
February 7, 2025 69 mins


Listen to Sarah Diaz's journey from her cognitive neuroscience undergraduate studies to now a Sr. Manager in Cybersecurity at Glossier.

From zero trust principles to multi-factor authentication, we delve into the essential concepts defining today's cybersecurity landscape. Sarah reflects on her role at Glossier, where enterprise security policies are crucial in defending company assets, and emphasizes the diverse fields within cybersecurity, such as application, network, and identity management.

You can learn more about Sara at https://www.linkedin.com/in/saradiaz42/ 

Visit CareerContrastPod.com for more information. Want to tell your story? Contact us at Careercontrast@gmail.com.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Michael Lane Smith (00:11):
This is Career Contrast, the work podcast, and I'm your host, recruiter Michael Lane Smith. Joining me today is Sarah Diaz. Welcome, Sarah.

Sara Diaz (00:20):
Thank you. Hi, Michael.

Michael Lane Smith (00:22):
Hi, Sarah. So what did you want to be when you grew up?

Sara Diaz (00:27):
Nothing very realistic. I honestly don't think I thought that much about my dream job when I was a kid, but I definitely remember wanting to be a firefighter very badly. I also really wanted to be an author, very different, and then, for sure, an astronaut. I definitely went through a phase

(00:49):
where I wanted to be an astronaut. Then it was very sad that there was a minimum height requirement that I certainly didn't meet.

Michael Lane Smith (00:57):
That's awesome. And what did you end up studying in college?

Sara Diaz (01:02):
I studied cognitive neuroscience in college with a minor in international development, so I was just kind of doing whatever I wanted. I wasn't thinking too much about my career.

Michael Lane Smith (01:17):
Understood. When you ultimately got out of college, where did you find your first job?

Sara Diaz (01:22):
So I got my first job through a friend that I studied abroad with, actually in Thailand. We were on a very, very long van ride and she was a second-semester senior, already had her job lined up. I really didn't know what I wanted to do, and she was just kind of talking about this company where they had values

(01:44):
that really aligned with mine, and it seemed like, you know, a place that really took efforts to train people when they first got there. Like there was a five-week, fully immersive training program in India, and you know, it just sounded like a place to learn. And so, even though I didn't really know what I wanted to do, I just

(02:05):
interviewed for a job there at her company, which is called ThoughtWorks, shout out ThoughtWorks, and it's a software consulting company. I ultimately got hired as a QA, which is a quality analyst. It's called different things at different places: quality associate, quality assurance. But it was quality analyst there, and it was great. I just kind of hit the ground

(02:27):
running, and they didn't expect you to know much. It was a place where they were just willing to teach you a lot.

Michael Lane Smith (02:34):
Right on. And as a quality analyst, what exactly did you do day to day?

Sara Diaz (02:39):
So the job of a quality analyst is really to test things, and at that job it's to test software. It's set up a little bit differently than that at a lot of other places, but you would be on a team with the software developers, and so their job would be trying to build

(02:59):
something that worked well, and my job was trying to break it so that, you know, we could make it stronger and it wouldn't break later. So your job as a QA is really to, I mean, you know, in sort of the most straightforward way, you are just writing little tests that will run automatically every time that something new is added.

(03:20):
But also, you know, you're kind of fingers on the keyboard, as they say, just using, let's say, the web app in unexpected ways.

Michael Lane Smith (03:30):
Interesting. Okay, so cognitive neuroscience isn't computer science, at least not from my understanding. How much software experience did you have coming out of college, going into this role as a QA at a software consulting company?

Sara Diaz (03:44):
I had to take one computer science class for my major in college. So I had literally intro to computer science, and that was it. And you know, that's definitely not enough to really know how to code or know that much about how anything

(04:06):
works. So I think that what I really learned from that that did end up helping me was just sort of a different framework for thinking, so thinking in conditionals, so a lot of how software is, like if statements or for loops or things like that, and just kind of becoming code

(04:27):
literate. You know, I think we think of literacy, of course, as being able to read. I think in the world that we're creating around us, and especially in kind of whatever future we can imagine, I think a concept of code literacy is maybe important, just being able to look at something and getting a sense of what it does, and that did honestly really

(04:50):
help me. But beyond that, absolutely nothing from my cognitive neuroscience degree had anything really to do with software.

Michael Lane Smith (05:00):
That's funny. Your peers, did they go similar routes? Did they end up in software? Did they do consulting? Did they do something completely different?

Sara Diaz (05:09):
You know, honestly, a lot of the people I was close with in college were not in the same academic space as me; they were more in the humanities. But it is really common for people at my college to get

(05:30):
a consulting job. That's probably the most cliché thing that you can do. I definitely was part of that. But people who studied computer science often went on to get a job as an entry-level or junior engineer somewhere.

Michael Lane Smith (05:42):
Understood, understood. In your role as a QA, did you have a large cohort of other folks who started around the same time as you, as fresh grads?

Sara Diaz (05:50):
Yeah, absolutely. So, not necessarily other QAs. There were a couple, a handful, but my cohort of people who started with me, this kind of goes back to the five-week India program I was talking about. We all went to India together. We got to learn with other people from the company, from all around the world, so people from India, from China,

(06:13):
Australia, Germany, Brazil, and so that was really amazing, because you're just with a hundred other people who are brand new, trying to figure out the same things you're trying to figure out, and you learn from people who don't have the same job as you. You know, like we were with, it was QAs, BAs, which are business analysts, so people who talk to the client, try and kind of translate what the client needs into what developers

(06:35):
then need to build, and then the developers, and you really just, you work together. You learn a lot from each other, and you learn that it's really important for you all to have different priorities so that you can ultimately create something that is well balanced.

Michael Lane Smith (06:52):
That's really cool. Did their academic backgrounds mirror yours, or were they more software oriented, or business?

Sara Diaz (07:00):
I would say for the most part more software oriented, for sure. I think people who were BAs, they studied whatever, or a lot of them were career changers. But the people who were there to be developers either studied, you know, software development or computer engineering, or they

(07:20):
did a boot camp. That's another really common way to get into tech.

Michael Lane Smith (07:27):
Start out with whatever your undergraduate study is, and then add a software engineering boot camp at the end.

Sara Diaz (07:34):
Or not everyone there went to college. Some people just had very different paths and eventually wanted to try out a boot camp and then ended up being able to get a job.

Michael Lane Smith (07:46):
And so what do you do now, and who do you work for, if you're comfortable?

Sara Diaz (07:49):
So yeah, of course. I work for a company called Glossier, which is a beauty company. I'm the senior manager of information security and IT.

Michael Lane Smith (08:03):
Did your role in QA have a lot to do with security or InfoSec?

Sara Diaz (08:09):
In a way, in sort of more of a philosophical way than anything else. But, like I said before, your job as a QA is to break things and to use the thing that everyone is building in ways that it's not intended, you know, to be used, and that kind of

(08:31):
ends up putting you sometimes in the mindset of a bad actor, you know, maybe more commonly referred to as a hacker, which of course eventually, once you start thinking enough like that, you're just sort of doing security. Like if you're looking at a login screen and thinking, well, what happens if I just put in a bunch of semicolons and then copy them and then paste them

(08:53):
all in, and I ended up putting in like a thousand characters, what happens? You're then thinking like an attacker, which is just what security is. So in that way it led me to it, which then, you know, I was at a company that also really encouraged giving talks.

Michael Lane Smith (09:14):
So, at your original company or at Glossier?

Sara Diaz (09:16):
Yes, sorry, sorry. Sorry, I might be jumping around a little bit, but sorry. So what was your question?

Michael Lane Smith (09:27):
You were talking about hacking things. I was asking about how your role in QA might have led to more InfoSec-related work, and I think you gave a good answer, so I'm happy to move on to the next question. Okay, cool, yeah. So I'm currently recruiting for an InfoSec person to help with identity access management, and there's a lot of key concepts

(09:49):
that were shared with me in preparation for that search, things like zero trust. What is zero trust? What other key concepts are important in understanding what someone in cybersecurity or InfoSec does?

Sara Diaz (10:02):
That's a great question. So zero trust is very aptly named. It's just kind of the idea of starting from nothing. So someone has to go through a couple of different steps, maybe, to gain access to maybe different parts of the

(10:23):
network or a system, and at each of those authentication steps you're proving that you are who you are. So everyone is kind of familiar with this, even if they don't know they are. You know, like everyone's had to set up 2FA on something, or you know, multi-factor, second factor, yes, whether that's through your phone, whether even that's just

(10:43):
getting a text from your bank or something like that. That is a second. So the first factor being your password, the second factor being something else. The concept is sort of something you know and something you have. So you know your password, you have maybe your phone sometimes, and more in a corporate setting, maybe it's your

(11:04):
specific IP address or a VPN. You know, something like that. So that's, you know, kind of.

(11:24):
Basically, what zero trust is, is just making people prove that they are the person they say they are, that it's not compromised in any way. Your network maybe has to prove that it's safe, that it's not compromised. So it gets a little bit more and more intense, depending. But some other key concepts. I mean, I think that something that I didn't realize initially

(11:48):
when I got into security was how big security is. I think we think of security as one field, but it's really many fields. You know, there's application security, there's network security, there's enterprise security, there's identity and access management, like you're talking about. There's more infrastructure-focused things,

(12:12):
and so it really depends so much on what you're trying to do. There are some people whose job it is to kind of be the custodian of all of these things, and there's some people who are extremely, extremely specialized in cloud security or, you know, application security. So it really, I hate to say it depends, but it does kind of

(12:37):
depend.

Michael Lane Smith (12:38):
Yeah, no, that's super helpful, and you know, when I think about zero trust, it's applicable across all of the business areas I've worked, like back in working at McDonald's or Abercrombie and Fitch or J.Crew, you know, having to log in with an employee ID, to now, in the corporate world, having a VPN, or even a third-party item, like a key to plug into my laptop.

(12:59):
Zero trust has showed up in every professional environment I've been in, and you mentioned a lot of different areas of cybersecurity and InfoSec, and it does sound like there's a lot of different directions one could go in their career. What is your focus specifically within that larger ecosystem?

Sara Diaz (13:18):
Sure. So my focus, you know, at different times my job has included and gone beyond the scope of my focus, but my focus is more sort of, I mean, InfoSec is largely along the lines of enterprise security. So things like policies, like writing the, you know, the

(13:43):
company-wide policies, for, you know, like the InfoSec policy, I think is probably the one that we're most familiar with, or maybe, you know, a policy on acceptable use, like how you can use your machines, policies on device security, things like that. I think of my focus as being less technical generally, so

(14:06):
more compliance focused, maybe working with legal to make sure that we're, you know, in compliance with different standards, or that we're in good standing with cyber insurance providers and things like that, and also focused on awareness and kind of security culture. I think is another thing that people talk about.

(14:29):
So security culture being, like, how often do we have security awareness trainings? How often do we have, you know, phishing campaigns? How familiar are people with the security processes that we have, whether that's reporting phishing emails or flagging something when something goes wrong?

(14:50):
Do people know how to report a security incident? You know, just things like that. Just kind of like, do people know where to turn when they see something weird?

Michael Lane Smith (14:53):
Yeah, and I can't remember when I learned the term phishing. It had to have been, I feel like, my first job out of college, my first office environment job. What is phishing? Could you explain that to our listeners?

Sara Diaz (15:14):
Sure, yeah, that's a great question. PH, yeah, PH phishing. I actually don't know why it's PH. I think maybe just to distinguish it from fishing, fish. But phishing largely refers to an email where someone is trying to get you, is either maybe trying to pretend that they're someone that they're not, trying to get you to click on a link

(15:36):
that will either maybe infect your machine with malware, or maybe open you up to a login screen that looks a lot like the login screen for your corporate single sign-on or your corporate email, but it's not, and so then they can steal your password. Or sometimes it's, hey, I'm, you know, the head of finance and I
Or sometimes it's hey, I'm, youknow, the head of finance and I

(15:59):
can use it. Can you resend me all the W-2s? So just trying to get information that they shouldn't have, essentially.

Michael Lane Smith (16:06):
Yeah, I've gotten a lot of phishing samples because my InfoSec teams at various companies do the phishing tests where they're trying to get employees on purpose to discover vulnerabilities. Is that still a common practice, sending fake phishing emails, which is kind of meta?

Sara Diaz (16:26):
Absolutely, it's a very common practice. It's definitely something that I do, and I would say it's less so to find out who is vulnerable to a phishing email, and maybe more so for training, you know, just to

(16:46):
kind of build a muscle for people. I love to say that everyone has a bad day. Sometimes, what I like to say is, sometimes you just haven't had your coffee yet. It's not that if you click on a phishing email you are, like, you know, dumb, fired. Fired, yeah. It's just, it could really happen to anyone.

(17:09):
And sometimes phishing emails are very, very good. Most of the time they're not, but sometimes they're really, really good. And so another part of, we call them phishing campaigns, so kind of, like, you know, sanctioned phishing emails from the security and IT teams.

(17:29):
Sometimes it's just to kind of get rid of the stigma around clicking on a link, because for us, when people click on a link, it then leads them to, like, you know, an informational page of, hey, this was a phishing test. Here were some of the red flags in the email. Here's what to do. If you ever do click on a phishing link, do not hide

(17:52):
it. Report it to the security team. You know, it's fine, we just need to do things about it. And I think that people really take that to heart. We get a lot of reports now, and sometimes the report is just, hey, I got this weird email, and sometimes the report is, I'm so sorry, I clicked on a link and the second I did it, I

(18:15):
realized it was probably not a good idea. What should I do? And I appreciate those messages more than I can say.

Michael Lane Smith (18:23):
Yeah, when people are just a little bit more careful, it's really helpful, I'm sure. Yes. I think when you see hackers in the media, you often see a really cool tatted-up person with black hair and dark eyeliner and maybe even with a wrist-mounted computer,

(18:44):
like one hand typing away, just really dramatic, interesting and funny types of depictions. But I'm hearing from you and from the example of phishing that a hacker could just be someone sending malicious hyperlinks in an email that looks like maybe your boss's. Sure. What other things would you say a hacker might typically try to

(19:06):
do? What are maybe typical vulnerabilities that cybersecurity professionals might deal with?

Sara Diaz (19:18):
So there is something called a script kiddie, and what that is, is a person, like, I think, nicknamed kiddie, because oftentimes it's honestly, you know, teenagers that are really interested in security or technology and they're just trying stuff they find on the internet. But it's just a person who finds a known exploit. Because, as much as you can look up what to do if

(19:38):
you do something wrong on Google, you can look up how to hack someone.

Michael Lane Smith (19:44):
So people, people, not encouraging you to do that, but, but.

Sara Diaz (19:48):
But if you're a security professional, it's excellent to know these things. You can literally download a script and then you can create what's called a botnet, which is really just a bunch of cloud computing instances that will just be firing off the same kind of command or sequence of commands to just

(20:11):
any endpoint, any computer, anything that they can find, and oftentimes it's targeted at a specific vulnerability, so a specific version of, you know, maybe an operating system, maybe just a library that's commonly used to build an application, to exploit a known

(20:34):
vulnerability. And you might think, well, if everyone knows that this is a vulnerability, why wouldn't people just update to the next version where it's patched? This is honestly one of the biggest, it's such a huge issue, I guess I don't want to say issue, but it's a big challenge for security professionals to

(20:56):
just manage patching across, you know, however many devices they have. But it's an extremely common way that companies will get attacked, and pretty much every big headline breach that we've all heard of, whether it's Equifax or Target, you know, a lot of these things were just

(21:20):
people exploiting known vulnerabilities.

Michael Lane Smith (21:25):
And people not updating their software. Yes, yes.

Sara Diaz (21:27):
So I'm going to say the word patching probably a lot, and that's really just a very techie word for updating.

Michael Lane Smith (21:32):
For following the recommendations that you get pushed to your desktop every time you log into your computer to update your software. That is automated and they'll do it for you. But I'm just, I'm too busy, I don't want to slow down and do it.

Sara Diaz (21:44):
Yeah, for the average user, for the average corporate employee, it's definitely just keeping your apps and your operating system up to date. For, you know, if we're thinking about a major web app, it's running on so many different kind of applications, or mini applications, that

(22:05):
are, you know, strung together in different ways, and those applications are made up of different libraries, so it turns into this much more complex patching environment. But yes, for the average user, it's just keep your machine up to date. I would say that's a huge recommendation that I have.

Michael Lane Smith (22:21):
Yeah, yeah. And you know, I've seen also depictions of hacking as, you know, plugging something into a laptop, but I'm hearing from you it could be clicking on a link. So I imagine there's the physical vulnerabilities. So at a corporate environment, it would be maybe the servers that all of the different devices are connected

(22:41):
to. It could also be what you said were at the endpoints. Could you explain to the audience what endpoints are? What is an endpoint?

Sara Diaz (22:48):
Sure. Endpoint can mean a couple of different things, I think. For me now, and now managing the IT team, very often when I say endpoint I'm thinking about end-user devices, aka laptops, or maybe, you know, iPads in a retail

(23:09):
company, and so we have a lot of iPads in stores. So really, that's kind of what I'm referring to there, and it can mean many different things, but I think that's the most obvious one, I guess.

Michael Lane Smith (23:23):
Yeah, yeah. So if you hack an endpoint, you can get into a system. If you hack, maybe, a server, that's probably more core to an issue, right, having an entire network impacted, versus maybe a single endpoint? Or if you get an endpoint, is it possible that you can disrupt maybe even the whole central network? Is that? Tell me more about this.

Sara Diaz (23:41):
It really depends on how locked down everything is. So one big focus of security teams is having secure configurations on, you know, laptops. This actually goes back to zero trust. So remember when I was saying, yeah, at the most basic level it's maybe 2FA; on a more advanced level, your

(24:05):
machine itself might be checked for, like, if it is reliable. So if something like that is implemented very strictly, like it might be at maybe a financial institution, then, you know, it's very possible that an infected end-user device would be isolated; the issue

(24:26):
would be isolated to that machine. But it really depends. And the same can go for if a server, let's say, itself is compromised. It's so dependent on, and also we're getting a little bit out of my depth here, I'm not, okay, this is not my specialty, but a lot of it is

(24:47):
just very dependent on the settings, the standards that you have set up in your environment, which is kind of, you know, definitely core to zero trust.

Michael Lane Smith (24:59):
Yeah, I'm imagining that there are ways from a technical perspective to create brick walls in the software between what could be vulnerable endpoints and what are, you know, the core business functions of the network. Do you have experience working in kind of architecting what that looks like?

(25:19):
I'm imagining, you described your role as focused on policy, maybe even kind of the intersection of how all the systems interact. How much experience do you have in that realm, and you know, what would that look like? How would you describe that?

Sara Diaz (25:33):
I think for me personally, my experience with that has been more at the higher level. So if you think about it as maybe I'm helping to draft a policy and then maybe someone else is implementing the policy, more of the, as we say, fingers-on-the-keyboard work, but I have definitely worked with people.

(25:55):
I also, you know, like I said, it really depends on what industry you're in. Like, if you're at a financial organization, you legally are held to a higher standard when it comes to, you know, security and compliance. Like you have to have maybe more isolated endpoints. You maybe would have to have something like a YubiKey, which

(26:15):
you were referencing earlier, a physical device for your second factor to help you then authenticate to your network. So it just depends so much on the information that you're trying to protect. I think that that is a really key point. It's like not everything should be Fort Knox, you know, because that's a waste of money and energy.

(26:36):
Part of operating in a business is accepting risk.

Sara Diaz (26:42):
But, to answer your question, sorry, I think one maybe relatable example of that kind of brick wall that you were talking about is literally a firewall, which I think we're all, you know, pretty kind of, at least in concept, familiar with.

Michael Lane Smith (27:03):
You know, now that I think about it, though, maybe not. Like when I grew up, we had software on our desktop, like the first of the first five computers ever sold to people's homes, probably, and there was a firewall that you literally click on and turn on, and then you had to take it down to make phone calls or actually get on the internet. I don't know if you remember this, but I don't know if kids these days are getting software where they are purposely putting up a firewall.

(27:23):
So maybe explain what a firewall is, and I might cut it.

Sara Diaz (27:28):
Yeah, sure. So a firewall is something that can be on a network. It can also be, like, we have firewalls on our devices, and it's really just a set of rules that says this is what's allowed in and this is what's allowed out. Sometimes that can be really, really strict and locked down,

(27:48):
like based on, not to get too boring and technical, but based on protocol. So you know, when you're visiting a webpage and that webpage is HTTPS and we see the little lock in the URL, that is over, you know, the protocol is HTTPS, it's over port 443, whatever. If you're on an insecure webpage, it's port 80. It

(28:09):
doesn't matter, but it can be locked down like that, specifically. Or you can have something that's more content-category based, like known malware, or you know, for a corporate environment maybe, like, you know, firearms or things like that. Some employers maybe block games and social

(28:31):
media sites. So it can happen at many different levels. Or for your laptop, maybe you say no incoming connections other than already individually approved and trusted sources, but everything's allowed out. You know, it can really vary.

Michael Lane Smith (28:51):
Interesting. So today, firewalls seem to be complex enough to where you can set conditions and allow conditional access.

Sara Diaz (28:51):
Yeah, and you know, the average user isn't doing that, of course, but some, like, I think a lot of the people that I have worked with were kind of the kids that were taking apart computers and putting them back together and seeing what they could do.

(29:12):
So it leaves a lot of room for exploration, but it also, just ideally and a lot of times, is secure by default.

Michael Lane Smith (29:24):
Yeah, very cool. If I was a student or a person interested in the more technical side of cybersecurity, what would those job titles look like? What should I look for?

Sara Diaz (29:34):
Oh, that's a really good question. You know, I think that, to be 100% honest, I don't know that many people whose first job out of college was cybersecurity. A lot of the time, I think people will start maybe from IT

(29:56):
and then, like, IT and security are so closely related, which is why I'm now managing the IT team. So maybe I'll start from IT. And also a lot of people I know in IT, they started at Apple stores and then became Apple Geniuses and then, you know, went a more corporate route, and you can specialize in things like, oh, secure configurations on

(30:19):
the firewalls, because that is an area that's extremely, extremely related to IT. Like at some companies, that might actually just be IT's job. So I think, you know, this goes back to the conversation of there's so many different, you know, specializations within security.

(30:39):
So if you're looking for more of an enterprise or IT or network-focused security role, then maybe that might look like junior systems administrator, you know, something like that. Or I'm trying to think of what my first title was. Administrator is a good example, though you might see engineer

(31:04):
or architect.

Michael Lane Smith (31:06):
Maybe architects are doing less hands on keyboard.

Sara Diaz (31:09):
If you're trying to approach from more of an engineering side, so more focused on AppSec, application security, or cloud security, or DevSecOps is, at least was, a really big thing. That's just development, security, operations. It's kind of the infrastructure that builds

(31:29):
applications and making sure that we're securing that, step by step. Yes, like then maybe you're starting more from an engineering side and then specializing from there. So either specialize, like, you know, you can kind of jump off from either of those, and that might just, yeah, look like junior application security engineer, yeah, junior cloud

(31:51):
security engineer or analyst. Those are kind of the things to look out for. But I don't think it's super common for people to just jump directly into security from college or from a boot camp. Actually, sorry, that's another way I should talk about, is people do boot camps to then go on and become engineers.

(32:12):
There are security-focused boot camps, absolutely, as well as certifications, and that would really help you make the jump.

Michael Lane Smith (32:21):
That was a perfect segue into what I wanted to ask about next, which is certifications or advanced degrees in this space. I've heard of CompTIA. I don't know what it is. I don't know what it stands for. Do you know what that one is, and what other certifications are you aware of in the space?

Sara Diaz (32:37):
So the first thing I want to say about certifications is I don't have any, and a lot of the people that I work with didn't. A lot of the people I work with get certifications while they're working. But I want to say that up front, to say you don't need a certification to work in this industry. Like a lot of people

(32:58):
just gain practical experience. So, you know, I just, I don't want to be like setting a precedent that, you know, this is something that like everybody needs to do, because it's not, but it's a really, really, really great way to get a leg up or even just, like, to see if you're interested. Um, CompTIA is actually just like the name of the company. I think it's like computer, like computation technology, I don't

(33:22):
know, whatever. But, and then they offer a bunch of different certifications. One of them is a security certification and I think that that's just like Security Plus, CompTIA Security Plus. But if you Google CompTIA, you'll see like they have a bunch of different certifications to offer, but definitely that Security Plus cert is a really common one,

(33:43):
kind of. It's a great place to start because it's very broad, so you'll learn about a bunch of different aspects of security and IT. Honestly, I think that that's probably more focused on like the IT side of things, but it's still general and very well known, and so when you say that, people are like, oh okay, yeah,

(34:04):
like this person is serious, is invested in this. If you're interested in more of the like app sec side of things, there are also ethical hacker certifications. I'm sure that there's like one really common one, but there's a number that you can do. There's also just courses you could do, like a Coursera, if you

(34:25):
wanted to. There's also, if you don't want to pay for anything, there's a bunch of free resources online for pen testing. Pen testing is penetration testing. If that sounds fun to you, ethical hacking, I would definitely look into pen testing.

Michael Lane Smith (34:41):
That's a job in and of itself, and that's just like hacking to help companies really just discover what those vulnerabilities are so they can patch them, right? Exactly, it's hacking so that someone else doesn't do it first. We have a lot of those in the federal government, or at least we have in the past, I believe.

Sara Diaz (34:56):
Yeah, it is like there are people who, that's sort of a tool that they have in their tool belt, um, and maybe their job is broader. But there are also people who, that's their whole job, is pen testing. Yeah, those people are way cooler than me, but they're the people with the wrist-mounted keyboards.

Michael Lane Smith (35:13):
I see. I need to talk to them.

Sara Diaz (35:15):
They have like skulls on their glasses and stuff. You know, yes, they're very cool and they're often extremely good at their jobs, but also they're using tools, like they're using automated tools as well. So, you know, it's not like you just have to be like a super genius. Sometimes you just need to be good at operating a tool that

(35:35):
will do the automation for you. Like, I think something that's good to learn about this job is that a tool, operating like a tool can do, can literally send thousands of requests in a second. You can be so good at your job, but you can't do that. So knowing how to operate a tool is very, very, very, you know, to your, to your benefit.

(35:57):
Some examples of that, if people are interested. It's like Burp Suite is a great place to start.

Michael Lane Smith (36:01):
It's just like a fantastic name for a product.

Sara Diaz (36:04):
Yeah, it's great, also very commonly used for testing. But anyway, I think like those are probably, those kind of are two different sides of places to start. So like CompTIA security cert, if you're maybe more interested in like enterprise security, IT, network security, and like looking into ethical hacking if you're more interested in

(36:25):
application security or things related to that, like actual development of software.

Michael Lane Smith (36:31):
Right on. And, you know, you've talked about a lot of different areas for security. App security is probably, in my mind, and correct me if I'm wrong, the specific security around specific applications within a larger system. Endpoint security, specifically focused on devices connected to the larger network. Am I thinking of that right, and are there any other specific named security areas you could summarize for the audience very

(36:54):
quickly?

Sara Diaz (36:55):
Sure, yeah, absolutely, yeah. AppSec, I think very much what you're saying. It's focusing on basically like misusing different applications, and the way to think about an application can literally just be like, you know, for Glossier, just typing in glossier.com, that's our web app. You know, I think, like often, as just

(37:18):
casual users of the internet, we don't necessarily think of the websites we're visiting as apps, but they are. So I think, like, you know, that's absolutely the right way to think about it. Another really common one is cloud security. Almost every company is using someone else's computers to run

(37:43):
all of their systems. By someone else's computers I mean the cloud. So a very common example of that is AWS, of course, Amazon Web Services, and having a specialization where you know what the important security settings, security configurations, what those are in an environment like AWS is

(38:07):
invaluable. That is like an, it's an extremely, extremely good skill set to have, and it also, it helps you learn so much because everything does kind of happen in the cloud. So, like, you're, you're still learning a little bit about network security. You're configuring firewalls or like security group rules.

(38:27):
You're, you know, you're accessing the like servers directly. You're patching, you know, you're like, patch management is very important in the cloud. So it's, it's extremely valuable and you also get, you know, a taste of a lot of different things.

Michael Lane Smith (38:47):
Yeah, and I'm familiar with the major, the three major cloud providers: Microsoft Azure, AWS, GCP, Google Cloud Protocol, and each one of those has its own security settings approach. Would you say that, you know, an expert in one is an expert in all, or is it really, you know, each individual knowledge set is

(39:08):
expertise in and of itself and a career track or a skill that could be valuable in this space?

Sara Diaz (39:14):
And I think that's a really good question. I think that an expert in one is not an expert in all, but that doesn't. It's just kind of learning the semantics of a different system. You know, the specifics, but I think if you understand what is important in cloud security, then you can translate those

(39:37):
skills to a different environment. It just might take you a little bit of time, but a lot of any job in tech, honestly, is just knowing how to Google. And so if you know what is important and what you need to be looking for, and, you know, you are an expert in GCP and you got a new job at a company that's an AWS shop, you know, you can

(39:59):
just Google the, yeah, you can figure it out. It might, there will be some ramp-up time and there are definitely some key differences. I'm sure I'm kind of like painting over this with broad strokes, but, um, you know, it's, you know, you're not an expert in all of them if you're an expert in one, but it's just a matter of like learning more specifics and just investing more time.

Michael Lane Smith (40:19):
Absolutely, absolutely.

Michael Lane Smith (40:30):
I'd like to go back to the conversation we were having about certifications. In recruiting, certifications oftentimes are like a plus on a resume, but what's most important when I'm having conversations with candidates is their ability to articulate a specific problem or problem set that they were working to solve in the space we're recruiting for.

(40:51):
And so, you know, it sounds like you were saying the, the main qualifications, the main experience you need really is just the knowledge of experience and experience working with cybersecurity concepts and philosophies so that you can employ those or work with the right IT people to deliver. Is there a, you know, a set of questions that you would say are

(41:15):
pretty common in the interview processes for getting these jobs, and would you agree with my general view on certifications in the recruiting process?

Sara Diaz (41:26):
100%. I would agree with that view. That's exactly how I look at it. It's been a very long time since I've interviewed for a security position or since I've interviewed anyone else to, like, you know, join with a security position. But I was recently, you know, recruiting for an IT contractor and it was, that's exactly how I would say it. Like, if they had

(41:49):
certifications, great, but that's not really what I was looking for. It was, what do we need? Like, what specific problems are we trying to solve? What gaps do we have, and what hands-on experience does this person have with those problems, or something that could be, you know, transferable?

Michael Lane Smith (42:10):
Absolutely, absolutely. So, yeah, tell me a little bit about how you got your job, your first cybersecurity job, that process, from moving from maybe it was your first company, I can't remember the name of it, to Glossier directly. ThoughtWorks. ThoughtWorks, yeah. Or did you take a role at Glossier and then step into cyber after?

Sara Diaz (42:53):
So I got into security at ThoughtWorks. In security, I was giving like tiny little talks around the office, like after work, about, like, you know, tiny little security tests that I was doing, and so I was like putting it out there, not knowing or thinking that anything would come from it, just because I kind of wanted to, like, practice. But because it was out there, it just, I got really lucky and,

(43:14):
honestly, like, forget everything I just said, because it didn't have anything to do with my actual experience. But the security team at ThoughtWorks at that time, which was around 2015 or 2016, was all men, all very experienced senior security practitioners, and they just, like, didn't think that

(43:38):
it was really acceptable anymore that they had an all-male team. And they heard my name and they reached out to me and asked me if I wanted to join, despite not really having specific security experience, and they said that that was fine. And they said that as long as I was, you know, willing to do

(43:58):
the work and learn, that they would teach me. And that was incredible. You know, I don't want to act like that's common, that, you know, that's like the mindset that, like, a lot of companies have, and also, hopefully, now that's not as common, you know, to have a team that's just all men. But it was really, it was so meaningful and so lucky.

(44:21):
And I also want to say, by the time I left ThoughtWorks, the team was 50% women.

Michael Lane Smith (44:25):
Oh, that's awesome. Right on. Yeah, there's been a lot of change in the cybersecurity space and I'm aware of, you know, in the early days of the internet and networks, you had like a centralized server network, and then we launched the cloud, and now, you know, you have a lot of host servers run by Amazon, Google, Microsoft, and when you're doing things in the cloud, there's liability on the cloud hosting server's side, cloud

(44:50):
hosting provider, that's the name, cloud hosting provider side, and there's also the vulnerabilities on the apps that you're hosting on the cloud. And you mentioned that you're using a lot of tools these days in cybersecurity. Way back, you were just probably doing raw code to protect your set of servers. Now you're relying on a bunch of other people's general code

(45:13):
and the systems they've set up in the cloud and your own applications, and there's just layers of technology built on top of each other. It sounds like technical skills aren't super crucial for what you're doing day to day. What's more important is the understanding of technical concepts.

(45:39):
How much do you rely on, you know, I would say maybe like the decades of technology stacks that, you know, have been built up to run security, and, you know, are there often things that come up, like maybe one domino that was put up 30 years ago that could cause the whole system to come crashing down? Like, that's something I haven't thought about a lot personally, but I hear about a lot in media or in conversations about technology and vulnerabilities.

(46:01):
Tell me a little bit about your thoughts there.

Sara Diaz (46:04):
That is such a good question. I think we would typically call this like legacy software or legacy implementation, legacy infrastructure. You know, legacy is the word that people often use to describe kind of what you're, what you're talking about. At a company like Glossier that is newer, you know, it's

(46:25):
only been around for 10 years. That's, it's different, you know, it's, it's. It doesn't quite have the maybe legacy issues that, like, a large institution might have. I feel like I keep referring to financial institutions, but, like, you know, you know, it's, it, you're held to different

(46:46):
standards for compliance. You also, as a person on the security team, your concerns might be different when it comes to legacy. You know, just the legacy software, legacy infrastructure

(47:09):
that's in place. At Glossier, yeah, sure, there are things that are older and that we're, you know, updating and migrating, but that, you know, the oldest would be 10 years, and it's not because we were, you know, we were not really building our own

(47:30):
stuff at the infancy of Glossier, so it's just on a really different scale, honestly. So it's still a concern, it's just in different ways, and it's like less entrenched almost. It's very hard to undo something that's been in place for 30 years maybe, and it's hard to undo something that's

(47:51):
been in place for seven years, but it's less hard, yeah.

Michael Lane Smith (47:55):
Yeah, so newer companies like Glossier, you know, just have a less risky technical environment because they can rely on newer products that have been, you know, probably tested a lot more recently and are just more reliable overall.

Sara Diaz (48:09):
I think I would maybe not say less risky, I would maybe just say a different set of concerns, because maybe in a startup environment where you're so focused on speed, maybe your concern is more, just like less the underlying infrastructure and more so the way it was put

(48:38):
together. So it just really depends. I think that it's so contextual that it's difficult really to get into, but I think it's interesting to talk about it in terms of just your focus is different. Everybody has risk. Absolutely. Every company, every team is focused on risk. That's what security is. They're just different sets of risk depending on your technical

(49:01):
environment, your business environment, the data that you're actually dealing with and the resources that you have.

Michael Lane Smith (49:08):
One of the things I think about a lot when it comes to hiring for roles is, you know, how much of a job is if this, then that, how much of it is standard operating process, service level agreements or SLAs, versus how much is it, you know, you kind of making executive decisions every second of every day?

Sara Diaz (49:31):
What is your role like in that context? That's such a good, it's such a funny question, because I feel like I could go either way with that. Like in certain ways, like if you blur your eyes enough, maybe a lot, like 90% of it. Yeah, a lot of it's like the same problems, but if you're looking at things, there's nuance to different, um, to different requests.

(49:51):
So, like, you know, part of my job now is I manage the team that manages the internal support channel, and a lot of the requests that come through the internal support channel are like, can I have access to this? Or I got locked out of our single sign-on, or I got a new phone, how do I set up 2FA again? And, you know, and like a lot of those things are super routine.

(50:14):
There can also be factors that mean that you have to really be considerate with how you have to approach it. You know, maybe someone's locked out for a reason that you're like, oh, I thought it was this obvious thing, but actually that fix didn't work. We have to look a little bit more into it now. Or maybe, like, this person's asking for access, but should

(50:36):
they have it? Or maybe this person's asking for access but we're out of seats. Who do we take a seat away from so that we don't, you know, get charged with an overage, things like that. I think at my, my specific role in those day-to-day is often, if it gets escalated to me.

(50:58):
So my team will field a lot of those questions and requests initially, and then, if there's something a little bit different about it, then they'll talk to me and we'll figure it out together, and maybe that's why I'm thinking a little bit more along the lines of like it's all different,

(51:18):
because they shield me from the stuff that's, you know, that's the same. So, you know, I think that, like, I mean, honestly, this is like a little bit different from the question that you're asking, but just to give a sense of how much in security and IT is what we would call like unplanned work, so the things that are just kind of coming in on a day-to-day basis. When we're building out our roadmap for the year, we only

(51:40):
really plan for about 40% of our capacity, because we know that about 60% of our capacity is going to be figuring out unplanned work or day-to-day problems that come up. Whack-a-mole, yeah. Like sometimes there are things that are going to be solved in an hour. Sometimes someone comes in and we're like, oh, this is a weeks-long project actually. They'll come in with a request that's like, oh, can we have,

(52:04):
you know, secure FTP to, you know, our, uh, from our, um, HR provider into this Google, we're like, okay, we need to build something to support that, but yeah, we can do it, which is fun. I think, you know, that's, it's maybe a personality trait of people in security and IT that we get excited when we see stuff like that.

Michael Lane Smith (52:26):
Yeah, you mentioned a couple of things that I just wanted to clarify for the audience. You mentioned seats. I understand seats to mean, you know, when you are buying software, paying a subscription for software for your employee base, each seat is one person who can use that product and have access to that product. Yes, that's correct.

Sara Diaz (52:44):
Honestly, another part of my job at my level is like renewing contracts, renegotiating contracts, things like that. I'm talking to vendors a lot about things like seats. Sometimes it's not seats based, but a lot of the time it is, and it's exactly what you're saying. It just means like one seat or one license is one person.

(53:09):
So when we sign an agreement with, say, um, Adobe, for instance, very common software, we'll maybe get 20 licenses for Adobe Acrobat Pro, and we're at 20 and another person on, like, the creative team or something like that, like, needs a license. We have to then figure out how to, how to handle that.

Michael Lane Smith (53:25):
So that is, that is seats. You also said the word escalations, and I think I heard escalations in a conversation I had with a space services software engineer last week. Check out episode three, everyone. But an escalation is just corporate speak for, I have a problem, I need my boss to step in and handle it. Right? In a

(53:50):
service-oriented role, like on recruiting, for me, it's, you know, I don't have authorization to extend $10,000 more than I initially was given. I need to ask my boss to get approvals. For you guys, it's, this is a software issue I can't solve immediately, I need Sarah's help. Something like that, right?

Sara Diaz (54:09):
It could be, or sometimes it's just like, hey, this request is, you know, weird, I don't really know exactly how to respond, or like this person's asking for something that I know that we can't do or that we don't have the capacity to do. Can you be the one to have that difficult conversation? Which I'm always happy to have. So?

Michael Lane Smith (54:26):
Yeah, love difficult conversations.

Sara Diaz (54:28):
Honestly, it's like I feel like it's the job of a manager to, like, be the bad guy, so I'm always happy to step in and be like, no. But yeah, I think, for sure, like generally, what you're saying escalations is, is exactly right. It's just, or sometimes it's, hey, I just need to, like, bounce some ideas off of you

(54:48):
before I get back to this person. My team is amazing and they really, they're so smart and they know so much more about a lot of things than I do, so I trust them, like, implicitly with so much stuff. So it's really more strategic things that they're coming to me for, rather than technical things. If it gets a little bit more into security and our other

(55:10):
security systems, then maybe the escalation to me is technical, but oftentimes it's more about, like, process.

Michael Lane Smith (55:18):
Yeah, yeah. I asked earlier a little bit about the evolution of the space. How have you seen disruptors change your space in the, you know, eight to 10 years you've been doing it? What's coming?

Sara Diaz (55:31):
That's. That is such, like, a flattering question to ask, cause I'm just genuinely like, oh, I don't know, let's see what is coming. No, I mean, I, I think I have like theories, of course, and I have seen things change, definitely. What have you seen? I think that, you know, I think, like with a lot of industries,

(55:52):
AI and machine learning are just making tools more advanced, more predictive, and that's great. That's a really good thing. And I think, specifically in security and IT, that's not an area where it's going to replace people, because those, first of all, those tools need to be, like, operated and reviewed and

(56:13):
configured and, you know, maintained, things like that, but it's also just there are always going to need to be a human element of, you know, handling those kinds of issues. But I think email security is a good example of where I've

(56:33):
specifically seen tools become a lot more advanced. You know, like we have basically a tool that sits in front of our email, our incoming email, that we have different, like, rules configured within it, but it can also just use, like, AI to determine whether or not something has, like, a strong,

(56:57):
like, you know, whether it's likely to be from a malicious sender or a phishing email or just something that's anomalous. So anomalies are something we talk a lot about in security, and that basically just means something that, you know, deviates from the, because a lot of times something that deviates from the norm can be an indicator of compromise, so

(57:19):
something that is maybe a hint that something has gone awry. You know, there's a bad actor who's taken hold somewhere. I think that, like, that technology has gotten great and that's a good thing, because it's not like it's anyone's job to sit there and sift through everybody's emails to make sure that they're all, you know, looking safe.

Michael Lane Smith (57:43):
I think I've seen this in action before in my own personal email. You get an email, at the top there's a little yellow band. It says suspicious sender. Maybe instead of, it's a company name dot co email, it's a company name dot com or dot edu, something random that you

(58:04):
wouldn't expect to see. That is an anomaly, but your naked eye might not recognize it because Outlook now hides incoming email addresses. They just show the name. So that's probably a good example, right?

Sara Diaz (58:15):
A great example, and also just a PSA, I guess. It is extremely easy to fake a name in an email. You can pretty much put any name you want. It's much, much, much more difficult, in some ways not possible, to fake an email address. And so if you're suspicious of an email, and let's say it's

(58:38):
Outlook, you know, well, I don't know, I've never been in a place that uses Outlook, so I'm actually not that much of an expert in the specifics of Outlook. But, you know, you can open. You can open, I feel like this is a thing people are nervous to even open an email that seems suspicious. You can open it. Just don't click on anything or, like, download any attachments. But if you can look at where the actual, like, the email

(59:00):
address that it's come from, that's a great way to, like, stop and, you know, get a sense of how legit the thing in your inbox actually is. But yeah, I think email security is definitely. I mean, I don't want to say come a long way, because it's not like I've been in this industry for 15 years, but I've seen it

(59:21):
advance in the time that I've been here, and even in, like, the tools that I'm assessing now for, like, the coming years. It's, you know, it's great, it's becoming really, really strong.

Michael Lane Smith (59:36):
The last 48 hours have been a stressful period of time. I'm seeing news around civil servants being locked out of access to the government's federal HR workforce system, as well as the payment system from the US Treasury, and they're being forced out by what is being called the DOGE office,

(59:58):
the Department of Government Efficiency, led by Elon Musk, and I understand cybersecurity environments and systems are set up with a large variety of complexity and controls, and it's been 11 days, maybe 12 days, of this new presidency. We're seeing a lot of change happen very quickly and a lot of,

(01:00:20):
you know, career civil servants being kicked out and locked out of these systems. As a cybersecurity professional, aside from, maybe, the politics of it, you know, what kind of concerns might you see with that kind of action happening very quickly?

Sara Diaz (01:00:36):
I definitely am not an expert in what's going on. I have a really high level, you know, understanding. But I mean, you know, I think, like, kind of moral and philosophical and political concerns aside, when you have something like that, a huge concern is just like knowledge transfer, knowledge loss. You're losing, like, there's so many people who probably have

(01:00:57):
really critical information and context that either, I mean, are going to walk away from their jobs, lose their jobs, just to have access, just kind of be, like, forced out, and there are going to be things that fall through the cracks, absolutely. And the things that fall through the cracks may not matter, but they, I mean, in, in like any context, they may have huge implications.

(01:01:21):
Um, and it's, it's just scary to see that. It feels really irresponsible to just lock huge swaths of a workforce out, especially in something that impacts so many people, like government. I think, honestly, even looking at what's been going on with

(01:01:43):
air traffic control, I think, like, that's thinking about security in a different way, which is, like, resources. You know, people need to have the resources to do their job, and when you're cutting staffing short, bad things are going to happen. Things are going to slip through the cracks and sometimes it won't matter, and sometimes it could matter a lot.

Michael Lane Smith (01:02:06):
Well, thank you for spending so much time chatting with me today. I do want to ask maybe two more questions.

Sara Diaz (01:02:46):
I think, like, try and figure out what is interesting to you, because it isn't a monolith. I mean, some people's jobs, like my job, is fairly generalized in terms of, you know, cybersecurity practitioner, but I think it's. You're going to have so much more fun at work if you're just kind of, like, following the thread of a thing that you think

(01:03:08):
is really cool. So if you start getting into, like, ethical hacking or doing a couple of different, like, pen testing exercises and you cannot get enough of it, just keep pulling at that thread and then maybe, you know, invest in a certification like we were talking about before.

(01:03:29):
Um, I think that one of the, like, traits that serve me the best in my career is like an almost obsessive curiosity about things. Like, I can get extremely, extremely into the weeds of, like, needing to just change, changing small things over and over again until finally it works. Like, you're going to fail a lot in this job and in any tech job,

(01:03:53):
honestly, and it's just, you know, keeping at it until the thing is what you want it to be or until the thing works. And if that doesn't sound appealing to you, then, you know, that's fine, that's definitely fine, and maybe that means that something more policy related is more your speed. Not that, you know, that doesn't have its own set of, like,

(01:04:15):
failures and honing and, uh, obsessiveness. But, uh, I would say, just, like, take a step back, do a little bit of high level research about the different, um, focus areas and just follow your gut. You know, uh, just kind of, like, think about what seems interesting to you right now, because you can always change

(01:04:36):
course later on. So, you know, it's hard to plan for five years from now, at least for me. It's very difficult for me to picture five years from now, or even, like, two years from now, especially career-wise. So I think, just, like, follow your instinct on what feels interesting and fun and fulfilling now.

Michael Lane Smith (01:04:55):
Awesome. And, as always, my last question: how has your work or your career changed you?

Sara Diaz (01:05:03):
Oh, wow, I think that I don't know that it's changed
me, but I think that it's mademe more aware of a couple of
different things.
So, for instance, I think thatit's made me more aware of a
couple of different things.
So, for instance, I think thatit's made me so aware of how
easy it is to make a mistake andhow you know it.

(01:05:25):
Like things can really happento anyone.
I feel like a lot of times inmedia or whatever, like people
who fall victim maybe to like aphishing email are depicted as
like ignorant with technology oryou know something like that,
and I think that like it'sreally made me maybe more like

(01:05:45):
empathetic to the fact that itreally can just happen to
anybody and to just have a lotof compassion when you know like
that's a really tough moment insomeone's life and, even if
it's not something that impactsyou long-term, it doesn't feel
good.
I've talked to a lot of peopleafter they've, you know, made a
mistake and they are goingthrough it.

(01:06:06):
I think it's also taught me tosee things in like everyday life
in a little bit more of adifferent way and maybe like
more of a kind of zero trust orlike secure by design way.
Um, if you even think aboutlike your house, you know when,
when you leave your house, youlock the door.
Maybe if you have an alarm, youset the alarm, um, but there's

(01:06:30):
security measures that we're alltaking all the time, like you
know, if you're driving, ifyou're on the subway, just like
the way that you act reflectshow like safe that you feel.
I think that that's somethingthat I've started to think about
a lot more and I've also triedto use that to talk to people
about security in a morerelatable way.

(01:06:58):
And I think, kind of like to that effect, like, getting more
into, like, becoming more knowledgeable about
cybersecurity, has made me realize, like, how important it
is for people to also gain that knowledge and how we need to
make it accessible.
So I think the way that it's talked about, it feels like, you
know, jargon to people, or it feels like another language, but
it's actually so

(01:07:18):
intuitive to all of us.
We're all kind of, like, you know, threat modeling is sort of a
common term that's used in security that just basically means
like assessing your threats and acting accordingly.
We're all doing that constantly and it just looks a little bit
different when you're doing it with software.
But I think that it's just made me feel passionate about
spreading awareness about, like, what we can all do in our day

(01:07:39):
to day lives and that, like, I want to make people feel
empowered to, you know, feel secure on the internet, which we
all have to use every single day to just, like, get through our
lives.

Michael Lane Smith (01:07:51):
Yeah, get a password manager.

Sara Diaz (01:07:53):
Get a password manager.

Michael Lane Smith (01:07:54):
Sarah Diaz, yes.

Sara Diaz (01:07:56):
That's the number one.
If you remember one thing from this interview, get a password
manager.

Michael Lane Smith (01:08:02):
You know the ones that are automatically
provided now by Google and Apple.
Are those sufficient, or would you recommend, like, a third party?

Sara Diaz (01:08:09):
I think if you are, it's, you know, it depends on your
level of, if you're comfortable with that.
It's absolutely better than nothing.
If, instead of using Chrome's password manager, you were going
to just have the same password for everything, definitely use
Chrome's password manager.
If you feel like up for or interested in using a standalone

(01:08:33):
application like 1Password or LastPass, then do that.
That's great.
Those are great.
I'm a huge fan of 1Password specifically, but LastPass and
DashPass are good as well.
But honestly, even a note in your... I'm not endorsing this,
but a note in your notes app with different passwords is in

(01:08:57):
many ways better than having thesame password for everything.

Michael Lane Smith (01:09:01):
Oh man, I feel so seen.
For the record, I have moved on to now having a
password manager, thanks to you.

Sara Diaz (01:09:09):
You just got it.
You got to meet people where they're at.

Michael Lane Smith (01:09:11):
Thank you so much for your time, Sarah.

Sara Diaz (01:09:13):
Thank you.
© 2025 iHeartMedia, Inc.