Career Contrast

Sara Diaz - Sr. Manager, InfoSec and IT

Michael Lane Smith Season 1 Episode 5


Listen to Sara Diaz's journey from her cognitive neuroscience undergraduate studies to her current role as a Sr. Manager in Cybersecurity at Glossier.

From zero trust principles to multi-factor authentication, we delve into the essential concepts defining today's cybersecurity landscape. Sara reflects on her role at Glossier, where enterprise security policies are crucial in defending company assets, and emphasizes the diverse fields within cybersecurity, such as application, network, and identity management.

You can learn more about Sara at https://www.linkedin.com/in/saradiaz42/ 

Visit CareerContrastPod.com for more information. Want to tell your story? Contact us at Careercontrast@gmail.com.

Michael Lane Smith:

This is Career Contrast, the work podcast, and I'm your host, recruiter Michael Lane Smith. Joining me today is Sara Diaz. Welcome, Sara.

Sara Diaz:

Thank you, hi, Michael.

Michael Lane Smith:

Hi Sara. So what did you want to be when you grew up?

Sara Diaz:

Nothing very realistic. I honestly don't think I thought that much about my dream job when I was a kid, but I definitely remember wanting to be a firefighter very badly. I also really wanted to be an author, very different, and then, for sure, an astronaut. I definitely went through a phase where I wanted to be an astronaut. Then it was very sad that there was a minimum height requirement that I certainly didn't meet.

Michael Lane Smith:

That's awesome. And what did you end up studying in college?

Sara Diaz:

I studied cognitive neuroscience in college with a minor in international development, so I was just kind of doing whatever I wanted. I wasn't thinking too much about my career.

Michael Lane Smith:

Understood. When you ultimately got out of college, where did you find your first job?

Sara Diaz:

So I got my first job through a friend that I studied abroad with, actually in Thailand.

Sara Diaz:

We were on a very, very long van ride and she was like a second semester senior already had her job lined up.

Sara Diaz:

I really didn't know what I wanted to do and she was just kind of talking about this company where they had values that really aligned with mine, and it seemed like, you know, a place that really took efforts to train people when they first got there. Like there was a five-week, fully immersive training program in India, and it just sounded like a place to learn. And so, even though I didn't really know what I wanted to do, I just interviewed for a job there at her company, which is called ThoughtWorks, shout out ThoughtWorks, and it's a software consulting company. I ultimately got hired as a QA, which is a quality analyst. It's called different things at different places: quality associate, quality assurance, but it was quality analyst there. And it was great, I just kind of hit the ground running, and they didn't expect you to know much. It was a place where they were just willing to teach you a lot.

Michael Lane Smith:

Right on and, as a quality analyst, what exactly did you do day to day?

Sara Diaz:

So the job of a quality analyst is really to test things, and at that job it's to test software. It's set up a little bit differently than that at a lot of other places, but you would be on a team with the software developers, and so their job would be trying to build something that worked well, and my job was trying to break it so that you know we could make it stronger and it wouldn't break later. So your job as a QA is really to, I mean, you know, in sort of the most like straightforward way, you are just like writing little tests that will like run automatically every time that something new is added. But also, you know, you're kind of like fingers on the keyboard, as they say, just using, let's say, like the web app in unexpected ways.

Michael Lane Smith:

Interesting. Okay, so cognitive neuroscience isn't computer science, at least not from my understanding. How much software experience did you have coming out of college, going into this role as a QA at a software consulting company?

Sara Diaz:

I had to take one computer science class for my major in college.

Sara Diaz:

So I had like literally like intro to computer science and that was it.

Sara Diaz:

And you know, that's definitely not enough to like really know how to code or like know that much about how like anything works.

Sara Diaz:

So I think that what I really learned from that that did end up helping me was just sort of a different framework for thinking, so thinking in conditionals, like a lot of how software is, or if statements, or for loops, or things like that, and just kind of becoming code literate. You know, I think we think of literacy, of course, as being able to read. I think in the world that we're creating around us, and especially in whatever future we can imagine, a concept of code literacy is maybe important: just being able to look at something and getting a sense of what it does. And that did honestly really help me. But beyond that, absolutely nothing from my cognitive neuroscience degree had anything really to do with software.

Michael Lane Smith:

That's funny. Your peers did they go similar routes? Did they end up in software? Did they do consulting? Did they do something completely different?

Sara Diaz:

You know, honestly, a lot of the people I was close with in college were not in the same academic space as me, they were more in the humanities. But it is really common for people at my college to get a consulting job. That's probably the most cliche thing that you can do. I definitely was part of that. But people who studied computer science often went on to get a job as an entry-level or junior engineer somewhere.

Michael Lane Smith:

Understood, understood. In your role as a QA, did you have a large cohort of other folks who started around the same time as you as fresh grads?

Sara Diaz:

Yeah, absolutely. So, not necessarily other QAs, there were a couple, a handful, but my cohort of people who started with me, this kind of goes back to the five-week India program I was talking about. We all went to India together. We got to learn with other people from the company, from all around the world, so people from India, from China, Australia, Germany, Brazil, and so that was really amazing, because you're just with like a hundred other people who are brand new, trying to figure out the same things you're trying to figure out, and you learn from people who don't have the same job as you. You know, like we were with QAs, BAs, which are business analysts, so people who talk to the client and try to translate what the client needs into what developers then need to build, and then the developers. And you really just work together. You learn a lot from each other and you learn that it's really important for you all to have different priorities so that you can ultimately create something that is well balanced.

Michael Lane Smith:

That's really cool. Did their academic backgrounds mirror yours, or were they more software oriented or business?

Sara Diaz:

I would say for the most part more software oriented. For sure, I think, like people who were BAs, they studied whatever, or a lot of them were career changers. But the people who were there to be developers either studied, you know, software development or computer engineering, or they did a boot camp. That's another really common way to get into tech.

Michael Lane Smith:

Start out with whatever your undergraduate study is, and then add a software engineering boot camp at the end.

Sara Diaz:

Or not. Everyone there went to college. Some people just had very different paths and eventually wanted to try out a boot camp and then ended up being able to get a job.

Michael Lane Smith:

And so what do you do now and who do you work for if you're comfortable?

Sara Diaz:

So yeah, of course, I work for a company called Glossier, which is a beauty company. I'm the senior manager of information security and IT.

Michael Lane Smith:

Did your role in QA have a lot to do with security or InfoSec?

Sara Diaz:

In a way, in sort of more of a philosophical way than anything else. But, like I said before, your job as a QA is to break things and to use the thing that everyone is building in ways that it's not intended to be used, and that kind of ends up putting you sometimes in the mindset of a bad actor, maybe more commonly referred to as a hacker, which of course eventually, once you start thinking enough like that, you're just sort of doing security. Like if you're looking at a login screen and thinking, well, what happens if I just put in a bunch of semicolons and then copy them and then paste them all in, and I end up putting in like a thousand characters, what happens? You're then thinking like an attacker, which is just what security is. So in that way it led me to it, which then, you know, I was at a company that also really encouraged giving talks.

Michael Lane Smith:

So I started, at your original company or at Glossier?

Sara Diaz:

Yes, sorry, sorry. Sorry, I might be jumping around a little bit, but sorry. So what was your question?

Michael Lane Smith:

You were talking about hacking things. I was asking about how your role in QA might have led to more InfoSec-related work, and I think you gave a good answer, so I'm happy to move on to the next question. Okay, cool, yeah. So I'm currently recruiting for an InfoSec person to help with identity and access management, and there's a lot of key concepts that were shared with me in preparation for that search, things like zero trust. What, what is zero trust? What other key concepts are important in understanding what someone in cybersecurity or InfoSec does?

Sara Diaz:

That's a great question. So zero trust is very aptly named. It's just kind of the idea of starting from nothing. So someone has to go through a couple of different steps, maybe, to gain access to different parts of the network or a system, and at each of those authentication steps you're proving that you are who you are. So everyone is kind of familiar with this, even if they don't know they are. You know, like everyone's had to set up 2FA on something, or multi-factor, second factor, yes, whether that's through your phone, or even just getting a text from your bank or something like that. That is a second factor. So the first factor being your password, the second factor being something else. The concept is sort of something you know and something you have. So you know your password, you have maybe your phone, and sometimes, more in a corporate setting, maybe it's your specific IP address or a VPN, you know, something like that. So that's, you know, kind of.

Sara Diaz:

Basically, what zero trust is is just making people prove that they are the person they say they are, that it's not compromised in any way. Your network maybe has to prove that it's safe, that it's not compromised. So it gets more and more intense, depending. But some other key concepts. I mean, I think that something that I didn't realize initially when I got into security was how big security is. I think we think of security as one field, but it's really many fields. You know, there's application security, there's network security, there's enterprise security, there's identity and access management, like you're talking about. There's more infrastructure-focused things, and so it really depends so much on what you're trying to do. There are some people whose job it is to kind of be the custodian of all of these things, and there are some people who are extremely, extremely specialized in cloud security or application security. So it really, I hate to say it depends, but it does kind of depend.

Michael Lane Smith:

Yeah, no, that's super helpful. And you know, when I think about zero trust, it's applicable across all of the business areas I've worked in, like back in working at McDonald's or Abercrombie and Fitch or J.Crew, you know, having to log in with an employee ID, to now, in the corporate world, having a VPN, or even a third-party item, like a key to plug into my laptop. Zero trust has shown up in every professional environment I've been in. And you mentioned a lot of different areas of cybersecurity and InfoSec, and it does sound like there's a lot of different directions one could go in their career. What is your focus specifically within that larger ecosystem?

Sara Diaz:

Sure. So my focus, you know, at different times my job has included and gone beyond the scope of my focus, but my focus is more sort of, I mean, InfoSec is largely along the lines of enterprise security.

Sara Diaz:

So things like policies, like writing the company-wide policies, for example the InfoSec policy, I think, is probably the one that we're most familiar with, or maybe a policy on acceptable use, like how you can use your machines, policies on device security, things like that. I think of my focus as being less technical generally, so more compliance focused, maybe working with legal to make sure that we're in compliance with different standards or that we're in good standing with cyber insurance providers and things like that, and also focused on awareness and kind of security culture, I think, is another thing that people talk about. So security culture being, like, how often do we have security awareness trainings? How often do we have phishing campaigns? How familiar are people with the security processes that we have, whether that's reporting phishing emails or flagging something when something goes wrong? Do people know how to report a security incident? You know, just things like that. Just kind of like, do people know where to turn when they see something weird?

Michael Lane Smith:

Yeah, and I can't remember when I learned the term phishing. It had to have been, I feel like, my first job out of college, my first office environment job. What is phishing? Could you explain that to our listeners? PH, yeah, PH phishing.

Sara Diaz:

Sure, yeah, that's a great question. I actually don't know why it's PH, I think maybe just to distinguish it from fishing, fish. But phishing largely refers to an email where someone is trying to get you, is either maybe trying to pretend that they're someone that they're not, trying to get you to click on a link that will either maybe infect your machine with malware or maybe open you up to a login screen that looks a lot like the login screen for your corporate single sign-on or your corporate email, but it's not, and so then they can steal your password. Or sometimes it's, hey, I'm, you know, the head of finance, can you resend me all the W-2s? So just trying to get information that they shouldn't have.

Michael Lane Smith:

Essentially, yeah. I've gotten a lot of phishing samples because my InfoSec teams at various companies do the phishing tests where they're trying to get employees on purpose to discover vulnerabilities. Is that still a common practice, sending fake phishing emails, which is kind of meta?

Sara Diaz:

Absolutely, it's a very common practice. It's definitely something that I do, and I would say it's less so to find out who is vulnerable to a phishing email, and maybe more so for training, you know, just to kind of build a muscle for people.

Sara Diaz:

I love to say that everyone has a bad day. Like sometimes, what I like to say is, sometimes you just haven't had your coffee yet. It's not that if you click on a phishing email you are, you know, dumb, fired, fired. Yeah, it could really happen to anyone. And sometimes phishing emails are very, very good. Most of the time they're not.

Sara Diaz:

But sometimes they're really, really good. And so another part of, we call them phishing campaigns, so kind of sanctioned phishing emails from the security and IT teams, sometimes it's just to kind of get rid of the stigma around clicking on a link, because for us, when people click on a link, it then leads them to an informational page, like, hey, this was a phishing test. Here were some of the red flags in the email. Here's what to do.

Sara Diaz:

If you ever do click on a phishing link, do not hide it, report it to the security team. You know, it's fine, we just need to do things about it. And I think that people really take that to heart. We get a lot of reports now, and sometimes the report is just, hey, I got this weird email, and sometimes the report is, I'm so sorry, I clicked on a link and the second I did it, I realized it was probably not a good idea. What should I do? And I appreciate those messages more than I can say.

Michael Lane Smith:

Yeah, when people are just a little bit more careful, it's really helpful, I'm sure. Yes. I think when you see hackers in the media, you often see a really cool tatted-up person with black hair and dark eyeliner and maybe even a wrist-mounted computer, one hand typing away, just really dramatic, interesting and funny depictions. But I'm hearing from you, and from the example of phishing, that a hacker could just be someone sending malicious hyperlinks in an email that looks like maybe your boss's. Sure. What other things would you say a hacker might typically try to do? What are maybe typical vulnerabilities that cybersecurity professionals might deal with?

Sara Diaz:

So there is something called a script kiddie, and what that is is a person, I think, nicknamed kiddie because oftentimes it's honestly, you know, teenagers that are really interested in security or technology and they're just trying stuff they find on the internet. But it's just a person who finds a known exploit. Because, as much as you can look up what to do if you do something wrong on Google, you can look up how to hack someone.

Michael Lane Smith:

So people, like, not encouraging you to do that, but, but.

Sara Diaz:

But if you're a security professional it's excellent to know these things.

Sara Diaz:

You can literally download a script and then you can create what's called a botnet, which is really just a bunch of cloud computing instances that will just be firing off the same kind of command or sequence of commands to any endpoint, any computer, anything that they can find, and oftentimes it's targeted at a specific vulnerability, so a specific version of, you know, maybe an operating system, maybe just a library that's commonly used to build an application, to exploit a known vulnerability.

Sara Diaz:

And you might think, well, if everyone knows that this is a vulnerability, why wouldn't people just update to the next version where it's patched? This is honestly one of the biggest, it's such a huge, I guess I don't want to say issue, but it's a big challenge for security professionals to just manage patching across however many devices they have. But it's an extremely common way that companies will get attacked, and pretty much every big headline breach that we've all heard of, whether it's Equifax or Target, you know, a lot of these things were just people exploiting known vulnerabilities.

Michael Lane Smith:

And people not updating their software. Yes, yes.

Sara Diaz:

So I'm going to say the word patching probably a lot, and that's really just a very techie word for updating.

Michael Lane Smith:

For following the recommendations that you get pushed to your desktop every time you log into your computer to update your software. That is automated and they'll do it for you. But I'm just I'm too busy, I don't want to slow down and do it.

Sara Diaz:

Yeah, for the average user, for the average corporate employee, it's definitely just keeping your apps and your operating system up to date. If we're thinking about a major web app, it's running on so many different applications or mini applications that are strung together in different ways, and those applications are made up of different libraries, so it turns into a much more complex patching environment. But yes, for the average user, it's just keep your machine up to date. I would say that's a huge recommendation that I have.

Michael Lane Smith:

Yeah, yeah. And you know, I've seen also depictions of hacking as plugging something into a laptop, but I'm hearing from you it could be clicking on a link. So I imagine there are the physical vulnerabilities. So in a corporate environment, it would be maybe the servers that all of the different devices are connected to. It could also be what you said were the endpoints. Could you explain to the audience what endpoints are? What is an endpoint?

Sara Diaz:

Sure. Endpoint can mean a couple of different things, I think. For me now, managing the IT team, very often when I say endpoint I'm thinking about end-user devices, aka laptops, or maybe iPads in a retail company, and so we have a lot of iPads in stores. So really that's what I'm referring to there, and it can mean many different things, but I think that's the most obvious one, I guess.

Michael Lane Smith:

Yeah, yeah. So if you hack an endpoint, you can get into a system. If you hack maybe a server, that's probably more core to an issue, right, having an entire network impacted, versus maybe a single endpoint? Or if you get an endpoint, is it possible that you can disrupt maybe even the whole central network? Tell me more about this.

Sara Diaz:

It really depends on how locked down everything is. So one big focus of security teams is having secure configurations on, you know, laptops. This actually goes back to zero trust. So remember when I was saying, yeah, at the most basic level it's maybe 2FA; on a more advanced level your machine itself might be checked for whether it is reliable. So if something like that is implemented very strictly, like it might be at, maybe, a financial institution, then it's very possible that an infected end-user device would be isolated, the issue would be isolated to that machine. But it really depends.

Sara Diaz:

And the same can go for if a server, let's say, itself is compromised. It's so dependent on, and also we're getting a little bit out of my depth here, this is not my specialty, but a lot of it is just very dependent on the settings, the standards that you have set up in your environment, which is, you know, definitely core to zero trust.

Michael Lane Smith:

Yeah, I'm imagining that there are ways from a technical perspective to create brick walls in the software between what could be vulnerable endpoints and what are, you know, the core business functions of the network. Do you have experience working in kind of architecting what that looks like? I'm imagining, you described your role as focused on policy, maybe even kind of the intersection of how all the systems interact. How much experience do you have in that realm, and what would that look like? How would you describe that?

Sara Diaz:

I think for me personally, my experience with that has been more at the higher level.

Sara Diaz:

So if you think about it as maybe I'm helping to draft a policy and then maybe someone else is implementing the policy, more of the, as we say, fingers-on-the-keyboard work. But I have definitely worked with people. I also, you know, like I said, it really depends on what industry you're in. If you're at a financial organization, you legally are held to a higher standard when it comes to security and compliance. Like you have to have maybe more isolated endpoints. You maybe would have to have something like a YubiKey, which you were referencing earlier, a physical device for your second factor to help you then authenticate to your network. So it depends so much on the information that you're trying to protect. I think that that is a really key point. Not everything should be Fort Knox, you know, because that's a waste of money and energy. Part of operating in a business is accepting risk.

Sara Diaz:

But, uh, to answer your question, sorry, I think one maybe relatable example of that kind of brick wall that you were talking about is literally a firewall, which I think we're all, you know, at least in concept, familiar with.

Michael Lane Smith:

You know, now that I think about it, though, maybe not. When I grew up, we had software on our desktop, like the first of the first five computers ever sold to people's homes, probably, and there was a firewall that you literally clicked on and turned on, and then you had to take it down to make phone calls or actually get on the internet. I don't know if you remember this, but I don't know if kids these days are getting software where they are purposely putting up a firewall. So maybe explain what a firewall is, and I might cut it.

Sara Diaz:

Yeah, sure. So a firewall is something that can be on a network. It can also be, like, we have firewalls on our devices, and it's really just a set of rules that says this is what's allowed in and this is what's allowed out. Sometimes that can be really, really strict and locked down, like, not to get too boring and technical, based on protocol. So you know, when you're visiting a webpage and that webpage is HTTPS and we see the little lock in the URL, the protocol is HTTPS, it's over port 443, whatever. If you're on an insecure webpage, it's port 80, it doesn't matter, but it can be locked down like that specifically.

Sara Diaz:

Or you can have something that's more content-category based, like known malware, or, for a corporate environment maybe, firearms or things like that. Some employers maybe block games and social media sites. So it can happen at many different levels. Or for your laptop, maybe you say no incoming connections other than already individually approved and trusted sources, but everything's allowed out. You know, it can really vary.

Michael Lane Smith:

Interesting. So today, firewalls seem to be complex enough to where you can set conditions and allow conditional access.

Sara Diaz:

Yeah, and you know, the average user isn't doing that, of course, but I think a lot of the people that I have worked with were kind of the kids that were taking apart computers and putting them back together and seeing what they could do. So it leaves a lot of room for exploration, but it also, ideally and a lot of times, is secure by default.

Michael Lane Smith:

Yeah, very cool. If I was a student or a person interested in the more technical side of cybersecurity, what would those job titles look like? What should I look for?

Sara Diaz:

Oh, that's a really good question, you know, I think that, to be 100% honest, I don't know that many people whose first job out of college was cybersecurity.

Sara Diaz:

A lot of the time, I think people will start maybe from IT, and then, like, IT and security are so closely related, which is why I'm now managing the IT team. So maybe I'll start from IT. And also a lot of people I know in IT, they started at Apple stores and then became Apple Geniuses and then went a more corporate route. And you can specialize in things like secure configurations on the firewalls, because that is an area that's extremely related to IT; at some companies, that might actually just be IT's job. So I think, you know, this goes back to the conversation of there being so many different specializations within security. So if you're looking for more of an enterprise or IT or network-focused security role, then maybe that might look like junior systems administrator, something like that. Or I'm trying to think of what my first title was. Administrator is a good example, though. You might see engineer or architect.

Michael Lane Smith:

Maybe architects are doing less hands-on-keyboard.

Sara Diaz:

If you're trying to approach from more of an engineering side, so more focused on AppSec, application security, or cloud security, or DevSecOps, which is, at least was, a really big thing, that's just development, security, operations. It's kind of the infrastructure that builds applications and making sure that we're securing that step by step.

Sara Diaz:

Yes, like then maybe you're starting more from an engineering side and then specializing from there. So you can kind of jump off from either of those, and that might just, yeah, look like junior application security engineer, junior cloud security engineer or analyst. Those are kind of the things to look out for. But I don't think it's super common for people to just jump directly into security from college or from a boot camp. Actually, sorry, that's another way I should talk about: people do boot camps to then go on and become engineers. There are security-focused boot camps absolutely, as well as certifications, and that would really help you make the jump.

Michael Lane Smith:

That was a perfect segue into what I wanted to ask about next, which is certifications or advanced degrees in this space. I've heard of CompTIA. I don't know what it is. I don't know what it stands for. Do you know what that one is, and what other certifications are you aware of in the space?

Sara Diaz:

So the first thing I want to say about certifications is I don't have any, and a lot of the people that I work with didn't. A lot of the people I work with get certifications while they're working. But I want to say that up front, to say you don't need a certification to work in this industry; a lot of people just gain practical experience. So I just don't want to be setting a precedent that this is something that everybody needs to do, because it's not, but it's a really, really great way to get a leg up or even just to see if you're interested. CompTIA is actually just the name of the company, I think it's like computer, like computation technology, I don't know, whatever. And then they offer a bunch of different certifications. One of them is a security certification, and I think that that's just Security+, CompTIA Security+. But if you Google CompTIA, you'll see they have a bunch of different certifications to offer, but definitely that Security+ cert is a really common one. It's a great place to start because it's very broad, so you'll learn about a bunch of different aspects of security and IT. Honestly, I think that it's probably more focused on the IT side of things, but it's still general and very well known, and so when you say that, people are like, oh okay, yeah, this person is serious, is invested in this.

Sara Diaz:

If you're interested in more of the like app sec side of things, there are also ethical hacker certifications. I'm sure that there's like one really common one, but there's a number that you can do. There's also just courses you could do like a Coursera if you wanted to. There's also, if you don't want to pay for anything. There's a bunch of free resources online for pen testing. Pen testing is penetration testing. If that sounds fun to you ethical hacking I would definitely look into pen testing.

Michael Lane Smith:

That's a job in and of itself, and that's just like hacking to help companies really just discover what those vulnerabilities are so they can patch them, right? Exactly, it's hacking so that someone else doesn't do it first. We have a lot of those in the federal government, or at least we have in the past, I believe.

Sara Diaz:

Yeah, it is. Like there are people who that's sort of a tool that they have in their tool belt, um, and maybe their job is broader. But there are also people who that's their whole job is pen testing. Yeah, those people are way cooler than me, but they're the people with the wrist-mounted keyboards.

Michael Lane Smith:

I see I need to talk to them.

Sara Diaz:

They have like skulls on their glasses and stuff. You know, yes, they're very cool and they're often extremely good at their jobs, but also they're using tools, like they're using automated tools as well. So, you know, it's not like you just have to be like a super genius. Sometimes you just need to be good at operating a tool that will do the automation for you. Like, I think something that's good to learn about this job is that a tool operating like a tool can do, can literally send thousands of requests in a second. You can be so good at your job, but you can't do that. So knowing how to operate a tool is very, very, very, you know, to your, to your benefit. Some examples of that, if people are interested. It's like Burp Suite is a great place to start.

Michael Lane Smith:

It's just like a fantastic name for a product.

Sara Diaz:

Yeah, it's great, also very commonly used for testing. But anyway, I think like those are probably, those kind of are two different sides of places to start. So like the CompTIA security cert, if you're maybe more interested in like enterprise security, IT network security, and like looking into ethical hacking if you're more interested in application security or things related to that, like actual development of software.

Michael Lane Smith:

Right on and you know you've talked about a lot of different areas for security. App security is probably in my mind and correct me if I'm wrong the specific security around specific applications within a larger system. Endpoint security specifically focused on devices connected to the larger network. Am I thinking of that right, and are there any other specific named security areas you could summarize for the audience very quickly?

Sara Diaz:

Sure, yeah, absolutely yeah. AppSec, I think, very much what you're saying. It's focusing on basically like misusing different applications, and the way to think about an application can literally just be like, you know, for Glossier, just typing in glossier.com, that's our web app. You know, I think, like often, as just casual users of the internet, we don't necessarily think of the websites we're visiting as apps, but they are.

Sara Diaz:

So I think, like you know, that's absolutely the right way to think about it. Another really common one is cloud security. Almost every company is using someone else's computers to run all of their systems. By someone else's computers I mean the cloud. So a very common example of that is AWS, of course, Amazon Web Services, and having a specialization where you know what the important security settings, security configurations, what those are in an environment like AWS is invaluable. That is like an, it's an extremely, extremely good skill set to have and it also, it helps you learn so much because everything does kind of happen in the cloud. So, like you're, you're still learning a little bit about network security. You're configuring firewalls or like security group rules. You're, you know, you're accessing the like servers directly. You're patching, you know, you're like patch management is very important in the cloud. So it's, it's extremely valuable and you also get, you know, a taste of a lot of different things.

Michael Lane Smith:

Yeah, and I'm familiar with the major, the three major cloud providers, Microsoft Azure, AWS, GCP, Google Cloud Protocol, and each one of those has its own security settings approach. Would you say that, you know, an expert in one is an expert in all, or is it really, you know, each individual knowledge set is expertise in and of itself and a career track or a skill that could be valuable in this space?

Sara Diaz:

And I think that's a really good question. I think that an expert in one is not an expert in all, but that doesn't... It's just kind of learning the semantics of a different system. You know, the specifics, but I think if you understand what is important in cloud security, then you can translate those skills to a different environment. It just might take you a little bit of time, but a lot of any job in tech, honestly, is just knowing how to Google. And so if you know what is important and what you need to be looking for and, you know, you are an expert in GCP and you got a new job at a company that's an AWS shop, you know you can just Google the... yeah, you can figure it out.

Sara Diaz:

It might... there will be some ramp up time and there are definitely some key differences. I'm sure I'm kind of like painting over this with broad strokes, but, um, you know it's. You know you're not an expert in all of them if you're an expert in one, but it's just a matter of like learning more specifics and just investing more time.

Michael Lane Smith:

Absolutely, absolutely.

Michael Lane Smith:

I'd like to go back to the conversation we were having about certifications. In recruiting, certifications oftentimes are like a plus on a resume, but what's most important when I'm having conversations with candidates is their ability to articulate a specific problem or problem set that they were working to solve in the space we're recruiting for. And so you know, it sounds like you were saying the the main qualifications, the main experience you need really is just the knowledge of experience and experience working with cybersecurity concepts and philosophies so that you can employ those or work with the right IT people to deliver. Is there a you know, a set of questions that you would say are pretty common in the interview processes for getting these jobs, and would you agree with my general view on certifications in the recruiting process?

Sara Diaz:

100%. I would agree with that view. That's exactly how I look at it. It's been a very long time since I've interviewed for a security position or since I've interviewed anyone else to, like you know, join with a security position. But I was recently, you know, recruiting for an IT contractor and that's exactly how I would say it. Like if they had certifications, great, but that's not really what I was looking for. It was what do we need, like, what specific problems are we trying to solve? What gaps do we have and what hands-on experience does this person have with those problems, or something that could be, you know, transferable?

Michael Lane Smith:

Absolutely, absolutely. So, yeah, tell me a little bit about how you got your job, your first cybersecurity job, that process, from moving from, maybe it was your first company, I can't remember the name of it, to Glossier directly? ThoughtWorks. ThoughtWorks, yeah. Or did you take a role at Glossier and then step into cyber after?

Sara Diaz:

So I got into security at ThoughtWorks. In security I was giving like tiny little talks around the office, like after work, about like, you know, tiny little security tests that I was doing, and so I was like putting it out there, not knowing or thinking that anything would come from it, just because I kind of wanted to like practice. But because it was out there, it just... I got really lucky. And honestly, forget everything I just said, because it didn't have anything to do with my actual experience. But the security team at ThoughtWorks at that time, which was around 2015 or 2016, was all men, all very experienced senior security practitioners, and they just like didn't think that it was really acceptable anymore, that they had an all male team. And they heard my name and they reached out to me and asked me if I wanted to join, despite not really having specific security experience, and they said that that was fine. And they said that as long as I was, you know, willing to do the work and learn, that they would teach me. And that was incredible. You know, I don't want to act like that's common, that, you know, that's like the mindset, that, like a lot of companies have, and also, hopefully, now, that's not as common, you know, to have a team that's just all men. But it was really, it was so meaningful and so lucky. And I also want to say, by the time I left ThoughtWorks, the team was 50% women.

Michael Lane Smith:

Oh, that's awesome, right on. Yeah, there's been a lot of change in the cybersecurity space and I'm aware of, you know, in the early days of the internet and networks, you had like a centralized server network, and then we launched the cloud and now, you know, you have a lot of host servers run by Amazon, Google, Microsoft, and when you're doing things in the cloud, there's liability on the cloud hosting servers' side... cloud hosting provider, that's the name, cloud hosting provider side, and there's also the vulnerabilities on the apps that you're hosting on the cloud. And you mentioned that you're using a lot of tools these days in cybersecurity. Way back, you were just probably doing raw code to protect your set of servers. Now you're relying on a bunch of other people's general code and the systems they've set up in the cloud and your own applications, and there's just layers of technology built on top of each other.

Michael Lane Smith:

It sounds like technical skills aren't super crucial for what you're doing day to day. What's more important is the understanding of technical concepts. How much do you rely on, you know, I would say maybe like the decades of technology stacks that, you know, have been built up to run security, and, you know, are there often things that come up, like maybe one domino that was put up 30 years ago that could cause the whole system to come crashing down? Like that's something I haven't thought about a lot personally, but I hear about a lot in media or in conversations about technology and vulnerabilities. Tell me a little bit about your thoughts there.

Sara Diaz:

That is such a good question. I think we would typically call this like legacy software or legacy implementation, legacy infrastructure. You know, legacy is the word that people often use to describe kind of what you're, what you're talking about. At a company like Glossier that is newer, you know, it's only been around for 10 years, that's, it's different, you know, it's, it's... It doesn't quite have the maybe legacy issues that like a large institution might have.

Sara Diaz:

I feel like I keep referring to financial institutions, but like, you know, you know, it's, it, you're held to different standards for compliance. You also, as a person on the security team, your concerns might be different when it comes to legacy, you know, just the legacy software, legacy infrastructure that's in place. At Glossier, yeah, sure, there are things that are older and that we're, you know, updating and migrating, but, you know, the oldest would be 10 years, and it's not because we were, you know, we were not really building our own stuff at the infancy of Glossier, so it's just on a really different scale, honestly. So it's still a concern, it's just in different ways and it's like less entrenched almost. It's very hard to undo something that's been in place for 30 years maybe, and it's hard to undo something that's been in place for seven years, but it's less hard, yeah.

Michael Lane Smith:

Yeah, so newer companies like Glossier, you know, just have a less risky technical environment because they can rely on newer products that have been, you know, probably tested a lot more recently and are just more reliable overall.

Sara Diaz:

I think I would maybe not say less risky, I would maybe just say a different set of concerns, because maybe in a startup environment where you're so focused on speed, maybe your concern is more, just like less the underlying infrastructure and more so the way it was put together. So it just really depends. I think that it's so contextual that it's difficult really to get into, but I think it's interesting to talk about it in terms of just your focus is different. Everybody has risk. Absolutely every company, every team is focused on risk. That's what security is. They're just different sets of risk depending on your technical environment, your business environment, the data that you're actually dealing with and the resources that you have.

Michael Lane Smith:

Even... one of the things I think about a lot when it comes to hiring for roles is, you know, how much of a job is "if this, then that", how much of it is standard operating process, service level agreements or SLAs, versus how much is it, you know, you kind of making executive decisions every second of every day? What is your role like in that context?

Sara Diaz:

That's such a good, it's such a funny question, because I feel like I could go either way with that, like in certain ways, like if you blur your eyes enough, maybe a lot, like 90% of it.

Sara Diaz:

Yeah, a lot of it's like the same problems, but if you're looking at things, there's nuance to different um, to different requests. So, like you know, part of my job now is I manage the team that manages the internal support channel, and a lot of the requests that come through the internal support channel are like can I have access to this? Or I got locked out of our single sign on, or I got a new phone, how do I set up 2FA again? And you know, and like a lot of those things are super routine. There can also be factors that mean that you have to really be considerate with how you have to approach it. You know, maybe someone's locked out for a reason that you're like oh, I thought it was this obvious thing, but actually that fix didn't work. We have to look a little bit more into it now. Or maybe, like this person's asking for access, but should they have it? Or maybe this person's asking for access but we're out of seats. Who do we take a seat away from so that we don't, you know, get charged with an overage, things like that.

Sara Diaz:

I think at my, my specific role in those day-to-day is often, if it gets escalated to me.

Sara Diaz:

So my team will field a lot of those questions and requests initially, and then, if there's something a little bit different about it, then they'll talk to me and we'll figure it out together, and maybe that's why I'm thinking a little bit more along the lines of like it's all different, because they shield me from the stuff that's, you know, that's the same. So, you know, I think that, like, I mean, honestly, this is like a little bit different from the question that you're asking, but just to give a sense of how much in security and IT is what we would call like unplanned work, so the things that are just kind of coming in on a day-to-day basis. When we're building out our roadmap for the year, we only really plan for about 40% of our capacity, because we know that about 60% of our capacity is going to be figuring out unplanned work or day-to-day problems that come up. Whack-a-mole, yeah. Like sometimes there are things that are going to be solved in an hour.

Sara Diaz:

Sometimes someone comes in and we're like, oh, this is a weeks-long project actually. They'll come in with a request that's like, oh, can we have, you know, secure FTP to, you know, our... uh, from our, um, HR provider into this Google... We're like, okay, we need to build something to support that, but yeah, we can do it, which is fun. I think, you know, that's... it's maybe a personality trait of people in security and IT that we get excited when we see stuff like that.

Michael Lane Smith:

Yeah, you mentioned a couple of things that I just wanted to clarify for the audience. You mentioned seats. I understand seats to mean, you know, when you are buying software, paying a subscription for software for your employee base, each seat is one person who can use that product and have access to that product. Yes, that's correct.

Sara Diaz:

Honestly, another part of my job at my level is like renewing contracts, renegotiating contracts, things like that. I'm talking to vendors, a lot about things like seats. Sometimes it's not seats based, but a lot of the time it is, and it's exactly what you're saying. It just means like one seat or one license is one person. So when we sign an agreement with, say, um, adobe, for instance very common software we'll maybe get 20 licenses for Adobe Acrobat Pro and we're at 20 and another person on like the creative team or something like that like needs a license. We have to then figure out how to, how to handle that.

Michael Lane Smith:

So that is, that is seats. You also said the word escalations, and I think I heard escalations in a conversation I had with a space services software engineer last week.

Michael Lane Smith:

Check out episode three, everyone. But an escalation is just corporate speak for "I have a problem, I need my boss to step in and handle it", right? In a service-oriented role, like on recruiting, for me, it's, you know, I don't have authorization to extend $10,000 more than I initially was given, I need to ask my boss to get approvals. For you guys, it's, this is a software issue I can't solve immediately, I need Sarah's help. Something like that, right?

Sara Diaz:

It could be, or sometimes it's just like, hey, this request is, you know, weird, I don't really know exactly how to respond, or like this person's asking for something that I know that we can't do or that we don't have the capacity to do. Can you be the one to have that difficult conversation? Which I'm always happy to have. So...

Michael Lane Smith:

Yeah, love difficult conversations.

Sara Diaz:

Honestly, it's like I feel like it's the job of a manager to like be the bad guy, so I'm always happy to step in and be like no, but yeah, I think for sure, like generally, what you're saying escalations is exactly right. It's just, or sometimes it's hey, I just need to like bounce some ideas off of you. Before I get back to this person, my team is amazing and they really they're so smart and they know so much more about a lot of things than I do, so I trust them, like implicitly with so much stuff. So it's really more strategic things that they're coming to me for rather than technical things. If it gets a little bit more into security and our other security systems, then maybe the escalation to me is technical, but oftentimes it's more about like process.

Michael Lane Smith:

Yeah, yeah, I asked earlier a little bit about the evolution of the space. How have you seen disruptors change your space in the you know, eight to 10 years you've been doing it. What's coming?

Sara Diaz:

That's... that is such like a flattering question to ask, 'cause I'm just genuinely like, oh, I don't know, let's see what is coming. No, I mean, I, I think I have like theories, of course, and I have seen things change, definitely. What have you seen? I think that, you know, I think, like with a lot of industries, AI and machine learning are just making tools more advanced, more predictive, and that's great. That's a really good thing.

Sara Diaz:

And I think, specifically in security and IT, that's not an area where it's going to replace people, because those, first of all, those tools need to be like operated and reviewed and configured and, you know, maintained, things like that, but it's also just there are always going to need to be a human element of, you know, handling those kinds of issues. But I think email security is a good example of where I've specifically seen tools become a lot more advanced. You know, like we have basically a tool that sits in front of our email, our incoming email, that we have different like rules configured within it, but it can also just use like AI to determine whether or not something has like a strong, like you know, whether it's likely to be from a malicious sender or a phishing email or just something that's anomalous.

Sara Diaz:

So anomalies are something we talk a lot about in security, and that basically just means something that, you know, deviates from the... because a lot of times something that deviates from the norm can be an indicator of compromise, so something that is maybe a hint that something has gone awry. You know, there's a bad actor who's taken hold somewhere. I think that, like, that technology has gotten great and that's a good thing, because it's not like it's anyone's job to sit there and sift through everybody's emails to make sure that they're all, you know, looking safe.

Michael Lane Smith:

I think I've seen this in action before in my own personal email. You get an email, at the top there's a little yellow band. It says suspicious sender. Maybe instead of it's a company name dot co email it's a company name dot com or dot edu, something random that you wouldn't expect to see. That is an anomaly, but your naked eye might not recognize it because Outlook now hides incoming email addresses. They just show the name. So that's probably a good example, right?

Sara Diaz:

A great example and also just a PSA. I guess it is extremely easy to fake a name in an email. You can pretty much put any name you want. It's much, much, much more difficult, in some ways not possible, to fake an email address. And so if you're suspicious of an email and let's say it's Outlook, you know well, I don't know, I've never been in a place that uses Outlook, so I'm actually not that much of an expert in the specifics of Outlook.

Sara Diaz:

But you know you can open. You can open I feel like this is a thing people are nervous to even open an email that seems suspicious. You can open it. Just don't click on anything or like download any attachments. But if you can look at where the actual like the email address that it's come from, that's a great way to like stop and, you know, get a sense of how legit the thing in your inbox actually is. But yeah, I think email security is definitely. I mean I don't want to say come a long way, because it's not like I've been in this industry for 15 years, but I've seen it advance in the time that I've been here and even in like the tools that I'm assessing now for like the coming years. It's, you know, it's great, it's becoming really, really strong.

Michael Lane Smith:

The last 48 hours have been a stressful period of time. I'm seeing news around civil servants being locked out of access to the government's federal HR workforce system, as well as the payment system from the US Treasury, and they're being forced out by what is being called the DOGE office, the Department of Government Efficiency, led by Elon Musk, and I understand cybersecurity environments and systems are set up with a large variety of complexity and controls, and it's been 11 days, maybe 12 days, of this new presidency. We're seeing a lot of change happen very quickly and a lot of, you know, career civil servants being kicked out and locked out of these systems. As a cybersecurity professional, aside from, maybe, the politics of it, you know, what kind of concerns might you see with that kind of action happening very quickly?

Sara Diaz:

I definitely am not an expert in what's going on. I have a really high level, you know, understanding. But I mean, you know, I think, like kind of moral and philosophical and political concerns aside, when you have something like that, a huge concern is just like knowledge transfer, knowledge loss. You're losing, like, there's so many people who probably have really critical information and context that either, I mean, are going to walk away from their jobs, lose their jobs, just to have access, just kind of be like forced out, and there are going to be things that fall through the cracks, absolutely. And the things that fall through the cracks may not matter, but they, I mean, in, in like any context, they may have huge implications.

Sara Diaz:

Um, and it's, it's just scary to see that it feels really irresponsible to just lock huge swaths of a workforce out, especially in something that impacts so many people like government. I think, honestly, even looking at what's been going on with air traffic control, I think like that's thinking about security in a different way, which is like resources. You know people need to have the resources to do their job and when you're cutting staffing short, bad things are going to happen. Things are going to slip through the cracks and sometimes it won't matter, and sometimes it could matter a lot.

Michael Lane Smith:

Well, thank you for spending so much time chatting with me today. I do want to ask maybe two more questions.

Sara Diaz:

I think, like, try and figure out what is interesting to you, because it isn't a monolith. I mean, some people's jobs like my job is fairly generalized in terms of, you know, cybersecurity practitioner, but I think it's. You're going to have so much more fun at work if you're just kind of like following the thread of a thing that you think is really cool. So if you start getting into like ethical hacking or doing a couple of different like pen testing exercises and you cannot get enough of it, just keep pulling at that thread and then maybe, you know, invest in a certification like we were talking about before.

Sara Diaz:

Um, I think that one of the like traits that serve me the best in my career is like an almost obsessive curiosity about things. Like I can get extremely, extremely into the weeds of like needing to just change, changing small things over and over again until finally it works. Like you're going to fail a lot in this job and in any tech job, honestly, and it's just, you know, keeping at it until the thing is what you want it to be or until the thing works. And if that doesn't sound appealing to you, then, you know, that's fine, that's definitely fine, and maybe that means that something more policy related is more your speed.

Sara Diaz:

Not that you know that doesn't have its own set of like failures and honing and uh obsessiveness. But uh, I would say, just like take a step back, do a little bit of high level research about the different um focus areas and just follow your gut. You know, uh, just kind of like think about what seems interesting to you right now, because you can always change course later on. So you know it's hard to plan for five years from now, at least for me. It's very difficult for me to picture five years from now, or even like two years from now, especially career wise. So I think, just like follow your instinct on what feels interesting and fun and fulfilling now.

Michael Lane Smith:

Awesome. And, as always, my last question how has your work or your career changed you?

Sara Diaz:

Oh, wow, I think that I don't know that it's changed me, but I think that it's made me more aware of a couple of different things. So, for instance, I think that it's made me so aware of how easy it is to make a mistake and how, you know, it... Like things can really happen to anyone. I feel like a lot of times in media or whatever, like people who fall victim maybe to like a phishing email are depicted as like ignorant with technology or, you know, something like that, and I think that, like, it's really made me maybe more like empathetic to the fact that it really can just happen to anybody and to just have a lot of compassion when, you know, like, that's a really tough moment in someone's life and, even if it's not something that impacts you long-term, it doesn't feel good. I've talked to a lot of people after they've, you know, made a mistake and they are going through it. I think it's also taught me to see things in like everyday life in a little bit more of a different way and maybe like more of a kind of zero trust or like secure by design way. Um, if you even think about like your house, you know, when, when you leave your house, you lock the door. Maybe if you have an alarm, you set the alarm, um, but there's security measures that we're all taking all the time, like, you know, if you're driving, if you're on the subway, just like the way that you act reflects how, like, safe that you feel. I think that that's something that I've started to think about a lot more and I've also tried to use that to talk to people about security in a more relatable way.

Sara Diaz:

And I think, kind of like to that effect, like getting more into, like becoming more knowledgeable about cybersecurity, has made me realize, like, how important it is for people to also gain that knowledge and how we need to make it accessible.

Sara Diaz:

So I think the way that it's talked about, it feels like, you know, jargon to people, or it feels like another language, but it's actually so intuitive to all of us. We're all kind of like, you know, threat modeling is sort of a common term that's used in security, just basically means like assessing your threats and acting accordingly. We're all doing that constantly and it just looks a little bit different when you're doing it with software. But I think that it's just made me feel passionate about spreading awareness about, like, what we can all do in our day to day lives and that, like, I want to make people feel empowered to, you know, feel secure on the internet, which we all have to use every single day to just like get through our lives.

Michael Lane Smith:

Yeah, get a password manager.

Sara Diaz:

Get a password manager.

Michael Lane Smith:

Sarah Diaz, yes.

Sara Diaz:

That's the number one. If you remember one thing from this interview, get a password manager.

Michael Lane Smith:

You know the ones that are automatically provided by now Google and Apple. Are those sufficient or would you recommend like a third party?

Sara Diaz:

I think if you are, it's you know it depends your level of. If you're comfortable with that. It's absolutely better than nothing. If, instead of using Chrome's password manager, you were going to just have the same password for everything, definitely use Chrome's password manager. If you feel like up for or interested in using a standalone application like 1Password or LastPass, then do that. That's great. Those are great. I'm a huge fan of 1Password specifically, but LastPass and DashPass are good as well. But honestly, even a note in your note I'm not endorsing this, but a note in your notes app with different passwords is in many ways better than having the same password for everything.

Michael Lane Smith:

Oh man, I feel so seen. For the record, I have moved on to now having a password manager, thanks to you.

Sara Diaz:

You just got it. You got to meet people where they're at.

Michael Lane Smith:

Thank you so much for your time, Sarah.

Sara Diaz:

Thank you.