“Be comfortable getting in front of the journey”
This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Ping Look, Cybersecurity Practice Manager for Microsoft’s Detection And Response Team (DART).
Prior to leading Microsoft‘s Detection And Response Team (DART) as Cybersecurity Practice Manager, Ping Look was Executive Advisor for Security Communications and Awareness at Optiv (previously Accuvant). Ping also has over a decade of experience building, promoting, and managing events in the IT space including two of the most iconic security events: Black Hat and DEF CON. It was during her tenure at Black Hat that she earned the (fond) monikers, “The Ping of Death” and “Crusher of Souls”. Ping continues to serve on the Black Hat Briefings and Training Review Boards, and is a podcast member for Social-Engineer.org.
Ping, what do you do?
My roles have always been primarily about people management. A big part is focusing on the day to day operations — making sure customer escalations are appropriately handled, ensuring that we have the right tooling and product support to get the work done — but ultimately, it’s about establishing strong relationships with the consultants on the team, within Microsoft, and with our partners.
During your tenure at Black Hat, you were referred to as the “The One You Don’t Want to Piss Off (or you will die)”, the “Crusher of Souls”, and “Ping of Death”. How did you earn this formidable reputation?
In the early days of Black Hat and DEF CON, we ran like a startup of mostly volunteers. As the event grew, we had to become more professional. That’s where I brought my persona of decisiveness.
We were deprioritizing the noise and focusing on getting things done.
We once dealt with a high-profile speaker who demanded we provide her with a personal helper to fetch her very specific water: room temperature, with sliced lemons and ice on the side. Everyone else around me would likely have said yes to her demands because they didn’t want to risk losing her participation. But I still said no — I felt strongly that her job was to train; our job was to facilitate, not cater to her whims.
I don’t always have the answers, but I’m comfortable making decisions quickly if sound judgment, reason, and logic are on my side. Some people thought I was intense. At the same time, my approach was working because these conferences were growing larger and more successful.
People may hesitate to make decisions because they’re worried about taking accountability for the fallout. How do you get over the fear of making mistakes?
First, I accept that it’s never about my ego. I never worry about getting yelled at or looking bad. Instead, I tell myself that if I have taken all the logical steps for the customer, then I’m comfortable making the decision.
I always ask, “What’s the fairest outcome we can achieve?”
Inevitably, people will be disappointed — maybe a member of our DART team won’t get an engagement they want, or someone at Black Hat isn’t happy with their speaking slot.
As a leader, you have to be comfortable getting in front of the journey and taking accountability if you want to make an impact.
Making decisions by consensus is helpful, because no one knows everything. I have to trust the people around me; I wouldn’t be successful otherwise. In turn, people enjoy working with me because they can rely on me to be honest. I may be candid and blunt, but there’s no extended pain.
You have a degree in Art History and Graphic Design. What connections have you discovered between your artistic training and your current security work?
Everything comes back to creative problem solving and people. Art history is about social interaction —it is the study of a point in time displayed through the graphic arts. In graphic design, we solve problems visually and must work with different stakeholders.
As a graphic designer, I learned a lot about compromise, communication, and about letting go.
Many times as a graphic designer, I had to learn to set aside my ego — for example, the customer might love yellow and black, which isn’t my taste, but I learn to go with it and actually find it easier to create within boundaries.
Historically, many of Michelangelo and Da Vinci‘s masterpieces originated as commissioned works. In contrast, Michelangelo worked on a sculpture for his own tomb but never finished it. I’m like that, in that I’m my own worst customer. I once tried to design my own business card, but was not very successful. It took me forever to decide on a paint for my hallway!
What are 3 qualities someone needs to succeed in a job like yours?
- Humble — It’s tough to be a leader if you’re not putting the team and customer first. As a leader, are you willing to make decisions in which you may not look as good but it makes your team look good?
- Pragmatic — We all strive for an ideal state, but in reality we work within parameters. As a leader, you need to set achievable goals so that people are happier.
- Pay-It-Forward (with mentorship, training, and knowledge sharing) — You have to embrace change from the beginning: Plan for future transitions and handoffs, and enlist everyone in knowledge sharing. This is a problem across the security industry, not just for transitioning teams during long-engagements. Those who’ve been in the industry for decades can struggle to onboard and train junior people because they forget what it’s like to be new. There’s so much to know, but we have to start somewhere.
Recommend 1 cybersecurity New Year’s Resolution for businesses.
Enable multi-factor authentication (MFA). Nine out of ten times, we (the DART team) are there because the customer has not enabled MFA and are left exposed in a password spray or credential harvesting attack.
With MFA enabled, the targeted victim would know someone was taking over their account and would save a lot of time fixing the problem.
Please settle a debate: Is a hot dog a sandwich?
I’m going to say yes: it’s two pieces of soft bread surrounding meat.
If you replace the hot dog with pastrami, you’d have to call it a sandwich. If we replaced it with roast beef, it’s a Philly cheesesteak. A Gyro’s a sandwich, right? It’s just a Mediterranean version. You can’t NOT call those sandwiches.
For more, follow Ping Look on Twitter and LinkedIn, or check her out on the Social-Engineer podcast.
