Kat Sweet
Baby we were born to pun. Security engineer @LaunchDarkly. Treblemaker. Knit wit. Silly yak. @BSidesLV staff. Black lives matter. She/they 🏳️‍🌈
Jan 23, 2022 8 tweets 1 min read
You can glean a lot about an organizational culture by which straight white men-authored business books everyone passes around and which corporate astrology personality tests they put employees through. As a few examples:

Deep Work: does the org devalue the glue work of administrative tasks, relationship-building, mentorship? Which employees are afforded the privilege to work "deeply"?
Sep 22, 2020 4 tweets 1 min read
Security operations folks: what do you wish the teams who design and develop detection/response tools understood better about your jobs? And to clarify, I’d also welcome just a description of current state or problems you’re trying to solve — proposed solution optional!
Sep 3, 2020 17 tweets 3 min read
Since folks are discussing communication as a core security skill, I’ll add that it’s vast and multidimensional. Helps to pick a fairly narrow area to focus on developing, w/ time-box & tangible measures of progress/success.

Thread of how I’ve tackled this in past pro-dev plans: First, a few ways to structure. IDPs (individual development plans) can be useful for this — there are tons of templates for these online. A broad development goal, then a specific goal and steps to work toward it within a set amount of time, like one quarter.
Jun 24, 2020 8 tweets 3 min read
#BadStockPhotosOfMyJob

The hardest part about working in security is when someone tries to crack the password on the Adriatic Sea by setting it on fire.

The second hardest part is playing the piano solo from “Layla” on your desk before you begin the triage process.

Meanwhile, after a rogue admin Konami-coded their way into AWS’s Arctic Circle and Kazakhstan regions, Gabon gets DDoS’ed by shopping carts via a nation-state attack on Aldi’s 25-cent cart-unlocking mechanism.

Such carnage. It’s a good thing you’re wearing your IR cufflinks.
May 14, 2020 11 tweets 2 min read
I’m enthusiastically singing along to the @Indigo_Girls livestreaming concert of the entire Rites of Passage album. Cheers, queers. 🏳️‍🌈

“Galileo” now. 😍 I remember seeing them in Madison in 2011, and they closed the show with this song... they got the entire audience singing the bridge a cappella.
May 10, 2020 4 tweets 1 min read
Ohhhh Mean Girls quotes work so well for this.

She doesn’t even go here, and I still don’t have a toaster! You can’t sit with us! And I still don’t have a toaster!
Apr 14, 2020 14 tweets 5 min read
What does a technical evangelist do to scratch the in-person conference itch when there are none? Live-tweet a fake security con held at her apartment, of course.

Here we go. (1/14)

I’m here today at the illustrious and completely faux StayHomeCon ATX! I’ll be in the @capsule8 tshirt so come say hi if you see me!!

First impressions: super impressed with this year’s badges — the organizers really went all out this year. Hashtag badgelife. (2/14)
Mar 25, 2020 6 tweets 2 min read
I already worked remotely and generally enjoyed it. Even though my work setting hasn’t changed, the pandemic has still impacted my routine and focus in many ways.

For one, this is a massive-scale trauma. Survival mode isn’t a good state to be productive, but we’re all there now. We can lift one another up from afar, but it’s not the same when there’s zero in-person interaction. One of the reasons I was able to function well in a WFH role is that I kept an active social life in the evenings and weekends. It made the solitary work days manageable.
Mar 21, 2020 4 tweets 2 min read
Granola I’ve been baking for years. Base recipe lends itself to infinite variations:

3 c rolled grain
2 c other stuff (seeds, nuts, puffed grain)
1/2 tsp salt
1-2 tsp spices
1/2 c syrup (maple, molasses, agave)
2 tbsp oil
1 egg white (optional)

Bake @ 300 1hr in 9x13 pan. The egg white is optional but gives it good cronch without adding more sugar. Mix in dried fruit after cooling.

This is a modified version of seriouseats.com/recipes/2012/1…
Mar 11, 2020 5 tweets 1 min read
With a heavy heart, I’m withdrawing from speaking at @CypherCon. I’m exploring options to record at home.

While I was excited to speak at a great con in the great state I grew up in, staying in ATX is the most socially responsible thing I can do to help curb COVID-19’s spread. Watch this space once we’ve sorted out potentially recording in advance — y’all may become my live studio audience.

Many thanks to the conference organizers for their understanding and flexibility. My cheese curd cravings will just have to wait a little longer to be fulfilled.
Mar 1, 2020 9 tweets 3 min read
“Beatings will continue until morale improves” was never an effective strategy. People will get phished. We need to accept that fact and 1) make our colleagues feel safe to report a phish; 2) put safeguards to minimize the impact of a phish.

No one’s job should be in jeopardy.

Whenever I did security education for colleagues, I emphasized that first point quite a bit. If you fall for a phish, we’re not going to shame you, we just want you to tell us what happened so that we can take the appropriate mitigating actions. Blamelessness is key.
Feb 23, 2020 5 tweets 2 min read
This was a lot of fun. Thanks for having me as a guest! Cheers!
🍵✨🍵 Oh, and I also completely fumbled on my response to the “public cloud infra vs on-prem”. I had spent the afternoon writing product release notes and my brain was a bit liquified. (“KMS” was the AWS acronym I was grasping for). A few additional thoughts I’d struggled to verbalize:
Jan 26, 2020 17 tweets 3 min read
🧵 Doing IR while neurodiverse in multiple comorbid flavors can be a rollercoaster in ways that I didn’t fully appreciate until I stepped back from an on-call role.

(CW: some trauma stuff)

First of all, the perennial advice “learn how to emotionally detach from the incident”. Oh my sweet summer child, would that we all had a brain that easily could do that.

Shit will meet fan. Emotions will arise. Learn how to identify them and minimize impact rather than expecting them to just not exist. (See also, chaos engineering.)
Dec 21, 2019 9 tweets 2 min read
Oh hey, some holidays are coming up and I occasionally get questions about religious background, beliefs, and observances. I often find it hard to answer in one sentence; I’ve straddled multiple worlds my whole life. So here’s a short version (and by short I mean several tweets):

By birth I’m a Cashew: 1 Catholic parent 1 Jewish parent. They had a priest & a rabbi at their wedding. We celebrated Hanukkah and Christmas; sometimes latkes and opłatky would adorn the same table. Religious pluralism was always normal for me.
Nov 22, 2019 4 tweets 1 min read
I’ve largely stopped chasing the “technical” label. It’s nebulously defined and often a dogwhistle for perceived competence based on the devaluation of other skills and knowledge. “Non-technical” somehow became code for less worthy and less intelligent. My last role drew upon many tech skills, but I didn’t write code for a living. If I can be called “non-technical” on the security operations team of a security company while wearing my NetWars Champion hoodie, no amount of technical prowess will make Bro DiMaggio shut up.
Nov 14, 2019 7 tweets 2 min read
For absolutely no reason, the mashup you never wanted, @duosec swag as the Spice Girls: Scary

*“scary” interpreted in the hacker sense rather than the Mel B sense
Jul 19, 2019 14 tweets 2 min read
While Madison is burning, it’s time to dust off another classic tale from my hometown’s history.

Gather round, friends, for the story of the Great Madison Butter Fire. (Yes today is a mental health day for me and I should be giving my brain a rest from thinking about incident response-related matters, but it doesn’t count if I’m talking about *actual* firefighting, right?)
Oct 7, 2018 9 tweets 2 min read
I found a worry I wrote down a few years ago that seems so completely irrelevant now: “What if I’m a fraud and don’t really have the hacker nature?”

Let’s talk qualities that are seen as things that you either have innately or don’t have and never will.

So, I’m a vocalist... I’m pretty good at singing; it gives me a rush whether I’m in front of a crowd or just belting out Hamilton in my car. Many people who compliment my voice assume I was born with the voice I have now. But years of effort and good circumstances went into making it look effortless.