Screaming in the Cloud - Digital Security for Humans with Jessy Irwin

Episode Date: July 2, 2020

About Jessy Irwin

Jessy is Founder at Amulet. She enjoys the challenge of translating complex cybersecurity problems into relatable terms, and is responsible for developing, maintaining and delivering comprehensive ecosystem security strategy that supports and enables the needs of the people who depend on Tendermint and the Cosmos SDK.

Links Referenced:
https://twitter.com/jessysaurusrex
https://jessysaurusrex.com

Transcript
Starting point is 00:00:00 Hello, and welcome to Screaming in the Cloud, with your host, cloud economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud. Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Jessy Irwin, who today doesn't matter at all what she does today because she used to have the best job title in the universe, Security Empress at 1Password. I just want to let that sink in for a
Starting point is 00:00:44 minute. Jessy, welcome to the show. Hello, thank you so much for having me. So it's got to be challenging to know that when it comes to job titles, you have peaked not just as a person, but for the entire industry a couple years back. And it's all sort of downhill from there. But what are you up to these days? Yeah, I'm sad that I'm no longer the Empress in my previous place, but I actually
Starting point is 00:01:06 have decided that I wanted to set up my own organization to work on security problems. So these days, I'm not sure if I'm technically supreme ruler of the Omnibus universe, but I'm working on my own project where hopefully I can help make security stick better for people. That's my catchphrase, help make security stick better. I like that. You've become famous in small circles, which is, I guess, probably the best way to put people who are big deals on Twitter.
Starting point is 00:01:35 But what's always been interesting to me about your approach to security has been the human-centric piece of it, where it's not about trying to talk about the far future advanced persistent threats, although you certainly can do that, but more along the lines of how you effectively raise the security bar for day-to-day folks.
Starting point is 00:01:56 What got you to focus on that? So this is the part where I get to tell you that majoring in art history in college was basically the best life decision I've ever made. And I'll tell you why. Art history is interesting because you have to study objects and images. You have to be able to do analysis, especially technical analysis. But when you step back, you are looking at objects that represent societies and cultures and lives. And what I remember most about my art history classes and my time as an archaeologist in college is really that people have been engaging in security
Starting point is 00:02:34 behaviors pretty much ever since human settlement started. We've had to protect ourselves from each other and from external threats in so many different ways. And risk management is something we've done long before computers ever happened. Unfortunately, computers make everything easier to do, especially remotely. So the same problems we had a very long time ago, you know, keeping our coin hoards safe, for example, we still have those. And it's easier than ever for somebody who wants to separate you from your identity, your data, something that is valuable or important to you that's online to do that. And I just, I really think that a lot of times the focus is too heavy on the technical side. If we're talking about PGP and ZRTP and we're throwing the alphabet soup together, we're really forgetting the part where, you know, somebody just wants to pay their online power bill or somebody wants to log into their bank account and know that they're not giving another person all of their money or all of their personal information in a way that'll harm them. And I think that's way more important and really the core of what we should be doing
Starting point is 00:03:45 instead of engineering these perfect invisible systems that nobody understands and everyone has to become an engineer to use. And that's always been sort of the weak spot of security. It's not the advanced, super deep dive breaking into things. It's the fact that someone isn't trained and falls for a spear phishing attempt and emails the company payroll to someone.
Starting point is 00:04:07 It's the human side of making it, people entering their credentials into the wrong website. And it always seems like it's never the big stuff. And in the world of cloud, we see this all the time. Whereas you have the S3 bucket negligence story of people failing to secure their S3 buckets and instead exposing company database backups, people's social security numbers, et cetera.
Starting point is 00:04:30 Then you also do see the more advanced attacks, like the one that Capital One was subject to, where there was effectively four or five different misconfigurations that were then chained together in order to result in something kind of neat. But to the outside world, those two things look the same, but they're very much not. It comes down to fixing usability. I've spent an awful lot of time trying and failing to find a legal way to patch humans, and I've never been able to do that. Is this problem ever fixable? Is this something that we're going to continue to see iteration on the human side without getting anywhere? Or is there light at the end of that tunnel somewhere? I'm a little optimistic about this. I hope that after realizing that we can only create so many protocols and so many new whiz bang code things that the code's not the answer is now really starting to hit people
Starting point is 00:05:16 in the face or in the fields or wherever they need to be hit to change their point of view. But ultimately, we have two problems to solve. All security is actually behavioral economics and policy that you have to stick together and align towards a specific outcome. And I think right now, every company is essentially its own little nation state with its own little national security stance, whether they've got a thousand security engineers keeping one of those many numbered threats out of everyone's email in the morning or whether they're a small business down the street. And it's our job to make security into something that is part of your launch checklist or your productivity tool are so normal and so mundane that it's like the cyber equivalent of vacuuming the house. A lot of people refer to what we should
Starting point is 00:06:12 be doing is, you know, setting up cyber hygiene programs. That's cool, but we also need to make sure we are thinking about what the people abiding by those programs or following them would actually need to do. You're going to get realistically 30 seconds of attention from someone. Even on YouTube, someone bounces from a video after 12 seconds if it looks sort of boring. So when you think about this problem overall and this war for attention that we've created with technology, plus all of the new products that come out and all of the sneaky side menus and configurations you have to know, there's always something more to do. And there's always another way to like spend more hours of your life trying to secure something that
Starting point is 00:07:00 you should. It would be nice to just have 10 commandments that we focus on. And for those of us who are in a position to build products and to work with product teams or product managers to just take the core security stuff, put it at the top of the list and get it done with as early as we can so that we're not all having to freak out and become firefighters and incident responders with or without tons of resources. The challenging part that I found across the board with InfoSec as a whole is part of the reason that I've always found you to be such a refreshing voice in the space is that by all perceptions from everything you say online, you have an incredibly rare skill in the InfoSec space,
Starting point is 00:07:47 by which I mean you are not a massive jerk to everyone. There's definitely an asshole problem in the world of InfoSec, and it's something that you have never exhibited that I've ever seen. How is it that it is, first, so difficult to find people who aren't being obnoxious in the world of security? And two, how have you avoided it? I think that everyone has an opportunity and a choice about whether they want to be an asshole or not. I tried really hard not to be a giant one.
Starting point is 00:08:18 But more than anything, an attitude that has been exhibited to me over the past 10 years I've been playing in security and the past seven years where I've had direct jobs in security. There's a lot of gatekeeping going on. I mean, I come from a background with lots of humanities and creativity and writers, and I love that. But ultimately, the world is a better place when we have more people thinking about these problems, not less. And the attitude that I've seen come from the community around security, and a lot of the industry around security has been to use some of the stupidest things you could ever come up with as a way to intimidate someone from taking a first step into learning more or getting interested. Because if you have more people join the community or more people
Starting point is 00:09:12 who aren't like you join the industry, people who've been around the longest or people who feel like they get power from their roles lose that. And I get it. That's scary. But this is a specific problem where we need to be making friends. Like we should be in a land grab to make everybody think that two-factor is the coolest thing on the planet. And we've got to be creative about it. Like instead of two factors of authentication, maybe you need two raptors running after an attacker who's trying to log into your account if they can't authenticate correctly. That's way more fun to think about. But everything is so serious and end of the world all of the time. And I don't know, that just doesn't seem like a group of people I want to
Starting point is 00:09:56 hang out with. And it certainly doesn't seem like the way that we recruit and onboard the entire planet into making better passwords and changing their behavior online. One of the most transformative things I've ever done for my own personal security was getting a password manager that I could just shove everything into and then eventually spending a very long few days at previous jobs when I didn't want to do my actual job of going through and rotating everything to a unique password. The benefit there is I don't have to remember anything except that initial password. And when one place gets compromised,
Starting point is 00:10:29 I now don't have to worry about changing that password everywhere in creation across 400 different websites. What's surprised me is how easy it's been to get other folks who do not spend their lives working in the world of high technology on board with that. Things like Apple supporting password managers natively in iOS, where it just auto-fills from a lot of those apps that are out there has been transformative for an awful number of people.
Starting point is 00:10:52 It definitely demonstrates your point of the tide rising. What's next along that axis? I mean, you can always talk about how to get folks who are deeply technical sorted out, but how do you fix this for, I guess, the people who have, you know, real jobs? Yeah. So this is the hard part. Essentially, we have been very good as technologists at developing broad appeal among our own, but this is actually a consumer branding problem. We have to build a culture around the technology
Starting point is 00:11:22 that we use and we build to make these things that take a lot of extra time on setup cool and fun and worth it. And what that really requires is for us to know our user and to know our audience. The conversation that I have with my 72-year-old dad versus the conversation I have with my 27-year-old little brother. I think he's 27 at least. Those are two totally different conversations. And when I have to talk to them about why this is important, their incentives are hugely different. If you are talking to your family and they can remember a time in your life when you were in diapers, they're probably not going to listen to you very often, especially in technology advice. It's why Thanksgiving and all
Starting point is 00:12:10 the other holidays can be tough when somebody pulls out a phone and wants tech support. But we should be able to tell someone who doesn't want to be an engineer why they should do this. If it's for a mom, more often than not, it's a way to take care of your family. Grandma likes taking care of families too, let me tell you. If you're talking to a student who's never had anything completely terrible happen to them in their life, but you're sending them off to college and they need a plan for taking care of social security cards and identity documents, really important stuff to do, not for right now, but making it about investing in their future
Starting point is 00:12:50 and making sure that no one else can hurt them when they're on their way up in the world and finding their footing. We have to be able to talk to everyone about why all of this technical security stuff is worth it, even when it fails, even when it's a pain in the butt, even when you really just want to reuse that one stupid password because the password manager is not working and it won't generate or fill the right way because some mean developer made your fashion
Starting point is 00:13:16 blog website, you know, completely unusable on mobile. We have to be able to at least incentivize people to do more of the right thing, and maybe not even the right thing all of the time, so that we make continuous progress and we see continuous improvement, rather than trying to get everyone to be perfect at everything at all times for exactly the reasons that we think it's important. Our threat models as technologists are completely different than the threat models of everybody else around us. But often because if you're on a security team, you've seen these advanced threats. Maybe you do get a point of view that the password manager doesn't work because the attacker is going to hack into your operating system and steal the
Starting point is 00:14:00 plain text out of your memory, blah, blah, blah. But that's not a reality most people face, ever. Especially in a world of cloud. I mean, it seems to me that a lot of the best practices, like encrypt everything at rest, that made an awful lot of sense for, for example, your laptop or for your data center, where there have been numbers of stories of people breaking into improperly secured office data centers or driving a truck through a wall and grabbing a rack into the back of it and taking off. Good luck doing that with one of the hyperscale cloud providers. But it's hard to get those edge cases explained across the board. So in many cases, just saying do it all as a best practice seems to be the path forward. It's giving people fewer decision points. If you give people three things to do, they'll generally do them. Give them a hundred, they'll do none of them. Exactly. And something that I see a lot, actually,
Starting point is 00:14:48 so I think too much about this, but when you look at health advice, when you look at wellness advice, sometimes you will run into an article written by a doctor who knows to tell you five things because you're only going to do two. And realistically, one of them will stick within a month of reading an article. Other times, there's a checklist of 283 supplements and things you should be eating and blah, blah, blah. And at the end of the day, what all of these security problems actually boil down to are lifestyle choices in the same way that some of our issues with healthcare are also lifestyle choices. I can talk to a small business owner and ask them security intake questions. And just like any other survey, they're going to tell me all of the nice
Starting point is 00:15:38 answers. When I actually get in to do the work, I'm going to see where, you know, they've done the technical equivalent of having cake for breakfast and fries for lunch and dinner every day. And it's okay. I mean, that's reality. But unfortunately, I think a lot of us are happy to portray an ideal lifestyle. And we don't actually talk about the lifestyles that we actually live on the security front. And again, it sets this impossible standard and it makes it really, really hard when you essentially have people writing fan fiction about the 283 steps they take to secure their home and family, when in reality, it's probably like 15 or 20. And maybe one or two of them, you're a little lax on.
Starting point is 00:16:31 And that seems to be the, I guess, the message that gets lost, where unless you're doing all of these different things, you're going to be in incredible danger. There was a talk I saw once, I wish I could recall who gave it, where it's, there are two threat models to be concerned about, Mossad and not the Mossad. If it's the Mossad after you, you will die.
Starting point is 00:16:46 I think it was James Mickens that may have made this observation, but please correct me if I'm wrong. If it's not the Mossad, well, there are things you can do. It's about raising the bar for what it takes to compromise someone. At some point, if people invest enough resources, they're going to wind up breaking into anything you've got. The question is, what is that bar? If your password is the same thing everywhere, and it's just the word kitty, sometimes an exclamation point at the end,
Starting point is 00:17:08 then maybe you should try and raise what it takes a bit further. But past a certain point, it winds up mattering less and less. Easy example of that would be, I'll ask you this, is there a material difference between whether I have 40 characters in my password or 50? I would say yes, but half of that difference depends on what is going on on the back end of a web service you might be using or server infrastructure and how that's been designed. So maybe you don't actually know as a user and it never comes up to you. On the other end, like maybe it's no because your extra 10 characters are all zeros or they're the same word twice. That's really easily undiscoverable. There's a quality piece there that is really difficult to judge.
Starting point is 00:17:55 There is a numerical difference between the password strength of 40 characters versus 50 characters. But on the other hand, if you're reusing the same word five times to get to 50 characters, maybe it doesn't matter. Maybe there's really nothing there and it's going to get broken easily anyway. This episode is sponsored in part by Chaos Search. Now their name isn't in all caps, so they're definitely worth talking to. What is Chaos Search? A scalable log analysis service that lets you add new workloads in minutes, not days or weeks. Click. Boom. Done. Chaos Search is for you if you're trying to get a handle on processing multiple terabytes or more of log and event data per day at a disruptive price. One more thing for those of you who've been down this path to disappointment before.
Starting point is 00:18:50 Chaos Search is a fully managed solution that isn't playing marketing games when they say fully managed. The data lives within your S3 buckets, and that's really all you have to care about. No managing of servers, but also no data movement. Check them out at chaossearch.io and tell them Corey sent you. Watch for the wince when you say my name. That's chaossearch.io. An argument that I heard once when botnets were on the rise was at some point you have to begin assuming from a security posture that whoever it is that is attempting to break in will more or less have infinite computing resource to throw at this. So the answer starts instead becoming things like two-factor auth, or as you correctly pronounce it, two-raptor auth. Tell me more about that. Yeah, so the main goal of security,
Starting point is 00:19:31 it's not to keep everyone out all of the time. If that's our goal, we're going to fail at it, and we should never take any of these jobs or even bother, quite frankly. But the main thing that's the most important to do from a security perspective, whether you're a farmer 50,000 years ago, or you're the guy holding the keys to the Vatican art galleries, I promise I'm going somewhere with this. It's important to raise the cost of an attack. What's really interesting, especially online, is we figured out that passwords are the weakest link. They're a huge privacy problem. They're a huge security problem. So essentially, we need something else. We all came together and decided that we would make sure every computer on the planet had two velociraptors that were trapped inside.
Starting point is 00:20:17 And in the case of an attacker coming to try to steal your passwords, they'd be unleashed, and they'd go eat his face off. Or at least that's how I like to explain it. In reality, we needed something else. We needed another layer of defense. And the best thing we came up with was, I guess, a rotating six to 10 digit code that lasts for anywhere from 30 seconds to five minutes, that's very hard for an attacker to steal from you or to take away from you, especially if you're using a physical security key that produces those numbers automatically. I kind of joke that with two-factor authentication,
Starting point is 00:20:59 instead of just one password, now we have two, because it is basically a one-time use password in most cases. But we're always going to find that we need to add an extra layer or a something else. It's just a question of how much of something else will our users be willing to sustain and to do? And when should we remove the burden of doing something else from them and integrate it into what we're already building? And that's part of the problem. It's not always about how to build something new and exciting and revolutionary, but how to retrofit that back to real-world problems that people have. Now, that brings us, of course, to blockchain. My argument for a while is that it's a neat technical trick that is struggling to find anything approaching a business model for the past decade that doesn't revolve around speculation or scamming people. Where do you stand on this, given that you actually work with it in capacities that aren't just making fun of it on Twitter? Honestly, I agree with that assessment.
Starting point is 00:22:06 One of my most endless frustrations for the past two years of working in the blockchain space has been watching people pay more attention to coins and their value and their worth versus some of the fun things that we're actually engineering with code. And the hype machine is frankly, incredibly annoying. There's some really interesting things we get to play with in blockchain that I don't think anyone really realizes. We get to play with virtualization. We get to mess with encryption. We get to do all kinds of exciting encoding and decoding things. I feel like in some aspects, there's actually been a huge contribution from blockchain land to web application security, just based on the fact that we offer built-in bug bounty programs for any code holding coin. There's also, non-joking, playing with distributed networks, playing with the concept of decentralization, which really gives security properties like resilience and redundancy to networks, which is really exciting.
Starting point is 00:23:15 But overall, the big disappointment is just watching people try to slap a blockchain on any problem that exists, rather than stepping back and thinking about some of the properties that you can get from what exists or how you can tweak what exists to get something new and refreshing and exciting we haven't really seen before. And that's what's interesting is the idea of exposing new and exciting things that until now we did not have the capability to solve is incredibly promising. And I love the idea. The problem is that so far,
Starting point is 00:23:52 most of those examples revolve around, well, there's no central authority that we can trust. Well, we tend to live in societies where for better or worse, there are parties out there. We don't agree with them personally, they are sovereign entities who are empowered to enforce what they want to do, so you sort of have to trust them. There are stories for removing middlemen from transactions, or middle people from transactions, that tend to be compelling on one level, but in practice, there are a lot
Starting point is 00:24:22 of entrenched interests that are going to fight explicitly against that. I think that rather than looking to necessarily supplant existing structures with a complicated buy-in story, finding new and exciting things that this empowers is probably the right answer, but I see less of that than I would like. I totally agree. Personally, I might not be salty enough to work in security when I say this, but eventually you have to trust something somewhere. There's going to be a root of trust in anything you build, whether it's cryptographic, whether it's reputation based, it's just going to happen. You make the decision to trust or to buy in based on a something somewhere. These things don't develop in a vacuum. So trying to watch people basically deny that trust is required and then go build a
Starting point is 00:25:13 trustless universe has been this Kafka-esque adventure that I've been on. But more than anything, you know, okay, the first exciting application everyone came up with for a blockchain that was sort of meaningful was supply chain, right? who are using blockchains so that when you scan a QR code on a product, you can see where your lettuce was grown and all the facilities that it went through and how it made its way to your table. That's really exciting. Do I know if it requires a blockchain versus a transparency tree? I'm not totally sure, but okay, fine. Keep going with that. I'm totally down with more technologies that can empower transparency, especially in an end-to-end situation for food or medication or agriculture, where the choices we make impact the future of our planet and the health of our bodies. That's fine. But what I think is really being missed in all of this blockchain
Starting point is 00:26:26 cryptocurrency hype is the opportunities we have in some other places. Microsoft has done some incredible work on distributed identity and decentralized identity. There are so many opportunities for, you know, tamper evidence and resilience and even sharding identities that blockchain technology can give people to play with. And especially given how hard identity problems are to solve in security and in computing, it would be nice to see more people besides just Microsoft get laser focused on where the opportunities are and what we could build out of that playground. On the other hand, one of my favorite applications of blockchain has been watching all of these different mesh networking technologies essentially plug themselves into
Starting point is 00:27:19 blockchains and to enable an entirely new decentralized infrastructure for the internet. From a security perspective, you know, watching major protocols get hijacked, you know, watching all of these cloud providers have massive DoS attempts just get thrown at them all of the time. I would love to see more resiliency and more decentralization of our network so that they can be tamper evident and more fault tolerant. But I don't see enough people getting excited about where else we could go with this that has nothing to do with money and more to do with resilience and making sure that we're not just all making these internet companies and these services that are too big to fail. And when they get attacked the right way, they fall over and that's it.
Starting point is 00:28:10 I mean, everyone freaks out when Twitter goes down or Slack goes down or Zoom, by the way, it's like the end of the world. But how cool would it be to say, maybe this internet we've been building since the seventies needs a rethink. Maybe we should play with mesh networking more. Maybe we should think about how we are connecting the rest of the world. And maybe that model doesn't need to look like what we've been doing previously. The most fascinating question is, what do those new models look like? There's a question of, we should build out these new formulas, these new structures, these new approaches. It's just hard to find people that are genuinely doing it. Blockchain has fallen into almost the category of punchline in the same way that AI and machine
Starting point is 00:28:53 learning is, to the point where when I see someone talking about a blockchain-derived, machine-learning-powered, serverless organization, oh, you're trying to scam money from VCs. Why didn't you say so? I know the secret handshake too. And it seems that very little transformative winds up being derived as a result. It winds up, from my perspective, tarring a lot of good faith efforts with a somewhat ridiculous brush. I mean, one of my more obnoxious tweets on this was, if I had somehow come up with a terrific, transformative, legitimate usage for blockchain, I would go significantly out of my way to avoid referring to it as blockchain so that people would take it seriously. It's an ongoing problem in the space to a point where it's almost impossible
Starting point is 00:29:35 to have a serious conversation about it without some subset of the population rolling their eyes and tuning you out. Yeah, this is a problem I've dealt with for the past couple of years. When I went to talk about what I'm working on, I don't use the B word. It's a bad word. In the blockchain industry and in the communities around all of these different coins and network protocols, people double down on that blockchain culture that we've, you know, heard all kinds of stories about, which is really difficult because it's hard to create broad appeal for people who do want to work on some of the engineering problems in the space that are super interesting. On the other side, it would also be great for people to just suspend the jokes for five seconds and think about when we've seen
Starting point is 00:30:25 this behavior before. I remember, what, a decade ago when people started really getting into the cloud, every security person in the planet was just like, oh, it's not the cloud, it's somebody else's computer. Yeah, that is a tired trope at this point. It is. And I think about it this way. The point of security, and I think the point of technology, is supposed to be that we make cool, creative, amazing stuff happen. Even if it's sort of wild and a little nutty, and you have to suspend some disbelief like it's some movie. But on one side, I remember everyone criticizing the cloud out of existence or so they thought. And I remember the race to the bottom for the jokes and, oh,
Starting point is 00:31:12 who's going to use that? I also now look at the environment in the space and I see security engineers pulling their hair out because instead of running to the front lines and trying to figure out how to get involved and how to move things forward and to get security in at the very core, they just made a bunch of jokes and dug their heels in and thought that saying no was going to be enough. And from a security perspective, I think, you know, this is a huge industry problem, but also like you're not going to criticize something out of existence. On the cloud side, like look at the market cap of Google Cloud and Amazon. Look at all of the cloud bills people pay. I think I even pay two different cloud providers right now.
Starting point is 00:31:56 That you know of. Yeah, two that I know of, technically. But I feel like in the blockchain space, not the cryptocurrency part, but the blockchain part, there's billions of dollars hanging out over there. People are funding research and trying to at least have a creative experimental place where we're trying to figure out how to make things better and play around a little bit. When that used to happen, you know, when people did it in their garages in the 70s, it was totally cool. And now it's kind of bad and awful and evil and we shouldn't do it,
Starting point is 00:32:31 and it's a huge joke. I don't quite get it. There's a bit of a disconnect there. I would agree. But I think this also gets to one last point that I want to talk to you about, which is how do you, I guess, evolve the mandate from the way that security currently is from this idea of being top-down, command and control everything, to being something that helps people get further faster? I mean, how many people do you know who wind up effectively having a second computer to run the antivirus suite that their company mandates that they run, and they have something else that they do their actual work on, then copy it over? I mean, it completely defeats the point. So something I think a lot about is how in development environments and in engineering teams, and even among product teams, the cloud coming after us all has essentially changed how security teams have to work with the rest of an organization. Theoretically, I think it's a major failing
Starting point is 00:33:25 that we take all of the riskiest, hardest, most complicated things away from our developers day to day and we shove them onto this team from the side that's usually understaffed and probably under budget and never going to be able to get ahead of an entire organization. And we make it their problem and nobody else has to think about it. That is so wrong because what are we supposed to do? You
Starting point is 00:33:51 know, have a 10-person security team in a 500-person company, essentially, you know, split up and be in charge of enforcing X number of employees across Y things. It's a recipe for burnout. What we have to stop doing is looking at our jobs as control and power and doing the things that are not great. So many security teams that I've interviewed with have said, hey, actually, we're so powerful, we can stop a product release.
Starting point is 00:34:24 And I don't know if that sounds like power or if that sounds like being a jerk, because frankly, if somebody's worked for two years or a year or however long a product cycle takes to ship something and you had no involvement in it, or you had minimal involvement in it, but at the last minute you can throw your foot down and stop it, nobody's ever going to want to work with you again. What we have to get better at doing is building coalitions, making friends, aligning our incentives with one another. And we also a little bit have to get to know the people around us. We can't just all hang out with our hacker buddies at conferences and think that we're
Starting point is 00:35:05 changing the world. We need to go hang out with marketing because they control reputation and reputation is kind of a big deal. It's a huge asset for a company. We need to go hang out with operations. We need to go hang out with finance and all of the critical functions of business who, you know, maybe need IT support or who are going to always be looking for shortcuts because they're understaffed as well. And we have to learn how to advocate for them. We have to learn how to make things easier for them. And we have to not shame the crap out of them if they get something wrong.
Starting point is 00:35:41 Security teams get it wrong all the time. That's why we have all of these issues with data leakage and data breaches from AWS buckets. Yeah, they might get shamed by their colleagues on Twitter, but everybody else is probably too afraid to speak up and to try to advocate for change with them. We have to be better ambassadors and we have to be better at building teams and collaboration or we are going to fail so miserably that at some point it's just going to be too expensive for anybody who's not a company with their own cyber military to actually go online and do business. And that's not okay.
Starting point is 00:36:17 That's not what the internet was for. What's the role of your CISO? Mostly to sit in an office and play with a desk toy until the next data breach, and then they get ceremonially fired and replaced. That's not a viable outcome, even though that seems to be some companies' actual strategy. Most people that I know who have been in a CISO role, especially actually in the blockchain space, they get asked for policy all the time, as if writing down a bunch of rules is going to be what protects you from an attacker who doesn't give a crap about any of your rules. Yes, my primary IDE is PowerPoint. That's usually not the right answer for a lot of these things.
Starting point is 00:36:52 Exactly, exactly. And it's just really unfortunate that, again, we take these people who do security work and we shove them all on one team instead of embedding them or putting them in a position where they can educate and advocate and also, you know, build in technical reinforcements and technical support and monitoring and metrics and visibility. Like the answer isn't to, you know, shove everything into a black box security team. The answer is actually to make the creation process for whatever you're building and whatever your business is more internally transparent so that when an issue pops up, the humans who are good at identifying risk,
Starting point is 00:37:36 security team or not, have a place to go and can voice that because more often than not, someone closest to a business process or closest to critical code knows where the bugs are going to live anyway. And maybe they don't know all of our vocabulary words. Maybe they shouldn't have to go memorize an infosec dictionary to make a point or to surface something.
Starting point is 00:38:00 And that's really the mindset that I think more security people need to have. We shouldn't force everyone into our worldview. We should be able to have someone describe a situation the way that they might describe an ache or a pain to a doctor and work from there to diagnose what's actually going on, not just throw a hissy fit and tell them to stop, I don't know, looking at cats with cheeseburgers on the internet because that's where the malware comes from. I think that it always comes down
Starting point is 00:38:31 to meeting people where they are. I mean, we see it in cloud. We see it across the board with user behavior and these problems aren't getting smaller. They're definitely getting larger. If people want to hear more about what you have to say on this and countless other topics, where can they find you?
Starting point is 00:38:47 I will resume yelling on Twitter again soon about these topics. I've taken a bit of a hiatus because I've been in creative build plans and conquer part of the world again mode. But I blog at my website, jessysaurusrex.com, though I don't do it often. And every once in a while, a cool person will invite me to their podcast and I can rant for a while. Another place to look would be to look for some of the keynotes or talks that I've given at previous conferences, especially if you don't travel for conferences quite a bit. That content, I try to make evergreen and helpful. Thank you.
Starting point is 00:39:28 And I will throw links to that, of course, in the show notes. Jessy, thank you so much for taking the time to speak with me today. I appreciate it. Thank you so much. And don't forget to turn on your two-raptor authentication if you don't have it on already. The dinosaurs will thank you if they are hungry. Jessy Irwin, former security empress
Starting point is 00:39:46 at 1Password. I'm cloud economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on Apple Podcasts. If you've hated this podcast, please leave a five-star review on Apple Podcasts, and then be sure in the comments to leave your date of birth and mother's maiden name. This has been this week's episode of Screaming in the Cloud. You can also find more Corey at Screaminginthecloud.com or wherever Fine Snark is sold. This has been a humble pod production.