1 00:00:00,500 --> 00:00:10,800 [Laughter] 2 00:00:03,650 --> 00:00:11,750 thank you I thank you so much for having 3 00:00:10,800 --> 00:00:13,889 me here 4 00:00:11,750 --> 00:00:16,259 you know the organizers in Kevin Tucker 5 00:00:13,889 --> 00:00:18,150 had let me know that there was a you 6 00:00:16,260 --> 00:00:20,460 know a great conference happening here 7 00:00:18,150 --> 00:00:22,890 and this is my first time at the dojo 8 00:00:20,460 --> 00:00:26,460 and really enjoying seeing seeing the 9 00:00:22,890 --> 00:00:30,210 ambiance and the the the serve workshop 10 00:00:26,460 --> 00:00:33,630 atmosphere here so I've titled my talk 11 00:00:30,210 --> 00:00:35,250 something kind of tongue-in-cheek a 12 00:00:33,630 --> 00:00:37,620 little provocative everything you know 13 00:00:35,250 --> 00:00:39,090 is wrong how computering will while 14 00:00:37,620 --> 00:00:43,169 leading people a beer and during 15 00:00:39,090 --> 00:00:48,120 challenge and a lot of this is some of 16 00:00:43,170 --> 00:00:51,239 my thoughts and and kind of war stories 17 00:00:48,120 --> 00:00:53,399 from over the last five years or so I've 18 00:00:51,239 --> 00:00:56,070 been working in Silicon Valley for 20 19 00:00:53,399 --> 00:01:00,600 years started out my crew my technical 20 00:00:56,070 --> 00:01:03,739 career debugging T1 and T3 lines for an 21 00:01:00,600 --> 00:01:05,519 ISP that was in a basement 22 00:01:03,739 --> 00:01:09,090 non-air-conditioned basement in San 23 00:01:05,519 --> 00:01:10,470 Francisco and was hands-on for about 15 24 00:01:09,090 --> 00:01:12,150 years working my way through all the 25 00:01:10,470 --> 00:01:14,039 various parts of the stack and spending 26 00:01:12,150 --> 00:01:15,360 a good long time doing a system 27 00:01:14,040 --> 00:01:18,960 administration and site reliability 28 00:01:15,360 --> 00:01:21,170 engineering the last five years I ended 29 00:01:18,960 --> 00:01:23,009 up going into management at first 30 00:01:21,170 
--> 00:01:25,950 kicking and screaming but then 31 00:01:23,009 --> 00:01:27,420 eventually learning to embrace the but 32 00:01:25,950 --> 00:01:29,659 the power and the the joy of being able 33 00:01:27,420 --> 00:01:32,939 to lead others and other teams to 34 00:01:29,659 --> 00:01:34,860 fulfill necessary necessary things that 35 00:01:32,939 --> 00:01:37,710 had to happen in security as well as 36 00:01:34,860 --> 00:01:39,420 helped to grow themselves but what I 37 00:01:37,710 --> 00:01:41,669 wanted to talk about today a little bit 38 00:01:39,420 --> 00:01:44,759 is how a lot of the things that you 39 00:01:41,670 --> 00:01:48,210 start out and eventually learn to become 40 00:01:44,759 --> 00:01:49,950 a proficient engineer need to be either 41 00:01:48,210 --> 00:01:52,169 turned on their head or reformulated 42 00:01:49,950 --> 00:01:54,240 when you move into trying to lead people 43 00:01:52,170 --> 00:01:55,530 it is a very obvious thing of course but 44 00:01:54,240 --> 00:01:58,919 it's a hard thing to shake off those 45 00:01:55,530 --> 00:02:03,600 habits once you're once you're well into 46 00:01:58,920 --> 00:02:06,930 your profession I took this I took this 47 00:02:03,600 --> 00:02:09,780 quote from Oliver Wendell Holmes who was 48 00:02:06,930 --> 00:02:11,440 one of our early Supreme Court jurors 49 00:02:09,780 --> 00:02:13,330 I'm saying that the young man 50 00:02:11,440 --> 00:02:16,690 the rules but the old man knows the 51 00:02:13,330 --> 00:02:19,000 exceptions and have found that I'm 52 00:02:16,690 --> 00:02:23,200 probably on a certain a certain side of 53 00:02:19,000 --> 00:02:26,770 the line now at this point okay so uh 54 00:02:23,200 --> 00:02:29,320 just grabbing some notes from here but 55 00:02:26,770 --> 00:02:30,880 I'm I'm gonna start with one of the one 56 00:02:29,320 --> 00:02:32,769 of the kind of precepts behind being a 57 00:02:30,880 --> 00:02:34,720 great engineer was which is that you're 58 00:02:32,770 --> 
00:02:37,050 showing your work not just telling it a 59 00:02:34,720 --> 00:02:39,370 lot of times one of the things that I 60 00:02:37,050 --> 00:02:41,830 appreciated most about my first mentor 61 00:02:39,370 --> 00:02:44,500 was that we were constantly being asked 62 00:02:41,830 --> 00:02:46,120 to prove what we had done and to show it 63 00:02:44,500 --> 00:02:48,370 in an almost very mathematical way and I 64 00:02:46,120 --> 00:02:50,440 took that capability or that mindset 65 00:02:48,370 --> 00:02:54,840 into every single job I took afterwards 66 00:02:50,440 --> 00:02:58,030 and it worked well up to that point and 67 00:02:54,840 --> 00:02:59,590 you know this idea of having to being 68 00:02:58,030 --> 00:03:02,290 able to just show your work and being 69 00:02:59,590 --> 00:03:03,820 able to demand that others also rise up 70 00:03:02,290 --> 00:03:06,190 to that same level of technical language 71 00:03:03,820 --> 00:03:07,750 and technical proof was very easy when I 72 00:03:06,190 --> 00:03:09,930 was working around people who had the 73 00:03:07,750 --> 00:03:13,330 same kind of mindset or maybe the same 74 00:03:09,930 --> 00:03:16,209 appetite for learning it as as we all 75 00:03:13,330 --> 00:03:18,640 did but it didn't always work when we 76 00:03:16,209 --> 00:03:19,989 were working with folks who were coming 77 00:03:18,640 --> 00:03:22,869 from a different company or a different 78 00:03:19,989 --> 00:03:24,580 company culture shall I say so this idea 79 00:03:22,870 --> 00:03:27,280 of telling your story and being more 80 00:03:24,580 --> 00:03:30,610 verbose or having to go out and set a 81 00:03:27,280 --> 00:03:32,320 narrative was almost I felt almost 82 00:03:30,610 --> 00:03:34,660 allergic to and I first started going 83 00:03:32,320 --> 00:03:36,780 into management but then realized that 84 00:03:34,660 --> 00:03:40,450 it was completely completely essential 85 00:03:36,780 --> 00:03:42,040 in some ways you can see a lot of how 86 
00:03:40,450 --> 00:03:43,480 that plays out and the political sphere 87 00:03:42,040 --> 00:03:45,070 and any kind of cause that you care 88 00:03:43,480 --> 00:03:47,380 about the facts are one thing and the 89 00:03:45,070 --> 00:03:49,840 experts know something but the 90 00:03:47,380 --> 00:03:51,910 capability to tell a story that 91 00:03:49,840 --> 00:03:54,340 resonates with people who do not know 92 00:03:51,910 --> 00:03:55,570 the same things that you know is really 93 00:03:54,340 --> 00:03:58,330 really important and it's really 94 00:03:55,570 --> 00:04:00,130 important that people who are experts 95 00:03:58,330 --> 00:04:01,570 and understand the facts are the ones 96 00:04:00,130 --> 00:04:04,780 who are helping to steer that narrative 97 00:04:01,570 --> 00:04:06,820 so I definitely encourage you to you 98 00:04:04,780 --> 00:04:07,330 know look at the full full picture on 99 00:04:06,820 --> 00:04:09,340 these things 100 00:04:07,330 --> 00:04:11,410 I mean when I'm thinking about examples 101 00:04:09,340 --> 00:04:13,390 of what you know where this comes up a 102 00:04:11,410 --> 00:04:15,730 lot you know even in the world of 103 00:04:13,390 --> 00:04:19,418 open-source tools you know the 104 00:04:15,730 --> 00:04:22,930 prevalence of Linux and and how that 105 00:04:19,418 --> 00:04:24,460 emerged you know in in competition in 106 00:04:22,930 --> 00:04:25,630 collaboration with say BSD 107 00:04:24,460 --> 00:04:28,239 right you know I think that's one 108 00:04:25,630 --> 00:04:30,460 example of you know something achieving 109 00:04:28,240 --> 00:04:32,919 a great deal of community mindshare even 110 00:04:30,460 --> 00:04:35,109 while BSD had a great reputation within 111 00:04:32,919 --> 00:04:36,639 the technical community how important it 112 00:04:35,110 --> 00:04:38,470 is to get that kind of ecosystem 113 00:04:36,639 --> 00:04:42,490 footprint and how how much it can 114 00:04:38,470 --> 00:04:46,319 determine the end the end 
result in the 115 00:04:42,490 --> 00:04:48,940 line of the line of systems that I 116 00:04:46,319 --> 00:04:51,069 specialized in DevOps and the DevSecOps 117 00:04:48,940 --> 00:04:53,169 world a lot of the configuration 118 00:04:51,069 --> 00:04:54,699 management tools such as you know Puppet 119 00:04:53,169 --> 00:04:57,880 and Chef and CFEngine 120 00:04:54,699 --> 00:04:59,380 there's a there were a lot of there was 121 00:04:57,880 --> 00:05:01,240 a lot of sort of flag waving around 122 00:04:59,380 --> 00:05:03,280 which ones were the better ones during 123 00:05:01,240 --> 00:05:05,020 the time and you know it may come down 124 00:05:03,280 --> 00:05:06,698 to which has a better set of templates 125 00:05:05,020 --> 00:05:08,469 or which one is in the language that 126 00:05:06,699 --> 00:05:10,360 everyone likes right Ruby was very very 127 00:05:08,470 --> 00:05:12,729 popular for a certain period of time and 128 00:05:10,360 --> 00:05:14,050 then eventually that conversation moves 129 00:05:12,729 --> 00:05:16,840 to the virtualization and container 130 00:05:14,050 --> 00:05:19,240 worlds and at the end of the day a lot 131 00:05:16,840 --> 00:05:20,590 of the fundamentals never really changed 132 00:05:19,240 --> 00:05:22,270 especially in terms of how you're 133 00:05:20,590 --> 00:05:25,479 incorporating security into those layers 134 00:05:22,270 --> 00:05:26,680 of the stack are you looking at the are 135 00:05:25,479 --> 00:05:28,389 you looking at the change where it 136 00:05:26,680 --> 00:05:30,370 originally happened are you looking at 137 00:05:28,389 --> 00:05:32,830 it at each place at which is being 138 00:05:30,370 --> 00:05:35,590 deployed to a new environment are you 139 00:05:32,830 --> 00:05:37,599 tracking where it's actually where it's 140 00:05:35,590 --> 00:05:39,849 actually triggering an event in your 141 00:05:37,599 --> 00:05:41,469 production site and those kinds of 142 00:05:39,849 --> 00:05:42,759 things those 
fundamentals didn't really 143 00:05:41,469 --> 00:05:45,550 change but a lot of the layers in 144 00:05:42,759 --> 00:05:49,719 between did and how people were able to 145 00:05:45,550 --> 00:05:51,639 seer and get buy-in and enthusiasm can 146 00:05:49,719 --> 00:05:54,219 often dictate whether or not technology 147 00:05:51,639 --> 00:05:57,400 wins or loses not just the merit of the 148 00:05:54,219 --> 00:06:00,400 technology itself you know in the world 149 00:05:57,400 --> 00:06:02,919 of security and privacy right you know 150 00:06:00,400 --> 00:06:04,859 security has become such such an 151 00:06:02,919 --> 00:06:07,900 essential and hot topic now but I think 152 00:06:04,860 --> 00:06:10,599 that in some ways this is because for 153 00:06:07,900 --> 00:06:12,250 years so much of what security and site 154 00:06:10,599 --> 00:06:15,310 reliability professionals did was 155 00:06:12,250 --> 00:06:17,440 somewhat undervalued and now that the 156 00:06:15,310 --> 00:06:20,139 external world is feeling the impact is 157 00:06:17,440 --> 00:06:21,729 now catching up to understand okay what 158 00:06:20,139 --> 00:06:23,740 is this really how much is this really 159 00:06:21,729 --> 00:06:26,500 hurting us and what do I need to 160 00:06:23,740 --> 00:06:29,560 understand to navigate now so I think 161 00:06:26,500 --> 00:06:33,219 that you know being able to tell that 162 00:06:29,560 --> 00:06:36,070 story and tell it the right way or early 163 00:06:33,219 --> 00:06:36,930 on made a difference also in certain 164 00:06:36,070 --> 00:06:38,639 aspects of 165 00:06:36,930 --> 00:06:42,630 fashion being being a little bit 166 00:06:38,639 --> 00:06:44,100 undervalued here's another one that we'd 167 00:06:42,630 --> 00:06:46,919 like to talk about a lot in technical 168 00:06:44,100 --> 00:06:49,470 circles right don't repeat yourself you 169 00:06:46,919 --> 00:06:51,630 know incorporate whatever logical change 170 00:06:49,470 --> 00:06:53,940 you're doing in 
one you know in one 171 00:06:51,630 --> 00:06:55,440 central place and from there on things 172 00:06:53,940 --> 00:07:00,120 should be extending or leveraging those 173 00:06:55,440 --> 00:07:02,520 things don't be repetitive and looking 174 00:07:00,120 --> 00:07:04,169 at that compared to you know what a lot 175 00:07:02,520 --> 00:07:06,479 of managers and a lot of leaders end up 176 00:07:04,169 --> 00:07:08,008 doing which is you know telling that 177 00:07:06,479 --> 00:07:10,889 story and repeating it and repeating it 178 00:07:08,009 --> 00:07:12,870 in different ways I was reading there 179 00:07:10,889 --> 00:07:14,520 was a quote by Jack Welch in one of his 180 00:07:12,870 --> 00:07:16,289 books about leadership saying that you 181 00:07:14,520 --> 00:07:17,940 know you have to be able to provide a 182 00:07:16,289 --> 00:07:19,440 vision and you're gonna be telling your 183 00:07:17,940 --> 00:07:21,030 vision until you're ready to gag on the 184 00:07:19,440 --> 00:07:23,430 words and I thought that was just that 185 00:07:21,030 --> 00:07:25,289 just sounded terrible but you know you 186 00:07:23,430 --> 00:07:27,090 know thinking about it more you know the 187 00:07:25,289 --> 00:07:28,590 amount of times it takes for people who 188 00:07:27,090 --> 00:07:30,780 are doing something different than you 189 00:07:28,590 --> 00:07:33,599 to really understand and and just you 190 00:07:30,780 --> 00:07:35,219 know what's important there is it's it 191 00:07:33,599 --> 00:07:37,440 takes a while and it takes there's a 192 00:07:35,220 --> 00:07:39,690 psychological journey people have to go 193 00:07:37,440 --> 00:07:41,130 on along the way you know while I was 194 00:07:39,690 --> 00:07:42,479 doing a little research for this 195 00:07:41,130 --> 00:07:45,840 presentation there was a book written 196 00:07:42,479 --> 00:07:50,190 back in 1855 about advertising 197 00:07:45,840 --> 00:07:52,770 I think the fellows name was I think the 198 00:07:50,190 
--> 00:07:54,930 fellow's name was Tom Smith and he said 199 00:07:52,770 --> 00:07:57,180 something on the lines of it will take 200 00:07:54,930 --> 00:07:59,159 your customer 20 times to hear something 201 00:07:57,180 --> 00:08:00,449 before they're ready to buy it so in a 202 00:07:59,159 --> 00:08:02,370 lot of ways you know coming in and 203 00:08:00,449 --> 00:08:05,699 trying to be really concise and terse 204 00:08:02,370 --> 00:08:08,880 and not being too not being too 205 00:08:05,699 --> 00:08:10,380 repetitive you have to know what you 206 00:08:08,880 --> 00:08:11,190 have to know what venue it you're in and 207 00:08:10,380 --> 00:08:12,840 what you're trying to accomplish 208 00:08:11,190 --> 00:08:14,370 sometimes you're going to have to turn 209 00:08:12,840 --> 00:08:15,508 some of this logic on its face because 210 00:08:14,370 --> 00:08:17,940 you're trying to reach a new audience 211 00:08:15,509 --> 00:08:19,110 you're trying to bring someone along for 212 00:08:17,940 --> 00:08:20,820 a ride and they're not quite ready yet 213 00:08:19,110 --> 00:08:22,289 and you have to start figuring out how 214 00:08:20,820 --> 00:08:24,330 to break it down so that they can start 215 00:08:22,289 --> 00:08:25,620 hearing really hearing what the benefit 216 00:08:24,330 --> 00:08:29,639 is going to be to them and that's that 217 00:08:25,620 --> 00:08:31,949 takes work on both sides in my own 218 00:08:29,639 --> 00:08:34,709 professional journey what brought me 219 00:08:31,949 --> 00:08:37,110 into the DevOps and DevSecOps sort of 220 00:08:34,708 --> 00:08:39,149 communities and circles after some 221 00:08:37,110 --> 00:08:41,310 initial resistance was realizing that I 222 00:08:39,149 --> 00:08:43,320 was going to company after company 223 00:08:41,309 --> 00:08:45,270 giving the same presentation about 224 00:08:43,320 --> 00:08:46,890 DevOps and config management and change 225 00:08:45,270 --> 00:08:48,449 management and why was this the same 
226 00:08:46,890 --> 00:08:50,220 problem each time 227 00:08:48,450 --> 00:08:51,930 and then I realized the thing that I had 228 00:08:50,220 --> 00:08:54,329 been looking at for more than a decade 229 00:08:51,930 --> 00:08:55,949 and that seems so obvious to me was not 230 00:08:54,329 --> 00:08:58,290 going to be obvious to other people 231 00:08:55,950 --> 00:09:00,480 because they hadn't been subject to the 232 00:08:58,290 --> 00:09:02,579 exact same problems or the same the same 233 00:09:00,480 --> 00:09:04,920 experience and so you know at that point 234 00:09:02,579 --> 00:09:07,370 I realized that I had to I had to change 235 00:09:04,920 --> 00:09:12,360 my own perspective on it in terms of 236 00:09:07,370 --> 00:09:14,550 stepping up to communicate another 237 00:09:12,360 --> 00:09:16,740 aspect I think of you know moving around 238 00:09:14,550 --> 00:09:18,449 from managing a technology problem 239 00:09:16,740 --> 00:09:20,190 versus working with people is in 240 00:09:18,449 --> 00:09:21,810 especially in small startups we 241 00:09:20,190 --> 00:09:23,579 prioritize speed and just getting it 242 00:09:21,810 --> 00:09:25,138 done you know the result at any cost 243 00:09:23,579 --> 00:09:26,790 even if it means burning the midnight 244 00:09:25,139 --> 00:09:29,250 oil or burning through your team's 245 00:09:26,790 --> 00:09:31,230 efforts because at the end you know 246 00:09:29,250 --> 00:09:33,000 getting there and winning the result is 247 00:09:31,230 --> 00:09:35,130 more important than anything else in 248 00:09:33,000 --> 00:09:36,690 larger companies and also companies with 249 00:09:35,130 --> 00:09:38,370 a longer ramp you're going to be looking 250 00:09:36,690 --> 00:09:41,459 more at the journey and the destination 251 00:09:38,370 --> 00:09:43,649 because you want to be creating a 252 00:09:41,459 --> 00:09:46,380 situation where people can sustain and 253 00:09:43,649 --> 00:09:48,930 the the rules and the the processes can 
254 00:09:46,380 --> 00:09:51,389 sustain beyond just that one project and 255 00:09:48,930 --> 00:09:52,800 so you know moving between there's two 256 00:09:51,389 --> 00:09:54,449 worlds of you know the folks who are 257 00:09:52,800 --> 00:09:55,890 like really really fast movers and fast 258 00:09:54,449 --> 00:09:57,990 thinkers and maybe a little bit rough 259 00:09:55,890 --> 00:09:59,699 around the edges and then into this 260 00:09:57,990 --> 00:10:02,250 environment where hey actually it's not 261 00:09:59,699 --> 00:10:03,750 always going to be to your benefit to 262 00:10:02,250 --> 00:10:04,980 win every single time what's really 263 00:10:03,750 --> 00:10:06,630 important is also that we're bringing 264 00:10:04,980 --> 00:10:08,880 along certain groups or that we're 265 00:10:06,630 --> 00:10:11,579 bringing other departments along for 266 00:10:08,880 --> 00:10:14,610 this this ride was was also a different 267 00:10:11,579 --> 00:10:17,130 kind of inflection point on what what is 268 00:10:14,610 --> 00:10:19,890 important when when you're making a when 269 00:10:17,130 --> 00:10:23,459 you're trying to where you're trying to 270 00:10:19,890 --> 00:10:25,529 move the needle on these things in a lot 271 00:10:23,459 --> 00:10:28,290 of in a lot of ways you know thinking 272 00:10:25,529 --> 00:10:30,149 back on my last few my last few 273 00:10:28,290 --> 00:10:32,459 important initiatives for companies 274 00:10:30,149 --> 00:10:34,170 usually uniting compliance and security 275 00:10:32,459 --> 00:10:36,630 problems and doing a lot of technical 276 00:10:34,170 --> 00:10:38,880 debt catch up I always always made it a 277 00:10:36,630 --> 00:10:40,800 priority for us to make sure we got to 278 00:10:38,880 --> 00:10:43,769 that finish line in terms of whether it 279 00:10:40,800 --> 00:10:45,180 was PCI or IPO readiness or you know 280 00:10:43,769 --> 00:10:48,060 making sure we got through that SOX 281 00:10:45,180 --> 00:10:51,209 problem but 
looking back you know I 282 00:10:48,060 --> 00:10:53,489 think that part of what we sometimes 283 00:10:51,209 --> 00:10:55,979 missed in the urgency for a done line 284 00:10:53,490 --> 00:10:58,110 was that piece about could people be 285 00:10:55,980 --> 00:11:00,089 working at a sustainable pace were we 286 00:10:58,110 --> 00:11:01,110 building things in in such a way that 287 00:11:00,089 --> 00:11:03,720 the organization 288 00:11:01,110 --> 00:11:05,370 and the rest of the rest of the 289 00:11:03,720 --> 00:11:07,470 technology could continue to do the work 290 00:11:05,370 --> 00:11:11,400 after we had maybe moved on to another 291 00:11:07,470 --> 00:11:13,920 project would we be able to would we be 292 00:11:11,400 --> 00:11:16,020 show that you know the relationships and 293 00:11:13,920 --> 00:11:17,819 the organization actually got better not 294 00:11:16,020 --> 00:11:20,790 worse because of it and a lot of that 295 00:11:17,820 --> 00:11:22,680 comes back to being able to talk with 296 00:11:20,790 --> 00:11:25,469 people as you're going along on a tough 297 00:11:22,680 --> 00:11:26,939 project and bringing them to bringing 298 00:11:25,470 --> 00:11:30,150 them to understand why it as a priority 299 00:11:26,940 --> 00:11:31,650 and why why they're going to why they're 300 00:11:30,150 --> 00:11:33,569 gonna benefit from it it wasn't enough 301 00:11:31,650 --> 00:11:35,790 just to win and to get the result at the 302 00:11:33,570 --> 00:11:37,500 end of the day it was just as important 303 00:11:35,790 --> 00:11:39,689 to make sure that people understood why 304 00:11:37,500 --> 00:11:41,130 now this ended up being both like for 305 00:11:39,690 --> 00:11:43,560 people's own quality of life and I'll 306 00:11:41,130 --> 00:11:45,030 even say in being able to make sure that 307 00:11:43,560 --> 00:11:47,010 the right people and right departments 308 00:11:45,030 --> 00:11:49,020 got credit for the work if it was not 309 00:11:47,010 --> 
00:11:50,610 well understood what was the root 310 00:11:49,020 --> 00:11:52,800 problem in an organization or what was 311 00:11:50,610 --> 00:11:54,840 the root problem why we weren't able to 312 00:11:52,800 --> 00:11:56,550 get vulnerabilities addressed at a 313 00:11:54,840 --> 00:11:58,110 quicker pace or why were people 314 00:11:56,550 --> 00:12:01,079 repeating the same problems over and 315 00:11:58,110 --> 00:12:04,160 over it became very very easy for folks 316 00:12:01,080 --> 00:12:07,290 and other departments to you know assign 317 00:12:04,160 --> 00:12:10,620 reasons or cause that may be more 318 00:12:07,290 --> 00:12:14,280 debatable so I think that it is it is 319 00:12:10,620 --> 00:12:15,990 very much important to to know that the 320 00:12:14,280 --> 00:12:22,920 facts alone aren't always going to be 321 00:12:15,990 --> 00:12:25,290 enough another another nice aphorism 322 00:12:22,920 --> 00:12:26,969 that ended up having to flip on its head 323 00:12:25,290 --> 00:12:28,380 was that idea that a premature 324 00:12:26,970 --> 00:12:30,450 optimization was the root of all evil 325 00:12:28,380 --> 00:12:32,340 and I think that was a credit to Donald 326 00:12:30,450 --> 00:12:36,600 Knuth and networking in engineering 327 00:12:32,340 --> 00:12:38,940 spheres I think we have all experienced 328 00:12:36,600 --> 00:12:40,260 that you know experience that need to 329 00:12:38,940 --> 00:12:41,940 focus and make sure that we're not 330 00:12:40,260 --> 00:12:43,970 working on the wrong thing that we're 331 00:12:41,940 --> 00:12:46,050 not loading code and creating additional 332 00:12:43,970 --> 00:12:47,580 dependencies or security liabilities 333 00:12:46,050 --> 00:12:50,760 where they don't need to be and you know 334 00:12:47,580 --> 00:12:53,910 being able to have that laser focus once 335 00:12:50,760 --> 00:12:55,950 started working more with people and the 336 00:12:53,910 --> 00:12:57,959 organization and the teams that mindset 337 
00:12:55,950 --> 00:13:00,750 didn't necessarily work as well because 338 00:12:57,960 --> 00:13:02,610 it there is definitely a complete truth 339 00:13:00,750 --> 00:13:04,470 to the idea that you have to build the 340 00:13:02,610 --> 00:13:06,690 relationship before something is needed 341 00:13:04,470 --> 00:13:08,130 from it people are more like people are 342 00:13:06,690 --> 00:13:11,010 growing entities right they need to be 343 00:13:08,130 --> 00:13:13,620 felt feel taken care of and fed and 344 00:13:11,010 --> 00:13:14,800 watered beyond just what I need for this 345 00:13:13,620 --> 00:13:16,089 particular transaction 346 00:13:14,800 --> 00:13:18,219 this moment and I think in the work 347 00:13:16,089 --> 00:13:20,649 world sometimes especially with a lot of 348 00:13:18,220 --> 00:13:27,790 urgent deadlines this can become very 349 00:13:20,649 --> 00:13:29,560 easy to forget and I think some of the 350 00:13:27,790 --> 00:13:33,399 some of the things that people look at 351 00:13:29,560 --> 00:13:35,739 in terms of what you know they consider 352 00:13:33,399 --> 00:13:37,540 a waste of time in terms of you know 353 00:13:35,740 --> 00:13:39,610 there's meeting without an agenda or you 354 00:13:37,540 --> 00:13:40,959 know I'm having to you know form these 355 00:13:39,610 --> 00:13:42,399 relationships with all these folks that 356 00:13:40,959 --> 00:13:44,619 you know I don't know why yet 357 00:13:42,399 --> 00:13:46,930 especially in organizations where you're 358 00:13:44,620 --> 00:13:49,000 trying to you're trying to get security 359 00:13:46,930 --> 00:13:50,709 to be proactive not just reactive this 360 00:13:49,000 --> 00:13:53,110 becomes extra important you know being 361 00:13:50,709 --> 00:13:54,518 curious and interested in knowing why 362 00:13:53,110 --> 00:13:56,170 are the problems occurring where they're 363 00:13:54,519 --> 00:13:58,079 occurring why are there some unexpected 364 00:13:56,170 --> 00:14:00,699 things 
happening in certain places and 365 00:13:58,079 --> 00:14:03,729 why do some people have certain concerns 366 00:14:00,700 --> 00:14:05,110 that pop up in in places that you just 367 00:14:03,730 --> 00:14:06,940 wouldn't expect all of these things 368 00:14:05,110 --> 00:14:08,380 become very very relevant down the line 369 00:14:06,940 --> 00:14:10,510 as you're trying to either troubleshoot 370 00:14:08,380 --> 00:14:13,899 a major issue or sometimes things that 371 00:14:10,510 --> 00:14:22,450 become become unexpected issues down the 372 00:14:13,899 --> 00:14:24,160 road and of course I think one of my one 373 00:14:22,450 --> 00:14:27,010 of my favorite lessons from having 374 00:14:24,160 --> 00:14:28,810 worked at the large retailers was 375 00:14:27,010 --> 00:14:30,880 something that one of my mentors told me 376 00:14:28,810 --> 00:14:32,290 when we were discussing why was it so 377 00:14:30,880 --> 00:14:34,240 hard to get the different departments to 378 00:14:32,290 --> 00:14:38,290 coordinate why was it so hard to get 379 00:14:34,240 --> 00:14:40,899 silos you know to reach apart in terms 380 00:14:38,290 --> 00:14:42,699 of the development and operation piece I 381 00:14:40,899 --> 00:14:44,860 think on the engineering side of course 382 00:14:42,700 --> 00:14:46,270 we get very very used to making sure 383 00:14:44,860 --> 00:14:47,440 that we can prove everything that we're 384 00:14:46,270 --> 00:14:50,250 saying and that we were empirically 385 00:14:47,440 --> 00:14:52,779 right but the fundamental point that 386 00:14:50,250 --> 00:14:55,450 that I think that was the takeaway for 387 00:14:52,779 --> 00:14:56,709 me was not to force logic into emotion 388 00:14:55,450 --> 00:14:58,959 and this idea that it is a different 389 00:14:56,709 --> 00:15:02,229 dimension of problem at that point and 390 00:14:58,959 --> 00:15:03,609 when I saw that I realized like when we 391 00:15:02,230 --> 00:15:05,740 would have get into an argument with 392 
00:15:03,610 --> 00:15:08,770 such and such team because they were 393 00:15:05,740 --> 00:15:11,140 they didn't want us to let's say for 394 00:15:08,770 --> 00:15:13,209 example that it was we were moving into 395 00:15:11,140 --> 00:15:15,100 an area where we were doing more asset 396 00:15:13,209 --> 00:15:17,349 management which I would think would be 397 00:15:15,100 --> 00:15:18,880 a plus for the organization maybe 398 00:15:17,350 --> 00:15:20,709 another organization would be not that 399 00:15:18,880 --> 00:15:22,420 happy about it and we'd under in a 400 00:15:20,709 --> 00:15:24,729 conversation and I wouldn't understand 401 00:15:22,420 --> 00:15:25,990 initially why it was so charged once I 402 00:15:24,730 --> 00:15:28,040 stepped away from it for a little while 403 00:15:25,990 --> 00:15:30,110 I realized it's not about enough 404 00:15:28,040 --> 00:15:31,849 thoroughly the logical win-win in front 405 00:15:30,110 --> 00:15:33,800 of them there is a reaction to something 406 00:15:31,850 --> 00:15:36,350 some perception of something being taken 407 00:15:33,800 --> 00:15:38,269 away that needs to be addressed even 408 00:15:36,350 --> 00:15:40,370 before we can have a really rational 409 00:15:38,269 --> 00:15:43,730 discussion about how best to make this 410 00:15:40,370 --> 00:15:47,480 problem solved for the company and when 411 00:15:43,730 --> 00:15:49,579 when I backed off of that that concept 412 00:15:47,480 --> 00:15:52,100 that we had to we had to approach it 413 00:15:49,579 --> 00:15:53,660 completely on that side of hey you know 414 00:15:52,100 --> 00:15:54,949 we just need to put this in terms of an 415 00:15:53,660 --> 00:15:57,019 argument the other side is going to 416 00:15:54,949 --> 00:15:59,540 understand and try stuff into like okay 417 00:15:57,019 --> 00:16:01,699 what are the things that this group are 418 00:15:59,540 --> 00:16:03,709 reacting against and that where there 419 00:16:01,699 --> 00:16:05,300 might be a 
little bit of there might be 420 00:16:03,709 --> 00:16:07,369 a little bit of history there that 421 00:16:05,300 --> 00:16:09,769 changed the equation in a lot of ways in 422 00:16:07,370 --> 00:16:12,529 terms of being able to work beyond just 423 00:16:09,769 --> 00:16:32,779 the just what was the immediate problem 424 00:16:12,529 --> 00:16:35,720 at the time yeah that's right yes sure 425 00:16:32,779 --> 00:16:37,370 sure so I think you know the I'm a 426 00:16:35,720 --> 00:16:39,500 believer that the the roots of a 427 00:16:37,370 --> 00:16:40,880 solution are in the the seeds to a 428 00:16:39,500 --> 00:16:43,250 solution er and the roots of the problem 429 00:16:40,880 --> 00:16:44,779 so what you just described okay so I'm 430 00:16:43,250 --> 00:16:45,949 talking to a developer and saying hey 431 00:16:44,779 --> 00:16:47,779 you know you've got a really high 432 00:16:45,949 --> 00:16:49,790 proportion of these kinds of bugs and 433 00:16:47,779 --> 00:16:53,569 they're getting offended understanding 434 00:16:49,790 --> 00:16:55,099 okay this person has like they want to 435 00:16:53,569 --> 00:16:57,649 believe that either they don't make that 436 00:16:55,100 --> 00:17:01,459 many they don't make that many bugs or 437 00:16:57,649 --> 00:17:04,459 that they are having someone else bring 438 00:17:01,459 --> 00:17:07,520 it to them is an issue and so I think 439 00:17:04,459 --> 00:17:09,230 that you know part of it is part of it 440 00:17:07,520 --> 00:17:12,379 in that kind of situation is to let them 441 00:17:09,230 --> 00:17:14,929 know that hey this is not this is not 442 00:17:12,380 --> 00:17:16,610 that unusual necessarily and so 443 00:17:14,929 --> 00:17:18,679 therefore this is just part of part of 444 00:17:16,609 --> 00:17:20,389 what we're doing as a development this 445 00:17:18,679 --> 00:17:22,100 is just part of being an engineer 446 00:17:20,390 --> 00:17:24,319 needing to be better you don't have to 447 00:17:22,099 --> 
00:17:25,938 take it personally but I think when 448 00:17:24,319 --> 00:17:27,829 you're seeing someone react let's say 449 00:17:25,939 --> 00:17:29,600 with ego first right you know I think 450 00:17:27,829 --> 00:17:30,740 it's stepping back to say like okay is 451 00:17:29,600 --> 00:17:32,719 this something that we can work with 452 00:17:30,740 --> 00:17:36,320 here and this is where you have to use 453 00:17:32,720 --> 00:17:37,460 all of your both relationship and and EQ 454 00:17:36,320 --> 00:17:39,168 skills about like is this something we 455 00:17:37,460 --> 00:17:40,870 can work with in terms of getting them 456 00:17:39,169 --> 00:17:43,210 to understand this is you 457 00:17:40,870 --> 00:17:45,610 just something you can get better at you 458 00:17:43,210 --> 00:17:47,290 know like our former speaker who was up 459 00:17:45,610 --> 00:17:50,530 here with saying the knowledge piece can 460 00:17:47,290 --> 00:17:52,659 be taught right if it's something where 461 00:17:50,530 --> 00:17:54,370 it's maybe a little bit more entrenched 462 00:17:52,660 --> 00:17:59,770 and you know I've encountered that as 463 00:17:54,370 --> 00:18:02,919 well sometimes I took two approaches 464 00:17:59,770 --> 00:18:06,580 right let's say for an instance we were 465 00:18:02,920 --> 00:18:08,860 we were having issues getting a getting 466 00:18:06,580 --> 00:18:10,330 a remote manager to agree to some things 467 00:18:08,860 --> 00:18:13,928 that we all knew that the company needed 468 00:18:10,330 --> 00:18:16,830 and I you know and I could see that 469 00:18:13,929 --> 00:18:19,870 there was a lot of there was a lot of 470 00:18:16,830 --> 00:18:22,360 investment in this idea that you know 471 00:18:19,870 --> 00:18:23,590 the way that this person wanted to do it 472 00:18:22,360 --> 00:18:26,919 was a higher standard than everybody 473 00:18:23,590 --> 00:18:29,290 else's so therefore he had totally dug 474 00:18:26,920 --> 00:18:31,840 in his heels about not not 
bending on 475 00:18:29,290 --> 00:18:35,080 that standard we had to approach it from 476 00:18:31,840 --> 00:18:36,879 the perspective of from a managerial 477 00:18:35,080 --> 00:18:39,428 standpoint there was we definitely had 478 00:18:36,880 --> 00:18:42,730 to work with his manager as well and 479 00:18:39,429 --> 00:18:44,530 have a recent conversation about hey you 480 00:18:42,730 --> 00:18:46,450 know here's our alternatives you know 481 00:18:44,530 --> 00:18:49,540 help us pick which one is going to be 482 00:18:46,450 --> 00:18:52,330 the best here and also picking the 483 00:18:49,540 --> 00:18:54,520 battles kind of aspect like I don't have 484 00:18:52,330 --> 00:18:56,409 any kind of illusion that there's going 485 00:18:54,520 --> 00:18:59,080 to be perfect results to this it's just 486 00:18:56,410 --> 00:19:00,760 people trying to grow and grow the org 487 00:18:59,080 --> 00:19:12,149 at the same time as you go but I think 488 00:19:00,760 --> 00:19:12,150 you do yeah that's right 489 00:19:15,090 --> 00:19:19,178 that's right yeah 490 00:19:17,950 --> 00:19:22,419 make them part of the solution that's 491 00:19:19,179 --> 00:19:24,490 always a little bit better and I totally 492 00:19:22,419 --> 00:19:26,200 you know his manager as well was there 493 00:19:24,490 --> 00:19:28,570 to say like hey you know if we don't 494 00:19:26,200 --> 00:19:31,240 make a choice that's unacceptable so we 495 00:19:28,570 --> 00:19:32,620 must make a choice you know so I think 496 00:19:31,240 --> 00:19:34,210 that combination of things kind of 497 00:19:32,620 --> 00:19:37,299 helped get us around the bend on that 498 00:19:34,210 --> 00:19:46,539 particular issue but you know definitely 499 00:19:37,299 --> 00:19:52,090 there's you know it's yeah yeah that's 500 00:19:46,539 --> 00:19:53,500 right that's right I mean absolutely if 501 00:19:52,090 --> 00:19:56,049 he takes pride in the quality of his 502 00:19:53,500 --> 00:19:58,059 coding it takes pride in 
being let's say 503 00:19:56,049 --> 00:19:59,379 you know the best developer one of the 504 00:19:58,059 --> 00:20:01,539 most professional developers in that 505 00:19:59,380 --> 00:20:04,750 work helped give him more tools to be 506 00:20:01,539 --> 00:20:06,879 that person right and I think especially 507 00:20:04,750 --> 00:20:08,710 the security being so interesting and so 508 00:20:06,880 --> 00:20:10,270 critical nowadays there's a lot of ways 509 00:20:08,710 --> 00:20:12,250 to bring people into the fold in that 510 00:20:10,270 --> 00:20:14,950 respect you know more and more in these 511 00:20:12,250 --> 00:20:16,600 days you know and you all probably 512 00:20:14,950 --> 00:20:19,149 experienced this too you know people 513 00:20:16,600 --> 00:20:21,189 approaching our our teams myself asking 514 00:20:19,149 --> 00:20:22,570 how to get into security what should 515 00:20:21,190 --> 00:20:25,690 they be learning about and this and that 516 00:20:22,570 --> 00:20:28,178 and so I think in that way you know the 517 00:20:25,690 --> 00:20:29,799 folks who the folks who you're actually 518 00:20:28,179 --> 00:20:31,750 engaging with and you can get a reaction 519 00:20:29,799 --> 00:20:33,010 from you have you have a chance they're 520 00:20:31,750 --> 00:20:36,100 the problems are like where you have 521 00:20:33,010 --> 00:20:37,899 like silos or no response you know I 522 00:20:36,100 --> 00:20:40,059 think if you can at least get a reaction 523 00:20:37,899 --> 00:20:42,760 from someone because they have some kind 524 00:20:40,059 --> 00:20:45,720 of they have some kind of investment in 525 00:20:42,760 --> 00:20:45,720 it there's a shot 526 00:20:51,840 --> 00:20:58,178 so I I kind of a put put the slide here 527 00:20:56,799 --> 00:21:00,610 at the end because one of the things 528 00:20:58,179 --> 00:21:01,870 that I found when you know kind of 529 00:21:00,610 --> 00:21:04,178 switching back and forth between the 530 00:21:01,870 --> 00:21:05,799 
technical and the the people aspect of 531 00:21:04,179 --> 00:21:07,929 it is sometimes just having to re-find 532 00:21:05,799 --> 00:21:09,850 footing because you know turning those 533 00:21:07,929 --> 00:21:13,480 those ideas of like whatever it was that 534 00:21:09,850 --> 00:21:15,789 you I felt made me a good engineer into 535 00:21:13,480 --> 00:21:17,559 something else I would have to come back 536 00:21:15,789 --> 00:21:19,059 and say okay like where am I on this and 537 00:21:17,559 --> 00:21:21,879 where you know what's the situation and 538 00:21:19,059 --> 00:21:23,740 I I think what the message I want to 539 00:21:21,880 --> 00:21:26,770 give is that there is a path through in 540 00:21:23,740 --> 00:21:29,380 terms of finding finding a center you 541 00:21:26,770 --> 00:21:32,918 know finding a place that you can work 542 00:21:29,380 --> 00:21:34,929 from that still is has integrity to you 543 00:21:32,919 --> 00:21:37,049 as an engineer but allows you to grow 544 00:21:34,929 --> 00:21:40,000 other people but it does require 545 00:21:37,049 --> 00:21:42,309 constantly adjusting constantly being on 546 00:21:40,000 --> 00:21:44,620 your toes and knowing who you're working 547 00:21:42,309 --> 00:21:46,330 with and so I think bringing that into 548 00:21:44,620 --> 00:21:48,760 the fold and understanding that there's 549 00:21:46,330 --> 00:21:50,980 a progression to how everyone is is 550 00:21:48,760 --> 00:21:53,140 learning as as engineers and as other 551 00:21:50,980 --> 00:21:54,760 managers that they gradually become more 552 00:21:53,140 --> 00:21:57,429 informed they gradually became more 553 00:21:54,760 --> 00:22:01,480 flexible kind of helps that process 554 00:21:57,429 --> 00:22:03,520 along and those are the the major the 555 00:22:01,480 --> 00:22:05,919 major kind of points that I wanted to 556 00:22:03,520 --> 00:22:08,559 talk about today in terms of you know 557 00:22:05,919 --> 00:22:12,460 what I felt had to be changed 
between 558 00:22:08,559 --> 00:22:14,440 those between those worlds if if anybody 559 00:22:12,460 --> 00:22:15,820 has any other questions or any kinds of 560 00:22:14,440 --> 00:22:18,700 stories they'd like to share from their 561 00:22:15,820 --> 00:22:41,168 own experiences I'd I'd welcome hearing 562 00:22:18,700 --> 00:22:43,799 them sure depends on the the area right 563 00:22:41,169 --> 00:22:45,909 like so for the DevOps and 564 00:22:43,799 --> 00:22:47,470 infrastructure and tooling and all that 565 00:22:45,909 --> 00:22:50,559 kind of stuff I do like all their DevOps 566 00:22:47,470 --> 00:22:52,659 groups and DevOps Enterprise has been 567 00:22:50,559 --> 00:22:55,720 has been a great contact source as well 568 00:22:52,659 --> 00:22:57,429 I think you know you go in there and 569 00:22:55,720 --> 00:22:59,679 what's great is you know you can go in 570 00:22:57,429 --> 00:23:02,110 with a problem and then as you're as 571 00:22:59,679 --> 00:23:03,279 you're working with other folks who have 572 00:23:02,110 --> 00:23:04,959 the same problems you guys can come up 573 00:23:03,279 --> 00:23:06,940 with the solutions together to 574 00:23:04,960 --> 00:23:09,039 state the obvious but you know you start 575 00:23:06,940 --> 00:23:10,120 out with you start out with a little bit 576 00:23:09,039 --> 00:23:12,480 of uncertainty and then end up moving 577 00:23:10,120 --> 00:23:14,770 moving into late into better places for 578 00:23:12,480 --> 00:23:17,049 application security of course the OWASP 579 00:23:14,770 --> 00:23:19,389 the Hoth stuff is a good place to start 580 00:23:17,049 --> 00:23:23,799 I really like some of the stuff that I'm 581 00:23:19,390 --> 00:23:26,080 seeing with that a was the secure 582 00:23:23,799 --> 00:23:27,520 developer and you know Shannon Lietz 583 00:23:26,080 --> 00:23:29,980 over at Intuit has been talking about 584 00:23:27,520 --> 00:23:32,379 adversary focused application of 585 00:23:29,980 --> 00:23:34,289 
security as opposed to just the captain 586 00:23:32,380 --> 00:23:37,360 which are obviously very important also 587 00:23:34,289 --> 00:23:39,129 I think those two things plus like a 588 00:23:37,360 --> 00:23:42,760 good knowledge of threat modeling and 589 00:23:39,130 --> 00:23:44,950 internal actual internal you know 590 00:23:42,760 --> 00:23:46,870 threats and weaknesses would be a decent 591 00:23:44,950 --> 00:23:52,330 way to go about that 592 00:23:46,870 --> 00:23:53,830 and you know I obviously you know Bruce 593 00:23:52,330 --> 00:23:57,580 Schneier's blog is always a good one to 594 00:23:53,830 --> 00:24:01,658 resource I try to like find I try to 595 00:23:57,580 --> 00:24:11,470 find where I think the most most 596 00:24:01,659 --> 00:24:15,290 specific experts are oh I didn't say 597 00:24:11,470 --> 00:24:17,190 that but that's a it is a good thought 598 00:24:15,290 --> 00:24:18,460 [Laughter] 599 00:24:17,190 --> 00:24:20,409 yeah 600 00:24:18,460 --> 00:24:21,880 I would say most of my career has been 601 00:24:20,409 --> 00:24:23,860 focused on the blue team side of it 602 00:24:21,880 --> 00:24:26,169 coming up from infrastructure and all 603 00:24:23,860 --> 00:24:28,469 that and so that's been that's been the 604 00:24:26,169 --> 00:24:28,470 aspect