What’s your background, how did your journey start?
I’ve been a hacker all my life. As a kid, I was the one who always took my toys apart to figure out how they worked. At 10 years old I got my first job as a paper carrier, and by 12 I had saved up enough money and bought myself my first computer. This was 1989; most families did not have computers in the home, so it was a pretty big deal. I taught myself BASIC programming, and a year later, when I got a modem and connected to Prodigy, I learned asynchronous modem communications and figured out how to get into some premium areas of their service.
Still I didn’t see it as a career; I planned to be a doctor. However, after three semesters I decided that wasn’t for me. I needed a new major and discovered they had a computer science program. So I enrolled and shortly thereafter got my first full-time salary job as a programmer for a FinTech company (while I was still in school). I was in software development roles at that company for 10 years before I moved into my first penetration testing role, and started my career in security.
How did you find your first cybersecurity job?
To be honest, my first job found me. I never really saw computers, let alone hacking, as a career path. Even after I began as a developer, the idea of being an “ethical hacker,” as we called it back then, was pretty foreign. However, a manager from our security team, whom I had worked with, came to me one day and asked if I’d like to join the Security Test Team as a penetration tester. I told her I had no idea how to do that and her response was simply, “You’re smart, you’ll figure it out. That’s why I want you to join our team.”
So I joined the team. With my developer background, I was particularly well suited for performing application assessments, although I did plenty of network level testing too. Within a year I was the team lead and after three years, I was officially managing the team. I was pretty young, early thirties, and here I was responsible for the complete vulnerability management program of a multi-billion dollar financial technologies company.
And what are you currently working on?
I’ve got a lot of projects going on right now. In my current role I’m an Application Security Advocate for Snyk. Basically, my job is to interact with the community and share ideas and strategies for Application Security while also listening to what is important to others.
Also, I’m working on a report that is looking at the current state of security in open source software as part of my day job. I’m developing a methodology for conducting threat modeling in a way that plugs into the user story, so that it doesn’t slow down DevSecOps software delivery. I’ve also been doing a lot of research into Deepfake technology and machine learning. I’ve spoken quite a bit on all these topics at conferences over the past year.
Finally, I’m working on a book and some research into starting a career in cybersecurity. I expect to have the electronic preview available before BlackHat (if it happens this year) and it will be published in print by February of next year.
What’s your tech stack?
I don’t think I can really say I have a particular tech stack, because I’m always digging into so many things. I have many of the typical pentesting tools in my hacker toolbox; on the programming side I work with a number of languages, but I guess I’m most active in Python. With the research I’ve been doing around Deepfakes, I do have a high-powered GPU that I use for doing a lot of that machine learning work. So there really isn’t a single stack that I can say I focus on.
What excites you most about your role?
The security community is so dynamic and despite our problems, we’re getting better at being supportive, cooperative and diverse in many ways. So being able to make my involvement with all these wonderful people my primary job is extremely exciting.
What are the biggest challenges you’ve faced and obstacles you’ve overcome?
There are two challenges that I’ve had to deal with in particular as my career has progressed.
First is imposter syndrome. Because of the way I got into this role, I never felt like my skills were good enough, like I deserved to be where I was, or that I knew enough to be on the level with those around me. While it does drive me to continually grow my skills, it’s also been unhealthy at times and has caused me to hold myself back. However, I’ve now learned how to self-analyze, to see my accomplishments for what they are, and to understand that no one is as knowledgeable as I perceive them to be. I’ve studied a lot about this concept and while it still creeps in from time to time, I now handle it much better and use it as motivation.
I’ve also dealt with the challenge that many women face of trying to break past that manager title. I’ve been unfairly excluded from consideration for promotions based on very arbitrary criteria that have nothing to do with job readiness. I’ve witnessed first-hand the reality that men are promoted based on their potential but women are expected to demonstrate full proficiency before being considered for a step up.
Ultimately, I made the decision to back off from that rat race. I’ve chosen to focus on just doing a job that makes me happy. I have put myself in a position where my title isn’t even really something I think about very often. I’m in a job where my expertise and presence drive influence, and where I can directly affect strategy without all the political wranglings over authority and organizational structure. It’s a very freeing situation to be in.
Have you found anything particularly helpful or advantageous?
I’ve had a few really good mentors along my path. It helps to have that person you can confide in, who you can ask for advice on sensitive topics in particular, and who believes in you and wants to help lift you up. Mentoring relationships are best when they grow organically. I don’t think you can really set out on a search for a mentor, but rather they’ll find you.
What’s your advice for those who are just starting out?
Interact with the community and build your network. Ask for help, listen to the ideas others have and don’t be afraid to share your own ideas. The majority of people in this community are incredibly helpful and want to help lift each other up. Getting that first job or that next job can be so much about who you know, as well as what you know. Use social media and conferences to get introduced to new people and interact.
If you do run into one of those in the shrinking minority of people in the community who want to try to knock you down or hold you back, move on to someone else. There are far more who want to help you succeed; you’ll find them pretty easily.
How to become a powerful security force?
I know the highly technical knowledge around things like penetration testing, digital forensics, and such are very flashy and exciting. But if you really want to be a powerful force in the security community, learn about the business side of things. Understand how decisions are made at the top and how business risk is looked at in the bigger picture.
Empathy and emotional intelligence are skills that are really lacking in this community. Understanding the motivations of those you hope to influence is critical in this job. Whether it’s talking with developers in an application security sense, or trying to win support from executive leaders, you need to be able to see and understand how their motivations and priorities are different to yours as a security person. We, as a community, need to realize that these people are not foolish or ignorant just because they don’t act on our advice. They have conflicting priorities that they have to balance and security isn’t always the top priority. That is totally valid. We do better when we can learn to work within that.
Finally, don’t be afraid to have fun and try things. If you end up going down a path you decide was not the right one, you can pivot. One of the truly great things about security is that there are so many specializations, yet they’re all intertwined. So if you dive into one area and decide it’s not for you, it’s pretty easy to change course and jump into a different area of security expertise. Find your passion and bring that excitement to the community.
Where do you find inspiration, news, industry trends?
My inspirations come from the community and our interactions on social media (Twitter in particular) and at conferences. I listen to people’s ideas and see how I can help build off them. If someone is working on cool research, I listen, I take it in, and if it’s something that particularly interests me, I’ll ask questions and dig deeper.
I do also watch a few of the security-focused news sites like Dark Reading, The Hacker News, and TechCrunch to see what’s breaking. I read a few executive-focused electronic magazine sites like CSO Magazine, Info Security Magazine, and Security Magazine in particular to stay on top of what challenges security leaders are facing.
What are your goals for the future?
I want to continue working to improve the security community in terms of our inclusion and diversity. I can’t think of an industry that needs a diverse set of experiences, backgrounds, and ideas more than security. To get there, however, we need diversity across all the demographic groups. Sadly, as we all know, security in particular is still very white-male dominated. As a result, there are experiences and perspectives that aren’t always considered. I want to see this improve and I’ll continue working toward that goal. Throughout my career I’ve enjoyed a certain measure of privilege that other women don’t typically experience. So now that I’ve developed a platform, I intend to use it to help build up women, people of color, and the LGBT+ within our security community.
My goal for the future is to continue building my personal brand. I would like to be on the stage at TED someday. I’ve learned some very interesting lessons and have a perspective that not many can share, so I think that would be useful for many to hear.
About Alyssa Miller
Alyssa Miller is a hacker, security evangelist, and public speaker with over 15 years of experience in cybersecurity. She is a Board Member for Women of Security and a member of the Advisory Board for Blue Team Con.