Diana Initiative 2021 - Jasmine Hex - Punk Compliance: DIY Security Audit Readiness for Everyone

Jul 21, 2021 03:32 · 7062 words · 34 minute read

Punk Compliance: DIY Security Audit Readiness for Everyone

Jasmine Henry >> Hi, Lea, thank you for the introduction.

00:57 - And thank you, everybody, for being here. I know that there’s a lot of amazing talks on the Diana Initiative schedule today. And when given a choice, compliance is really the most appealing option. So, thank you for attending this talk. Thank you to the organizers and thank you to our sponsors as well, for helping us put on this event. Who am I? I’m Jasmine Henry. I also respond to Jasmine Hicks. I’m a security director at a fast-growing Seattle startup.

We do not have a security product, so I’m not selling anything. And I also am not claiming to speak on behalf of the punk movement. I have identified with counterculture movements since my teen years. And I’ve always been somebody who has not fit the mold or the standard. I think something that many of us in security have in common is having felt like an outsider. And not only have I felt like an outsider at times in my life to kind of mainstream culture, I’ve also felt like a security industry outsider at points during my career.

It was really hard for me to break in, just because my pathway is not perfectly traditional. And neither am I.

02:19 - I faced a lot of rejection, especially early in my career, trying to break into security roles. My undergraduate degree was not in computer science. And I started off in help desk. At the time I thought that I would never get where I wanted to go. It was also 2010, so the job market was terrible. But I really felt like I’d failed. And I wish I had been kinder to myself because I think that help desk is a great launch pad for a lot of us.

02:53 - I am mentored by an amazing woman CISO, CEO, and she also started in help desk. And we both agree that it is an amazing set of experiences for security people. So, early in my career I was rejected because I had literally zero experience.

03:12 - I got into project management. And I got a master’s degree in analytics next because I was tired of hearing that I wasn’t technical enough. After that, I started doing more program management. That’s also the point in my career where I started working a lot more with cloud and DevOps, and I did some consulting for a few years. And I was often rejected because I didn’t have premises-based networking experience. And I’ve gained it. I’m glad to tell you that it gets easier as you gain more experience.

You face your rejections. And now I get a lot of messages on LinkedIn and Twitter kind of questioning my qualifications. But I think that it just goes to show that there’s always gonna be trolls. And it’s okay. You know? So, I’m not a typical person. I don’t fit the mold. But I also drive exceptional results.

04:18 - Last year I passed three compliance audits in 6 months. I was hired last year as the first US woman employee at a startup. We had a little bit less than 40 staff at the time.

04:33 - And several months later we were going to sign a Fortune 500 customer. And we had to put security policies and controls automation into place in order to pass the risk assessment.

04:49 - I think this is kind of a common pathway for a lot of businesses and startups, where compliance and security are really customer-driven. And there’s a hesitation to invest in these things before the customer is asking for it. September was the turning point where my focus fully shifted to security. Shoutout to Rin Oliver, by the way. We were working with each other then, and Rin handled that with a lot of grace. Please don’t miss Rin’s keynote tomorrow at 4:30.

A couple months later (it took the customer a couple months to review our risk assessment and decide they were going to sign us up), part of the contract said that we had to pass three audits in a very short period of time.

05:38 - We had to be basically done with the audits and submit reports by June 1st. So, we started an audit really, really quickly and we dug in. I was the only dedicated security and compliance person at the organization at the time. I had a lot of help. We have an amazing cloud and DevOps team. Amazing program managers, amazing engineers. It turned out that we had an employee who was a nationally award-winning pentester in college and high school. So, he was able to do some pentesting for us, you know? We made it work.

06:13 - And in the past few months, my company has had a series B funding round. And we’re really starting to scale. I’m creating a 24/7 SOC currently. Really scaling controls. Creating a 24/7 capacity for security support and growing my program. The decision has been made that security at my company is gonna own IT. So, that’s another area I’m building. And I’m really excited. But before I kind of get into talking about what I’ve learned on this journey, and how I am leveling up, I wanted to kind of create some definitions around security and compliance.

07:00 - Compliance is not security. And that may be the only thing that people on InfoSec Twitter can agree on. Audits don’t prove security. Even the standards organizations will tell you that compliance is a minimum set of security requirements. Compliance is doing the bare minimum. And that’s, to paraphrase the words of the PCI DSS council: compliance is a really valuable business tool, even though it’s not the same as security.

07:36 - In my case, I think that my compliance journey this last year was pretty defining for my career in security leadership. Which is something I fought for a decade to achieve. It, you know, kind of proved me to future hiring managers and it proved me within my organization. It was through that I was able to get head count and own IT. And get funding for my program.

08:05 - I think that security resources, hiring, is something that’s a huge challenge for people at companies of any size. Truth is that the security industry is under-resourced. There’s no CISO in the world that wants to get hacked. It’s a matter of the fact that fighting for head count is really difficult for all of us because security is often seen as a cost center. I’m working to change that perception, which I’ll talk about a little bit later. But yes.

Compliance is really great business proof. Compliance frameworks are also great for internal decision making. Again, executives often want to spend as little as they can on security. And saying we need this to pass audits is often a lot easier than saying, we need this to manage risks. Many compliance frameworks are pretty cut and dry and that’s really valuable for navigating these discussions. And finally, this one’s huge. I think for startups and small business, compliance, it’s an international mark of security maturity.

It doesn’t say that you’re doing all the right things. But it shows that you’re doing some of them. So, at my organization, it helped us win the first enterprise customer and more after that. I know that our investors looked at our compliance reports when we got our series B. And I think it’s a real helpful tool for small businesses. That said, compliance frameworks, again, they’re not the same thing as best practice. There can be a huge difference. And I think the difference is getting bigger.

Especially as we’ve gone away from traditional networks to distributed ways of working. Distributed systems. Frameworks don’t always reflect reality.

10:04 - And at a lot of organizations, companies of all sizes, that can create a huge challenge.

10:10 - There’s a recent Shinikuni study that says that 99% of CISOs feel compliance is outdated for the cloud landscape. And it’s really challenging because there’s the need to kind of interpret standards and scope systems, which is way harder than it’s ever been. There is a desperate need for compliance automation, which is a field that’s really popping.

10:35 - And not only are we having to pass more audits, it’s harder to get there. And I think that the industry desperately needs leaders who know the difference between compliance and best practice. And this is the important part. We need leaders who have the courage to defend going above and beyond compliance to executives. And I’ll talk a little bit about how I do this as well. You know, I think that for a lot of people here, people who are in security, people who are breaking into security, people who are considering going into security, compliance is probably going to be inevitable.

There was a huge shift back in I think it was 2008 in terms of compliance burdens. We can also blame it on Enron. As well as recent hacks. The compliance department at most organizations is getting bigger. Even at companies like mine. I’m not in a traditionally highly regulated industry like finance or healthcare. Technology vendors, software companies, which my company is in that space, we’re having to pass more audits. So, the average CISO passes three to six audits a year.

According to the same Shinikuni study. Most commonly high tech, PCI DSS and SOC 2. The cost of compliance, when you dig into the studies, is absolutely staggering. You know? Numbers vary wildly depending on who you ask. I think the highest figure I saw was a KPMG study that said it’s 10% of operating costs or more for 21% of businesses. We did not spend anywhere near that much. Which is important. But it is still a huge operational burden. And last, I think this one’s also important.

If your organization sells to businesses, essentially, if your customers are other businesses, compliance is increasingly going to be a cost of doing business.

12:39 - 83% of organizations are investing in vendor risk assessment. I don’t want to name names.

12:46 - But SolarWinds. I think that there has been things in the security ecosystem. Especially in the last year. That have made organizations realize that they really need to be looking into vendor risks. And that’s why, you know, these audit reports are a highly valuable tool. Because it is one form of proof that you can give your customers that you’re doing many of the right things. Or doing the bare minimum.

13:16 - And in my opinion, my unpopular opinion, compliance is extremely punk. I think that compliance is wildly misunderstood. It has a reputation of being a checklist. It has a reputation of being boring. I’m not claiming it’s the same as security. But I really feel that there is some kind of resonance between compliance and the punk ethos.

13:43 - An interview with Rick Reese, who is an amazing West Coast artist who has a lot of kind of counterculture and skateboard-influenced art, summed up the idea better than I could. I’m going to point to Rick Reese’s words. Punk is subversive in how it rejects commodification, consumerism and corporate culture. In underground music, there is a real DIY ethos. If nobody is going to help me, I’ll do it myself. We speak truth to power. When we’re not permitted to speak, we hold up a mirror.

That’s why I think countercultures are really the most important agents of change. This is the crux of my talk. I’m here to share my experience as a security leader at a small business without a huge compliance budget, having to kind of DIY compliance audits, and how I succeeded. But I think that these lessons are important for everybody. Especially individuals who have at points in their lives felt like they’re on the periphery. Have felt that they don’t fit the mold.

Have faced rejection. I think that those of us who choose to not fit molds or just don’t, are important change agents and that the industry desperately needs us. I think that people who spark change are what gives me hope for the future. And I think that compliance is what it is.

15:14 - But it can be an amazing business tool for sparking change within an organization. And growing support for security programs. The first thing I learned, I feel like, as I became a security leader and started my compliance journey, is that you cannot brute force executive buy-in. I think a lot of us get to our first security leadership job because we are detail-oriented. We are analytical. We work really hard to prove that we’re analytical.

15:47 - And we come to meetings, and we come to presentations prepared with data analysis that we’ve spent 8 hours on. We have every industry and internal statistic to prove our case possible. And that is not always the most effective tactic, especially if it’s the only one you’re using.

16:05 - There is an amazing Gartner study annually on CISO effectiveness that asks what the top CISOs are doing differently than their peers. And the most recent one said that one of the top five things that the effective security leaders do differently is they invest a lot of time and attention in building relationships with executives. They meet three times as often with executives. And they meet with the marketing and sales team.

16:35 - I have learned to become better at nurturing ideas. I plant a seed and I water it. I revisit ideas with executives, and I really focus on the relationships. And I’ve learned to create kind of shared interests around common goals to create support for security in order to have the budget that I need and the head count that I need.

16:59 - I do work closely with our marketing team. I’m an SME for our marketing team on security and compliance and privacy. And operating systems and a couple other things as well.

17:12 - But I collaborate with them, and I help them. I help them create resources. And they help generate internal and external support for my efforts with press releases about passing audits and security whitepapers and security website pages. Marketing is a critical relationship for me within my organization. I have always worked closely with our sales team. And in a couple weeks I’m going to do a training for all of our sales representatives so that they can sell security.

We’re gonna talk about, you know, when during the sales cycle you should bring up security. There’s evidence that it should be done sooner.

17:52 - How do you handle vendor risk assessment requests? What are the benefits of our product and product features? What are ways that you can upsell customers on security? I think that’s super valuable. Because that allows me in the future to say, hey, security was a huge part of these deals. I’m not just a cost center. And that’s probably one of the most important things I can do to get the funding that I need for my program to do security right.

Because revenue really matters to executives. Something else I’ve done with the sales team, like I mentioned, is I worked with our RevOps leader to figure out which of our deals security and our audit reports played a role in. Right now 20% of our enterprise customers, or 20% of our revenue, depends on successful compliance. And that is a stat I can bring up in these executive meetings, you know, if there’s ever a question of what value I’m adding.

It’s a lot. It’s a lot of revenue. It’s a contractual obligation to these customers, and I think that was a really important relationship for me for sure. Something else we’ve noticed, just really quickly, is that the customers that are asking about security are often the customers that we want.

19:20 - I think there’s often a challenge where, you know, not every organization is aware of security, you know, in this kind of business-to-business space. And so, that means you can educate them. That involves working with the marketing and sales team again. But you can also learn how to attract the customers that are ready to have those security discussions.

19:45 - So, again, data is not everything when it comes to winning executive buy-in. It is important.

19:53 - So are relationships. But something I’m doing is measuring compliance and security using shared metrics. Metrics that matter to other leaders in my organization.

20:04 - Again, I’ve calculated the ROI of compliance. I was able to say, you know, here’s a super specific point in time when we broke even on our audits. Now we’re making money off our audits, we’re making money off security. I’m not a cost center. That is a really important kind of metric that I worked with RevOps to define. Something I measure, or try to measure, once a month: I use the CIS Critical Controls to honestly assess our maturity. And through that, I was able to finally prove the fact that our first audit cycle improved our maturity by 30% according to the CIS Critical Controls.

Here’s what we need to do next. I think there’s a lot of different ways to measure it. For us, CIS Controls is one of the tools that makes sense. We also use OWASP SAMM, which is a fantastic tool for benchmarking security maturity. And through that, I’m able to show, you know, here’s what we’ve done. Here’s what all the people who are helping with the audits have voluntarily done to improve our security posture. If I have hiring needs, as always, I use the same kind of OWASP SAMM and Critical Controls tools to demonstrate how, you know, if we hire this person, this is how it’s going to impact our maturity and risk.

And I use similar calculations if I’m asking for an expensive piece of software. Here is how it’s going to impact risk and security.

21:43 - And I will often show as well, you know, here’s what we could be spending.

21:51 - Another thing I learned is that you can’t force an engineer to do anything. At any company of any size, compliance is gonna involve a lot of people. It’s gonna involve a lot of collaboration. You’re gonna need evidence to submit to the auditor from the HR team, from the engineering, product and DevOps teams. Executives as well. So, in order to be audit ready, you need buy-in. And it’s really not wise to force it. You know, I have more authority than I did at the beginning of my audit journey.

But I don’t think that exerting, kind of flexing that muscle of “you have to do this,” is the best way to get anything done. I think that it is more effective to lead by influence. We’re not in the process of formally appointing team champions. But this is something you can do informally if you don’t have that go-ahead. Understand who within each function at your organization is gonna champion for you. And really foster those relationships. Promote shared interests.

Again, know how security matters to sales. And make sure they have the sales enablement tools, the brochures, you know, the FAQs, to sell, you know, your security benefits. Because that benefits you, because you can prove revenue impact. Communicate value that matters to others. I think that we need all types of individuals in security. But we really need people who can communicate.

23:28 - Communicate in terms that matter to the audience. And communicate to different audiences.

23:34 - Build trust. I think that every security and compliance leader needs to build trust. But if you’re trying to, you know, DIY an audit cycle on a tight budget, you really need trust.

23:48 - At my organization, a lot of our engineers come from open source backgrounds, because we’re in the Android space. A lot of them grew up on OWASP SAMM and other OSS projects. And what that means is that privacy really matters. It matters to me, and it matters to my engineers.

24:08 - So, I’ve chosen to be aggressively transparent about controls and the fact that I intend long term to defend employee and customer privacy rights. And that actually was a huge way that I won buy in and trust was being really, really transparent about my short and longer term, you know, data collection activities within the context of monitoring.

24:36 - And my privacy values as well. A fourth thing that I think is a valuable tool for leading by influence is advocating for others at all levels of the organization.

24:49 - You’re gonna have a lot of tasks that you need to do to pass an audit. And you can do them yourself, which I did plenty of. And you can also delegate. And I think it’s really important to consider whether there are opportunities to delegate to kind of junior employees.

25:10 - Maybe recent grads, maybe other people in kind of junior roles. Is there something you can assign to people that is an opportunity for them to have a high visibility win? That was a really effective tactic for me. And I think it’s an important way to build security and compliance experience internally. And enable others to get that experience, that on-the-job experience that you yourself early in your career needed. And had a hard time getting. You know? I think many of us faced a lot of gatekeeping.

And it is our responsibility to remove barriers for others. And it’s really great that it also helps you pass audits.

25:54 - InnerSource is the best source. There is a ton of documentation involved in audits. And I have been working and will continue to work to build an InnerSource culture of documentation.

26:07 - The term “InnerSource” was coined by Tim O’Reilly. It means using open source paradigms for internal processes. Open source is something that’s super familiar to a lot of our engineers.

26:19 - So, I think it was a good cultural fit. And it was also a necessity for us to pass audits quickly. I think that our InnerSource documentation practice has some work to do to become mature.

26:34 - But it was what we did because we were resource-strapped. We were growing fast, and we had a global team as well. So, we established a hub for policies and SOPs. For us, we used Confluence as our wiki. Removed barriers for contribution to all. We brought up in kind of the monthly All Hands meeting that everybody was invited to participate in this policy process. These policies need to work for all of us. You know? A policy was never presented as a top-down thing.

And I don’t think it should be. I think that policy should be a collective effort to figure out where you need controls.

27:11 - And, you know, there’s also an effort of matching your controls to audit frameworks. I am transparent about decision making. That’s a huge part of, you know, InnerSource policy culture.

27:25 - I will often share kind of v1 proposed things and collect feedback. I wish I got more feedback, but getting some is a win. And I put in every effort I can to reward people who contribute to documentation. I don’t think anybody’s ever thought it was easy to get engineers to document their standard operating procedures. And things like that. But if you’ve got a healthy, inclusive policy culture, it is easier for sure.

28:01 - Recognition and reward is a huge part of effective leadership. Especially if you’re trying to do audits on a budget. Cause, again, you need voluntary and cross functional support. I think that any compliance budget, no matter how big or small, and security budget, needs funds for rewarding team members who are not, you know, don’t have security in their job title. If they’re helping security, try to make room in your budget for, you know, gift cards, courses, other rewards.

And be public about how you recognize people who have taken action, added value and created an impact. Sorry.

28:49 - I make some time for recognition in security meetings. But I’ve also made a point of getting time in our All Hands meetings with the whole company. And I use Slack as well to really make sure that I am recognizing people in public, internally in public. I try to make a point of spotlighting people who have, you know, exhibited great security behaviors.

29:17 - Behaviors that are helping us on our audit journey. And I’m really loud. You know? We have shoutouts every Friday. I have a lot of shoutouts. I think that it is important to have gratitude for others. And, again, you know, recognize people who are contributing voluntarily. And have really, you know, stepped up and made an impact.

29:46 - Communicate constantly. I don’t think any executive ever has complained about the fact that they are too up to date on a project status. So, regular compliance project updates and security updates are really important. Especially if you’re kind of in a high risk scenario where you have a tight budget, a tight timeline, something like that.

30:13 - I think that, you know, kind of weekly updates, perhaps for different audiences, executives, leadership, company-wide, should be at the core of kind of a compliance communications strategy. And even before you kick off your compliance project and assign tasks out in Jira and stuff like that, start creating conversations with individuals from all teams at all levels of the organization. Start talking about your unified vision for security. How privacy matters to you long term.

How you have a vision for security never being a tool that gets in people’s way, you know? Enabling silent security in every scenario possible. Start having those conversations and define the vision for your program.

30:58 - Impact of compliance is a huge thing to have conversations about. Talk about shared values.

31:03 - You know? Again, for me, I brought up earlier that privacy is something that really matters to a lot of our teams. So, talk about ways that your vision aligns with the vision of other teams. Automation is another thing that is a shared value for me and other technical leaders. And then finally, you know, just be really transparent about audit deliverables. Give people opportunities to step up and take on tasks. And give them the opportunity to own something.

And have impact. I think that a lot of us got to where we are because we were given opportunities to take on projects.

31:48 - And do things. People trusted us. And as a leader, whether or not you have leader in your job title, I think it’s really important to do that for others.

31:59 - Lesson 7, again, not selling anything. There are a lot of open source and premium tools for compliance. Which is really helpful if you’re on a budget. And I think that for all of us, building out compliance is a question of, you know, what do I want to invest in now? You know, where does investment have the impact? You know, where is open source a good long-term solution? And if I can’t afford to cover these control areas with the tool I really want, what can I put in place that is compliant, that is secure, and that’s not too painful to rip out? I’ve used many of the tools on this list.

Some of which I sourced from an amazing blog by JupiterOne. And there are others I have not used, and there are a couple of different free things you can use. JupiterOne is one of several organizations that has a GitHub full of security policies that you can take and adapt to your organization to pass audits if you don’t have a dedicated compliance team. I’m actually pretty new to discovering Google vSEC. But it’s a tool for you to do assessments on your vendors. Risk assessments.

Which is super awesome. I do not use Wizer Training. I’m aware of it. It’s a way to do security training. Communication should involve a lot of different communication styles. So, Wizer is a valuable free tool in the context of other things. Some of our HR and administrative processes are handled through Jira. We do onboarding through Jira Service Management, and IT and access requests. Jira has a free version. For us, we’re not on a free version, we’re definitely on a paid version.

But it was a tool that we could add that didn’t involve another piece of software and cost. Netflix Stethoscope is something I’m looking at. It’s for device configuration management. Super cool. WireGuard is a free VPN. I have not looked into Netflix Dispatch. I hope to do that just because I’m curious.

34:36 - Bitbucket has free analysis. Snyk is an analysis tool with a free version as well.

34:45 - App threat Terraform. All the Amazon tools for cloud security vulnerability monitoring have free versions to a point. You may need more than free to pass your audits. But it’s a free option to see if they work. We use HackerGuardian, which is the cheapest that’s validated by the PCI DSS council. So, it’s an option. And just kind of, you know, to sum things up, I think that compliance is not necessarily the goal for many of us. You know? We don’t embark on our security careers, or start to embark on security careers, because we really want to do governance, risk and compliance.

Not all of us. But we end up doing it. And I think that it can be a really positive thing because, again, compliance can be a tool for sparking change. And those of us who didn’t always fit the mold are amazing change agents.

35:51 - If I had one request, it would be that all of us in the security industry try to stop saying that things are technical or not technical. It’s not a binary evaluation system, and I don’t think it’s the most effective evaluation system. You know? Even when I was in a computer science graduate program, as a woman I faced a lot of times when I was labeled as not technical enough. Or assumed to be not technical enough. And not only was that not true, it’s just not helpful.

And I think that as we get to the point in our careers where we have a platform, we have, you know, initiatives, we have budget, we have a responsibility to stop labeling others or, you know, being gatekeepers by saying that people and things are not technical. Because that’s just not helpful. Governance, risk and compliance has a reputation of not being a technical security domain. And it’s really not true now that we’re trying to scale these kind of outdated frameworks to our mature DevOps and cloud programs.

You know, automation and controls automation is playing an increasingly important role in compliance strategies. It’s the only way you can do it when you have these massive and dynamic cloud environments. So, I think that it is important to stop judging, you know, compliance and compliance people as non-technical because it’s increasingly not true. And that does not go to say that people who don’t have a background in coding have no role in compliance. Because we desperately need people who can communicate and document and lead programs and influence and do things like that.

37:42 - Saying a person is technical does not measure their impact. And often, effective security and compliance leaders are people who have impact in different ways. Almost everybody in security leadership roles is a masterful communicator. Or they probably need to be.

38:02 - You know, again, there is a need for people who advocate for others. Who commit to stopping the security industry’s gatekeeping problem as much as they can. You know, I do not have the same hiring budget by a long shot as people at much larger organizations. I have a limited number of hires I can make. But I can make small change even within that tiny head count, you know? I’m currently hiring for a role that is a security support position to help people who are in help desk achieve a SOC analyst role.

You know, even if you don’t have a huge hiring budget, I think there’s some room to create apprenticeships, give people experience. Things like that. And at larger organizations, you have the privilege to make much larger change. And that’s something we can all do.

39:01 - Effective leaders are relentless about how they set priorities. If you’re doing an audit cycle with not enough budget and resources, priorities are gonna be huge. We need people who are agile. And we need people who can learn. Learn in real time and help others learn. I think that Carlota Sage spoke to that this morning in a teen village panel. That knowledge management is huge. It’s about resources and documenting.

39:34 - Documenting in ways that work for others. And often being kind of an interpreter to help others around you understand as well. Speaking directly to people who are in security leadership roles and people who aspire to them, I think that we have some particular responsibilities. I think that we should see compliance for what it is. And understand that it’s a valuable business tool for sparking change. I understand that compliance is not everything my organization needs to be doing for security by a long shot.

But compliance has been a really helpful tool for getting the budget and resources I need for security and making security maturity progress. You know, have the courage to educate yourselves and others on best practices. Have those conversations with your leadership team. Here’s what we need to do for compliance. Here’s what we should be doing. Educate people in your organization on the difference between security and compliance. And even more importantly, become a SME.

Become a public interest technologist. Join special interest groups or SIGs. And help create a next generation of standards that are more in line with best practices for cloud and multi-cloud environments. There is no shame in using compliance, you know, as an internal tool for winning buy-in. That’s, I think, a highly effective tactic in a resource-strapped security industry. You know, create better open source culture for compliance so that compliance is not a barrier to success for small organizations and startups.

There is a growing culture of people who are sharing policy templates, compliance templates, on GitHub. And creating kind of an open source culture around that. I think that, you know, if you’re taking anything open source, whether it’s code or a template, you should always validate whether it’s, you know, effective and there’s ways to do that.

41:50 - But I’m here for creating a better open source compliance culture.

41:56 - And again, you know, give opportunities to others. You’re going to need a lot of help to pass your audits and it is an opportunity to break down barriers. Really quickly, if you aspire to security or are considering a career in governance, risk and compliance, don’t give up. You know, don’t change yourself to fit anybody’s mold. I’m a security director who does public speaking and I have a neck tattoo. I’m a first generation college graduate.

42:30 - And I’m here. So, I think that the security industry needs all types. And that those of us who have had different backgrounds and think differently are effective change agents.

42:42 - If there was one thing I could change about my early career, I wish I was not so hard on myself. I was building valuable experience in help desk and database analyst positions.

42:57 - And I also wish that I thought a little bit differently about breaking into security.

43:02 - Five years ago cloud wasn’t considered security work. DevOps. Who is here to define exactly what security is or isn’t? Other than the sysadmin domains. I think security involves a lot of job titles that don’t have security in them. And I think we should all be appreciative of ourselves and the fact that we’re building experience.

43:29 - And there are ways, it is not as easy to build GRC experience outside a job as it is perhaps for, you know, pentest your team. But there are ways. Volunteer, get yourself in the local chapter of OWASP. Open source projects. That’s huge. A ton of documentation and process and compliance and audits, that’s something you’re going to build in open source projects. As a hiring manager, I specifically look for people coming from open source backgrounds even if it’s nothing to do with our organization or product.

They can work in global teams using asynchronous processes and mentor others. And have a community mindset. Learn Git. Learning Git does not involve any code. But I think it is a valuable tool for pretty much any security professional. Get a free GitHub account. Build a portfolio on there. You can create templates. And upload those to your GitHub. Carlota Sage taught me that. That’s super valuable. Write. You don’t need to write poetry. Don’t need to write huge technical papers and get them published.

But work on your writing skills and communicate effectively to different audiences. There’s a lot of different ways to do that. Any questions?

LEA: Yeah. We actually had a couple people post questions during. So, I’m going to go ahead and read the first one to you. There are quite a few companies coming out with compliance solutions. Are you looking at some of these? And if so, do they look like they will help?

JASMINE: Sure. So, I do have strong opinions on that.

And when I was putting together this presentation, I really tried to be as agnostic toward any paid solutions as possible. I’m not trying to sell anything. I think a lot of compliance is process and people in leadership. And that matters more in, you know, in the real world than paid tools. That said, we do use a compliance automation solution that I am extraordinarily happy with. Like love. It’s called JupiterOne, it’s a sophisticated cloud inventory tool and I compared it to a lot of different things.

And I love talking about compliance software. Email me, hit me up on Twitter, LinkedIn, and ask me questions.

46:13 - Let’s talk. Great question.

LEA: Nice. The next question that came in during was, any advice for a customer defrauded by a rogue actor internal to a massive corporation who needs to get the audit committee of said Corp. to take them seriously?

JASMINE: I don’t know that I actually... I apologize. Could you possibly share the text you have over Slack, so I make sure I understand?

LEA: Yeah. I can do that.

46:46 - JASMINE: Thanks so much.

LEA: Yeah.

JASMINE: I’m pretty sure I have never been in that situation personally.

46:54 - LEA: Did you get the Slack?

JASMINE: I did. Yeah. I’m looking at it right now. Thank you. That sounds like a really challenging situation. I’m really, really sorry that happened. I am not a lawyer. I would probably, you know, if it’s an issue of fraud that you’re dealing with from a vendor, I would probably talk to your legal counsel.

47:23 - Because they can dig into the specific contract and relationship and give much better and more prescriptive advice.

LEA: That’s always good advice in my opinion.

47:32 - Talk to legal. And the other question that came in is, could you please explain more about volunteering in standards organizations.

JASMINE: Sure. So, there’s a lot of different standards. Some of which are put together by employees. PCI DSS, you know, has employees.

47:59 - They also have industry subject matter experts. So, there’s different ways that standards are put together. However, there are ways to get involved with different standards organizations with varying levels of experience. Joining an OWASP chapter would be a great example of that. And my mind just completely went blank because I’m absolutely exhausted. But there is, yeah. There’s different ways to do that as well. OWASP SAMM is another project you can get involved in.

It’s basically software development life cycle skirt. There’s different open source contribution positions you can take with that. I am not totally sure if MITRE has volunteer positions or just employees. But I would look at different standards you’re interested in and figure out if they have chapter meetings, if they have conferences, if they have open source projects that you can contribute to. As one, you know, way to influence the future of these standards.

LEA: Yeah. Totally. I don’t see any additional questions. Just the last call for questions. And if not, please fill out the survey. Please visit the expo hall because we’re about to go on break. And looking forward to seeing everybody back on the stages I guess in just over an hour. Thanks so much, Jasmine, really appreciate it.

JASMINE: Thanks so much, Lea. Take care!