
Pancakes & Machetes: A Dialogue with Lesley Carhart

There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference they conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on winter conference schedules and left a gap that Lesley saw needed to be filled.

Having joined the Air Force Reserves just before 9/11 with the intent to become an airplane mechanic, Lesley has spent their career balancing military service with “the usual” pressures of working in cybersecurity. They explain how they juggled their civilian and military life for 20 years up until their recent retirement as an Air Force Master Sergeant. Lesley recaps their two decades of service while laying out the good, the bad and the misconceptions for any who would follow in their footsteps.

Alongside their cybersecurity day job and military service, Lesley also actively practices and teaches martial arts to children. We explore what motivates their passion for serving those around them, focusing on their early difficulties breaking into the cybersecurity industry in spite of having had their first programming job at the age of 15. Lesley, Jack and Dave conclude with a hopeful dialogue on what more we have to do to create a truly diverse and supportive cybersecurity community, and how it might be the key to finally resolving the current staffing and burnout crisis.


Meet our guest

Lesley Carhart

Principal Industrial Incident Responder, Dragos, Inc.

Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. They have spent more than a decade of their 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks. They are recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics.

Prior to joining Dragos, they were the incident response team lead at Motorola Solutions. Their focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems. They are also a certified instructor and curriculum developer for the Dragos “Assessing, Hunting, and Monitoring Industrial Control System Networks” course.

They have received recognition such as DEF CON Hacker of the Year, a “Top Woman in Cybersecurity” from CyberScoop, and “Power Player” from SC Magazine, and are a 2021 SANS Difference Makers award nominee.

In their free time, Lesley co-organizes resumé and interview clinics at several cybersecurity conferences, blogs and tweets prolifically about infosec, has served for 20 years in the USAF Reserves, and is a youth martial arts instructor.

Transcript

[00:00:00] Jack: Welcome to the Security Voices. Hey, Lesley. It's great to have you on finally.

[00:00:04] Lesley: Thank you for having me. 

[00:00:07] Dave: We've been talking about this for a long time and Jack has been waving me off and saying, no, no, no. Lesley has too much going on right now. She's, you know, doing one of a myriad of huge things and, you know, can't, can't be bothered at this point.

So it's a, it's cool. After about two and a half years that we're finally making this happen. So great to have you here.

[00:00:28] Lesley: Save the best for last.

[00:00:31] Dave: Oh. But there's so much more to come. There's so much more. And speaking of, um, of stuff that wrapped up, so you just, yesterday, you just had PancakesCon and the third edition of it, right?

[00:00:43] Lesley: Yes, I did. 

[00:00:45] Jack: I had a lot of time to prepare for this one. Right? What did you have? Like three days or something?

[00:00:51] Lesley: And we had 11 days this time instead of six days.

[00:00:54] Dave: So, how did you end up with such little time to prepare for?

[00:00:58] Lesley: Uh, ShmooCon postponed. And we were originally scheduled for March and, uh, all the cons for January, you know, they postponed to the spring.

So it was either, it was either March or April. And we were like, oh no. So, um, you know, we're a little dinky virtual con, but more importantly, like all these cons are getting postponed that people really were looking forward to if they were finally gonna get together. And, you know, they'd be sitting there that weekend with nothing to do, being miserable.

So try to give people something to do. That's the most important thing. We don't make any money off of it. So it's just to, to entertain people. 

[00:01:35] Dave: I mean, basically you looked at it and said, if we keep it where it is, it's going to get a little squashed, but lemons, you know, lemons to lemonade. If we move it to now, we have a captive audience potentially.

So let's hustle make it happen. And that's what. 

[00:01:49] Lesley: Yep. Bye. TA I sent a message out to all my co-conspirators and said, Hey, can we make this happen in two weeks? And he said, oh God. Okay. 

[00:02:00] Dave: And you had you're about to tell me how long yesterday was. It started at six 30 in the morning, central time and wrapped up my 

[00:02:09] Lesley: day, wrapped up around nine at night and without any breaks.

So it was a long day yesterday. 

[00:02:16] Dave: That's insane. That's huge. So did you, what did you do to celebrate? Did you sleep in this morning? Well, how do we find you today? 

[00:02:25] Lesley: Work and today, but I'm, I'm not too, I'm not too put together, but I think I woke up about five minutes before I had to start work. So it's a, it's a rough day, but it's really worth it.

It's just that, that post con you know, slump after that, the adrenaline wears off after you've been organizing things and running things all day. 

[00:02:45] Jack: For those who don't know about it. Can you tell us about the format? Cause it's not a typical cyber thing, hacker thing. Uh, content only, it's kind of cool and what you do with it.

So you want it for those that have missed it. Let's let's give them, uh, a delayed FOMO or something for having missed a wonderful event.

[00:03:05] Lesley: Oh, well, sure. Well, um, so, uh, when I started this conference, I started it the first week of lockdown in the U.S. in March of 2020, and everybody was panicking and burnt out.

So I was like, how do I reduce people's burnout right now? And get them to still do an InfoSec con? So what I decided to do was make the talks half and half, so they can talk about a cybersecurity topics. 20 minutes and then they can talk about something that's not related to it for 20 minutes. So a hobby, uh, cooking, you know, um, fitness, something like that.

They have to talk about something else for 20 minutes, you get 20 minutes of learning and then every, every 20 minutes you get a break from. So it's trying to keep people's attention and keep them from burning out on the conference because virtual events are so, so, so hard. Um, they're still hard.

Everybody's struggling to figure out how to do them. But the, the method that I found was 20 minutes on 20 minutes off. And I mean, you're still learning things during the hobby talks, you're learning how to do a new hobby, but you're learning how to do something fun. You're learning how, you know, like trains work or something or how to cook something.

So it's, it gives your, your part of your brain that is focused on cybersecurity, analytical work, a little break, so you can keep going through the day. 

[00:04:19] Dave: So the 20 minutes on is a topic from the presenter. It's something you'd expect at a normal conference right around that Ted talk, 18 minute mark. And then the 20 minutes off is anything from I, I kind of perused the topics.

It was, um, easy stuff to make in a Crock-Pot to mindfulness, to gin and tonic recipes, that sort of thing. That's that's the office.

[00:04:46] Lesley: That's that's the point? It's, it's a switch though. They say the sides of your brain really aren't as important as we always thought, but switch, switch parts of your brain for 20 minutes and then switch them back.

[00:05:00] Dave: And what was, what, um, what motivated you to do this? I mean, you, you talked a little bit about that, but you could have done many, many things. What motivated you to create PancakesCon?

[00:05:11] Lesley: I'm an incident responder. Um, I'm a natural organizer. I run into fires and I put structures in place. I tell people if I had been born 30 years earlier, I would have been a travel agent because I'm very structured about planning stuff.

So I'm really good at planning events. So that's something I can do. I can put an event together and run it to perfection. That's something that I'm able to do. So, um, you know, we're, we're all trying to find ways to help people cope with the pandemic and with the way our lives have changed over the last three years.

And, and that's different for different people and the level of what we can commit to is different for different people. But that's something that I could do. 

[00:05:51] Dave: And the audience is mostly students. If not exclusively students. 

[00:05:57] Lesley: It's a mix, you know, especially this year with people with cons canceled, you know, I target the audience, the audience of the talks to junior people, but you know, people are just starved for interaction right now.

So we had a showing of a little bit of everything this time 

[00:06:14] Dave: and about how many people were there. 

[00:06:17] Lesley: It's hard to guess based on statistics from like our streams, uh, we're guessing around 450 people were watching live, but we had another hundred involved in the villages and then another a hundred something involved in the CTF.

So it's a respectable showing for a community con.

[00:06:38] Jack: Yeah, I think the format and the things you had added to that draw because we're, we're burnt out on just a common good. We've been zoomed to death and even good stuff is hard to do. So the engagement, you got shows that, that you're doing it right. That's cool. That is very 

[00:06:57] Dave: good. Yeah, there is. There's a few comments on the, um, on the hashtag on Twitter, where people were saying they appreciated the, it felt more human to them than most conferences.

And they appreciated the implicit message that our hobbies or interests outside of work are really important to keep people from getting burnout. Like people got that completely from, and I know that's a big topic for you and something you, you believe in deeply. And it's kind of, it's cool to see that the conference and what you've, what you've built is an expression of one of your beliefs.

And I'm sure to have people kind of parrot that back to you is, is pretty damn cool.

[00:07:37] Lesley: Good when people get it. Yeah. I remember interviewing junior candidates even a decade ago, who would come in from college with no outside interests except for doing cybersecurity. And it really worried me. I mean, it's great if you really, really love the field and that's all you want to do day in and day out, but you're going in per now.

You're going to burn out and you're going to struggle to make social connections, um, because even people inside the, what we call the, the cyber security communities or the InfoSec communities, we share hobbies. We do things like, you know, at conferences, we, we like lockpicking, things like that. So things that are tangentially related, maybe, but, uh, there's a big community that's into fitness and a big community that's into like cooking and things.

So, um, w even we have hobbies as a community. And if you don't have those things, especially right now, where life is really changing, you need those social connections. Even if you're an introvert, you need, you need things that will refocus your mind. 

[00:08:38] Dave: Yeah. I mean, back when the world was a little more normal in the heady days of 2019, I took my son to DEF CON roots and he spent time there that day for like two hours even did it like a mini CTF that was sponsored by the Amazon team, which was awesome.

And he had a lot of fun with it, but the cool thing was the lockpicking to your point. And Mike Andrews, who's our head of engineering at Open Raven was there, uncle Mike is Wyatt knows him and he loved it and he thought it was so cool. And it didn't just even. Yes, it was Mike's kind of outlet to get back, but also a totally open the door for my son into a community that someday he may or may not join, but he understood things a little better thought it was immeasurably.

Cool. And so on. It's one of those like happy unintended, but beneficial consequences of us, just all being a little more human, you know, it not only allows the person who's giving to express their humanity, but it opens the door for other people to come into. And I think that's, that's one of the really cool things about it.

[00:09:46] Lesley: Absolutely. Totally agree. That's wonderful that you had that experience.

[00:09:52] Dave: Yeah. So maybe, maybe we can do it again. I don't think Vegas is quite yet like Omicron-free or, or will be anytime soon. So I still think Vegas is a bit too much of a human Petri dish right now for any of us to wander near it.

But, um, maybe, maybe this summer, maybe by this summer, we'll have full of flamed out on the Greek alphabet and you know, things will be okay. 

[00:10:15] Lesley: Yeah. We all cross our fingers simultaneously. Yeah. 

[00:10:19] Dave: Yeah. 

[00:10:22] Jack: Uh, yeah. Frankie's is, uh, Frankie's is beckoning indeed. I mean, I think the first one that, uh, that, um, uh, ShmooCon does a lot of us putting a lot of hope into ShmooCon, but we'll see.

But we're wise to postpone the, when the worst place in the country for, uh, the pandemic is where you're holding a conference. I felt 

[00:10:47] Lesley: so hopefully they're not the worst place in a couple months. Yeah. So not 

[00:10:52] Dave: the best. So what were your, what were your highlights from PancakesCon? You haven't had much time to reflect you went straight from, hopefully you, at least.

Did you at least like crack open a good bottle of wine last night or do something to reward yourself for a job? Well done anything. 

[00:11:09] Lesley: Not really. I was seeing a, tying a baby stuff with the AAV crew and, uh, but I hope they did. Gosh, you know, they all work so hard. Our volunteers, like it's insane, what people put into these events, um, for, for free on their own time.

Why? I don't think it gets appreciated enough, but, um, so, so I owe a ton of this to them, but highlights. I mean, I didn't really get to watch a lot of the talks in a dedicated way because I was monitoring the different streams and the operations and things like that. But I did get a lot of feedback from people.

And especially like you were saying, like on the hashtag on Twitter, just like these people who were engaged and they liked the format and they understood why we were doing it. And another really great thing is we have a code of conduct, of course, cause we have hundreds of people who participate in the conference.

And, uh, we only had one violation all day. Uh, people were great. People were supportive. We have a really active mentorship channel and networking channel and people were doing what they're supposed to do there, which is helping people find jobs, helping people better their career. I think 40 people went through our resume and interview village, which is really honestly an insane amount because those are like 30 minute one-on-one interviews.

So yeah, a lot of people got helped and I got a lot of great feedback on that. So that makes me really, really happy. 

[00:12:31] Dave: Very cool. And if someone wants to, to watch some of the content, presumably they can just roll right up to the PancakesCon site and watch any of the content there for free.

[00:12:43] Lesley: Yes. So we have a website, it's pancakescon.com, and that has links to all of our things, our social media, our YouTube and stuff.

And of course on YouTube and Twitter and things like that, we're PancakesCon. So our talks in the last two years, or are yet on YouTube will be post-processing our videos from this conference over the next few weeks. And then they'll be up there once they're captioned and edited and things like that.

[00:13:06] Dave: All right. And your keynote speaker was L 

[00:13:11] Lesley: yeah, they are phenomenal. One of my favorite people and they give you such an incredible talk on, um, how, how we make these unwritten rules for what we do in business. I recommend everybody watch it once it's posted it's about all these expectations, that business sets for us that are artificial and where they need to go.

Um, you know, for us to be successful in the future and healthy as a community. And it was a phenomenal keynote talk. Um, they were so worried about it. It was, I think their first keynote and the talk was incorrect. 

[00:13:47] Dave: Very cool. Very cool. So none others that, um, that kinda jump out to you after that, or you probably need a little more time to reflect digest and action.

I actually watched the 

[00:13:56] Lesley: time, so I need to go through the raw recordings now and actually enjoy them. So, but it's not for me, 

[00:14:02] Dave: so. All right. And if someone wants to participate the call for papers, opening up. Late this year. When, when, when should people look for the CFP?

[00:14:12] Lesley: God almighty, we are con we are truly a pop-up con this time again, we've put it all on there 11 days.

And that included the call for papers. So, yeah. Yeah. I've had a lot of sleepless nights for the last couple of weeks. Um, and, uh, you know, when we have time to plan for it, when it's not in the middle of a virus wave, it's changing everything. We try to do the CFP a couple of months out and get it posted.

You can follow our website, you can follow our Twitter. Those are the two best places to get updates on what we're doing. And when we're planning for, um, I hope we don't have to do this on the spur of the moment next year in 2023, but who knows. 

[00:14:53] Dave: So it's, it was interesting when you and I spoke, you were, so we're not, there's so many topics we could cover with you.

You've done a ton of things. Um, clearly if you can put on a conference in 11 days, God forbid, we give you a little bit of time, you know, magic magic happens. I'm, I'm convinced of it, but it was interesting when I spoke to you, I said, so what, what haven't you talked about that you'd like to, um, since podcasting and this sort of your, your public persona on Twitter and elsewhere, and you'd mentioned something that, um, I think a lot of that's true to a lot of people, but, um, maybe not immediately obvious, which is folks, even like well-known folks who do great things, occasionally submit papers for conferences, they get rejected.

It just doesn't say so on. And you had a really interesting. Topic, which was I I'm just going to badly paraphrase it as real talk on security jobs, pen testing, incident response, reversing, malware, everything else. You submitted this for a talk. You had a concept here. Um, how far did you get with it? Did you actually fully develop it or did you mostly have an abstract?

[00:16:05] Lesley: Yeah, so it actually has been, I got rejected from like three cons with this cause people said it was too negative and I'm a very negative person, so, but it's a fair, fair criticism of this topic. And I did get accepted decipher console, the speaking at cipher concept for cons a little bit more regional though.

So I'm not sure how many people are going to see it, but I have developed this talk. And what I want to talk about is the downsides of cyber security initiatives, because I think all of us as cyber security professionals, we get asked the same question by students all the time, which is how do I get into cybersecurity?

And then after a few weeks, it's how do I pick which area of cybersecurity to get into? So those questions, we get asked all the time and I blogged about it and I've spoken about it before, but I think something that's missing in those discussions is what's the downside of these niches, because we are very, very good at selling.

Hacking is cool. Like we do that all the time at our conferences and things. It's like, here's this cool pen testing story, or here's this wild incident response case. And it is super cool. And it is super interesting. We're in this field because we think it's interesting, but at the same time, not every niche is going to be fun for every person, because there is a lot of 90% of these jobs that you don't see in those talks.

We don't talk about them. Like if you're in pen testing, you're spending 80, 90% of your time writing, you know, scoping and writing reports and they have to be very well-written. They can't just be like throw pasta at the wall and see what sticks, you have to be really good at writing proposals and, and writing reports for various audiences.

And that's a massive part of pen testing, and we've never talked about it. Like, and people get into pen testing and they're like, oh my God, I have to write all these reports. I hate my job. Like, why didn't we tell you that in advance? Like it's the same with incident response. You know, you know, that the crises you have to deal with and the, the, you know, the frontline user communication, you have to deal with panicking, angry, uh, you know, furious people like, um, so, so that was kind of the talk idea.

I wanted to talk about those, those downsides as well as what personality types, these various niches really. 

[00:18:16] Dave: That rings so true to me. I, I started out doing pen testing. Well, at least I got into it early and realized like, nah, not, not really my bag for a whole bunch of reasons. And then I did exactly one incident response in the late nineties, um, and realized also that I liked a little more normalcy in my life.

I didn't like being beholden to all the mayhem. And, uh, 20 years later product's been pretty good to me most of the time. So yeah. My personal experience lays that out pretty clearly. Let's let's pick one and dive into it. Let's so, so that people have kind of a clear example, like which, which one? Which one should we do?

Should we do IR or should we do the reversing malware pen test? You already, you did a little bit of pen test, but let's maybe,

[00:19:07] Lesley: and I'm not even the expert on that. Sure. Let's let's talk about, let's talk about IR. Yeah. So, um, IR, yes, you get to, so that the really cool part that you see in the talks that they they're just legitimately part of IR is, Hey, you're being a detective.

You are, you are figuring out how somebody compromised a network and you're figuring out what to do next. So you've got this case and you've got to crack the case in a certain amount of time. And you've got to figure out how the bad guy got in and how, how they did things technically and what their TTPs are.

And then you have to figure out how to get them out and get the network secure again. Yeah, that's really interesting. Detective work. But at the same time, the downside to IR. Yeah. There's report writing and things too. But, um, if you consider that a downside, but potential negatives, there is I can be on the road at the flip of a coin.

First of all, like if something goes wrong, I need to leave my home and get on a plane. It doesn't matter if it's in the middle of the night or, you know, it's Christmas or something, you know? And I miss a lot of holidays because the adversaries know when to attack. Um, I miss a ton of holidays with my family.

So if I had kids, uh, if I had people who depended on me, um, it'd be really, really difficult to do the work I do, because it's like, okay, you're in a plane in two hours. Like all of a sudden your, your week has now been upended. You're doing something totally different. And second of all, you're doing crisis management in IR, which means, think back to like working retail, like, and dealing with the angry, furious customers. Like all of a sudden you're dealing with people on their worst day of. There they are in a crisis. They think they've lost millions and millions of dollars potentially, or even in my space, which is industrial control systems.

There's a health and safety. Maybe somebody who's at risk of dying issue and in the incident. And you've got to deal with that. You've got to manage that. You've got to walk in with confidence and be able to speak to multiple audiences so that they don't scream at you and throw you out the door. So there's, there's huge human communication elements there, which a lot of InfoSec people aren't particularly comfortable with.

Some are, some people love that, but you have to understand that that's part of the job. 

[00:21:17] Dave: I, how this is. I'm not sure any of us really know the answer to this. And I'd love to have Spafford on who I think is the other person you've, you've threatened to have on Jack that we should follow up with and see if we can, if we can get them to grace us with his presence.

[00:21:32] Jack: We can get Spaf on.

[00:21:35] Dave: But I wonder, and I ran into one of his students, actually a Thanksgiving of all things, maybe not his students, but of the, um, the InfoSec serious. Do I have to say cyber sex over at Purdue? And it's kind of funny. It was, um, oh youth these days. Um, I expected I'm like, oh, that'll be nice. I'm like, I'm sure this kid will ask me some interesting things and so forth.

And he didn't ask me anything. So apparently I'm either not that impressionable about that insightful or he just didn't care. But having said that, I do wonder. How well we're preparing people for the industry and what we could do differently. I mean, I had a VC and I haven't put a lot of thought into this, but it's come up so much recently that a VC showed me yet another recruiting platform, or he's like, Hey, what do you think about this?

And it was like a games based recruiting platform for finding like cybersecurity talent. I'm like, honestly, there's such a shortage, man. No, one's going to do that. And there's all these biases in it and so forth. I'm like, and I replied back. I'm like what I could probably get excited about. Is a program that took students fresh out of college and trained them up and then unleashed them in the job for us afterwards, and actually gave people real training.

But I'm not even sure if that's the answer. That was my kind of off the cuff. Um, how well are we preparing people for cyber security jobs? You know, to your point, Lesley, it, it, it feels like we're still figuring it out.

[00:23:12] Lesley: Yeah, we're definitely still figuring it out. We have been for the last 20 years, um, and the degree programs are one vector, but not everybody can afford college loans, um, college tuition, and there's issues with the degree programs.

Now the bachelor's programs to some extent are getting back. Um, they're getting a little bit more held to the fire and having to keep their curriculum up to date where I still see huge gaps are the master's programs. There are a few good ones out there, but there is a lot of cybersecurity master programs out there who, um, they they're teaching out out of date information and they're not teaching enough information.

It's hard to cram that all into a master's program. The person has a different undergrad degree and we see a lot of candidates coming in with master's degree who think they're prepared because they paid a bunch of money for a master's degree from an ostensibly credible school and they don't, they can't answer anything practical in the interviews.

They, they, it's not even a matter of technical minutia. It's like their, their knowledge, their foundational knowledge is so limited and out of date that they can't build upon it with modern concepts. They can't think critically about problems in cyber security. So I'm seeing a lot of problems with masters programs still.

Now, if you already have an undergrad in something related to security and you're up on the topic and you start self-study and things, of course it can be a valuable career tool, but there's, there's a lot of issues in our education pipeline for, for cyber security, where people are getting sold on programs that they're, they're told they're gonna make a lot of money with, and they're not really preparing them to do it.

[00:24:53] Dave: Is there anyone who you think is doing it well, and by anyone, I mean, an institution or a group that you think is doing a nice job that we could, we could look to as an example. 

[00:25:02] Lesley: Yeah. Purdue's doing very, very well. Um, my alma mater DePaul, I'm still very impressed with their curriculum. GMU. Um, there's, there's a lot of well known schools that are starting to build up very good cybersecurity programs, especially in the undergrad space.

Um, I think the concept of putting somebody in a master's program for cybersecurity with not no related undergrad degree, so coming in from say physics or something, um, it's a little dubious to me in general, but, um, the SANS master's program of course is quite credible and they put you through a ton of SANS classes, which is kind of cool.

Um, and if you don't have that background, but. You know, really understanding, not falling for the sales pitches, understanding what you really need to know in the field is important. And I'm not sure we convey that for. 

[00:25:58] Jack: The master's program thing. I was thinking about, um, Lewis Black does a rant about this, about, you know, in my generation.

And before you, uh, didn't get a degree in management, you did it got a degree, or you did a job, and at some point in time you realized you needed to do more. And then, then maybe you'd go back and get your master's, uh, whether it was an MBA or not. And, uh, it's not just our field having been in the car business for decades.

There are a lot of people that know nothing about the auto industry, nothing about retail at that scale, nothing about finance at that scale, but they have an MBA from Babson. And, uh, that's part of the reason that in my opinion, the industry collapsed, uh, 20 years ago, which was cool for me. Cause that's when I shifted into this industry.

So it got me out of the car business, but, um, yeah. Yeah, we. Yeah, people 

[00:26:51] Lesley: always going to try to sell training and degree programs. They're always going to try to sell those. And they're always going to try to tell you how much money you can make with their programs, but it's not always, 

[00:27:00] Jack: I can't imagine what it's like for anyone who's not ancient because that, that is most of what happens on LinkedIn for me, which I'm not looking for a gig I'm there to, for BSides and for Tenable and other things.

I'm working LinkedIn for connect to the communities I'm engaged with. Uh, but I pretty much daily get somebody trying to sell me, uh, certifications I had 20 plus years ago, or have actively retired from, and I'll be rich. I'm like, well, that's not how this works. 

[00:27:34] Dave: So you graduated from DePaul, but you also spent a big part of your history is your time spent in the military as well.

Talk to us back to the beginning of which, which is another incredibly legitimate path. And I can think of a number of super impressive people who started in the military as opposed to getting a degree. I mean, some of these people have been bedrocks of the cybersecurity community long before it had its cyber.

How did you get involved first with the military? Were you involved before you went to school or did you, yeah, 

[00:28:09] Lesley: actually it was the other, other way around. I was already involved in a hackerspace before I joined the military and it was a, that was a frigging delinquent as a teenager. I barely passed high school.

Um, I made, uh, I made money in the dot-com era because I knew how to use computers as a kid. And I got my first job as a programmer at 15. And, uh, I kinda, you know, I was already an angry teenager, angry at the world, angry at fight the man teenager. And, uh, so I kind of slacked off and didn't do anything and, you know, the dot-com bubble burst and I had to do something and I was like, uh, uh, you know, what sounds fun, fixing planes.

So, um, so I joined the Air Force and, uh, yeah, that, that's kind of how that happened. It wasn't a happy story. It wasn't a fun story. It was just like, oh, I better do something now, a story. So, um, but yeah, I had already been involved in, in the IT space and the hacking space before that, because I started so very young.

Um, and, uh, yeah. Yeah. So, um, I, my first day out of basic training, I had planned to just be a reservist and then go to college right away and become an officer in the military. Um, I enlisted obviously, cause I didn't have a degree. And my first day out of basic training was 9/11, 2001. So nothing, nothing went according to plan.

Um, but yeah, that, that was the plan originally. That's not what actually ended up happening. Obviously everything went to hell, um, uh, in, in got totally insane after that. And my whole life changed, but yeah, I spent 20 years in the Air Force, um, as a reserve assigned various activations and deployments and things.

Um, yeah, and I got out about a month ago. 

[00:30:02] Dave: Wow. That's that's extraordinary. How long, how long were you? And I'm going, gonna use the wrong words here, but how long were you full time in the Air Force? And then what, how, what period were you at risk? 

[00:30:13] Lesley: Uh, so I enlisted as a reservist again, my plan was my plan was, oh, I'll, I'll do this for a little while.

You know, you have, it takes like a year to become a reservist, especially in a technical field, you got to go to school and stuff, so we'll do this and then I'll go to college and I'll get my commission and then I'll be an officer and it'll be awesome. Know, you have all these plans when you're a teenager and none of them actually happened, but in my defense, there was a fricking war, multiple frickin war.

It's like, thanks. Things did not go according to plan. So yeah, no, I enlisted as a reservist. It just didn't really stay. It didn't really stick. 

[00:30:50] Dave: What happened? So all of a sudden, you know, you just finished basic training, you're thinking, all right, you know, settle into something. 

[00:30:58] Lesley: I do my eight months, nine months of, of technical school in that time, which was avionics.

So aircraft computer systems, and then I'll, I'll go to college and I got all these plans, but 

[00:31:09] Dave: no, yeah. Down come the towers. And what do you end up doing? What happened in? 

[00:31:15] Lesley: Well, the reserves had been for several years kind of chill. Um, you know, you didn't, there weren't a huge number of deployments going on around the world, but all of a sudden, everybody was getting deployed and everybody was getting activated.

And even if you weren't deployed to the desert, you were doing support work. And, uh, it was, it was like a real full-time job. 

[00:31:36] Dave: So you actually didn't get shipped out, but you ended up supporting the folks who were 

[00:31:41] Lesley: yeah. I mean over 20 years. Absolutely. I went all over the place, but, uh, yeah. Yeah. I mean, it was a mix of that and it was just nonstop for years and years.

[00:31:51] Dave: So as you look back, what are some of your favorite moments? What are some of the highlights and things that kind of stick out at you over a couple decades? I 

[00:31:59] Lesley: got to go a lot of interesting places in the world, which was really, really cool. Um, multiple continents all over the U.S. and, and, uh, doing really meaningful stuff.

I was, uh, I was in the Gulf Coast for six months after Katrina, which was a life changing thing. Certainly. Um, And, uh, you know, you meet a lot of interesting people too, and you get exposure to a different way of doing everything, including cybersecurity in the military. So, um, it definitely changed my perspective.

I got a good idea of how things function on the military side of things and the government side of things. Um, as well as getting to go to a lot of interesting places, um, and met all kinds of interesting people along the way. So that's the upside. Certainly 

[00:32:52] Dave: what's the things that people who have never done military service, who don't have your experience in the Air Force, what are they, um, what do they miss from their perspective?

Um, I'm curious, like how has it changed your thinking in a way that other folks could maybe benefit from if they had a similar experience? Is that a fair question? 

[00:33:14] Lesley: Yeah, absolutely. So in terms of. Operational stuff. Um, it makes you think about risk management and prioritization and triage really, really acutely, um, you know, your risk management cycles, your OODA loops, uh, how you make decisions.

Um, you learn a lot of that in the military, and it's, it's very important for doing things like I do in incident response, you know, critical triage stuff. Um, in terms of what people don't know about the military in the United States, at least, um, it's, it's a, it's slightly different in, in allied countries.

Um, there are multiple pieces of the military, so there's the various. Branches. So obviously there's Army and Navy and Air Force and Marines as well as Space Force and Coast Guard. And, uh, you know, and they all perform various functions. Sometimes they overlap, but there's also the different components. So there's there's guard and reserve and active duty, and they also have interesting overlap and they perform different functions.

Um, people don't really know that those things exist as discrete objects. Um, so it's, so there is, um, a vague understanding, I think, in people's minds that you can do part-time military, like I did. And, um, you know, people think about it as the guard or the reserve, but they're two totally different things.

So your guard is your, your. Component of service in most states. And, um, you are working for your governor in essence, most of the time, although you can be called up to do federal stuff as well. Um, so you're more aligned to your state guidelines and your state requirements. You're doing disaster relief, things like that.

And then the reserves are part of the federal military. So you are reporting to the same place as the active duty people are, who are in the full-time military. Um, and you are supplementing them, things like that. And you are not necessarily helping with things like national natural disasters, unless there's, you know, a presidential declaration of there being a state of emergency or disaster zone.

So, um, you're doing a little bit different things. You're supplementing people in different ways. There's different requirements. You're spending different amounts of time doing things. I mean, if you live in a state where. There are a lot of natural disasters and emergencies. Then you might get activated all the time in the guard, um, in the reserves you might be sent on longer deployments overseas to deal with, you know, federal things.

So, um, and you know, relief efforts overseas as well. So, um, there's multiple things going on there and the requirements to get into each one are different too. So the requirements with regards to age and things like that, health, et cetera, vary between the reserves and the guard and active duty, um, and your requirements for what you have to do to stay in are different.

So, um, there's a lot of things to explore there. If there, if it's something that you're interested in doing, um, it's definitely not necessarily what they say for part-time, like the, the, what do they say one weekend, a month, two weeks a year. It doesn't really end up being that it ends up being a lot more than that, especially during wartime.

Um, but, uh, It, there is, there's a lot of things to explore. And if you're, you're a young person and you're like, Hey, I think I might want to do the military thing. I mean, look at the guard, look at their reserves, look at active duty, see what the differences are there. See what they'll offer you. Sometimes you can get a guaranteed job in the reserves or the guard as opposed to active duty.

Well, they'll just give you one, they'll say here's your ASVAB score. This is your job. Now you are a computer programmer or you are a cook. Like they'll just make that decision for you. So, um, it's a little bit different and uh, yeah, a lot of things to think about. And that's even without thinking about becoming invested in an officer or whatever, so talk to people and actually understand your options there.

The recruiters will lie to you. 

[00:37:08] Dave: How do you juggle that uncertainty of, Hey, you know, at any point in time, there could be a state of emergency, like a Katrina there, it could be a war that yanks you out of your day job. I'm assuming the employer asked to agree to this beforehand and know this going in and all of that.

Like, how did, how did you personally juggle that uncertainty alongside your, your day job? 

[00:37:35] Lesley: So you have legal protections as a military member, as a guard or reservist person. Um, you, you cannot be fired for doing mandatory reserve service or guard service. It's that's the law in the United States. You can't be fired for it.

They have to hold your position, uh, while you're deployed or activated. Um, and this is, this is non-voluntary stuff. So not, I just want to go do this thing cause it's cool. Um, but, but your, your commitments as being part of those organizations, And the things that you're required to do as a military member.

Um, now that doesn't include joining the guard or the reserves after you're already employed, that's, that's a different matter, um, that you have to discuss, but, um, if you are already a guard or reserve member and you get a job, they can't, they can't fire you. They have to have an equivalent job waiting for you when you come back.

Uh, that doesn't mean it never happens. I mean, uh, people are skeevy, uh, and there are organizations out there like ESGR that protect us that have lawyers and things. And will go after companies that do things like that, that they're not supposed to do by law. Um, so, so you do have legal protections, but in practicality, um, it's tough.

You, you are juggling. I mean, by the time I was a senior. Enlisted person in the reserves. I was doing 10 to 15 hours outside of my normal job every week, just as part of my reserve job. I mean, obviously you can telecommute now it's it's 2022. Uh there's. There's telecommuting for those things too. So yeah, you're doing employee reviews and you're doing, you're doing, uh, you know, unfortunately, uh, remedial action for people, things like that, that have to be tracked every single day or, you know, paperwork for, for new projects or deployments.

And, and you have to fit that all in, into your day with everything else. It's part of the gig. 

[00:39:25] Dave: If someone was to join the reserves and add it in along what they're doing, what would it look like? What, you know, what, what, what should they expect first off? It sounds like there's, there's a training period.

And do they, do you have to take a kind of a year of training first before you're even you're in this situation where you're juggling things, you basically have to step out for it. 

[00:39:47] Lesley: Yeah. So it depends on how much training is involved in the job you got. If you're a cook, it might be two weeks. And I just use that as example, there's not many cooks in the military anymore.

It's mostly contracted out, but, um, if you are a computer programmer or a linguist, it could be a year or two years of training school. Full-time that you have to do to, to join the reserves or guard. Um, and that's, full-time just like everybody else. Um, And that's, that's part of the obligation. Um, some classes can be waived.

They say in the military, there's a waiver for everything. That's not really a true, hard and fast rule that there's waivers for a lot of things like age and, and, uh, medical conditions as well as school. So for some technical training schools, you can, if you have a lot of work experience in the space, submit a package with that experience and see if they'll waive part of the school.

Um, sometimes they'll, they'll cut pieces of it off. If, if they think that you have enough experience, um, it's always worth pursuing, but it's not always possible. So yeah, if you're, if you are a InfoSec person right now, who's like, Hey, I want to join the guard. Um, I mean, you'll have to talk to a guard recruiter and you'll have to talk to a unit where your potential job might be and make some decisions about how long you can go to school and whether that's the right job for you and what that's going to mean for your day.

So 

[00:41:03] Dave: it's, it's super variable based upon what your background is, what you're trying to do. It may not, it may be a year. It may be more, maybe a heck of a lot less if there's a really a really clean match. Yeah, 

[00:41:15] Lesley: yeah. And, um, recruiters again, try to make things simple. And it's not a simple problem. Like recruiters, that's part of their job.

It's making things very, very simplistic sounding. And in reality, you know, especially if you're a cybersecurity person, there's a lot going on there and you need to make some smart decisions about whether you want to be an officer or enlisted, whether you want to be reserve or guard, um, where you want to do that, what unit you want to go to because they have different missions.

Like the one down the street might be doing blue team, but the one 150 miles away might be doing red team. And that might be more what you want to do. So 

[00:41:49] Dave: once you get through all that, let's assume you get through all that and you get put on a project you're assigned to a unit and presumably they, they give you a project.

Does it honestly, does it end up being a lot, like a. Uh, project that you'd have inside a business. What are the, what are the similarities? What are the differences? Yeah. 

[00:42:09] Lesley: I mean, it's the military and the government run very much like businesses today. Um, in terms of, you know, you've got your email and you've got your computer and you're doing project planning and, and, uh, a lot of management training in the military now is very much the same stuff that you get in the commercial sector in terms of team dynamics and project planning, things like that.

But, um, there's this added element of all the military requirements as well. So there's a fitness requirements, regardless of your branch of service, you have to be able to pass your fitness tests. And that can include things like cardio fitness, and also things like weight and or waist size, depending on the branch of service.

Um, and then there's the, you know, potentially clearance requirements, which are a beast of your own, um, which can dictate where you can travel and how you live, um, appearance too. Um, you know, you, you have. Every month when you show up or whenever you get activated, you have to have the right haircut and the right color hair and, and, uh, the proper tattoos and the, the, you know, you know, if you're a female, then the proper piercings, um, or no piercings, if you're, if you're male.

Um, so there's a lot of appearance rules too. So there's a lot of things on top of the day-to-day work that aren't necessarily part of your commercial job. And that doesn't include the. That go along with deploying, you know, so there's all that, that baggage there of, when are you going to deploy? When are you up for deployment?

How long are you going to be away and things like that. So, 

[00:43:40] Dave: so with the red hair you have right now, fly with the military. You have to change it before. 

[00:43:45] Lesley: Oh, thank God. No, no, no. That was like, the moment I got out, I was like, it's been 20 years. I have been able to color my hair. Like, it was really exciting.

Like I am way too old to be excited about this, but it's like, wow, I've never been able to do that. I mean, I enlisted when I was 17. So they go all these things I can, I can potentially do 

[00:44:04] Dave: now. So, and you, you retired. If, if I remember what Jack told me correctly, a master Sergeant in the air force, which is incredibly impressive, and that was a 20 year career.

Ish. Yeah. Wow. 

[00:44:20] Lesley: A little bit 

[00:44:20] Dave: over, but how did you, how did you know it was the right time? I mean, that's, that's such a long time. You could have quit at any point along. What, um, what made you say it was, was enough? What was the inflection point? We got a 

[00:44:33] Lesley: pension to 20 years and health insurance when he retired.

So that's why it was important that they stay after it. This is the rule of thumb that I've heard is that after you hit 10 years, you really have to make a decision in the military. Cause you're halfway there to getting your retirement. Um, the, actually the pensions are no longer really a thing in the military.

I was grandfathered. Um, now you get something more similar to a 401k, but regardless you can retire at 20 years. So, um, Yeah. So that's definitely a consideration there, but then at 20 years you've got to make a decision. It's like, do I want to keep doing this or not? And the nice thing at that point is at any time you can say, okay, I've had enough.

Um, as long as you get approval to retire from your, your chain of command. But, um, it's still a lot to juggle. Like I was saying, I was doing 10, 15 hours outside of, outside of my, um, some weeks outside of my, my day job, you know, just, you know, wrangling things and talking to people and, and responding to requests, things like that.

So it's, it can be a lot, um, on top of, you know, incident response, which is potentially 60 hours a week, 70 hours a week. So like you only have so many hours in the day. 

[00:45:43] Dave: Yeah, it sounds exhausting. So it may be too soon, but what do you miss about. 

[00:45:50] Lesley: I mean, of course my unit, the camaraderie, they, I mean, I've made tons of friends through the military through the years and I'm excited about their future.

Um, I'm excited about the future of our unit and what missions it gets, things like that, but it was time for me to go. But, uh, you know, I'm trying to keep in touch with everybody. It's just hard because in the military you learn the skill of just being friends with everybody on the spot, you know, um, see, you know, you get sent different places all the time with different groups of people you get deployed or you get sent on TDY or something.

And, uh, or, you know, you go as a reservist to fill a spot at an active duty base. You meet people overnight and then you're going to know them. A few weeks or a few months, and then you're never going to see him again. So you have to be best buddies with these people who you just meet out of the blue and then they drift away in your life.

It's just part of being in the military and it's kind of fun, but you know, it's like, I worry that I'm not going to be able to keep in touch with these people who have been what I would, they feel like close friends because you build those friendships so fast. It says it's a skill. I don't think a lot of people talk about in the military.

That's part of being in the military, but you just, you just get this ability to sit down at the bar and be best friends with the person who's sitting next to you. And that doesn't necessarily mean you trust them like security wise, but like, you can have a good time with them and you build a good relationship with them.

So you're polite and you're friendly and things like that. And, um, I do worry that I'm going to lose those connections. 

[00:47:20] Dave: Yeah, that's it, it makes perfect sense. We can describe it, but that's not something that I would have, um, I would have immediately grokked or thought of either. I mean, that's. That's really cool.

What are you, what part of you is completely glad that that's behind you? I suppose the part of you that likes sleeping more than five hours a night. 

[00:47:38] Lesley: Yeah. And the part of me that wants to be able to like go get tattoos and things and dye my hair, fun colors. And I know it's really petty. It's just, I have never gotten to do it.

And I mean, I I'm, I'm almost 40 and I just haven't gotten to do any of those things. And it just, it like Jack knows, I missed a lot of birthdays and, uh, it's kind of fun. I had a big party, you know, I said it was for my 18th birthday, my 21st birthday. Cause I both, I miss both of those. Cause I was doing military stuff.

[00:48:10] Dave: More birthdays, more parties and more tattoos has the first tattoo happened yet. 

[00:48:15] Lesley: Oh yeah. I have a, I have a bunch of tattoos, but they're not in visible places cause I couldn't get like my arms tattooed. 

[00:48:21] Dave: So maybe the first arm tattoo is around the 

[00:48:23] Lesley: corner when I, when the virus is a little better. Yeah. When I'm willing to sit there for eight hours, but the random person.

Yeah. 

[00:48:33] Dave: Jack, I don't want to dominate the questions here. Um, I'll I'll keep going. God knows. You know that. 

[00:48:40] Jack: Yeah. There are so many places to go when chatting with Lesley, because you've done so much and you're so visible and uh, so, um, you try so hard to be approachable and I know you really are, but I know it's overwhelming too at times.

Uh, but you know, one of the things that you've done a lot of is the whole. Career coaching and resume review and, and trying to help people get into the field and move forward in the field. And a lot of that, I mean, you touched on this with that talk that you're going to do. Um, and you've had rejected many times just telling the truth about what to expect.

And I mean, that's, that's really important is, um, if you will. Um, but, you know, luckily I haven't had to do hiring in a long time. Um, but when I did, that was always one of the things that I tried to do was like, this is what this job is. And most of that was in the car business and then therefore, mostly garbage jobs and are like, this is kind of a crappy job and no, you're not going to get regular raises, but here's, you know, here's what it is.

And letting people know what they're up against, whether it's a great job or a minimum wage job, that's not great, but at least they'll have some income. Um, you know, being honest with people as you're trying to help them move forward, uh, helps them. And also if you're, if you're the hiring manager, uh, it slows turnover.

If you're being honest with people, if you're bringing people into an organization and you're, you're honest with about what they're and. You know, personally for me, where this has been true in recent years is when working with volunteers, you know, BSides and other things, but mostly it would be BSides.

You know, I always tell people if it's not fun, stop doing it. Um, your time commitment is going to be more than anybody else on the board told you. It's going to be, that was the one that, uh, this come back to me several times. You were the only one who was honest about how much work this volunteer gig is.

Um, so anyway, that's sort of a random thing, but you, uh, you've done a lot to, uh, reach out to people and, um, you know, what's, what are your thoughts on that? What are your thoughts on getting people in? What are, uh, what are, I don't know if you want to say any specific success stories, but what, what's the feel good vibe.

And then I know there are frustrations with that. So how do you stay motivated, um, in what is often a thankless job or doesn't necessarily get the, thanks that maybe you should.

[00:51:08] Lesley: I don't think I ever stop long enough to think about it. You know, I know I don't stop. Like, I don't know what would happen if I stopped. Like, I'm, I'm a compulsive planner. That's what I have to do. Like I just, I just keep going, you know, and I don't ever take enough time to really think about whether I'm getting enough thanks or enough or enough, uh, successes or things like that.

I mean, God knows I better not, I better not take the time to think about it because, um, yeah, I, I. I haven't, I haven't stopped in a long time. And it's important, obviously it's important because the stuff is always in demand. People are always asking for my time about things. People are always asking for my help on things.

And, um, so obviously it's in demand, but, uh, whether whether it's meaningful or not, and whether I'm reaching enough people, like, I don't want to, I'm not going to stop doing this long enough to do, to introspection to figure that 

[00:52:08] Dave: out. You know, there's an honesty there. I appreciate it. It's like, I, I, I flatly reject your, your nudge to, uh, to, to be introspective whatsoever.

I simply cannot and will not slow down enough. Do you have any 

[00:52:25] Lesley: bad things to think about in the world?

[00:52:34] Dave: I'm just going to keep doing Jack that that was the response. It's like, you know, the car 45, it's got a fits gear. 

[00:52:44] Jack: Ah, there may be a perspective for me being, uh, many decades older than Lesley and, uh, has been substantially older than you too, Dave. I bet I'm going to add a different point in life. I'm like, huh?

So yeah, I keep, well, I certainly, you know, keep hammer down and hammer down 

[00:53:07] Dave: ready when, when you're ready for the true, what motivates Lesley and you know why this life of service and the rest of it, like. 

[00:53:17] Lesley: Well, why does it, why am I motivated to do it? Because it, for me, because I was, I was a kid in the nineties trying to get into the hacker scene and I, I, nobody wanted, nobody wanted to spend time with the girl, like, and, uh, that that's, uh, it, it wasn't even just that nobody wanted to spend time with a new, like, and it was so hard to get into this field.

It was so hard to get into the hacker community. It was so hard to get into, you know, IT, to be accepted into it as anything other than a name in IRC or something. It was so hard to make it into digital forensics. I called all over the place trying to find mentorship, just advice on how to get into it.

And I got no answers. It was really, really hard to get into this space, which I wanted to do when I was a teenager. And it was a long. Very dirty roads through the military and through college and through different programs and connections to get there at all. I don't want other people, if it do that, it's ridiculous.

It was awful. It made me feel awful. 

[00:54:23] Dave: Where do you think we are now? Do you think today it's materially better than when you were, you were starting out? Like where do you think we've, we've made progress? 

[00:54:34] Lesley: Oh, yeah, there's much more representation now. And there's, there's more people willing to help other people.

There's still a lot of jackasses out there. Um, there's people who are gatekeepers and, and, you know, you never know who it is to sometimes if the people who inspire folks on the big names who are horrible, um, but there's enough people out there who are willing to help people get into the field. If they're willing to, you know, work hard and study hard and be engaged, um, there's, you can find mentorships now and, and cybersecurity is now not just a hobby.

Like in the nineties, a lot of it, there was, yes, there was work in cyber security, but a lot of it was hacking hobby, you know, that kind of stuff. And uh, now it's more of a serious career. So there is those factors in there's degrees, stuff like that. There's training programs, formal certifications, things like that.

So it's, it's more of like a serious business that you can get into. And a lot of the really nasty parts of conferences and gatekeeping have been shot down. People have said, this is ridiculous, and we're going to stop doing this. There's still problems. And there's still people who complain about that, but things are a lot better.

You don't have to just shut up and deal with stuff just to stay in the field. And I did many years of in the military and in cyber security and IT of shutting up and dealing with horrible things that I hated because it was the only way to stay in the field and people shouldn't have to do that either.

So yeah, things have improved. We have a long way to go, but things are better. 

[00:55:59] Dave: Where do you, if there's an area that you could, that you could fix something that you consider. Especially screwed up. Where would it be and what would you do? Do you have, do you have a favorite cesspool in the industry? 

[00:56:14] Lesley: Yeah, well, um, I have a few, but let's start with a practical one to fix, which is hiring, um, our, our postings for jobs, where we want the people with like five years of experience and, uh, as an entry level person that we're going to pay something ridiculously low for, um, you know, we, we, aren't making jobs for entry-level people and we are making jobs for entry level people.

We're we're we are putting ridiculous requirements on them and we are gatekeeping unconsciously in our postings by, you know, wording out and, and require minting out people like parents and older people, um, people from a variety of backgrounds, um, as opposed to, you know, unfortunately the, the straight white, mostly men, um, That the, that make up a large part of our cybersecurity community.

So, um, we do that through our language and our postings. We do that through requirements in hiring, uh, through the ways that we test our candidates through the ways that we vet our candidates, things like that. And simply the, the, the raw requirements that go through our screening systems. So we have to fix that.

It's ridiculous. Everybody is complaining constantly that they can't hire enough talent in cybersecurity. And I'm meeting people all the time at, at, you know, virtual and in-person cybersecurity meetups who are trying to get into the field. It's nuts. 

[00:57:41] Dave: I, you know, being a VC-backed company, and I had to sign a, I had to sign an agreement when we took our seed funding from Kara at Upfront, uh, that's a commitment to diversity and.

That's interesting, but it strikes me that, you know, in the VCs, let's be honest, like they're fueling so many, so much of, of cyber security that's out there. I think that there's room for a really forward leaning or just a VC that wants to make a difference to provide young companies with relationships, with organizations like, you know, LGBTQ organizations, um, and with historically black colleges and universities and so forth.

I think the VCs, if they really wanted to make a difference, could have a huge impact because these young companies, I mean young people who are emerging from these universities, they have the pliability, they have the elasticity, they have the desire in many instances to pour themselves into a young company. The company doesn't have that much money to pay them.

Even, it feels like such a good match, but none of these entrepreneurs are going to have the time to go out and build those relationships. My, like, one of the things I'd love to see happen is the venture, the venture capital community raise their hands and say, we have a role here to help source young talent into young companies.

And to match-make a bit here and Kleiner Perkins has done this. Like we've gotten some great talent through their fellows program, but my sense is like, we need about a hundred more of those, you know, in order to help bring in young talent or even other talent, diverse talent into. Into these companies, because as an entrepreneur, we've just way too often just lean into our network because it's most available.

And I think like if you don't, there's so many startups and so much of the cybersecurity community now is small to midsize to growth companies. We're all just, if we just don't make the time and it isn't easy to do, it'll be someone like me where I sign an agreement, but then when it came to actually execute on that, it fell way short, partly that was just the dynamics of a young company and who my network is and everything else.

But part of that, I think is the VC's responsibility too. I think they could play a much better role here anyway. So I'll, I'll step off my soap box 

[01:00:18] Jack: And Dave, you and I have spoken to different kinds of VCs. I mean, Kara is not, uh, you know, when you, when you think of your typical Silicon Valley, the ones that we all on Twitter like to hate on, um, Kara is different.

Chincy is different. Um, Buc-ee's at Kleiner Perkins, but he's different in the end. Um, the challenge for you and for anybody higher up the challenge for anybody hiring for any position is that if training's involved and you're already as a manager or a team member, you're already buried, that's why you need more people.

You don't have time to train people. Um, and, uh, when you bring somebody in, you have to have the time and the resources to train them. And the reality is we probably got advanced to do management without being taught, how to be managers. We certainly haven't been taught how to be hiring managers when we get the promotions.

And so there's a bunch of stuff. And that idea that the venture capitalists could, as part of the package, say, we're, we're investing in you as an organization. We're investing in you as a management team and we're investing in, uh, these programs where we feel that, uh, we can, um, help you hire people at a competitive rate who are going to fit well for the company, but also advance, um, you know, forgive me for whatever, not just the industry, but we're going to advance society in the process.

And it's, they're the people that have the money. And, um, it seems that they should be able to find return on that too. There, there should be return there, but somebody has got to have the resources to do the development of people. I mean, I completely get it. It's like a, I don't have time to train somebody to do the job I need them to do so I'm going to work the extra hours and kill myself.

Um, you know, I'm going to, I'm going to work really hard. Lesley's shaking her head, but you, I know you've both been there where you needed, there was somebody else was needed, but you couldn't take the time to bring them up because nobody's degree, you know, back to the degree thing, nobody's degree or experience, uh, is going to be a perfect fit for where you're going to slot them in.

Uh, and so, you know, we need some flexibility. Um, but anyway, yeah, we've, we've beaten up the, the hiring thing a few times too.

[01:02:45] Dave: It's a really big deal. It's, it's, uh, for a lot of companies, I think it's a sourcing problem and, you know, you've gotta, you have to make the effort to find the right talent. And, uh, it's just, we don't, we don't, we haven't done it as an industry. And we, we do, like you were saying, Lesley, like we do some of the basic things wrong.

And I think many times unconsciously, you know, it's just, it's a sin of omission. 

[01:03:12] Lesley: It's like antagonistic things we do, like market startups to people by talking about the pool table and things. Like really, you know, how is that selling to a single mom? Like the fact that you have a pool table, it's selling to like the 20 year old guy, you know, it's, you know, it's just like the perks that we talk about in our companies, things like that.

They're not targeted towards minority demographics. They're targeted towards people like the person who's written the job description. And, uh, and that can be, you know, outwardly kind of hostile, like, we're really bad at that stuff. And we're, we're missing a lot of talent that way. And we can't complain that there's nobody who wants cybersecurity jobs when we aren't making an effort to build better.

[01:03:56] Jack: Yeah, absolutely. And I mean, anybody that's listening for any length of time or knows me, knows my social and political views, but this isn't about diversity and inclusion for the sake of diversity and inclusion. Uh, this is a practical business problem and we're ignoring huge swaths of the population that would be, uh, would be good members of our community.

I have, like I said, social and political views, uh, that make me want to, uh, promote diversity, um, and inclusiveness. But really this is, uh, there's a really Machiavellian straight up business re we're ignoring huge swaths of the population. And we're saying we can't find enough people to fill the jobs.

It's like, well, that seems kind of dumb. Doesn't it?

[01:04:45] Lesley: There's a pragmatic business justification for diversity too, especially for developing a product or a service. Um, if you don't look like your customer base, if you don't feel like your customers, if you haven't had the same experiences, you're going to miss things, um, having a diverse, developing development of your services and your products, things like that makes the products more desirable to here to a wider customer base.

So that's, that's simply a fact, um, it's like just it to be the most, uh, least into the antagonistic about this. I mean, think about like self-driving cars, you know, think about developed, developing them in a place where it never snows and they don't work in the snow. Um, are you, how much of a market are you losing?

'Cause you can't sell your self-driving cars to people who live in a place where it snows regularly. How much of it, how much of a market have you lost there just by not having a, a workforce that has diverse experiences with weather, you know, so, so, uh, diverse backgrounds in your employees are really important for developing good things to sell in general.

[01:05:52] Dave: So in PancakesCon you get 20 minutes of a serious topic, and then 20 minutes of a personal one, we've gone for 66 minutes. It's been pretty, pretty damn serious. And why don't we take at least six minutes? So our ratio will be totally jacked up, but you have a number of interesting hobbies, but your big one is martial arts.

I believe if I'm not mistaken. Yeah. I believe there Jack was telling me he, he dropped this tantalizing hint of a story about where you were flown somewhere to be presented with a sword. Can we, is this, is this true? Is there a sword story here? 

[01:06:38] Lesley: There is sword story. Um, I studied a few different martial arts.

I have black belts in Taekwondo and Tang Soo Do, which is karate. And I also study, uh, Northern-style Shaolin, and I study Eskrima and Arnis, um, just stick fighting, Filipino martial arts. Um, and I've actually gone to the Philippines to train. Because, uh, the, the instructor, the, the, the, the head of our style lives there, of course being a Filipino style.

And, uh, yeah, I went there to get a sword one year. It was pretty cool. Um, I had a sword made in the Philippines and I went to go get it, and they didn't know what to make of me. It was very out of place, but, um, it was a lot of fun. It was a great experience. And I'm not like any, I, I'm not like miss MMA or something.

Like, I'm not, I'm not a super brilliant martial artist going to compete places, um, professionally. Um, I, I'm never going to be that person. I wasn't, I wasn't born with that, with that, uh, aptitude and I am certainly too old now, but I enjoy martial arts very much. I enjoy the history. I enjoy participating in them.

And now I've been teaching for eight years too. I teach middle schoolers and elementary school kids. So I really enjoy it again. It's never going to be like, uh, I'm never going to be the bad-ass that I wish I could be in my mind, but, um, I enjoy martial arts very much. I hope that I can pick up other styles in the future.

Um, and, uh, I get more exposure and more travel in the space when we can travel again. So, 

[01:08:14] Dave: So take a moment and tell us about this sword. Like let's, let's dig into the details for a moment. So you, you show up in the Philippines and I'm imagining, uh, I, I've got Tarantino in my head here. There's like, I'm, I'm going to try and erase all the, all the kills. You show up and this person has made you a sword.

And, and I'm wondering also like, how do you get it back into the country? 

[01:08:42] Lesley: Well, a secret: it was no big deal. Um, you can't bring it in the carry on, like in Kill Bill. It's stored in your luggage. 

[01:08:51] Dave: It's okay. There's a special sword bag. 

[01:08:57] Lesley: No, I know, I put it in my suitcase. It was a machete. So, so, so Arnis, a popular, the different styles of machetes that you fight with as well as sticks and knives and karambit and, and such.

Um, so, so essentially a machete made for, for fighting. Um, there's a lot of different styles in the Philippines, various types of swords, but, um, so yeah, it was made out of, uh, springs. They melt down springs from cars and they, they, they, uh, they, they make the swords out of those. So it's not, not to, not to Kill Bill there, it's practical.

Um, but that, that's what I practice with, um, uh, and train with. So I have a trainer that's not sharp. And then I have the authentic sword that is sharp and they're cut to be the same style and weight and size and things. Um, and what did it involve? Uh, it did involve some adventures. I mean, it was a bunch of, I went with, uh, mostly women and, uh, nobody knew what to make of us.

Uh, they were very baffled by us. Um, we, we went across, we flew to Cebu and we, we got, took puddle jumpers across the Philippines and then ferries. And then the, the, uh, they think they'll call them nice. They, they, they open-back trucks. We took those across and all this time, we're carrying our backpacks with our swords and things.

And, uh, it was a fun adventure, but I've had a lot of fun adventures in my life. You know, you just have to keep a good attitude about it. Like, you know, you, you, you, you go really remote places. You're not gonna have like the showers you're used to, or necessarily the indoor plumbing that you're used to when you're way out in the boonies.

But, uh, it it's it's fun. It was a, it was a cool adventure. Nobody died. Nobody got seriously hurt. We were responsible adults going to buy our swords and train with knives.

[01:10:57] Dave: There's not really, not much you can say to that. Is there, Jack?

[01:11:08] Lesley: visually I think my favorite part of that adventure there, I, there was a 12 year old girl with us and the daughter of two of the people who were there and she's half Filipino. So she was getting to see the Philippines for the first time. And that was kind of neat, but at one point, our, our flight got delayed and, um, it got delayed for a day and we were going to miss our flight back to the U.S. so we had to do this mad dash by like aircraft and car across the Philippines to get to a different airport. And not all of the areas of the Philippines are really safe. Um, uh, the places where we stayed and we traveled were mostly fantastic. It was wonderful place. I recommend highly people go to the Philippines, enjoy it, see the sights. It's incredible.

I'll go back then. When would, I can do that again with the pandemic, but there are places in the Philippines where you don't want to go. Okay. Um, there's, there's problems with terrorism and things. So we had to get through a kind of nasty area, um, to get to the airport, to make a flight home to the U.S. So we pile into the secure van with the, with the tinted windows and stuff to get to this airport.

And we've got the 12 year old girl with her, with us. And before we get in this van, we're like, okay, take off anything that doesn't need to use an American, everybody pee, everybody drink some water, 'cause we're not stopping for the next hour and a half. Um, so, so everybody's like, yeah, yeah, yeah, we did it. So we get like 10 minutes in this van with the tinted windows flying like 90 to 90 miles an hour, um, to get through these less savory areas.

And the 12 year old's like, I need to pee, and we're like, no, you don't. No, no, no, you don't. We spent the rest of that hour and 10 minutes, the, the driver of this like secure van, we and the other passengers were piled into, had one CD. And it was like nineties pop hits. And it cycled through, you know, 'cause it's just a CD and we spent the entire hour and 10 minutes with our swords singing along with nineties pop hits at the top of our lungs to try to distract the 12 year old from the fact that she needed.

'Cause we weren't stopping. We were not stopping. 

[01:13:25] Dave: Did, did she make it. 

[01:13:27] Lesley: Yeah, she did. She did. That was an impressive effort of willpower on her part. And on our part, you have like these, these like business guys, these American business guys waiting to get home in their flight in the van too, and everybody is singing along with Britney Spears.

Cause we're like, Nope, there, there is no bathroom there and we are not stopping there.

[01:13:53] Dave: So let let's, uh, what a great story. Let's um, let's transition over to our, our speed round here. What's the last thing you read watched, or article of media you digested that had an impact on you? What's what's been a recent favorite. 

[01:14:11] Lesley: Yeah. So, um, gosh, most meaningful thing that I just read. Um, I was just reading an article.

I need to go find it for you all, but it was about, um, the state of mental health care in war zones right now, especially in the middle east and Africa in places that have been incredibly, incredibly damaged by the pandemic and by ongoing warfare. And what happens to mental health patients there as the mental health professionals flee because they're educated people and they can leave, um, which is a super relevant topic for a number of places in the world right now that have been hit hard by, um, both warfare sanctions and then finally the pandemic.

Um, and that's something we don't think about a lot is, you know, because we don't have a great mental health care system in the United States is where these people go. And what happens to them when people abandon them, especially the caregivers who do care for, for mentally ill patients, especially severely mentally ill patients.

So, um, that was, I believe that was Vice. And I'm going to have to track it down for you. Hmm. 

[01:15:28] Dave: Vice has had some great articles. Like I remember doing some research on data brokers and things like that when I was preparing for the, um, the speech I did with Nilu last year, and I found myself stumbling into a number of really good Vice articles, long form, well-researched, well-written.

[01:15:53] Lesley: Yeah. They, they've had a wonderful, yeah. So, um, this, this particular piece that I read recently, and I've been reading about it a lot. Um, the one that I read from Vice most recently and, uh, watch, they also have a video that goes along with it with some interviews, it was, uh, with regards to Yemen. Um, and that sent me down a rabbit hole without reading about this in a number of.

Across the world that have been extremely devastated by a variety of things recently. So, um, yeah. So the article name, if you want to look for it, is "Yemen's Mentally Ill Are Chained, Tranquilized and Abandoned" by Vice, um, and it's distressing, but it's, it was eye opening and it made me think about problems in another part of the world in a way I hadn't before.

[01:16:38] Dave: I shouldn't have expected anything at this point in our conversation. 

[01:16:45] Lesley: Yeah. Well, you asked for something that was meaningful to me, and sometimes it's the things that need you make you just stop and think for a while. I mean, I thought I've watched a ton of fluffy fun things recently, but they don't really stick.

You know, we do a lot of that during the pandemic just to get our mind off things, but sometimes it's a really meaningful things that make you think, oh wow, I've got it really, really good. And people in the world really, really need help that, that make you really stop and do some 

[01:17:10] Dave: introspection. There's so many people that lean on you and benefit from everything you do.

But who do, who do you lean on? Who are the people that you keep on speed dial for, um, for help for advice unit. 

[01:17:25] Lesley: My friend says that we have, or like, our ring zero friends and our ring one friends and our ring two friends. I love that. Um, but I definitely have a ring zero of, um, both, you know, I have a small family, but, uh, both, uh, family and, um, cyber security pals who I've been friends with for a long time, who I keep in touch with routinely.

And, um, I definitely have a ring zero. There are people who I talk to all the time and we just rant at each other sometimes. Like, this is the thing that happened to me day to day. And it was really terrible. Um, I, uh, my best friend, unfortunately, for medical reasons can't get vaccinated. So I don't see her as much as I would like, but, um, and, uh, so she's kind of locked up, but, uh, I still talk to her all the time, but I have a lot of friends in the cybersecurity space too, in those various rings, who are close and, and I can't ask for better friends in the world. When I had my retirement party last month, it was, it was really a, uh, an experience to see everybody turning out. And it was very nice to see that people are interested in, in what's going on in my life. So 

[01:18:36] Dave: that's great.

What, um, what makes you hopeful? There's so many negative things that happen. So many rotten things we see in the industry and so much work left to do, but what's, what's something and it can be technical. It can be human, it can be, you know, something else. It can be regulatory, you name it. What gives you hope?

[01:18:59] Lesley: Yeah. So from a technical perspective, uh, the improvements to security in Windows, building in more implicit security into Windows 10 and then Windows 11, um, and, uh, really making some meaningful improvements in terms of doing things like reducing the spread of ransomware and enforcing security controls on those systems.

Those, those make me hopeful from a technical perspective. There'll always be a cat and mouse game. There's always going to be infections that impact Windows. There's always going to be vulnerabilities, but we see a lot more targeting of people, not doing the proper things from a security and a human perspective than just targeting Windows XP SMB, like we did in the past.

So, um, I, there's always going to be vectors, but I am happy to see Microsoft taking a sincere look at the security landscape in their operating systems recently. Um, from a human perspective, uh, Gen Z gives me hope. I guess we all say that about the next generation, but, um, I have students, of course, I have a lot of students in the next generation and, uh, they're starting to hit the workforce now and they aren't taking people's crap.

And I like that they, they are not putting up with things that we have put up with for a long time, in terms of, you know, ridiculous work requirements, in terms of dress codes, in terms of busy work, in terms of hours, as opposed to productivity. And they're saying no to a lot of things, especially in the professional space where they can, and I think that's awesome and they give me a lot of hope on that front.

Um, so, so a shout out to them 

[01:20:38] Dave: That feels like a great point to wrap up on, and it is 12:03. So we've, we've leaked over into your afternoon. Yeah. Go as fast as. 

[01:20:48] Lesley: Wow. I mean, I don't know. Who's going to actually sit down and listen to me, talk for, for an hour and a half, but if they made it this far. Wow. 

[01:20:59] Dave: All right.

Well, this has been amazing. Thanks so much, Lesley. Thank you. All right. Thank you.