Connecting Cybersecurity to the Whole Organization with Alyssa Miller

Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, is the global executive leader for cyber security across the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how security professionals of all levels work with our non-security partners throughout the business.

A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 16 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Vultr. Optimized cloud compute plans have landed at Vultr to deliver lightning-fast processing power, courtesy of third-gen AMD EPYC processors without the IO or hardware limitations of a traditional multi-tenant cloud server. Starting at just 28 bucks a month, users can deploy general-purpose, CPU, memory, or storage optimized cloud instances in more than 20 locations across five continents. Without looking, I know that once again, Antarctica has gotten the short end of the stick. Launch your Vultr optimized compute instance in 60 seconds or less on your choice of included operating systems, or bring your own. It’s time to ditch convoluted and unpredictable giant tech company billing practices and say goodbye to noisy neighbors and egregious egress forever. Vultr delivers the power of the cloud with none of the bloat. Screaming in the Cloud listeners can try Vultr for free today with a $150 in credit when they visit getvultr.com/screaming. That’s G-E-T-V-U-L-T-R dot com slash screaming. My thanks to them for sponsoring this ridiculous podcast.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it’s hard to know where problems originate. Is it your application code, users, or the underlying systems? I’ve got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it’s more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. One of the problems that many folks experience in the course of their career, regardless of what direction they’re in, is the curse of high expectations. And there’s no escaping for that. Think about CISOs for example, the C-I-S-O, the Chief Information Security Officer.

It’s generally a C-level role. Well, what’s better than a C in the academic world? That’s right, a B. My guest today is breaking that mold. Alyssa Miller is the BISO—B-I-S-O—at S&P Global. Alyssa, thank you for joining me to suffer my slings and arrows—

Alyssa: [laugh].

Corey: —as we go through a conversation that is certain to be no less ridiculous than it has begun to be already.

Alyssa: I mean, I’m good with ridiculous, but thanks for having me on. This is awesome. I’m really excited to be here.

Corey: Great. What the heck’s BISO?

Alyssa: [laugh]. I never get that question. So, this is—

Corey: “No one’s ever asked me that before.” [crosstalk 00:03:38]—

Alyssa: Right?

Corey: —the same thing as, “Do you know you’re really tall?” “No, you’re kidding.” Same type of story. But I wasn’t clear. That means I’m really the only person left wondering.

Alyssa: Exactly. I mean, I wrote a whole blog on it the day I got the job, right? So, Business Information Security Officer, Basically what it means is I am like the CISO but for my division, the Ratings Division at S&P Global. So, I lead our cyber security efforts within that division, work closely with our information security teams, our corporate IT teams, whatever, but I don’t report to them; I report into the business line.

I’m in the divisional CTO’s org structure. And so, I’m the one bridging that gap between that business side where hey, we make all the money and that corporate InfoSec side where hey, we’re trying to protect all the things, and there’s usually that little bit of a gap where they don’t always connect. That’s me building the bridge across that.

Corey: Someone who speaks both security and business is honestly in a bit of rare supply these days. I mean, when I started my Thursday newsletter podcast nonsense Last Week in AWS: Security, the problem I kept smacking into was everything I saw was on one side of that divide or the other. There was the folks who have the word security in their job title, and there tends to be this hidden language of corporate speak. It’s a dialect I don’t fully understand. And then you have the community side of actual security practitioners who are doing amazing work, but also have a cultural problem that more or less distills down to being an awful lot of shitheads in them there waters.

And I wanted something that was neither of those and also wasn’t vendor captured, which is why I decided to start storytelling in that space. But increasingly, I’m seeing that there’s a significant problem with people who are able to contextualize security in the context of business. Because if you’re secure enough, you can stop all work from ever happening, whereas if you’re pure business side and only care about feature velocity and the rest, like, “Well, what happens if we get breached?” It’s, “Oh, don’t worry, I have my resume up to date.” Not the most reassuring answer to give people. You have to be able to figure out where that line lies. And it seems like that figuring out where that line is, is more or less your entire stock-in-trade.

Alyssa: Oh absolutely, yeah. I mean, I can remember my earliest days as a developer, my cynical attitude towards security myself was, you know, their Utopia would be an impenetrable room full of servers that have no connections to anything, right? Like that would be wildly secure, yet completely useless. And so yeah, then I got into security and now I was one of them. And, you know, it’s one of those things, you sit in, say a board meeting sometime and you listen to a CISO, a typical CISO talk to the board, and they just don’t get it.

Like, there’s so much, “Hey, we’re implementing this technology and we’re doing this thing, and here’s our vulnerability counts, and here’s how many are overdue.” And none of that means anything. I mean, I actually had a board member ask me once, “What is a CISO?” I kid you not. Like, that’s where they’re at.

Like, so don’t tell them what you’re doing, but tell them why connected back to, like, “Hey, the business needs this and this, and in order to do it, we’ve got to make sure it’s secure, so we’re going to implement these couple of things. And here’s the roadmap of how we get from where we are right now to where we need to be so they can launch that new service or product,” or whatever the hell it is that they’re going to do.

Corey: It feels like security is right up there with accounting, in the sense of fields of endeavor where you don’t want someone with too much personality involved. Because if the CISO’s sitting there talking to the board, it’s like, “So, what do you do here, exactly?” And the answer is the honest, “Hey, remember last month how we were in The New York Times for that giant data breach?” And they do a split take, “No, no, I don’t.” “Exactly. You’re welcome.” On some level, it is kind of honest, but it also does not instill confidence when you’re that cavalier with the description of what it is you do here.

Alyssa: Oh there’s—

Corey: At least there’s some corners. I prefer—

Alyssa: —there’s so much—

Corey: —places where that goes over well, but that’s me.

Alyssa: Yeah. But there’s so much of that too, right? Like, here’s the one I love. “Well, you know, it’s not if you get breached, it’s when. Oh, by the way, give me millions and millions of dollars, so I can make sure we don’t get breached.”

But wait, you just told me we’re going to get breached no matter what we do. [laugh]. We do that in security. Like, and then you wonder why they don’t give you funding for the initiative. Like, “Hello?” You know?

And that’s the thing that gets me it’s like, can we just sit back and understand, like, how do you message to these people? Yeah I mean, you bring up the accounting thing; the funny thing is, at least all of them understand some level of accounting because most of them have MBAs and business degrees where they had to do some accounting. They didn’t go through cyber security in their MBA program.

So, one of my favorite questions on Twitter once was somebody asked me, you know, if I want to get into cyber security leadership, what is the one thing that I should focus on or what skills should I study? I said, “Go study MBA concepts.” Like, forget all the cyber security stuff. You probably have plenty of that technolog—go understand what they learn in MBA programs. And if you can start to speak that language, that’s going to pay dividends for bridging that gap.

Corey: So, you don’t look like the traditional slovenly computer geek showing up at those meetings who does not know how to sound as if they belong in the room. Like, it’s unfair, on some level, and I used to have bitter angst about that. Like, “Why should how I dress matter how people perceive me?” Yeah, in an absolute sense you’re absolutely right, however, I can talk about the way the world is or the way I wish it were and there has to be a bit of a divide there.

Alyssa: Oh, for sure. Yeah. I mean, you can’t deny that you have to be prepared for the audience you’re walking into. Now, I work in big conservative financial services on Wall Street. You know, and I had this conversation with a prominent member of our community when I started the job.

I’m like, “Boy, I guess I can’t really put stickers on my laptop. I’m going to have to get, you know, a protector or something to put stickers on.” Because the last thing I want to do is go into a boardroom with my laptop and whip out a bunch of hacker stickers on the backside of my laptop. Like, in a lot of spaces that will work, but you can’t really do that when you’re, you know, at, you know, the executive level and you’re in a conservative, financial [unintelligible 00:10:16]. It just, I would love to say they should deal with that, I should be able to have pink hair, and you know, face tattoos and everything else, but the reality is, yeah, I can do all that, but these are still human beings who are going to react to that.

And it’s the same when talking about cyber security, then. Like, I have to understand as a security practitioner that all they know about cyber security is it’s big and scary. It’s the thing that keeps them up at night. I’ve had board members tell me exactly that. And so, how do I make it a little less scary, or at least get them to have some confidence in me that I’ll, like, carry the shield in front of them and protect them. Like, that’s my job. That’s why I’m there.

Corey: When I was starting my consultancy five years ago, I was trying to make a choice between something in the security cloud direction or the cost cloud direction. And one of the things that absolutely tipped the balance for me was the fact that the AWS bill is very much a business-hours-only problem. No one calls me at two in the morning screaming their head off. Usually. But there’s a lot of alignment between those two directions in that you can spend all your time and energy fixing security issues and/or reducing the bill, but past a certain point, knock it off and go do the thing that your company is actually there to do.

And you want to be responsible to a point on those things, but you don’t want it to be the end-all-be-all because the logical outcome of all of that, if you keep going, is your company runs out of money and dies because you’re not going to either cost optimize or security optimize your business to its next milestone. And weighing those things is challenging. Now, too many people hear that and think, “See, I don’t have to worry about those things at all.” It’s, “Oh, you will sooner or later. I promise.”

Alyssa: So, here’s the fallacy in that. There is this assumption that everything we do in security is going to hamper the business in some way and so we have to temper that, right? Like, you’re not wrong. And we talked about before, right? You know, security in a traditional sense, like, we could do all of the puristic things and end up just, like, screeching the world to a halt.

But the reality is, we can do security in a way that actually grows the business, that actually creates revenue, or I should say enables the creation of revenue in that, you know, we can empower the business to do more things and to be more innovative by how we approach security in the organization. And that’s the big thing that we miss in security is, like, look, yes, we will always be a quote-unquote, “Cost center,” right? I mean, we in security don’t—unless you work for a security organization—we’re not getting revenue attributed to us, we’re not creating revenue. But we are enabling those people who can if we approach it right.

Corey: Well, the Red Team might if they go a little off-script, but that’s neither here nor there.

Alyssa: I—yeah, I mean, I’ve had that question. “Like, couldn’t we just sell resell our Red Team services?” No. No. That’s not our core [crosstalk 00:13:14]

Corey: Oh, I was going the other direction. Like, oh, we’re just going to start extorting other businesses because we got bored this week. I’m kidding. I’m kidding. Please don’t do an investigation, any law enforcement—

Alyssa: I was going to say, I think my [crosstalk 00:13:22]—

Corey: —folks that happen to be listening to this.

Alyssa: [crosstalk 00:13:24] is calling me right now. They’re want to know what I’m [laugh] talking about. But no—

Corey: They have some inquiries they would like you to assist them with and they’re not really asking.

Alyssa: Yeah, yeah, they’re good at that. No, I love them, though. They’re great. [laugh]. But no, seriously, like, I mean, we always think about it that way because—and then we wonder why do we have the reputation of, you know, the Department of No.

Well, because we kind of look at it that way ourselves; we don’t really look at, like how can we be a part of the answer? Like, when we look at, like, DevSecOps, for instance. Okay, I want to bring security into my pipeline. So, what do we say? “Oh, shared responsibility. That’s a DevOps thing.” So, that means security is everybody’s responsibility. Full stop.

Corey: Right. It’s a—

Alyssa: Well—

Corey: And there, I agree with you wholeheartedly. Cost is—

Alyssa: But—

Corey: —aligned with this. It has to be easier to do it the right way than to just go off half-baked and do it yourself off the blessed path. And that—

Alyssa: So there—

Corey: —means there’s that you cannot make it harder to do the right thing; you have to make it easier because you will not win against human psychology. Depending on someone when they’re done with an experiment to manually go in and turn things off. It will not happen. And my argument has been that security and cost are aligned constantly because the best way to secure something and save money on at the same time is to turn that shit off. You wouldn’t think it would be that simple, but yet here we are.

Alyssa: But see, here’s the thing. This is what kills me. It’s so arrogant of security people to look at it and say that right? Because shared responsibility means shared. Okay, that means we have responsibilities we’re going to share. Everybody is responsible for security, yes.

Our developers have responsibilities now that we have to take a share in as well, which is get that shit to production fast. Period. That is their goal. How fast can I pop user stories off the backlog and get them to deployment? My SRE is on the ops side. They’re, like, “We just got to keep that stuff running. That’s all we that’s our primary focus.”

So, the whole point of DevOps and DevSecOps was everybody’s responsible for every part of that, so if I’m bringing security into that message, I, as security, have to be responsible for site’s stability; I, in security, have to be responsible for efficient deployment and the speed of that pipeline. And that’s the part that we miss.

Corey: This episode is sponsored in parts by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don’t leave managing your database to your cloud vendor because they’re too busy launching another half-dozen managed databases to focus on any one of them that they didn’t build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: I think you might be the first person I’ve ever spoken to that has that particular take on the shared responsibility model. Normally, when I hear it, it’s on stage from an AWS employee doing a 45-minute song-and-dance about what the secured responsibility model is, and generally, that is interpreted as, “If you get breached, it’s your fault, not ours.”

Alyssa: [laugh].

Corey: Now, you can’t necessarily say it that directly to someone who has just suffered a security incident, which is why it takes 45 minutes and slides and diagrams and excel sheets and the rest. But that is what it fundamentally distills down to, and then you wind up pointing out security things that they’ve had that [unintelligible 00:17:11] security researchers have pointed out and they are very tight-lipped about those things. And it’s, “Oh, it’s not that you’re otherworldly good at security; it’s that you’re great at getting people to shut up.” You know, not me, for whatever reason because I’m noisy and obnoxious, but most people who actually care about not getting fired from their jobs, generally don’t want to go out there making big cloud companies look bad. Meanwhile, that’s kind of my entire brand.

Alyssa: I mean, it’s all about lines of liability, right?

Corey: Oh yeah.

Alyssa: I mean, where am I liable, where am I not? And yeah, well, if I tell you you’re responsible for security on all these things, and I can point to any part of that was part of the breach, well, hey, then it’s out of my hands. I’m not liable. I did what I said I would; you didn’t secure your stuff. Yeah, it’s—and I mean, and some of that is to be fair.

Like, I mean, okay, I’m going to host my stuff on your computer—the whole cloud is just somebody else’s computer model is still ultimately true—but, yeah, I mean, I’m expecting you to provide me a stable and secure environment and then I’m going to deploy stuff on it, and you are expecting me to deploy things that are stable and secure as well. And so, when they say shared model or shared responsibility model, but it—really if you listen to that message, it’s the exact opposite. They’re telling you why it’s a separate responsibility model. Here’s our responsibilities; here’s yours. Boom. It’s not about shared; it’s about separated.

Corey: One of the most formative, I guess, contributors to my worldview was 13 years ago, I went on a date and met someone lovely. We got married. We’ve been together ever since, and she’s an attorney. And it is been life-changing to understand a lot of that perspective, where it turns out when you’re dealing with legal, they are not—and everyone says, “Oh, and the lawyers insisted on these things.”

No, they didn’t. A lawyer’s entire role in a company is to identify risk, and then it is up to the business to make a decision around what is acceptable and what is not. If your lawyers ever insist on something, what that actually means in my experience is, you have said something profoundly ignorant that is one of those, like—that is—they’re doing the legal equivalent of slapping the gun out of the toddler’s hand of, “No, you cannot go and tweet that because you’ll go to prison,” level of ridiculous nonsense where it is, “That will violate the law.” Everything else is different shades of the same answer: it depends. Here’s what to consider.

Alyssa: Yes.

Corey: And then you choose—and the business chooses its own direction. So, when you have companies doing what appeared to be ridiculous things, like Oracle, for example, loves to begin every keynote with a disclaimer about how nothing they’re about to say is true, the lawyers didn’t insist on that—though they are the world’s largest law firm, Kirkland Ellison. But instead, it’s this entire story of given the risk and everything that we know about how we say things onstage and people gunning for us, yeah, we are going to [unintelligible 00:20:16] this disclaimer first. Most other tech companies do not do that exact thing, which I’ve got to say when you’re sitting in the audience ready to see the new hotness that’s about to get rolled out and it starts with a disclaimer, that is more or less corporate-speak for, “You are about to hear some bullshit,” in my experience.

Alyssa: [laugh]. Yes. I mean and that’s the thing, like, [clear throat], you know, we do deride legal teams a lot. And you know, I can find you plenty of security people who hate the fact that when you’re breached, who’s the first call you make? Well, it’s your legal team.

Why? Because they’re the ones who are going to do everything in their power to limit the amount that you can get sued on the back-end for anything that got exposed, that you know, didn’t meet service levels, whatever the heck else. And that all starts with legal privilege.

Corey: They’re reporting responsibilities. Guess who keeps up on what those regulatory requirements are? Spoiler, it’s probably not you, whoever’s listening to this, unless you’re an attorney because that is their entire job.

Alyssa: Yes, exactly. And, you know, work in a highly regulated environment—like mine—and you realize just how critical that is. Like, how do I know—I mean, there are times there’s this whole discussion of how do you determine if something is a material impact or not? I don’t want to be the one making that, and I’m glad I don’t have to make that decision. Like, I’ll tell you all the information, but yes, you lawyers, you compliance people, I want you to make the decision of if it’s a material impact or not because as much as I understand about the business, y’all know way more about that stuff than I do.

I can’t say. I can only say, “Look, this is what it impacted. This is the data that was impacted. These are the potential exposures that occurred here. Please take that information now and figure out what that means, and is there any materiality to that that now we have to report that to the street.”

Corey: Right, right. You can take my guesses on this or you can get it take an attorney’s. I am a loud, confident-sounding white guy. Attorneys are regulated professionals who carry malpractice insurance. If they give wrong advice that is wrong enough in these scenarios, they can be sanctioned for it; they can lose their license to practice law.

And there are challenges with the legal profession and how much of a gatekeeper the Bar Association is and the rest, but this is what it is [done 00:22:49] for itself. That is a regulated industry where they have continuing education requirements they need to certify in a test that certain things are true when they say it, whereas it turns out that I don’t usually get people even following up on a tweet that didn’t come true very often. There’s a different level of scrutiny, there’s a different level of professional bar it raises to, and it turns out that if you’re going to be legally held to account for things you say, yeah, turns out a lot of your answers to are going to be flavors of, “It depends.”

Alyssa: [laugh].

Corey: Imagine that.

Alyssa: Don’t we do that all the time? I mean, “How critical is this?” “Well, you know, it depends on what kind of data, it depends on who the attacker is. It depends.” Yeah, I mean, that’s our favorite word because no one wants to commit to an absolute, and nor should we, I mean, if we’re speaking in hyperbole and absolutes, boy, we’re doing all the things wrong in cyber.

We got to understand, like, hey, there is nuance here. That’s how you run—no business runs on absolutes and hyperbole. Well, maybe marketing sometimes, but that’s a whole other story.

Corey: Depends on if it’s done well or terribly.

Alyssa: [laugh]. Right. Exactly. “Hey, you can be unhackable. You can be breached-proof.” Oh, God.

Corey: Like, what’s your market strategy? We’re going to paint a big freaking target in the front of the building. Like, I still don’t know how Target the company was ever surprised by a data breach that they had when they have a frickin’ bullseye as their logo.

Alyssa: “Come get us.”

Corey: It’s, like, talk about poking the bear. But there we are.

Alyssa: [unintelligible 00:24:21] no. I mean, hey, [unintelligible 00:24:23] like that was so long ago.

Corey: It still casts a shadow.

Alyssa: I know.

Corey: People point to that as a great example of, like, “Well, what’s going to happen if we get breached?” It’s like, well look at Target because they wound up—like, their stock price a year later was above where it had been before and it seemed to have no lasting impact. Yeah, but they effectively replaced all of the execs, so you know, let’s have some self-interest going on here by named officers of the company. It’s, “Yeah, the company will be fine. Would you like to still be here what it is?”

Alyssa: And how many lawsuits do you think happened that you never heard about because they got settled before they were filed?

Corey: Oh, yes. There’s a whole world of that.

Alyssa: That’s what’s really interesting when people talk about, like, the cost of breach and stuff, it’s like, we don’t even know. We can’t know because there is so much of that. I mean, think about it, any organization that gets breached, the first thing they’re trying to do is keep as much of it out of the news as they can, and that includes the lawsuits. And so, you know, it’s like, all right, well, “Hey, let’s settle this before you ever file.”

Okay, good. No one will ever know about that. That will never show up anywhere. It is going to show up on a balance sheet anywhere, right? I mean, it’s there, but it’s buried in big categories of lots of other things, and how are you ever going to track that back without, you know, like, a full-on audit of all of their accounting for that year? Yeah, it’s—so I always kind of laugh when people start talking about that and they want to know, what’s the average cost of a breach. I’m like, “There’s no way to measure that. There is none.”

Corey: It’s not cheap, and the reputational damage gets annoying. I still give companies grief for these things all the time because it’s—again, the breach is often about information of mine that I did not consciously choose to give to you and the, “Oh, I’m going to blame a third-party process.” No, no, you can outsource work, but not responsibility. You can’t share that one.

Alyssa: Ah, third-party diligence, uh, that seems to be a thing. You know, I think we’re supposed to make sure our third parties are trustworthy and doing the right things too, right? I mean, it’s—

Corey: Best example I ever saw that was an article in the Wall Street Journal about the Pokemon company where they didn’t name the vendor, but they said they declined to do business with them in part based upon their lax security policy around S3 buckets. That is the first and so far only time I have had an S3 Bucket Responsibility Award engraved and sent to their security director. Usually, it’s the ignoble prize of the S3 Bucket Negligence Award, and there are oh so many of those.

Alyssa: Oh, and it’s hard, right? Because you’re standing—I mean, I’m in that position a lot, right? You know, you’re looking at a vendor and you’ve got the business saying, “God, we want to use this vendor. All their product is great.” And I’m sitting there saying, but, “Oh, my God, look at what they’re doing. It’s a mess. It’s horrible. How do I how do we get around this?”

And that’s where, you know, you just have to kind of—I wish I could say no more, but at the end of the day, I know what that does. That just—okay, well, we’ll go file an exception and we’ll use it anyway. So, maybe instead, we sit and work on how to do this, or maybe there is an alternative vendor, but let’s sort it out together. So yeah, I mean, I do applaud them. Like that’s great to, like, be able to look at a vendor and say, “No, we ain’t touching you because what you’re doing over there is nuts.” And I think we’re learning more and more how important that is, with a lot of the supply chain attacks.

Corey: Actually, I’m worried about having emailed you, you’re going to leak my email address when your inbox inevitably gets popped. Come on. It’s awful stuff.

Alyssa: Yeah, exactly. So, I mean, it’s we there’s—but like everything, it's a balance again, right? Like, how can we keep that business going and also make sure that their vendors—so that’s where it just comes down to, like, okay, let’s talk contracts now. So, now we’re back to legal.

Corey: We are. And if you talk to a lawyer and say, “I’m thinking about going to law school,” the answer is always the same. “No… don’t do it.” Making it clear that is apparently a terrible life and professional decision, which of course, brings us to your most recent terrible life and professional decision. As we record this, we are reportedly weeks away from you having a physical copy in your hands of a book.

And the segue there is because no one wants to write a book. Everyone wants to have written a book, but apparently—unless you start doing dodgy things and ghost-writing and exploiting people in the rest—one is a necessary prerequisite for the other. So, you’ve written a book. Tell me about it.

Alyssa: Oof, well, first of all, spot on. I mean, I think there are people who really do, like, enjoy the act of writing a book—

Corey: Oh, I don’t have the attention span to write a tweet. People say, “Oh, you should write a book, Corey,” which I think is code for them saying, “You should shut up and go away for 18 months.” Like, yeah, I wish.

Alyssa: Writing a book has been the most eye-opening experience of my life. And yeah, I’m not a hundred percent sure it’s one I’ll ever—I’ve joked with people already, like, I’ll probably—if I ever want another book, I’ll probably hire a ghostwriter. But no, I do have a book coming out: Cybersecurity Career Guide. You know, I looked at this cyber skills gap, blah, blah, blah, blah, blah, we hear about it, 4 million jobs are going to be left open.

Whatever, great. Well, then how come none of these college grads can get hired? Why is there this glut of people who are trying to start careers in cyber security and we can’t get them in?

Corey: We don’t have six months to train you, so we’re going to spend nine months trying to fill the role with someone experienced?

Alyssa: Exactly. So, 2020 I did a bunch of research into that because I’m like, I got to figure this out. Like, this is bizarre. How is this disconnect happening? I did some surveys. I did some interviews. I did some open-source research. Ended up doing a TED Talk based off of that—or TEDx Talk based off of that—and ultimately that led into this book. And so yeah, I mean, I just heard from the publisher yesterday, in fact that we’re, like, in that last stage before they kick it out to the printers, and then it’s like three weeks and I should have physical copies in my hands.

Corey: I will be getting one when it finally comes out. I have an almost, I believe, perfect track record of having bought every book that a guest on this show has written.

Alyssa: Well, I appreciate that.

Corey: Although, God help me if I ever have someone, like, “So, what have you done?” “I’ve written 80 books.” Like, “Well, thank you, Stephen King. I’m about to go to have a big—you’re going to see this number of the company revenue from orbit at this point with that many.” But yeah, it’s impressive having written a book. It’s—

Alyssa: I mean, for me, it’s the reward is already because there are a lot of people have—so my publisher does really cool thing they call it early acc—or electronic access program, and where there are people who bought the book almost a year ago now—which is kind of, I feel bad about that, but that’s as much my publisher as it is me—but where they bought it a year ago and they’ve been able to read the draft copy of the book as I’ve been finishing the book. And I’m already hearing from them, like, you know, I’m hearing from people who really found some value from it and who, you know, have been recommending it other people who are trying to start careers and whatever. And it’s like, that’s where the reward is, right?

Like, it was, it’s hell writing a book. It was ten times worse during Covid. You know, my publisher even confirmed that for me that, like, look, yeah, you know, authors around the globe are having problems right now because this is not a good environment conducive to writing. But, yeah, I mean, it’s rewarding to know that, like, all right, there’s going to be this thing out there, that, you know, these pages that I wrote that are helping people get started in their careers, that are helping bring to light some of the real challenges of how we hire in cyber security and in tech in general. And so, that’s the thing that’s going to make it worthwhile. And so yeah, I’m super excited that it’s looking like we’re mere weeks now from this thing being shipped to people who have bought it.

Corey: So, now it’s racing, whether this gets published before the book does. So, we’ll see. There is a bit of a production lag here because, you know, we have to make me look pretty and that takes a tremendous amount of effort.

Alyssa: Oh, stop. Come on now. But it will be interesting to see. Like, that would actually be really cool if they came out at about the same time. Like, you know, I’m just saying.

Corey: Yeah. We’ll see how it goes. Where’s the best place for people to find you if they want to learn more?

Alyssa: About the book or in general?

Corey: Both.

Alyssa: So—

Corey: Links will of course be in the [show notes 00:32:49]. Let’s not kid ourselves here.

Alyssa: The book is real easy. Go to Alyssa—A-L-Y-S-S-A, back here behind me for those of you seeing the video. Um—I can’t point the right direction. There we go. That one. A-L-Y-S-S-A dot link—L-I-N-K slash book. It’s that simple. It’ll take you right to Manning’s site, you can get in.

Still in that early access program, so if you bought it today, you would still be able to start reading the draft versions of it. If you want to know more about me, honestly, the easiest way is to find me on Twitter. You can hear all the ridiculousness of flight school and barbecue and some security topics, too, once in a while. But at @alyssam_infosec. Or if you want to check out the website where I blog, every rare occasion, it’s alyssasec.com.

Corey: And all of that will be in the [show notes 00:33:41]. Thank you—

Alyssa: There’s a lot. [laugh].

Corey: I’m looking forward to seeing it, too. Thank you so much for taking the time to deal with my nonsense today. I really appreciate it.

Alyssa: Oh, that was nonsense? Are you kidding me? This was a great discussion. I really appreciate it.

Corey: As have I. Thanks again for your time. It is always great to talk to people smarter than I am—which is, let’s be clear, most people—Alyssa Miller, BISO at S&P Global. I’m Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice—or smash the like and subscribe button if this is on the YouTubes—whereas if you’ve hated the podcast, same thing, five-star review, platform of choice, smash both of the buttons, but also leave an angry comment, either on the YouTube video or on the podcast platform, saying that this was a waste of your time and what you didn’t like about it because you don’t need to read Alyssa’s book; you’re going to get a job the tried and true way, by printing out a copy of your resume and leaving it on the hiring manager’s pillow in their home.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.