Alyssa Miller 👑 Duchess of Hackington
Hacker, Public Speaker, BISO 🦬 | Co-Host @CompromiseLive | Board: @BlueTeamCon & @CircleCityCon | @hacknotcrime advocate | Opinions==mine!=employer's | She/her
2 Dec
Thursday morning, back home after a few days of board meetings and I have some thoughts to share on being effective in board presentations. Tech and security leaders still seem to struggle in these settings so here goes:

As always, it's a 🧵

1/
1. Research your board members. Find out in advance who you'll be presenting to and look up their background. Talk to your peers who've chatted with the board before, see what intel you can get from them on the dynamics of those discussions. Prep accordingly.

2/
2. Read the room. Important with any presentation but particularly so in the board room. If they're looking at their phones, you lost them. It may be that you got too technical. Change things up, change your tone, elevate the message and grab their attention again.

3/
1 Dec
The number of potentially qualified people that I see self-eliminating from open #infosecjobs saddens me. The thing is when you're looking at job descriptions, there are two ways you can look at them.

In typical Alyssa fashion, a 🧵 follows:

1/
Some people will read through the requirements from an implicit mindset of identifying the reasons not to apply. They look for any requirements that suggest they're not qualified and when they find too many of them (for some that means even one), they choose not to apply.

2/
The other method, and the mindset I wish more job seekers would take, is to look at a job description with the focus of finding the reasons to apply. What requirements are things you're good at or could be good at. What responsibilities are areas of interest for you.

3/
21 Nov
FORTY SEVEN

Forty-seven trans people have been violently killed so far in 2021. While this number represents an increasing trend, let's talk about what that number doesn't tell us.

#TDOR #tdor2021

1/
* These are violent crimes, meaning someone else took their lives. This number does not reflect those that took their own lives as a result of unmanageable pressures of discrimination, abandonment, homelessness, forced conversion therapy, etc.

2/
* This number only includes those situations where Law Enforcement documents the victim as transgender. It does not include those killed where police and families hid the gender identity of the victim. This is a common occurrence and skews the numbers heavily.

3/
6 Nov
Let's talk job offer negotiation, a 🧵.

If you've heard my talks on this, you know I'm a huge advocate for knowing your worth, getting paid, and asking for what you need.

Recruiters and hiring managers expect it, they're not going to rescind an offer if you ask for more 💰

1/
However, you also have to know what can and cannot be negotiated and remember it's a negotiation not a demand letter.

Salary, bonus, time-off, flexible work/wfh, signing bonuses, title

These are things that can typically be negotiated to varying degrees.

2/
Health/Dental coverage, retirement plans, other corporate benefits and all their associated costs and provisions

These are things that are pretty universal across the org, only get set up once per year, and most often cannot be negotiated.

3/
6 Nov
Hey #infosec n00bs!!

One of the worst habits we have in security is speaking in absolutes. Saying things like "Unhackable", "Breachproof", "Fully Secure", "No Risk". They're simply untrue.

But this also includes when we talk about skillsets. There are no absolutes.

1/
So when someone says, "You must know x, y, z" or "You have to do a, b, c" to get a certain job (or any job) in security, you can simply toss out those absolutes in with all the other fallacious absolutisms that security people throw around. Simply ignore them.

2/
The reality is we need people of all different skillsets, all different backgrounds, and with all different perspectives in order to be successful. Security is about problem solving and problem solving is strongest when different viewpoints collaborate.

3/
4 Nov
As more job descriptions are including pay range, you as a job seeker need to understand how those ranges actually work.

You might look at a range of $110K-155K and say, well I'll take $155K thanks! However, that might not always be the right approach.

1/
Unfortunately, most orgs only train managers (and sometimes not even them) on how these ranges work. Typically, there is a high, low, and midpoint.

The high-level goal is to bring people who are below the mid-point for a role, up to that mid-point.

2/
This happens through good performance appraisals that drive good raises and up they float. For those who've now moved beyond the mid-point, that's a sign to their leader that they should be about ready for next level up (i.e. a promotion), so those conversations start.

3/
22 Oct
A 🧵 about tech interviews:

The technical interview is one of the most contentious aspects of the recruiting process IMHO. Hiring managers and orgs don't always handle it well and candidates get beat up with anxiety from the process. So how do we make it better?

1/
When I interviewed for my role at @Snyksec, I thought I bombed my tech interview. Benji asked me a couple questions about concepts I had never heard of before.

I admitted I didn't know the answer, but then shared a bit of logical deduction based on the terms as to what

2/
I thought they may mean. I was sure I had really messed up. However, I got an offer and shortly after I started I found out he thought I did very well and actually had recommended hiring me based off the interview. He told me he liked how I thought about things and that I was

3/
24 Jun
So I really want @ECCouncil to understand the damage they've done (a thread):

1. People who proudly achieved certifications are now disavowing and not renewing those certifications because of the shady practices of the org that provided those certs. All that hard work, lost.
2. People who won awards from your org are now renouncing those awards because they don't want to be associated with the practices of a company like @ECCouncil. These were accomplishments they should be able to be proud of that you've ruined.
3. Organizations and universities who've built educational programs and partnerships are being forced to review and potentially change their entire approach because they can't count on the integrity of @ECCouncil's materials.
23 Jun
So I want to make clear just how trivial it was to find repeated cases of plagiarism in the EC-Council blogs. All it took was going to recent blogs, finding a few key terms in the content and then Googling for those terms. Literally that's it. #ECCPlagiarism

1/
With less than 30 minutes of work, I was able to easily locate the original works that were leveraged to craft two of their blogs. That time included verifying the content matched, taking screen shots, confirming the blog was cached at archive.org and posting

2/
the details.

So consider this as you hear @ECCOUNCIL claiming that they tried to prevent plagiarism. No more than 5-10 minutes of human effort per blog and they could have avoided this mess. One has to question, since they didn't, did they really even care?

3/
23 Jun
OK my last tweet (ok a thread) on the whole EC-Council fiasco for the night. They've shut down their blog and someone already congratulated me.

Let me be clear, I am not happy and I am not celebrating. This is not a win. There are only losers here. EC-Council loses for

1/
the obvious reasons.

However, our community loses as well. This whole thing sows distrust between practitioners and all of the educational and certification orgs we place our trust in.

Content creators lose as we realize we have to take exceptional measures to protect

2/
our works and their copyrights.

Ultimately, I hate this whole thing. I hate that it has robbed us all of so much. I hate that the effort I put into helping EC-Council in April turned out to be a waste.

I don't know where this is headed next, but no, I am not celebrating

3/
27 May
"I want friends not fans" - This quote will stick in my head forever.

This sums up my attitudes toward infosec rockstar culture. IDC how many followers a person has, how many talks, media interviews, or books they have under their belts. We're all just humans 1/
and we all have something to learn from others and something we can teach others.

If you encounter a highly recognized person in this community who isn't willing to give you the time of day or who thinks their accomplishments make them superior to you, just walk away. 2/
They are not worth your time.

It hit 40K followers today, and it's shocking and humbling to know that there are that many people who find something interesting about what I have to say. But I would hope that any one of them would feel comfortable coming to me with 3/
26 May
Let's be crystal clear about this. If your first reaction to survivors of sexual predators is skepticism or questioning, you're literally supporting and enabling sexual predators everywhere.

Here's the thing. Sexual predators pick their targets deliberately. They look for 1/
people they can manipulate or control. Most often this is due to a power dynamic in their relationship with their victim and they use fear and shame as tools.

When you question survivors, when you speculate or attack them in public discourse, you play right into what these 2/
predators are looking for. You create the very tools they use to keep their victims quiet. And victims that are too afraid or ashamed to report are what allow a Denver public school employee to rape 62 high-school aged girls, or a film producer to harass and/or assault 3/
8 Mar
On #IWD2021 let's talk about the reality of women's experience in the professional world:

1. According to study after study, women are consistently paid less than men for doing the same job. WOC make even less than their underpaid white women counterparts.

1/
2. Numerous studies have shown that in promotions, men are considered based on their potential to do the job while women are evaluated on whether they've already demonstrated the skills of the job (I've experienced this myself)

2/
3. Women are consistently assumed to have lesser technical expertise than their male peers.

4. Women are far more likely to be interrupted during meetings and have their opinions minimized or ignored.

5. Women with tattoos are more harshly judged for them than men.

3/
29 Sep 20
I know it's easy to hop on the bandwagon of shaming #infosec in Healthcare given the ransomware news over the last two days. But please before you decide to blast your theory on how healthcare is lazy, uncommitted, etc. to security, take a few moments to consider their risk 1/
models and the unprecedented level of complexity they have to deal with in terms of technology and threats. We know the challenges of ICS systems that are built once and typically can't be easily upgraded as vulnerabilities are discovered. This is 10x worse when it comes to 2/
medical devices. Now add in the complexities of EMR systems which are managing vast amounts of disparate forms of data. Far more complex than even what we see in financial services. But the complexity doesn't end there. Consider the crazy networking infrastructures needed to 3/
22 Sep 20
The more I think about this tweet, the angrier I get. This does not help your case @TwitterComms. This says not only did your training set and the team creating this model lack sufficient diversity, but apparently so did the team testing it. What makes me angry however is 1/
that this is not the first, tenth or even hundredth time we've seen models fail like this. It's talked about widely in the tech space. Yet somehow @Twitter ignored all the discussions about how to avoid these biases and instead went with pre-delivery testing as the solution 2/
to eliminating such biases? And @dantley this isn't about dunking on you or @Twitter, this is about frustration at the pattern of behavior by tech giants who utilize ML and AI without being able to sufficiently address the inherent biases they introduce. It's a disturbing 3/
18 Sep 20
A little reminder for the #hackerfit #redteamfit #blueteamfit #gitfit folks out there. Keep your eye on the big picture. One of the things that has helped me most is this trend line. If you look at the data plots, you can see how my weight fluctuates up and down a lot. It is easy to 1/
get discouraged in those moments, but having the trend line allows me to see the big picture. No matter how I plateau or fluctuate, it remains in a downward slant. That reminds me that my setbacks are momentary and that I am doing the right things. Even when my heart feels 2/
the frustration, my logical mind sees that line and knows it's alright. In the end, I hit my goal while losing an average of 2.24lbs/week which is right in line with my plan of 2 lbs per week (what most agree is the most aggressive rate of loss you should target). So whether 3/
28 Aug 20
With #IStandWithJKRowling trending as she returns an award she didn't deserve, it's important to point out a few things.

1. Her whole premise is based on the faulty logic that allowing trans people to pee and poop in the bathroom that matches their gender somehow erases sex. 1/
2. She, like those who say #IStandWithJKRowling, reference 1950's science in their argument, while ignoring 70 years of deeper investigation that has discovered many of the realities of gender vs body sex characteristics. 2/
3. Nothing in her rhetoric, or that of the #IStandWithJKRowling crowd who claim not to be transphobic, ever once seeks to open a dialogue focused on solutions. Instead it's always focused on telling others what they can and can't do with their own bodies. 3/
25 Aug 20
Let's talk apathy for a moment. We bemoan users for it. We see the issue with it, yet as #infosec folks who know better, we participate in it. I've been seeing this trend in our community. It was particularly visible when the TikTok privacy concerns were brought to light. 1/
On one extreme, you had those that over-reacted and sensationalized it, agreed. But on the other, you had this weird reaction of "Well it's no worse than what FB, Twitter, and others do." I have two issues with this response. First, it flippantly and irresponsibly 2/
dismisses the unique nature of what and how they gathered the info. Second, since when do we as security folks say "Well everyone's doing it so don't worry about it"? I'm seeing this occurring more and more every time there is news of a privacy breach. I'm even starting to 3/
24 Aug 20
Been a thread going today on the "talent shortage" in #infosec. We've talked about HR, Hiring Managers, Orgs having unrealistic hiring goals, bad job desc., etc. However it's time for some real talk on an issue that is reducing the number of EXPERIENCED professionals in the 1/
market. It's an uncomfortable conversation but one that cannot be ignored (although I know now as I bring this up, there will be those that claim it doesn't happen). The fact is, we as a community continue to drive people away. You know where I'm going, this industry continues 2/
to push out members of underrepresented groups. Some of this is done with very aggressive, overt, tactics. Some of it is more subtle but still very intentional. And in some cases it's simply systemic and we participate in it by our failure to acknowledge and work against those 3/
7 Aug 20
Alright, so let's answer this. First I assume you're talking about Susan Mauldin who was the CSO (not CIO) of Equifax at the time of the 2017 breach. She did indeed have a music degree, actually 2 (BA and MA). And I have no problem with that fact in and of itself. 1/
Degrees matter little in terms of job preparedness unless it's THE thing you're claiming prepares you for a role. As your experience grows, the need to rely on the educational components of a degree are lessened. By the time someone reaches an executive level, it's in many 2/
ways approaching irrelevancy. What is important is what did she do in her years of private sector work prior to Equifax. Well among other things she was a director of infosec audits and compliance at HP for 6 years. So I'd say she had some relevant experience. 3/
30 Jul 20
OMG my Twitter Fam!! You guys are freaking amazing! My mentions were blown the hell up with support this morning and I can't express how much it means. Thank you. I know I don't owe anyone an explanation but I decided I'd like to share more details. A thread: 1/
Last night I retweeted one of those "Why aren't people attracted to you" threads. I chose to highlight stats from real studies about the struggles in dating as a trans person. Anyone that's been following me for any length of time knows I don't tweet a whole lot about 2/
trans issues. Mostly because I'm a woman first and foremost and I chose to make my focus the issues women experience as a whole. Lately I've opened up a little and have discussed some trans issues but I still save most of that for other spaces. My visibility is my advocacy 3/