people have better ones. I don't think it's going to come from the children's. I think it's coming from the people who are entering the industry from other places. Like one thing I kind of have an issue with is so many of these big companies are like, well, we don't have a pipeline, so we're just going to push it to the children, push it to the children, push it to the children. Meanwhile, I'm seeing so many people being like, man, tech is paying some money. So I'm going to transition into that. And you have so many of these people either transitioning into support roles or transitioning from support roles and trying to get higher up from different
Starting point is 00:19:19 industries in the past five years. And so I think those people are going to tell us what is next. I don't think we have to wait for the kiddos to get, you know, 10 years in and be the next generation. I think we already have some of those people here, and I think they're going to push the needle and tell us what's next. I sure hope that you're right. There's a definite hope that I have that this is going to turn into something that's, I guess, lasting and transformational. And I don't like the idea that, oh, so the only way to now get into this space is to stop doing whatever you were doing before,
Starting point is 00:19:58 whatever it might be, and then go to a boot camp. Possibly a boot camp then winds up doing an income repayment and they'll send you straight to collections if you're unable to pay. And almost these predatory for-profit institutions that tend to not, I guess, really be focused on outcomes other than making money for investors.
Starting point is 00:20:18 And I worry that there's going to become this, I guess, artificial gatekeeping story where you need to either have a degree or go to a boot camp. For someone who was able to talk their way past not having either of those things, because, well, honestly, look at me, I'm incredibly overrepresented in this space, that path is not available to everyone,
Starting point is 00:20:38 and it makes the existing biases that we have in this space worse, not better. Yeah, and I feel like the bootcamp thing is kind of changing because what I am seeing, and this is something I saw a few years ago, you're starting to see people who have degrees going into bootcamps. And I think universities are starting to notice because these universities are now trying to create boot camps as well. I don't know whether it is to get in on that money or whether it's trying to do some more career extensions to their already vast portfolio.
Starting point is 00:21:17 But I think that's something that's kind of helpful, too, especially as the traditional idea of degrees, especially in the land of COVID, is going to go in a completely different direction. This episode is sponsored in part by our friends at Linode. You might be familiar with Linode. I mean, they've been around for almost 20 years. They offer cloud in a way that makes sense, rather than a way that is actively ridiculous by trying to throw everything at a wall and see what sticks. Their pricing winds up being a lot more transparent, not to mention lower. Their performance kicks the crap out of most other things in this space, and my personal favorite, whenever you call them for support, you'll get a human who's empowered to fix whatever
Starting point is 00:22:00 it is that's giving you trouble. Visit linode.com slash screaminginthecloud to learn more and get $100 in credit to kick the tires. That's linode.com slash screaminginthecloud. I want to be very clear, because I've been unclear on this in the past. I am not in any way, shape, or form saying that a degree does not hold value, that if you have a degree, you've made a poor decision, or even that degrees are not absolutely necessary for some roles. What my position is and remains is that it's not going to work for everyone.
Starting point is 00:22:38 And having a prescribed path for many roles that artificially requires a degree is not doing anyone any particular service. Now, if I'm going to hire an attorney or I need an anesthesiologist, yeah, I have some degree requirements for those people. That is not really the type of role that lends itself to, I'll figure it out as I go. How hard could it be? Yeah. I think the only reason that I myself have a degree is that as a black person, that is the only way that I can get my way into the door. Or at least that was the only way I could get my way into the door 10 years ago.
Starting point is 00:23:18 I think bootcamps are slowly changing that to give people the experience and the street cred to do that. Do I want it to go away? I hope so someday. And I hope that we can get back to a way of having people do more apprenticeships, kind of do the old school, old school way of having people try out jobs and learn skills. But until we get to that point, because again, we're still trying to think about more equitable ways. And unfortunately, the people making the decisions, the gatekeepers, do not look like me. Until that changes, we're working with what we have. One of the best descriptions that I've ever heard for helping break down those gates and making things more accessible comes from Stephen O'Grady over at Redmonk. And it's, send the elevator back down.
Starting point is 00:24:13 That mindset is how I try to live my life. I mean, the reason that I have a career at all is that people who had no requirement to do so did favors for me when they didn't have to. And you can't ever repay that. You can only ever pay it forward. And I try mightily sometimes with mixed success to wind up doing that. And I hope I get it right more than I get it wrong. But what I don't understand is the people with the attitude of, well, screw you. I got mine. Yeah. I don't get those people either, but our industry is kind of saturated with that. But at the same time, it's slowly changing from the past 10 years when I felt like I saw that. There's still like beacons of people like Jennifer Davis, who helped mentor me and was a sponsor for me, as well as other people in the
Starting point is 00:25:06 industry who I feel like have kept me on a good path, especially in security, like Kirsten Breger. I absolutely love her. And she's one of my favorite Black female security people. And I admire her so much. But just to be able to talk with those people and really get their wisdom and stuff is super helpful. So I'm glad for her as well as you, Corey. Oh, please. I did a remarkably small amount of work until somewhat recently in any of this. I'm learning as I go, like anyone else. It's one of those looking back moments where it's, huh, I could have done a lot more than I did and I feel bad about it. All you can really do, unless you have somehow the ability to change the past, is do better
Starting point is 00:25:49 moving forward. I think that's something that people often give up on, where it's, oh, I didn't do such a good job in the past. Well, too late to fix it now. Oh, well, and nothing ever changes. Yeah, and I think that's the thing about time, which has no meaning in 2020. There's always hope for moving forward and always changing things. And I think people was more kindness in the accountability. I can understand why some reasons why you can't have the kindness, because there's so many people who are hurt and there's so much trauma everywhere. I'm a person with PTSD. So like, I understand how triggering it can be. And I have hope that it can change to a place where, you know, you can have more empathy. I sure hope so. I mean, one of my greatest fears is that when we look back at this recording in a few years, we don't look at this through a lens of, oh yeah, that was a dark time in our history, but instead, oh yeah, those were the good old days. That's what scares the hell out of me.
Starting point is 00:27:01 Oh, look how naive we were. We didn't even know about the comet yet. Corey, don't, like, don't do that. Don't put that juju on people. Like, come on, man. So back when you were applying for your current job, what were you looking for? What was it that mattered to you from a, I want to work with these people or that company or that technology perspective? So for me, it was actually funny because when I first decided to take a break after my last job, my plan was, okay, I'm going to take a break and then I'm going to come back out and I'm either
Starting point is 00:27:43 going to see if I can work for a VC firm and see if I can do like security advising for them because I wanted to do more of a leadership role in that or I wanted to do some consulting. And at first I did actually look into that. And one of the final companies that I worked for was a consulting firm. It was between a consulting firm and the place that I work now. But the reason why my current job worked out is that for two reasons. One, I always love working at places with cool products and Honeycomb had a really, really cool product and idea that I wanted to dive more into. And the second thing is, is that I love working with cool people and Honeycomb had all the cool people. I really admire all the people who work
Starting point is 00:28:33 there. I admire all of my coworkers. They're awesome people. And I think that is what attracted me there on top of the fact that there was the third thing, which is there was the opportunity for leadership experience and security and growth there, which I don't think I would have gotten in consulting. Wholeheartedly agree. Honeycomb is a fantastic company. Let's not kid ourselves here. And of course, in the interest of full disclosure,
Starting point is 00:29:02 they've been a good recurring sponsor for a lot of my nonsense, but they're also a reference client for my consulting business. So even if I didn't like all of you folks, I think at this point I'm contractually obligated to lie about it. I kid. I love what you folks do. I think there's a tremendous value to the industry across the board in about four different axes. And it's hard for me to think offhand of a company with a better internal
Starting point is 00:29:25 culture. Yeah, that is super, super true. I wish I could digress into it, but I can't. No, I completely understand that. But yeah, since I've joined, I feel like I've really been able to make a mark and some impact and really just challenge myself in new and different ways. So I'm excited to see where my career goes from here. I am too. I look forward to our next recording where we wind up catching up on, oh, here's the changes since the last time.
Starting point is 00:29:57 So talk to me a little bit about why a company like Honeycomb, who does observability and or yelling at people for saying don't deploy on Fridays, depending on your taste, hires a lead security engineer. Judging by everything else I see in the industry, security is this thing you bolt on after the fact and apologize for while saying how much of a priority it was, even though it clearly wasn't. How does an observability company need a security engineer? Well, here's the thing about technology right now. In the past 10 years, it has changed in that most startups need to, side note, this is my personal opinion and not the opinion of my company,
Starting point is 00:30:40 end side note. But for a whole lot of startups that I've seen, a lot of them are, you know, selling to enterprise customers and enterprise customers have that requirement called compliance. And they have certain compliance standards that they need in order to have you as a vendor. And so we're starting to see more companies who are trying to market to these big money enterprise customers. And they are needing security people to get the work done because it is becoming a thing where at some point you just can't bolt it on. Like you have to have a security person in the room doing the work and telling you, okay, maybe you should do this differently so we can stay secure instead of doing the very, very security risky thing, for lack of a better term. Increasingly, it seems like the security risky thing is not hiring security folks.
Starting point is 00:31:36 And I guess my problem with cloud security, and I can very rarely bring this up on the podcast when I'm talking to folks who work for one of the cloud vendors, is that they take a simple concept such as the idea of the services themselves are basically secure 99 times out of 100 or more. Any mistake is going to be something you have misconfigured. But rather than saying that sentiment that fits in a tweet, instead they call it the shared responsibility model, and then they turn it into this 500-word article at an absolute minimum, and an incredibly complicated slide, and it makes people miss the point. Is that just me having no attention span whatsoever, or does it feel like they're overly complicating a relatively basic concept? I think it's they're overcomplicating a very, very simple concept. And at the same time, they don't want to be held liable, which I can understand that. Yeah, good point. I mean, at some point you have deniability and you want to be able to point at something
Starting point is 00:32:38 larger and complex when you're getting yelled at by one of your customers for their own misconfiguration that goes beyond, it's your fault. That is not a helpful sign to point at when someone is screaming at you, as it turns out. Yeah. But at the same time, I do wish that the industry would make things more usable. Oh my God, yes.
Starting point is 00:33:00 Even for beyond, like, one of the things I like about having a more holistic security practice is that I do want to try to be more DevOps-y with it. I do want to try to be more collaborative and not just let security people in, but for other people, for developers and other stakeholders of the business to understand. And sometimes it's super hard to make people understand if they can't see what's in front of them and so much of the tooling that we've had thus far have tried to inch closer and closer to it and I'm starting to see some new players in the game to make that more usable but for some of the bigger providers it is still like man what are you Like, this is such a big space and you
Starting point is 00:33:45 have so much money. You could do some acquisition that's super cool. Like I've seen and been a part of companies with some products of being like, for lack of a better word, Amazon could buy you and stretch their security games so well. But instead I have to do stuff where security is just basically unusable by even security people. Like one example is, and I hope it's changed in the future, is Cognito. I've had so many tussles with Cognito. Oh, don't get me started on that. I really, really hope that by the time this episode gets published, Cognito is better than it is right now, but today it seems almost like it is an incredibly well-executed advertisement for Auth0. Yeah, Auth0 or just some of the other ones
Starting point is 00:34:35 available too, but just, it is, you just want it to be that because it is an integrated service, but it's just, it doesn't do some of the things that you imagine it would do. But it's also like it's, you know, it's Amazon. So it's Amazon, it's free, and all the security shouldn't be up to us, which is a great thing. And at the same time, yeah, I just wish it were better. One other thing that I've never fully understood, one of the most depressing InfoSec experiences I've had was wandering around the RSA Expo floor.
Starting point is 00:35:10 And first, I don't think you're allowed to sell anything legally if you don't have the word firewall somewhere in it. And two, I understand that security is not something you can buy, but holy crap, do a lot of companies want to sell it to me. What's the deal there? I think it's that people know that security is always going to be a need and it's ever encompassing and ever growing. The thing is, just as people have many different ways of engineering, there are also many different ways that people do security because everybody needs it,
Starting point is 00:35:40 but nobody knows the specific security that they want or need. So I think the issue that we run into right now is that because we don't have somebody telling us what the best, or they're telling us what the best should be, people tend to get stuck in their tooling and don't realize until it's too late that it doesn't work for them. Yeah, on some level, you sort of have this dream that if you buy the right tool or hire the right person, suddenly all of these issues go away. But it doesn't. I wish it did, because if there were a product that solved this, I would love to sell it. But it doesn't work that way. And I don't think it ever will, because it's people. It's not always about the tools and it's not about the technology. Yeah, I feel like the view that people should have on tools,
Starting point is 00:36:29 whether they're security or operations, is that it's an extension and support for people to do their best work. And so, especially when evaluating vendor tooling right now, because it comes up in my current job and I also have to keep track of it, you know, for trends to see where the industry is going, both technology wise and security wise.
Starting point is 00:36:50 But when looking at this, you always have to keep the business operations in mind. And I think some security people forget that and jump on, oh, we need the shiny new toy for compliance instead of thinking of, hey, does the shiny new toy match up to our operational goals? It used to be DR if it wasn't compliance, or it used to be, ah, redundancy. There was always a reason to just hurl money at some project or whatnot where you're never done, but depending on the story you tell, you can unlock massive budget. Yeah. So I'd like to think of it in a new way of being like, okay, does this align with our business values?
Starting point is 00:37:32 And is this going to help further our business? And I think security people should keep that more in mind when they're evaluating tools. If people want to know more about you, where can they find you? So if you want to find me, I can be found on Twitter at jamfish728. That's right. We are in fact birthday twins. Yes, we are birthday twins. Way to tell my secret about my handle. And yeah, that's pretty much the only place that I have right now. I'm thinking about maybe restarting my blog up. I have a blog at blog.gm.fish that I haven't updated, but I might update it more because I'm starting to get antsy about doing stuff beyond Twitter. Yeah, that's sort of what pushed me to doing a whole newsletter and blog post
Starting point is 00:38:26 and podcast series and breakfast cereal next, for all I know. There's always the idea of creating more content, but it's a burden because now, oh great, now you have to update it. But regardless, we'll put links to those in the show notes. Thank you so much for taking the time to speak with me today.
Starting point is 00:38:42 I really appreciate it. Of course, Corey. Anytime. Let's do this again soon. Deal. And thanks again for covering me for the newsletter so I can enjoy time with the newborn. Yay!
Starting point is 00:38:53 I want baby pictures. Absolutely. Jam Leomi, lead security engineer at Honeycomb. I'm cloud economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on Apple Podcasts or your platform of choice. Whereas if you've hated this podcast, please leave a five-star review in the same place, along with an angry, ranting comment about how your degree makes you a better
Starting point is 00:39:21 person than me. This has been this week's episode of Screaming in the Cloud. You can also find more Corey at screaminginthecloud.com or wherever Fine Snark is sold. This has been a HumblePod production. Stay humble.
