Screaming in the Cloud
aws-section-divider
Audio Icon
DevOpsy Security with Jam Leomi
Episode Summary
Jam Leomi is the lead security engineer at Honeycomb.io. She brings more than a decade worth of tech experience to the role, having previously worked as a security tech lead and infrastructure engineer at Splice, a security operations engineer at GitHub, a DevOps security pirate at CloudPassage, and an internal technology resident at Google, among other positions.

Join Corey and Jam as they discuss Jam’s journey from ops to security, how COVID-19 has made people used to remote work even more isolated than before, why Jam hopes that the pandemic enables folks in rural communities to be able to work in tech without moving to the coasts, how Jam began her journey in tech, why Jam ended up at Honeycomb, why an observability company needs a security engineer in the first place, how Jam enjoys taking a “DevOps-y” approach to security, and more.
Episode Show Notes and Transcript
About Jam Leomi
Jam Leomi is a penmaker who just so happens to computer. When not found ranting on equality and equity in #infosec and beyond on twitter, they're found doing their day job as Lead Security Engineer at Honeycomb.


Links Referenced
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Cloud Economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


This episode is sponsored by our friends at New Relic. Look, you’ve got a complex architecture because they’re all complicated. Monitoring it takes a dozen different tools. Troubleshooting means jumping between all those dashboards and various silos. New Relic wants to change that, and they’re doing the right things. They’re giving you one user and a hundred gigabytes a month, completely free. Take the time to check them out at newrelic.com, where they’ve done away with almost everything that we used to hate about New Relic. Once again, that’s newrelic.com.


Corey: This episode has been sponsored in part by our friends at Veeam. Are you tired of juggling the cost of AWS backups and recovery with your SLAs? Quit the circus act and check out Veeam. Their AWS backup and recovery solution is made to save you money—not that that’s the primary goal, mind you—while also protecting your data properly. They’re letting you protect 10 instances for free with no time limits, so test it out now. You can even find them on the AWS Marketplace at snark.cloud/backitup. Wait? Did I just endorse something on the AWS Marketplace? Wonder of wonders, I did. Look, you don’t care about backups, you care about restores, and despite the fact that multi-cloud is a dumb strategy, it’s also a realistic reality, so make sure that you’re backing up data from everywhere with a single unified point of view. Check them out as snark.cloud/backitup


Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Jam Leoni, lead security engineer at Honeycomb. Jam, welcome to the show.


Jam: Thank you so much, Corey.


Corey: So, I want to start by thanking you for taking over the guest authorship of the newsletter, well, this week when this gets aired. But at the time we're recording this, you haven't actually done it yet. So, it's great to sit here and thank you now for a thing that you haven't done yet, but everyone listening to will have already been aware of because yeah, time is weird and is no longer linear, like anything else in 2020.


Jam: I mean, what is time?


Corey: Exactly. It's such a good year so far, and it's just getting better all the time. Ah. So, let's begin at a high level, I suppose. Who are you? What do you do? What's your story?


Jam: So, what am I? I am a Black, genderqueer security, turned ops, turned security engineer. [laugh].


Corey: Interesting as far as the ops turned a security engineer. Very often it feels like the common path in tech is the opposite direction, where it's, oh, I'm going to do security. And then you know what, it turns out that I don't like aspects of the job, and people want to often broaden out into other arenas. So, it feels, to me at least historically, that most folks go security to ops. Counterpoint, that's also the path I took, so there's a heck of a selection bias here.


Jam: Yeah, but, well, also for me, like, you have to realize that most security people don't actually start off in security. I think I'm the exception because my degree was in security, but I couldn't find a job in security. So, I had to do something else.


Corey: There's an almost unfortunate tendency that I see a lot, which is that people who get a degree in something believe—because they are told. Let's not mince words about that—that, oh, what your degree in is now going to define what you do in terms of your career; it's going to set your trajectory. So, then we are basically asking a bunch of 18-year-olds, in the common case to, yeah, figure out what you want to do with your life. I'm damn near 40 and I don't know what I want to do with my life, yet. So, it feels like it tricks people into believing they have to go a certain way.


Jam: Oh, but I was smart about it, though. So, the reason I went into security was specifically because the security degree program that I was a part of taught me so many things. So, I was like, well, if security doesn't work out, I can always jump into something else in technology like I went in as an 18-year-old thinking about this.


Corey: That must have been nice. I was never an academic. I am, effectively, someone who graduated from high school through an unaccredited organization, so on paper, I have an eighth-grade education. And this gets back, on some level, to what you said in the beginning with your introduction, that you are a Black genderqueer ops turned security engineer, I am a cishet, white guy, and society is built in such a way that it takes people like me and always picks us up and dust us off whenever we stumble as if I'm somehow entitled to take up as much space as I possibly want. And that's a travesty because on some level, don't you kind of want everyone to be able to have that freedom to experiment, freedom to fail alternate paths to success rather than prescribed ones? It just—I'm sorry, there's so much about society and the way it is structured that I do not pretend to understand.


Jam: Yeah, I'm in the same boat with you, and I wish I had answers to that. There are definite answers, you know, when we talk about white male privilege, and the patriarchy, and things like that, but I'd rather focus on—while there definitely is pain in the industry from being a Black genderqueer female-presenting person—especially female-presenting—I think it's also prepared me to always try to seek options. And it's a blessing and a curse for me to be always kind of thinking ahead and risk-managing.


Corey: And this is almost certainly made no easier whatsoever now by the fact that it is 2020 and so much has changed in a relatively short period of time. I feel like if there were a time warp, and one of these podcast episodes slipped through to just a year ago, “What the hell are you talking about?” And here we are now, working in a time of COVID, where everyone is more or less trapped at home, except to be honest, some of the worst people in the world. And everything has changed. It's sort of a weird segue here, but it's a weird year, during the course of this entire event, you've started working at a new job, you have effectively—as had the rest of us—tried to find a new normal. What has your experience of working in tech been like during these changes? How has COVID life changed our industry?


Jam: I think COVID life has changed… it's changed our industry, but I don't know how it's going to suss out. Right now, there's the obvious thing of pretty much we have everybody working from home right now. So, that can be kind of an isolating change. Some people are working with children, which, that can be also a change and a change of dynamic of managing energy. 


But for me personally, it's been, it's been slightly isolating. Usually, I'm used to working remotely, but I'm used to being able to go to the cafe and work there or go to a co-working space. And so now I'm having to think up ways to manage the normal ways I get connection through different avenues, whether it's making phone calls, making more use of Zoom calls, or just trying to—in the most safest way possible because, you know, your sanity is needed—try to find ways to socially distance and socialize as well.


Corey: It really has turned an awful lot on its head. What I'm trying to figure out is, at some point, a new normal is going to hit, regardless of what that looks like, and we're not going to be in pandemic stages forever. What's going to go back to the way it was, and what's going to be, I guess, forever changed.


Jam: Well, my hope is that the pool for employment in tech and the equity in tech changes to not just be on the coasts, and be more across the boards available to everyone. Now, that could have negative consequences. That could mean less people in cities, in more rural areas. Though, I think rural areas should have a shot, too. Like, I come from Kentucky, which, like many states, I came from a city but I was also surrounded by rural communities and I grew up around—have friends from rural areas. 


So, I want them to have a shot just as much as I do. And many of the times they don't, or you have to tell these people, “Hey, we want you to move halfway across the country away from your support systems, family, friends, and just get adjusted and come work for us.” And I feel like people shouldn't have to make that decision in order to make a living or in order to follow their dreams or their heart.


Corey: That is one of the most aspirational answers to that question because usually, people tend to go in a direction of, “Well, I don't know if tech conferences are going to have quite as much swag anymore.” And you're talking about making tech entirely more accessible to folks who, for example, might not live in eight square miles of an earthquake zone and calling it disruption. There's something to be said that is incredibly valuable for finding folks who have gone through alternate paths to get to where they are now. It winds up providing a diversity of experience. And that is incredibly valuable. As it turns out, maybe the sum totality of human existence isn't embodied by a bunch of people who went to Stanford together. Just as a random shot in the dark.


Jam: Yeah. [laugh]. Again, this is like in terms of there's many conversations in making tech more equitable, and making businesses more equitable, and it just can't be in specific places.


Corey: Yeah, I'd say one of the saddest days for San Francisco was when you moved away. To give a little insight back into, I guess, how long we've been talking to each other, I remember back in 2016, when I was running a DevOps team at my last, quote-unquote, “Real job,” and you interviewed for a role. And you were a terrific candidate; we extended an offer, and you were on the fence between this role and another job. And you and I went out and sat down and talked for a while, and at the end of it, my recommendation—that I stand by—was that you take the other offer. And you did. And when I tell people versions of that story, there's always two different responses. One is, “Oh, yeah. Of course, that's what you do.” And the other response is, “Wait, you did what?” And I've never understood people who take the second perspective.


Jam: Yeah, simply because, especially in this day and age, we're no longer in an era where somebody stays at their job until they retire at the age of 50 or 60. You are constantly—especially in the startup world—you're constantly moving jobs because, for some people, especially who look like me, you have to do that in order to get ahead. So, on that same vein, tech is small. People know each other. So, it behooves you, especially as a manager and a leader, to have good relations, even if the choice is not going to be beneficial to you.


Corey: It's funny that you mentioned this idea of being more mobile in our careers and life, extending beyond the next job, but it's amazing how everyone loves to pretend that in job interview stories, that oh, yeah, now the average tenure in tech is, of course, 18 to 24 months, but once you start here, you're going to work here for 25 years, you're going to wind up leaving with a pocket watch and a pension, and it's this ludicrous fantasy. We even take it a step further, where the stories we tell about someone leaving unexpectedly are always, they get hit by a bus, the bus factor. Great. How about, someone else offers them a 30 percent raise somewhere else that's aligned more directly with what they want to be doing? Because, spoiler, I've had a lot more colleagues leave because of a better offer than ever got hit by a bus.


Jam: Yeah. I'm also trying to wonder who are you talking to that are offering pocket watches, and, like, lifetime—because I've never heard of such a company.


Corey: Oh, yeah. They were all over the place in the 1960s, which is where a lot of that interview advice seems to have come from. It's, “Oh, you want to go ahead and get a job? It's easy. Just walk in the front door, have a firm handshake, and ask for a job. Be sure to call the boss, ‘sir.’” “What if the boss isn't a man?” “I have no idea what you're talking about.” It's this old-timey advice where you expect every video of it to be in crackly audio with black and white, where it's this ancient 1940s approach? Ugh, no, thank you. Yeah, pensions are also hilarious fantasies that are gone.


Jam: Yeah. And just, I feel like a lot of the humanity—not to say that there was any humanity back in the 1940s; there was probably some for some people more than others—but I feel like even more so now there's, kind of, less of it. Because you're talking to a person who's been through two recessions already, and also been through the Enron scandals, as well. As well as many other scandals related to misuse of funds.


Corey: Oh, yeah, I'd love the idea of, “Oh, just put your entire retirement in your company stock, it'll be fine.” What I always love is finding people who give that type of advice and talk about how, “Oh, I work at Google,” or, “I work at Amazon,” and, “Oh, all of my retirement is invested in my company's stock.” And well, that seems to be centralizing an awful lot of risk on that company doing well. And they'll come back with a whole suite of answers about this. 


And I see where they're coming from. They're arguing good faith. The counterpoint is that everything that they're saying, without exception, could have been said by an Enron employee right before the collapse. Now, for legal and moral reasons, I do want to point out that I'm not insinuating that Google, and Amazon, and the rest are fraudulently lying to everyone, that there falsifying audit information, et cetera. My point is not that they're engaged in malfeasance, but rather that you never know what the future is going to hold for any given company, and nothing lasts forever so decentralized risk.


Jam: Yeah.


Corey: But oh, does that rub some people the wrong way.


Jam: Yeah. And it's also just like, just like you want to make sure you're very diverse about your company, you kind of want to be diverse about your stocks. Don't have all your things in one pot. Or your investments in one pot. That's something I've even got from my financial advisor.


Corey: Oh, yeah. I should probably disclose this, I don't do it quite often enough that everything I own in equities is part of a broad-based index fund. The single exception to that, I own six shares of Amazon stock that I've held for years and will continue to hold indefinitely, not because I view this as a long term financial play, but rather one day I will manage to shitpost via shareholder resolution. Wait for it, it's going to be amazing. I just need to find the joke worth doing it for.


Jam: That is so great. [laugh].


Corey: We all need stretch goals, and that's one of mine because I make terrible life choices.


Jam: Oh, no, you don't.


Corey: So, tell me a little bit more about your path. You're one of those folks that I get to catch up with from time to time, and I love every chance that we get to sync, but it always seems like there's a lot to catch up on. Where did you first enter tech? And where did you go from there?


Jam: So, I first entered tech—it's funny I entered—if we want to say when I entered tech, it was when I was probably about 12 years old. I joined a computer club at school. It was a program that I was a part of until I graduated from high school called the Student Technology Leadership Program. And from there, I learned a whole lot about computers. This is back in the day when computers were starting to become a thing. 


And I really started the journey of doing more technical work when I was in high school, and they were taking computers apart at the high school that I wanted to go to, and I was like, “I want to do that.” And so that kind of started me on my journey of doing more deep dives into technical things.


Corey: One of the, I guess, strange things that I found is that when I talk to folks who've been in the space for a while, they always come from something into a new area, and then we have conversations around these things. But an awful lot of us were old school Unix types or Linux folks very early on with the sysadmin ops story. And those jobs, for better or worse seem to be drying up as more and more things move in a cloud-y type direction, so I find myself spending an awful lot of time wondering and having conversations about the topic. Where does the next generation come from? 


Where does the next series of cloud folks wind up originating from? Because the terrible answer to this is, “We're just going to wait until the cloud providers start sponsoring public school curricula. And then they're going to start teaching eighth-graders how to wind up spinning up Elastic Beanstalk,” or God knows what. And I don't think that's the answer anyone wants and I'm hoping people are better ones.


Jam: I don't think it's going to come from the children’s. I think it's coming from the people who are entering the industry from other places. Like, one thing I kind of have an issue with is so many of these big companies are like, “Well, we don't have a pipeline, so we're just going to push it to the children, push it to the children, push it to the children.” Meanwhile, I'm seeing so many people being like, “Man, tech is paying some money so I'm going to transition into that.” 


And you have so many of these people either transitioning into support roles or transitioning from support roles and trying to get higher up from different industries in the past five years. And so I think those people are going to tell us what is next. I don't think we have to wait for the kiddos to get 10 years in and be the next generation. I think we already have some of those people here, and I think they're going to push the needle on, tell us what's next.


Corey: I sure hope that you're right. There's a definite hope that I have that this is going to turn into something that's, I guess, lasting and transformational. And I don't like the idea that oh, so the only way to now get into this space is to stop doing whatever you were doing before, whatever it might be, and then go to a boot camp, possibly a boot camp then winds up doing an income repayment and they’ll send you straight to collections if you're unable to pay. And almost these predatory for-profit institutions that tend to not, I guess, really be focused on outcomes other than making money for investors. 


And I worry that there's going to become this, I guess, artificial gatekeeping story where you need to either have a degree or go to a boot camp. For someone who was able to talk their way past not having either of those things because well, honestly, look at me, I'm incredibly over-represented in this space, that path is not available to everyone. And it makes the existing biases that we have in this space worse, not better.


Jam: Yeah. And I feel like the boot camp thing is kind of changing because what I am seeing, and this is something I saw a few years ago, you're starting to see people who have degrees going into boot camps. And I think universities are starting to notice because these universities are now trying to create boot camps, as well. I don't know whether it is to get in on that money, or whether it's trying to do some more career extensions to their already vast portfolio, but I think that's something that's kind of helpful, too, especially as the traditional idea of degrees, especially in the land of COVID is going to go in a completely different direction.


Corey: This episode is sponsored in part by our friends at Linode. You might be familiar with Linode; I mean, they've been around for almost 20 years. They offer Cloud in a way that makes sense rather than a way that is actively ridiculous by trying to throw everything at a wall and see what sticks. Their pricing winds up being a lot more transparent—not to mention lower—their performance kicks the crap out of most other things in this space, and—my personal favorite—whenever you call them for support, you'll get a human who's empowered to fix whatever it is that's giving you trouble. Visit linode.com/screaminginthecloud to learn more. That's linode.com/screaminginthecloud.


Corey: I want to be very clear because I've been unclear on this in the past, I am not in any way, shape or form saying that a degree does not hold value, that if you have a degree you've made a poor decision or even that degrees are not absolutely necessary for some roles. What my position is—and remains—is that it's not going to work for everyone, and having a prescribed path for many roles that artificially requires a degree is not doing anyone any particular service. Now, if I'm going to hire an attorney, or I need an anesthesiologist, yeah, I have some degree requirements for those people. That is not really the type of role that lends itself to, I'll figure it out as I go. How hard could it be?


Jam: Yeah, I think the only reason that I myself have a degree is that, as a Black person, that is the only way that I can get my way into the door. Or at least that was the only way I could get my way into the door 10 years ago. I think boot camps are slowly changing that to give people the experience and the street cred to do that. Do I want it to go away? 


I hope so someday, and I hope that we can get back to a way of having people do more apprenticeships, kind of do the old school, old school way of having people try out jobs and learn skills. But until we get to that point—because again, we're still trying to think about more equitable ways, and unfortunately, the people making the decisions, the gatekeepers, do not look like me. [laugh]. Until that changes, we're working with what we have.


Corey: One of the best descriptions that I've ever heard for helping break down those gates and making things more accessible comes from Stephen O’Grady over at RedMonk, and it's, “Send the elevator back down.” That mindset is how I try to live my life. I mean, the reason that I have a career at all is that people who had no requirement to do so did favors for me when they didn't have to. And you can't ever repay that, you can only ever pay it forward. And I try—mightily sometimes with mixed success—to wind up doing that. And I hope I get it right more than I get it wrong. But what I don't understand is people with the attitude of well, “Screw you, I got mine.”


Jam: Yeah, I don't get those people either. But our industry is kind of saturated with that. But at the same time, it's slowly changing from the past 10 years when I felt like I saw that. There's still like beacons of people, like Jennifer Davis, who helped mentor me and was a sponsor for me, as well as other people in the industry who I feel like have kept me on a good path, especially in security, like [00:24:28 Kirstin Breaker]. I absolutely love her and she's one of my favorite Black female security people and I admire her so much. But just to be able to talk with those people and really get their wisdom and stuff is super helpful. So, I'm glad for her. As well as you, Corey.


Corey: Oh, please, I did a remarkably small amount of work until somewhat recently at any of this. I'm learning as I go, like anyone else. It's one of those looking back moments where it's, “Huh, I could have done a lot more than I did and I feel bad about it.” All you can really do, unless you have somehow the ability to change the past, is do better moving forward. I think that's something that people often give up on where it's, “Oh, I didn't do such a good job in the past. Well, too late to fix it now. Oh, well.” And nothing ever changes.


Jam: Yeah. And I think that's the thing about time—which has no meaning in 2020—there's always hope for moving forward and always changing things. And I think people don't give that opportunity right now so much. I've seen a lot of intense stuff on InfoSec Twitter and I wish there was more kindness in the accountability. I can understand why some reasons why you can't have the kindness because there's so many people who are hurt, and there's so much trauma everywhere. I'm a person with PTSD, so I understand how triggering it can be. And I have hope that it can change to a place where you can have more empathy.


Corey: I sure hope so. One of my greatest fears is that when we look back at this recording, in a few years, we don't look at this through a lens of, “Oh yeah. That was a dark time in our history.” But instead, “Oh yeah, those were the good old days.” That's what scares the hell out of me.


Jam: Oh…


Corey: “Oh, look how naive we were. We didn't even know about the comet yet.”


Jam: Corey, don’t, like [knocks]—don’t do that.


Corey: Don't put that juju [00:26:28 crosstalk] [laugh].


Jam: I’m like knocking on wood. Like, come on, man [laugh].


Corey: So, back when you were applying for your current job, what were you looking for? What was it that mattered to you from a, I want to work with these people, or that company or that technology perspective.


Jam: So, for me, it was actually funny because when I first decided to take a break after my last job, my plan was okay, I'm going to take a break, and then I'm going to come back out and I'm either going to see if I can work for a VC firm, [laugh] and see if I can do, like, security advising for them, because I wanted to do more of a leadership role in that, or I wanted to do some consulting. And at first, I did actually look into that. And one of the final companies that I worked for was a consulting firm. It was between a consulting firm and the place that I work now, but the reason why my current job worked out is for two reasons. 


One, I always love working at places with cool products. And Honeycomb had a really, really cool product and idea that I wanted to dive more into. And the second thing is that I love working with cool people, and Honeycomb had all the cool people. I really admire all the people who work there. I admire all of my coworkers; they're awesome people, and I think that is what attracted me there. On top of the fact that there was the third thing, which is there was the opportunity for leadership experience in security, and growth there, which I don't think I would have gotten in consulting.


Corey: Wholeheartedly agree. Honeycomb is a fantastic company, let's not kid ourselves here. And, of course in the interest of full disclosure, they've been a good recurring sponsor for a lot of my nonsense, but they're also a reference client for my consulting business. So, even if I didn't like all of you, folks, I think at this point, I'm contractually obligated to lie about it. I kid. I love what you folks do. I think there's a tremendous value to the industry across the board in about four different axes, and it's hard for me to think offhand of a company with a better internal culture.


Jam: Yeah. That is super, super true. I wish I could digress into it, but I can’t.


Corey: No, I completely understand that.


Jam: But yeah. Since I've joined, I feel like I've really been able to make a mark, and some impact, and really just challenged myself in new and different ways. So, I'm excited to see where my career goes from here.


Corey: I am, too. I look forward to our next recording where we wind up catching up on, “Oh, and here's the changes since the last time.” So, talk to me a little bit about why a company like Honeycomb, who does observability and/or yelling at people for saying, “Don't deploy on Fridays,” depending on your taste, hires a lead security engineer. Judging by everything else I see in the industry, security is this thing you bolt on after the fact and apologize for while saying how much of a priority it was, even though it clearly wasn’t. How does an observability company need a security engineer?


Jam: Well, here's the thing about technology right now. In the past 10 years, it has changed in that most startups need to—side note. This is my personal opinion and not the opinion of my company. End side note—but for a whole lot of startups that I've seen, a lot of them are selling to enterprise customers. And enterprise customers have that requirement called compliance, and they have certain compliance standards that they need in order to have you as a vendor. 


And so we're starting to see more companies who are trying to market to these big-money enterprise customers, and they are needing security people to get the work done because it is becoming a thing where at some point, you just can't bolt it on. Like, you have to have a security person in the room doing the work and telling you, “Okay, maybe you should do this differently so we can stay secure instead of doing the very, very security risky thing,” for lack of a better term.


Corey: Increasingly, it seems like the security risky thing is not hiring security folks. And I guess my problem with cloud security, and I can very rarely bring this up on the podcast when I'm talking to folks who work for one of the cloud vendors, is that they take a simple concept, such as the idea of the services themselves are basically secure 99 times out of 100—or more--any mistake is going to be something you have misconfigured. But rather than saying that sentiment that fits in a tweet, instead, they call it the shared responsibility model and then they turn it into this 500-word article at an absolute minimum, and an incredibly complicated slide, and it makes people miss the point. Is that just me having no attention span whatsoever, or does it feel like they're overly complicating a relatively basic concept?


Jam: I think they're overcomplicating a very, very simple concept, and at the same time, they don't want to be held liable, which I can understand that.


Corey: Yeah, good point. I mean, at some point, you have deniability, and you want to be able to point at something larger and complex when you're getting yelled at by one of your customers for their own misconfiguration that goes beyond, “It's your fault.” That is not a helpful sign to point at when someone is screaming at you, as it turns out.


Jam: Yeah. But at the same time, I do wish that the industry would make things more usable. [laugh].


Corey: Oh, my god, yes.


Jam: Even for beyond—like, one of the things I like about having a more holistic security practice is that I do want to try to be more DevOps-y with it; I do want to try to be more collaborative and not just let security people in, but for other people, for developers and other stakeholders of the business to understand. And sometimes it's super hard to make people understand if they can't see what's in front of them, and so much of the tooling that we've had thus far, have tried to inch closer and closer to it, and I'm starting to see some new players in the game to make that more usable, but for some of the bigger providers, it is still like, “Man, what are you doing?” Like, this is such a big space, and you have so much money. You could do some acquisition that's super cool. Like I've seen and been a part of companies with some products of being like, for lack of a better word, Amazon could buy you and stretch their security game so well. But instead, I have to do stuff where security is just basically unusable by even security people. Like one example is, and I hope it's changed in the future, is Cognito. I've had so many tussles with Cognito.


Corey: Oh, don't get me started on that. I really, really hope that by the time this episode gets published, Cognito is better than it is right now, but, mm, today, it seems almost like it is an incredibly well-executed advertisement for Auth0.


Jam: Yeah, Auth0, or just some of the other ones available, too. But it is… you just want it to be that because it is an integrated service. But it doesn't do some of the things that you imagine it would do. But it's also like, it's Amazon. So, it's Amazon, it's free, and all the security shouldn't be up to us, which is a great thing. And at the same time, yeah, I just wish it were better.


Corey: One other thing that I've never fully understood, the most depressing InfoSec experiences I’ve had was wandering around the RSA expo floor. And, first, I don't think you're allowed to sell anything, legally, if you don't have the word ‘firewall’ somewhere in it, and two, I understand that security is not something you can buy, but holy crap, do a lot of companies want to sell it to me. What's the deal there?


Jam: I think it's that people know that security is always going to be a need and it's ever-encompassing and ever-growing. The thing is, just as people have many different ways of engineering, there are also many different ways that people do security because everybody needs it, but nobody knows the specific security that they want or need. So, I think the issue that we run into right now, is that because we don't have somebody telling us what the best—or they're telling us what the best should be, people tend to get stuck in their tooling, and don't realize until it's too late that it doesn't work for them.


Corey: Yeah, on some level, you sort of have this dream that if you buy the right tool or hire the right person, suddenly all of these issues go away. But it doesn't. I wish it did because if there were a product that solved this, I would love to sell it. But it doesn't work that way. And I don't think it ever will because it's people. It's not always about the tools and it's not about the technology.


Jam: Yeah, I feel like the view that people should have on tools, whether they're security or operations, is that it's an extension, and support for people to do their best work. And so, especially when evaluating vendor tooling right now—because it comes up in my current job, and I also have to keep track of it for trends, to see where the industry is going both technology-wise and security-wise. But when looking at this, you always have to keep the business operations in mind, and I think some security people forget that and jump on, “Oh, we need the shiny new toy for compliance.” Instead of thinking of, “Hey, does the shiny new toy match up to our operational goals?” Do—


Corey: Oh, it used to be DR if it wasn't compliance, or it used to be, “Ah. Redundancy.” Or, there was always a reason to just hurl money at some project or whatnot, where you're never done, but depending on the story you tell, you can unlock massive budget?


Jam: Yeah. So, I’d like to think of it in a new way of being like, okay, does this align with our business values, and is this going to help further our business? And I think security people should keep that more in mind where they're evaluating tools.


Corey: If people want to know more about you, where can they find you?


Jam: So, if you want to find me, I can be found on Twitter at @jamfish728.


Corey: That's right. We are in fact, birthday twins.


Jam: Yes, we are birthday twins. Way to tell my secret about my handle. Um—[laugh]. And yeah, that's pretty much the only place that I have right now. I'm thinking about maybe restarting my blog up. I have a blog at blog.jam.fish that I haven't updated, but I might update it more because I'm starting to get antsy about doing stuff beyond Twitter.


Corey: Yeah, that's sort of what pushed me to doing a whole newsletter, and blog post, and podcast series, and breakfast cereal—next, for all I know. There's always the idea of creating more content. But, eh, it's a burden, you know, because now oh, great. Now you have to update it. But regardless, we'll put links to those in the [00:37:53 show notes]. Thank you so much for taking the time to speak with me today. I really appreciate it.


Jam: Of course, Corey, anytime. Let's do this again soon.


Corey: Deal. And thanks again for covering me for the newsletter so I can enjoy some time with the newborn.


Jam: Yay. I want baby pictures.


Corey: [laugh]. Absolutely. Jam Leoni, lead security engineer at Honeycomb. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on Apple Podcasts or your platform of choice, whereas if you've hated this podcast, please leave a five-star review in the same place along with an angry ranting comment about how your degree makes you a better person than me.


Announcer: This has been this week’s episode of Screaming in the Cloud. You can also find more Corey at ScreamingintheCloud.com, or wherever fine snark is sold.


This has been a HumblePod production. Stay humble.
View Full TranscriptHide Full Transcript