Girls who cloud.

Getting girls into cloud, programming, and security

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’m working on the next iteration of my cloud security class. As part of that, I have some genuinely wonderful people who help me both by writing code for my labs and testing the labs. I try to have multiple people test them — generally, people who are new to all of it and will make all the mistakes a newbie would because that helps me ensure the instructions are clear. Sometimes I revise the labs or remove things as a result.

Opportunities

One of the people who recently started helping me with my labs is my niece. She’s a senior in high school. In the picture here we were trying out Cloud Mapper to see if I want to use it in the labs or not. We mostly use open source tools, but we are adding a few vendor products as well. In this case, as you can see, we’re getting some errors. I asked her to send me a screenshot. I thought it was a cool photo for this blog about girls who cloud.

Want to learn more about cloud security and cybersecurity? Get a copy: Cybersecurity for Executives in the Age of Cloud

One of the things girls need to get into the cloud, cyber, or programming is the opportunity to try. People shouldn’t push girls into technology. Instead, offer them opportunities where they can do something basic and see if they like it. Not everyone is going to want to continue, and that’s OK, but at least they got a chance to see what it’s like in a supportive environment. I don’t know where my niece would learn anything about cloud if her aunt wasn’t a huge nerd. I also don’t know if she will continue doing it, but that’s perfectly fine.

I always wonder is whether or not I would be doing what I do now it seemingly random events had not occurred as a kid. I wrote about this in a separate blog post on how I got into tech. I also wonder if I would have taken a different path in college if I understood that people did programming for a living. A random turn of events and a book got me to try programming. I found it interesting and figured out how to write a simple program. Later this propelled me to program in college and later as a career.

I recently took a trip to the Living Computers: Museum + Labs as one of the evening events that were part of the AWS Influencer Developer Summit. What I noticed at this event, full of very active and engaged members of the AWS Cloud community, was that a lot of us had programmed as kids. A bunch of us found our old computers, and we were trying to remember how to write little programs in Basic. I even found the book I think taught me to program in 6th grade — TI Beginner’s BASIC.

For whatever reason, many of us there had somehow been exposed to computers at a young age. We gravitated to them, and that seemed to influence our career choices later in life. We were also independently motivated to learn more. Not everyone will be, and that’s OK, but if never allowed to experience or try new technology, kids won’t even know it exists or what they can do with it.

At a security conference I attended earlier this year, I also heard from a person who was part of a program called Technology Access Foundation (TAF) that being a part of that program changed his life. TAF is a program for students who might not otherwise have the opportunity to learn about computers and programming. Having the chance to try things out in a positive, supportive environment combined with the motivation to learn seems to contribute to a future technical career.

Succeeding

This particular lab we were working on was new, and we hit a few glitches. These are the kind of glitches that can be very frustrating for newbies — especially using all sorts of different platforms, operating systems, versions, and libraries. When someone gets stuck, they might get entirely frustrated and give up. It’s at this point that we need to make sure everyone gets the help they need to work through the problem. I’ve been in these points of frustration, and they are maddening — but after you work through them, it’s a great sense of accomplishment. We need to make sure people can get to that point if we want them to succeed.

If women have to ask for help and are made to feel subpar, they might shy away from asking questions again in the future. I taught to an organization, and I noticed that is what was happening. The women were afraid to ask questions in front of their male counterparts.

Additionally, when women’s ideas are regularly shot down, this could lead them to choose another path. I know this affected me in the field of telecom. It still affects me today. If I express an idea in certain environments, and the response is overly critical, aggressive, and defensive comments, I will avoid that scenario in the future. Perhaps I also tend to have that type of personality in the first place, but when women are around, men might want to keep that in mind.

As for women entering the field, if you don’t feel supported in an environment — it might not be you. Don’t give up on technology. Try to find a new job at a different company. Choose companies that have women in technical roles — not just management. These are companies that will likely be more supportive of your career, and more accepting of ideas from women.

Role Models

At the AWS Developer Influencer Summit, I was in the Serverless track, and it was excellent, but I jumped over to containers for one session because I wanted to hear more about App Mesh. I was thrilled to see an incredibly technical woman making the presentation and answering questions. We need more of that. She was not just reciting from a script or giving a motivational speech. She was getting into the technical weeds along with her male counterpart seated at the front table.

After the session, I jumped out to see if they could answer one of my questions — and she was the one with the answer. We need fewer women panels talking about women in technology and more of women talking about technology. Kudos to AWS for what is happening this photo. I’d like to see more women in the crowd, but I believe that this is how we get there. When you put a woman in front of a bunch of men, some of them may scoff or assume she is not competent, but the more we can do this, the more accepted it will become.

Organizations that make decisions about speaker and instructors based on evaluation forms need to take bias into account — from men and women as I wrote about in a prior post — and make adjustments. Women will likely face harsher reviews. That said, I’ve been able to be “above the line” and in some environments get better reviews than male counterparts. So that doesn’t mean you have to let every woman speak. There are plenty of competent women who have the capabilities you need to ensure you have at least some female technical speakers at your next event who can add technical value.

Behavior

I recently saw someone post on Twitter that when dealing with men who tend to bully other people or think they are smarter than everyone else, that you have to tell them they are better and faster than the people around them and they need to wait for everyone else to catch up. It seems this may be reinforcing misconceptions and a less than ideal point of view. I have been in situations where I believe I have a better solution than an aggressive male, but rather than argue about it I will avoid the conversation and let him do whatever he wants — unless my name is on the code. Then he should prepare for battle because I refuse to release something inferior and take the blame. However, in many cases, I will nod and tell him to do whatever he wants.

In other cases, I have quietly backed away from, and avoided assignments for something I knew was going to fail. In those cases, I learned that they later did fail. One of those failed projects is so renowned, people who still work there told me they still talk about it. I tried to prevent it. I tried as nicely as possible to explain the issues and make suggestions to save it, but my opinions were rejected.

Being right doesn’t always help you. Look at Galileo. My bonus was likely negatively affected due to my lack of enthusiasm for the idea. When I finally got a transfer I requested, my new boss that my old boss had been trying to block it. I don’t generally want to tell my boss his idea is going to fail. Instead, I make a few suggestions, and if ignored, try to distance myself. In some cases, I left jobs to stay on good terms with people but escape something that feels like it’s going to end badly. Perhaps there are better strategies but over time my career has taught me to do otherwise is futile.

I was recently at a happy hour talking to a very intelligent and strategic young man. Conversing with him was a great deal of fun. He was, of course, idealistic and opinionated as most of us were when we got out of school and were in the early stages of our career. (Does this sound like I’m old and jaded? Perhaps — ha.) At one point, he told me he was so good at debating that he always wins arguments. I smiled and said, “Do you really always win, or does the other person just get tired of arguing?” He stopped and said he had to think about that. He was a good guy. I was trying to give him an alternate point of view. I think some people think they win, but that’s not actually what is happening. Although I can debate if I really feel the need, mostly I would rather not.

At one point in my career, some architects wanted to build a new architectural platform. They wanted to sneak it into one of my projects. My team was fast and delivered high-quality results, and I didn’t want to have that ruin our track record. I also knew it wouldn’t work for various reasons, but I didn’t want to get into all that. I told the business what they were doing and that the architectural overhead was unnecessary and would cause delays. The head of architecture and the business owner took it to the CTO and duked it out, and they ended up removing the architectural component from my project.

As you can imagine, some people were not happy with me. I suggested that they could still build it, and when it was complete, then teams could use the new architecture. That way, teams wouldn’t be slowed down, and they could get it working first. They and all the other development team leads got in a room to discuss. I tried to skip the meeting because I didn’t care if they built it so long as it was not in my project. I got dragged to the meeting by someone coming to my desk to get me.

There was a room of 15–20 men, and me. I sat quietly while they all debated the architecture. One of them even made fun of me jokingly for being the only nay-sayer in the room. I ignored this. Two years later, the architects pronounced they had completed the new architecture. Along the way, I heard from my friend in QA (a tester) they had some of the problems I predicted. My boss came to me and wanted me to incorporate this new architecture into my project. I asked him why he wasn’t asking all the other men who were in the room supporting it in that meeting? He said he did, but none of them wanted to use it. I told him, “Neither do I.” That was two years of time and money down the tube for that organization, but feeling outnumbered in a room full of men, there was no way I was going to argue about it.

This example is just one of many experiences I have had, where I felt people disrespected my opinion, but I could see how it was all going to turn out. I am not sure people didn’t see things the way I did because I was a woman. However, it demonstrates that men who think they are always right and smarter than the women in the room — maybe could listen a bit more to other points of view. When people (men and women) shoot down women’s ideas repeatedly, some of them are going to quit, leave, choose a new profession, and not be able to contribute to the extent otherwise possible. At the very least, they may choose not to speak up. Men are not always faster, smarter, and better, just for the record. Telling them they are as a strategy to get them to be more cooperative instead of asking them to consider alternate viewpoints that might be as good or better than their own, is not helping, in my opinion.

Getting to cloud

I tend to keep an eye on technology trends, and my predictions have been pretty accurate over the years. When I started programming, I picked up a book on object-oriented programming. I thought it looked promising, so I taught myself how to do it. It was much better than the spaghetti code I learned in the past. I am watching the functional vs. OO debates with interest, but regardless of which you prefer, they are both better than GOTO statements.

Later I saw this guy was trying to sell books on a web site. People said banks would never do it because the transactions were too risky. I immediately switched jobs and got involved in web and later, e-commerce. That guy with the book website — was Jeff Bezos. I’m not trying to follow Mr. Bezos around. He has just had a couple of ideas I thought were game-changers, and I had to jump on board.

Many technologies later, after dabbling in the cloud in years past, I noticed the CIA was going to use AWS. I thought — wait, what? I went and read all of the approximately 70 white papers at the time. This new information convinced me that the cloud was the future and now had the security controls missing in years past. When I tried to use it at work, someone told me, “Just forget it. Capital One will never use AWS!” I responded, “OK…but what would it look like if we did?”

I started the Seattle AWS Architects and Engineers Meetup, which now has almost 3,000 members since I couldn’t use AWS at work. I moved my own systems from a past e-commerce business and scratched my head over all the strange acronyms like EC2 and EBS. My boss was kind enough to let me go to a cloud class. I did a presentation on AWS at work. I even sent my presentation to our CIO after he spoke in Seattle with a short email. “Have you seen the Gartner report?”

Capital One was still trying to build an internal cloud at the time, but when I tried to help someone get up and running on that, it never worked. Finally, they did move to AWS, and I got to be part of the original cloud team. I learned a ton. I think some people made some excellent decisions. I also saw more haste than I would have liked, and some key people left the company. I remember one was in charge of application security. A network architect I highly respected also left. I don’t know why they left, I can only guess.

Although I was excited to move to the cloud and be part of the team, I had concerns about the implementation of some aspects of the cloud infrastructure. That propelled me to write this white paper: Balancing Security and Innovation with Event-Driven Automation. Companies need to be innovative and move quickly but still maintain security. I probably crammed too much into one paper and it took way to long to write, but it was inspired by the things that concerned me about that environment.

At some point, AWS contacted me to tell me I was an AWS Hero. I didn’t know what that was. I thought the emails were spam or phishing at first. It wasn’t until Jeff Barr contacted me on Twitter that I realized this might be important and something real. I looked up what an AWS Hero was and was honored to be invited to join the list. When I told my boss about this honor — he didn’t tell anyone else at the company. I wrote a little blog post about it when I was about to leave the company and some of my coworkers congratulated me, which was nice.

I immediately contacted people at the company after the Capital One breach because I had an inkling about what had happened. My suspicions were correct based on a couple of sources and I wrote about it on this blog. The reason I want to tell people what happened at Capital One — is because it could happen at a lot of companies. What we have been doing in security isn’t working. I hope that by writing about cybersecurity and offering classes, I can help educate more people and make a difference. Maybe some of those people will be women.

Another company was trying to recruit me shortly after I moved to the Capital One security team. At one point, I turned them down. Finally, I said I would come if I could build things the way I wanted. They told me yes. I ended up managing a team of thirty people, and it really wasn’t my thing, but with the help of some brilliant people we delivered the main thing I was interested in building — a secure DevOps pipeline based on my paper that was both flexible in order to deliver quickly yet had failover, visibility, security, and segregation of duties baked in. Architecting an IOT SAAS solution was kind of interesting as well but long story short, I now run my own cloud security business and teach cloud security classes.

I was on the original board of advisors for the SANS cloud curriculum and taught for them for about a year, but have since gone on to author a cloud security class aimed at preventing data breaches. I faced a data breach myself and that led me to almost an obsession with security as I wrote about in another post. I’ve had about 25 years of programming, security, business, and my recent focus — cloud experience. I have a master of security engineering, a master of software engineering, many security certifications like a GSE, reverse engineering malware, advanced pentesting, intrusion detection, incident handling, and others. I understand the perspective of the security team, the developers, and more recently have been helping auditors with cloud security. I hope to train more people in cloud security to help companies prevent data breaches.

Getting more girls to the cloud

I can’t give away all my time. I’m by no means wealthy. I try to provide some cybersecurity knowledge for free on my cloud security blog. One other thing I can afford though is to invite a few high school girls to take one of my cloud security classes. It will probably be hard to do during the school year, but likely I will be teaching classes next summer. If you are a high school girl, drop me a note on LinkedIn and let me know you are interested, why, and where you live. High school girls only please, not parents, teachers, or others. If I have enough interest, maybe I can get a sponsor and run a girls-only class. I hope to hear from you — and who knows maybe my niece will join us if she’s not too busy and still having fun in the cloud.

Even if you can’t make my class — you go, girl! If you want to learn technology, programming, cloud, or cybersecurity, you can do it. If anyone tells you otherwise, ignore them and keep going.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2019

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab