“A better way to find talent is to identify people with tenacity.”

This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Rey Bango, Senior Security Advocate at Microsoft.

Stephanie Lio
Microsoft Cybersecurity
6 min read · Jun 25, 2019

Cybersecurity careers require tenacity. (Source: Getty Images)

Rey Bango is a security advocate at Microsoft focused on helping the community build secure systems and being a voice for security practitioners and researchers within the company. He has been working in software development for 30 years and recently made the jump to security to help protect people and the web. In addition to his work at Microsoft, Rey was a founding member of the jQuery Project Team, was listed by ThinkVitamin.com as one of the top web developers to follow on Twitter, and was cited by Nettuts as a JavaScript developer to subscribe to for insights. He has spoken at major tech conferences, including W3Conf, Microsoft Build, and THOTCON, hoping to share his experiences and knowledge with the community.

Rey advocates for the security industry’s frontline “doers”. (Source: Rey Bango)

Rey, what do you do?

I am an advocate within Microsoft for the community of security researchers, bug hunters, and practitioners. They are the ones rolling up their sleeves and fighting the good fight, installing the systems that the CISOs purchase, the ones who are on call to defend their networks at all hours of the night.

I want to understand what is important to them in terms of tooling and methodologies, and share that feedback back to Microsoft.

We are great at having conversations at the C-level and with business managers, and I want us to be good at having practitioner-level conversations as well.

If someone wanted to have your job one day, what qualities would they need to be successful?

I tend to engage quite a bit on social media because there are a lot of talented people having great exchanges on there. The hard part is filtering out the signal from the noise but by engaging directly, you’ll hopefully be gleaning information that might be useful feedback.

I’m also an advocate of meeting face to face. There’s nothing like “face time” where you can interpret body language, mannerisms, and nuances of personality that you’d never see online. The hardest thing about any social setting is that first introduction — “hey, I’m so and so.”

It can be difficult to be at a conference by yourself and talk to people, but in this role you are proactively building relationships all the time.

April would hate being a community advocate. (Source: Giphy)

That sounds like a lot of social engagement, in person and online. Do you identify as an extrovert?

I can be very social, but I always look forward to decompressing alone later. For me, working from home helps. When I travel for conferences and speaking engagements, I seek out friends for dinners and meetings to make a big conference feel homier. Stepping away and having more intimate meetings over coffee helps remove me mentally from the craziness of the event.

Rey finds ways to decompress. (Source: Rey Bango)

There is great energy at big industry events, but after a while I do hit a limit.

What made you interested in a career in cyber security?

When malware infects a system, we often think there’s no lasting harm. If malware affects a financial institution, for example, you assume it recovers because they have insurance. But when WannaCry hit, it had a significant impact on human life — on people who needed dialysis or treatment for cancer. I asked myself, “How can I help? How can I change the way I think about security and how others think about it?”

Security incidents have real-life impacts. (Source: Microsoft)

I initially thought security was going to be a volunteer hobby. Making a major career change, leaving thirty years of software development experience, was a scary proposition. At the time I was managing a team and loved my job, but I really felt this was the direction I needed to go in.

Why is it difficult to contemplate changing careers? Given the looming cybersecurity skills gap, shouldn’t it be easier to transition careers for those interested?

Unfortunately, the tech industry often suffers from a mindset of looking for proven experience in the hiring process. The security space can be especially unforgiving. You need to build relationships if you want to enter this space.

A better way to find talent is to identify people with tenacity. My own transition into security was driven by sheer force of will. I knew coding and networking, but hacking a system wasn’t my deal. Once I determined that this is what I wanted to do, I created a plan to train myself and ramp up my skills.

I ask hiring managers to screen for tenacity. If someone doesn’t have twenty years of red teaming, but is demonstrating clear passion and strong interest in a problem space, pay attention! Someone with passion will want to learn and get in the game.

“Screen for tenacity.” (Source: Giphy)

I recently gave a talk at THOTCON about my career transition story, which is a lesson about the importance of looking past someone’s prior life to see what they can contribute now. Being able to do that is the difference between hiring a diamond in the rough and letting them slip into your fingers.

What are you excited to be learning now?

Just before this interview, I was learning about DNS tunneling attacks. Next, I plan to take a course on building advanced exploits with SANS, to dig into attack scenarios that our customers may be facing.

There’s always more to learn! If I can then share my knowledge with someone who might not have access to these resources, it will be worthwhile.

How can cyber security professionals better engage the developer community?

The biggest opportunity is for the security industry to take a leadership role in educating developers on building secure software. Security industry leaders complain that developers don’t think about security enough. On the other hand, what are we doing to teach secure coding best practices?

How can we enable devs to work securely? (Source: Microsoft)

We need more of a partnership mindset. It’s not enough to direct developers to read the OWASP site. Take the time to establish stakeholder meetings and brown bag learning sessions; have dev leads and security leads sit down on a biweekly basis to share learnings and do code reviews.

Developers face a lot of pressure to push out product, with expectations to ship out features faster than ever. Unfortunately, this sometimes causes security to be an afterthought. Also, many devs assume security is baked into a framework or tool they use. Security leaders can help developers “shift left” — to start thinking about security from the beginning of the development lifecycle. My hope is that software developers will realize that they have a part to play in evolving development practices and secure coding.

Another common issue for software developers is that they are smart and will find ways around security restrictions that IT puts on their laptops. Instead of just trying to block their behavior, we need to think about what tools and resources they need and how we can help them accomplish it securely.

Lastly, please settle a debate: Is a pop tart a ravioli?

No. A ravioli is a pasta. A poptart is a toaster pastry. Don’t mess with my pasta!

To follow Rey Bango in person and on the Internet, find him on LinkedIn, Twitter, his website blog, and Medium. He recently wrote about social engineering with Seema Kathuria.

Stephanie Lio
Microsoft Cybersecurity

Product Marketing Manager at Microsoft. Creative, curious, & customer obsessed.