
P2P Podcast Series: Laurel from Photography to Infosec

She claimed to have terrible luck. But a healthy dose of paranoia became her advantage in InfoSec on the path to Staff Engineer

Laurel impressed me with her patience and dedication to building trust. After her start in the IT department, Laurel became a developer through an internal upskilling program for women. Her stunning nature photography reveals her eye for life's fragility. It's also a surprising advantage in her approach to building a career.

Today, Laurel Rivers (Photography) stays intentionally private while she secures the critical assets of a major US media company.

In our chat, we talk about the importance of health care, COBOL coming and going, risk aversion, and how to keep an open mind in a hostile world.

This episode is packed with insights about:

  • (00:03:55) Company had a special program to upskill women
  • (00:06:18) How to detect aptitude?
  • (00:08:14) Tech career can change lives
  • (00:12:02) Build your network, vitamin B
  • (00:15:58) Volunteer for projects to improve your orbit/visibility
  • (00:17:25) Politics: Building good systems requires building good organizations
  • (00:24:55) Backup and look at the whole picture sometimes
  • (00:29:53) Be motivated, ambitious, and willing to learn
  • (00:33:58) Pay attention to the personal risk security ratio
  • (00:38:36) Turn vulnerability into strength
  • (00:40:21) Learning is reading, doing, and adapting
  • (00:43:55) Mentoring is bidirectional growth
  • (01:01:13) Branch out of just tech: communication, writing, collaboration
  • (01:02:50) Working in customer service helps with soft skills

Listen and subscribe on Apple Podcasts, Spotify, Google Podcasts, Overcast, or your favorite platform.

Zeke Arany-Lucas is a principal engineer, coach, and consultant from Seattle, living and working in Berlin since 2014. He has been in the tech industry for over 25 years, starting with web browser development in the 90s, including long stints at Microsoft and Amazon in multiple leadership roles. You can also follow him on LinkedIn, Twitter, and Instagram.

Artwork by Emre Aydogan & Laura Diezler — ©️2022 Zeke Arany-Lucas

Read the full transcript

Laurel: It's a scary world we live in sometimes. At least over here on this side of the Atlantic.

Zeke: Yeah. I, whatever. I mean, I'm still an American, but it's really hard to kind of fathom sometimes what's going on.

Laurel: How'd you end up in Germany?

Zeke: How did I end up in Germany?

Good question. I ended up in Germany because it was a childhood dream. So I started, you know, like when I was like 16, I kind of had this idea in my head that I'm going to live abroad one day.

And, um, I didn't really know how, and I didn't, I didn't have a specific place in mind, but somewhere around 16, 17.

And then, you know, life happened and I didn't end up, I, you know, I had a kid, I moved to Seattle. I, you know, then I had a job at a gas station and then I had a job that got a job working tech support at Microsoft, and then kind of worked my way up the ladder there and just kind of fast forward, you know, it wasn't until I was 44 before I was able to figure out how to move abroad.

And, and when I decided to move abroad, I had to pick a city to start with. And basically, because I had, I had. I'll say practical constraints. I was going to move with my, my youngest child at the time, so I was looking for something that has, you know, like similar enough that it doesn't cause system shock to, to either of us and where we can kind of get things that we're familiar with, but also, still be challenged by foreign-ness and, and, and in Berlin ended up being the simplest choice.

I didn't know how long I would stay. Um, and when I decided, when I actually bought the ticket, and then I went and talked to my, um, the recruiter who'd hired me at Amazon and he told, told me that Amazon had opened an office and that I could apply for a transfer. And that just, so it just kind of, everything kind of fell together.

Laurel: Nice, nice.

Zeke: Yeah.

Laurel: You know, that's interesting that, you know, your background, cause I came from a kind of a non-traditional sort of tech background too, um, came into this very roundabout. Like I, I was waiting tables 20 years ago, you know? Um, so yeah, it's, uh, it's kinda interesting. Like,

Zeke: So, where were you waiting tables?

Laurel: Uh, I used to wait tables at a little pizza place next to a college in Florida.

Um, which is no longer around, it was called the Mighty Mushroom, um,

Zeke: The pizza place

Laurel: the pizza place,

Zeke: Would have been funnier if the college was called the Muddy Mushroom.

Laurel: Although there were plenty of that going on there,

Zeke: I'm sorry.

Laurel: Yeah, I was waiting tables and I ended up not being able to afford to finish college, so I was out on my own. Um, I was actually a marine bio major. Waited tables for a while, uh, did photography kind of freelance. And then through photography I was doing, um, I was, uh, doing concert photography at the time.

And I ran into someone I knew from high school at a concert and he, we reconnected and he taught, he wanted to know how to learn, how to do photography. So I taught him the basics of photography and a few months later, he's like, Hey, uh, are you looking for work?

Company I'm looking for and need some tech people, and I know, you know, tech natively. Uh, I'll help you get a job. And I, I was struggling. This was pre Obamacare. There was no health insurance. I was living pretty, pretty low. And, uh, He helped me get in the door. Uh, and then that's what got me into tech. And I spent, I spent, oh, I don't know, 10 years doing IT grunt work.

[00:03:55] Company had special program to upskill women

Laurel: Uh, so what's, what's really interesting is that the company I'm working for, they had a program, a specific specifically designed for women to, uh, learn new skills within the tech sphere. And I applied to be on this program. And through that, I learned how to code and they'd put us on rotations within, uh, different parts of the company.

And that's how I ended up in security. Um, the first rotation of this program was on the security team. Like the first month I was there, there was something they needed, uh, basically some research done on in Splunk. And I had never touched Splunk before.

Uh, and I figured out how to use it real quick, found exactly what they were looking for. And, uh, with, by the end of the day, the CTO actually came and sat down at my desk to say, wow, that was really good work. And then, um, then I got picked up permanent. I was the first person in that program to get picked up, uh, in a tech in a, in a more advanced tech role.

Um, and that's how I ended up in security.

Zeke: That's a great story. You're on the cutting edge of a program that supports, people growing in their own development path. Right. Um, that's really cool.

Laurel: Yeah. We were the first group to do this program as a pilot program. Um, and, uh, there was so much support and, you know, because within the tech sphere only, I think it's 10 to 15% of tech employees are women and trying to push that number higher and just give more diversity in the tech space is really important.

And, uh, so there was a big drive within the company to do this, and they're still running this program. Now, this is, I think they're on their third run of this. Um, so it's, uh, it's, it's really special because there's not a lot of the places that do things like that. To have that kind of support to improve diversity is really important.

Zeke: So I want to just kind of rewind for a second. Um, going back to when you were a photographer and your friend said, Hey, I'm, you know, like I know you're into tech or I know that you have an aptitude for technology. How did he know this? What was it that led him to think that?

[00:06:18] How to detect aptitude?

Laurel: We've gone to school together. And, uh, you know, this was we, I was in high school in the nineties and so internet was starting to become a thing. And, uh, you know, we had some tech classes they're doing, things like learning HTML. So I learned HTML in high school and he was actually a part of the, like, he was on the IT for the student IT team in high school.

So he knew that I knew my stuff from then. Um, and then just by reconnecting and chatting some he figured, oh yeah, you might be a good fit for this. Um, and I've been doing some freelance stuff too. Like I fixed, I did old school, web design, like HTML, web design, a little bit of PHP and kind of on the side.

Um, but technology had long passed me. Um, you know, I didn't know the latest stuff. I didn't know Python, I didn't know Ruby or anything like that. Um, so I wasn't marketable except for like to a small number of like low end sort of projects. Um, but he knew that I knew that much enough that I could do the kind of work that we were doing there.

Um,

Zeke: And then you said, Um, you joined the, the, I couldn't actually tell what the, what was it? The IT department or the hardware department?

Laurel: Was doing, I was doing, I started out doing just basic desktop support IT, fixing your Outlook problems, deploying computers, you know, that kind of thing. Uh, moving people's gear around.

And honestly, I did that about 10 years and I, uh, I was, it was starting to take a physical toll on me. I have some health problems which made it difficult. I was on the verge of quitting when that program to that, that advancement program came around.

[00:08:14] Tech career can change lives

Laurel: Uh, so it was really a life-changing thing, uh, when we got to that point, um, because otherwise I'm not sure where I would've ended up. Um, I was just running on empty, doing the IT stuff.

Um, and now, you know, security is always in demand. Coding is always in demand. Um, I ended up with a lot better marketable skillsets after that and, uh, really just kind of climbed from there.

Zeke: You know, it's funny to talk about the insurance stuff, cause, um, especially in Europe, this is pretty confusing for people. Um, but you know, like my job at Microsoft was the first time in my life that I'd ever had health insurance, you know, I just, it had never, I mean, it was, and that isn't even weird, right?

Like in my peer group, like as a kid, some people had cell health insurance, but not everybody for sure.

Laurel: When I got sick, I would go and wait in line at the free clinic. You'd have to get there at four in the morning to get in line before they opened. And they only took a certain number of people per day. Um, so it was, it was not easy livin'.

And I think the turning point for me, the reason I, I, I accepted that job even though I didn't ever really want to work in an office. Um, was I was doing some freelance work. Uh, I had gotten hired by, uh, a publication to, uh, go with a reporter and we were going to go interview somebody and I was going to shoot the pictures and we're sitting in, I mean, I met up with the reporter, we're sitting in her car and. We're waiting for the person to show up if they were going to show up.

And the woman, the reporter with me has her arm in a sling and we get to talking and she broke her arm, but because she had no health insurance, she could not afford to go and get anything done. So she had just bought a sling at Walgreens and it was just kind of hanging on to it like that, hoping for the best.

And I sat there and I was like, I don't want this to be my life. And that's when I was like, okay, well, I think it might be time to get a desk job. And then just the timing of it all worked out. And, uh, I ended up getting the desk job and, health insurance.

Zeke: I respect that because, you know, similarly my, you know, my motivation was, I was trying to figure out how to pay my child support and have a chance to have visitation and take care of myself. And, you know, when I was working at the gas station, I mean, I got sick, like all the time.

And every time I got sick, it basically meant that, You know, my rent was at risk and my, um, you know, and my, my, my visit with my kid, you know, like it, was like, it was like so easy to just take to derail my whole life. And I was. Like you, I kind of got to the point where I'm, I have to change something like this is not sustainable.

Um, and I didn't know what to do either. And I was imagining maybe I try and go back to community college or something. Um, cause I tried and failed out already. Um, and, and then kind of similar to you, I, you know, I ran into somebody else who was in a different situation and, and they were like, yeah, you could probably, you could work at Microsoft.

And I was kinda like, work at Microsoft? I, it had never occurred to me that that was one of my choices. And he's like, yeah, yeah. You know, uh, I'll write you a referral. And he did eventually write me a referral, but of course one referral was not quite enough. I had to go backfill a lot of information studying before I was able to get a job.

[00:12:02] Build your network, vitamin B

Laurel: You know, and it, it really goes to show that who you know, and having connections and knowing people gets you a lot farther sometimes in brilliant anything. Um,

Zeke: So, so true in, in Germany, they have this notion of vitamin bay, vitamin B, and that's, it's really the, it's the nutritional supplement that actually gets things done. And it's, it's who you know, it's your network.

Laurel: Yeah.

Zeke: And

Laurel: I find that you build the more you build that, the more you'll succeed, just getting things done, getting into places. Yeah.

Zeke: I totally agree with you. What do you think are the strongest ways to build your network? Because I don't think like people talk about networking and I don't think this is how most people build their network is by going out to parties and schmoozing or something like this. It's, it's actually simpler than.

Laurel: Yeah. Well, you know, it's. I find that being helpful, something, this is definitely something that, that carried through IT. I, in IT, you have to help a lot of people. You're meeting a lot of people when you're doing that. Um, as long as, you know, if you treat them with respect and you're friendly and you're helpful, they'll be more willing to open up to you and they'll learn that you're a decent person and you are good at what you do and that will help carry you forward.

And just when those opportunities come along, whether it's for, to take a chance on something and, uh, strike out for more advancement, or if it's just something like with my friend, he's like, Hey, will you teach me how to do photography? I could've told them no, but if I had told them no, I might not have ended up in the job I was in.

Um, So I think, you know, being friendly, being kind, being helpful, goes a long way.

I'm not the party type. I don't go to parties. I don't even drink. Um, so that kind of like kind of somewhat sleazy sort of schmoozing never really worked for me. I find that that honesty and just openness seems to be a better, uh, a better way to make good connections.

Zeke: You're preaching to the choir, right here. I always say that networking is just about building trust and, um, and a few high trust relationships kind of grown over time, usually has more weight than, um, you know, than a bunch of scattered, scattered, low trust relationships.

Um, certainly, you know, meeting people at parties might mean you create a little bit of a window of opportunity, but just like you were saying, you know, you have that same window of opportunity by working at a help desk. You say here's my chance to build a connection with somebody with, with no, I mean, it's not an agenda, right.

Laurel: No, it's just, you know, being a, being a, decent person.

Zeke: Being a decent person. Yeah.

Laurel: And being reliable and, you know, because people always know if you come sidling up to somebody with an agenda, they, they always know. They know you're just trying to, I mean, we see it a lot here in Los Angeles because I mean, it's a celebrity town and there's always somebody trying to hustle something.

And, but people, people instantly zero in on that, if they see you're not being genuine, if they think you're there just to gain something. If you come towards people with, you know, openness and just wanting to, uh, you know, be friendly, you get a lot farther, I think.

Um, you know, and maybe, maybe that develops into something that helps you down the line, or maybe it doesn't, but you can't go into it expecting that you're entitled to it.

Zeke: That's deep, man. That's really deep.

[00:15:58] Volunteer for projects to improve your orbit/visibility

Laurel: Well, you know, it's, it's, it's also, but I will say some of it is being in the right place at the right time and putting your, you know, putting yourself in the place to have that access. There were, you know, they called for volunteers to do something it's going to be more work. You take that anyway, you take that opportunity and it puts you in the orbit of people, you don't know.

There was, uh, a project that, uh, I, I spearheaded, uh, early on, which was, uh, starting up a streaming service, um, an internal streaming service for our company. And I didn't have to volunteer for it, but I was kind of interested and I did. And by the end of that, I was doing, you know, all the executives knew who I was because I was coming in to stream their, their private meeting, like their, their monthly meetings.

I was coming in to stream their events. And so they all got to know me and suddenly, you know, when all these C-level people know you, uh, you ended up, you ended up getting a lot farther, you know.

Zeke: Yeah, visibility, high trust visibility.

Laurel: But you have to take the opportunity when those things come along. Maybe it's going to be more work, but you have to be committed to doing that work.

And that will put you in a place where, and they seen that. They see that you're taking the time to do all this extra stuff.

[00:17:25] Politics: Building good systems requires building good organizations

Zeke: That makes total sense to me. I mean, I, I don't know. Um, this is kind of a off topic a little bit, but I've noticed developers in particular, uh, do a lot of poo-pooing on politics. They always talk about, oh, this is office politics. That's just politics. That's not engineering, that's politics.

I know what they're talking about. I know that there are things which feel not salient to building complex systems. But at the core of anything we build is an organization that has to build it. And the first thing that good organizations have are good trust relationships. And I feel like a lot of times the people who are saying, oh, that's just politics are actually dismissing the importance of investing in developing trust with another person.

In other words, that team. I don't know what they do. I don't care what they do and I'm not going to learn it because that's just politics. And, and there's not a bigger piece of bullshit that you can fucking sling than I don't care about you, but they should do what I say. You know, like what you have to build trust.

You have to get alignment. You have to show that you're a partner. If you want people to execute with you,

Laurel: I mean, I worked for a guy who I have deep respect for. Um, and he basically, his philosophy was we never say, that's not our job.

Zeke: Hmm.

Laurel: You don't, you don't, it might not be our job, but you don't tell somebody that you find a solution. Now that solution might involve, you know, in other groups that we bring in, we find the right people to do it.

But you don't, you don't dismiss somebody is like, that's not my job, I'm not going to deal with that. I don't care what you're doing, that's not important to me. Because that does not foster a cooperative environment, especially when you're in tech and you have to deal with so many different and varied teams, developers, and customers, and the whole nine yards.

Zeke: Yeah. Unless you're really what you want to communicate is I don't want to work with you.

Laurel: Yeah. And you, you know, you might not want to personally, you might be screaming internally as you deal with some people, but you do, you still have to work with them. They're not going anywhere. The bureaucracy isn't going anywhere, you have to work with the system you have, and sometimes that's unpleasant.

Um, but you have to, part of, I think part of being successful in tech is being able to navigate those kinds of waters. Um, and I think that coming from a non traditional tech background, I think you have a little more flexibility because you know, you come out of, I see a lot of, uh, a lot of recent graduates coming out with their CS degree and they're super enthusiastic about tech and I totally respect that.

And that's their whole world, um, that's not necessarily everyone's priority in the, in the business. Um, so you have to be willing to not talk down to non-technical people, um, to work with them, to meet them where they're comfortable, especially when you're asking them to do things.

Zeke: This gets to an interesting, uh, point, which is, are there speaking from non-traditional backgrounds or unconventional kind of career paths? Are there things that you, where you feel like you have an advantage because of this non-traditional background or, and, or are there things that, you know, you feel like you're really at a disadvantage, um,

Laurel: It's a bit of both. Um, you'll I think definitely on the people skills side, I think I, you know, being, having worked a lot in customer service, doing things like waiting tables, you, you have to develop a little more patience with people. So you end up with a better skillset when it comes to dealing with other people, and also talking to people who don't necessarily know all the tech jargon.

At the same time, do I understand some of the deep, deep CS concepts? I might understand them. I might not know the words for them sometimes. You know, I didn't, I didn't spend four years basically submerged, nothing, but, but tech-goo.

I think the biggest, uh, the biggest downside is without that piece of paper that says, you've got a degree, you have to work extra hard to prove that you belong there. Um, and you will, you know, sometimes you find yourself limited, uh, where promotions aren't going to come in after a certain point, because you don't have a piece of paper that says you paid a hundred thousand dollars to go to college.

Um,

Zeke: Um,

Laurel: I think tech is still one of those fields where if you can prove you know what you're doing, you can get in without the degree. It might be changing, but I was very fortunate that I was able to get in and, you know, prove my jobs and learn along the way.

Um, I'm not sure how it is hiring people cold these days, though. Um, again, that's where the networking comes in.

Zeke: I think it's rough. Even if you do have a CS degree, I mean the CS degree, um, usually gets you an interview with, you know, especially big tech. They'll pretty much just take their, so they're competing for the talent so hard that they'll just take anybody with a CS degree. Um, I mean, they'll give you a first kind of tier, um, interview, but definitely doesn't guarantee you a job by any means.

And I do think that networking or, you know, understanding what the companies need when they're hiring people, I mean. I think there's a lot of opportunity for people to differentiate themselves and they need more people than can be hired that then can be created by the universities, to be quite honest.

Laurel: Yeah, especially in security. Security is always hiring. I have recruiters in my inbox all the time. Um, so it's, you know, it's definitely a, a lot of demand for these skills and not enough people to fill the roles.

Zeke: Um, you know, like, in security, trust is the thing that you're challenging as the, as the model, right? Like almost always the security hacking is trying to figure out what assumptions, what trust assumptions the systems have and figure out where those assumptions can't be held and those are vulnerabilities. And then figure out if, what set of vulnerabilities, what set of assumptions and behaviors can be combined in order to create exploits. Right?

So we were talking about trust between people and, you know, trying to create high trust systems, high trust networks in order to build your career or um,

Laurel: Uh, it is all about, it's all about trust and in systems as much as people. Um, and, uh, you know, I think for me, I was doing a lot of, uh, uh, for me doing a lot of analysis work. Uh, this is another place I feel like non-traditional background, you've look at it with where a non-traditional background comes in handy because you look at it from a different lens, sometimes.

[00:24:55] Backup and look at the whole picture sometimes

Laurel: Um, security is it's easy to get really narrowly focused on just one thing, but you really have to back up and look at the whole picture sometimes. Um, especially when you're looking at data and you're looking at trends and things like that, um, You can't zero in too close. You have to be able to both zoom in and out, uh, to see everything.

Um, I guess that's kind of a rambling on the answer

Zeke: No, no, no, no. I actually agree with you. Have you been to Black Hat or DEFCON or

Laurel: I have not yet. Uh, I was, every time I try to go to DEFCON something happens that breaks it for me. Either, my last, I think the first time my Jeep broke down and I had to back out. Next time, my dog got sick. Um, the most recent time, I was sure I was going to go in 2020, and we all know how that went.

Zeke: Yeah, nobody went.

Laurel: We were supposed to go this year, but the company decided they didn't have the funding for us to go this year. Um, so, and I'm still not with, I have my higher risk health category, so I didn't want, I'm not ready to go to a convention center yet. So.

Zeke: Uh, respect for that, too. I am still only, um, I'm still, I'm still meeting everybody outside.

Laurel: Yup.

Zeke: Um, uh, my wife and I are happily waiting for some other sorts of signals about, you know, the Corona pandemic to be over before we start doing inside meetings.

Laurel: Yeah. I I'm saying I I'm an outdoors person in general, so like I've been fortunate that the things I do to entertain myself are already far away from people. So I haven't been bored.

Zeke: Just, I'm just laughing. Cause it really, if, if, you know, DEFCON is it's mostly alcohol and risky behavior,

Laurel: In Vegas.

Zeke: Yeah. In Vegas, but I mean, even, even on top of it, like it's kind of, you know, like, Black Hat a little bit less so, because there's a lot of kind of corporate squares that are going there to just sell their products, you know, there's like trading, but DEFCON is subversive.

And so there's a lot of transgressive behavior. Some of which is fun. And other of which is I would say dangerous, you know? Um, and it's hard to tell the difference. And it's like, if you want to be cautious about health, whether that's your digital health or your physical health, the DEFCON is probably, it's probably good to steer clear of that until,

Laurel: And isolate both your, yourself and your devices. Quarantine for everything.

Zeke: Quarantine for everything. Just running around in a bubble suit.

Laurel: I think the funniest thing is I had a friend who, uh, told me, oh yeah, I'm going to Vegas for the weekend. And it was during Black Hat and I was, I was during Black Hat and DEFCON I was like, uh, let me just give you a heads up here about what you're about to walk into. Maybe don't use any ATMs while you're there, like the whole time.

Maybe don't put your phone on any wireless networks, but just so you know, this is like the biggest hacker convention in the world taking place while you're going to be there. So, you know, be careful.

Zeke: Yeah.

And it's mostly for LOLs, right? You have to worry about there's going to be somebody who's just going to, you know, hack things just for, just for kicks, just to see if it can be done. Um, you actually, uh, I've only been one time and so it turns out that DEFCON overlaps with RollerCon. And at the same time, as I was, you know, hanging out with the hackers and stuff, I was also doing roller derby, which is really another subversive group.

Laurel: That is.

Zeke: Um, and as hardcore as the DEFCON people are with their partying, the RollerCon people are at least as, as, as hardcore, but they don't have the amount of money. So, you know, the DEFCON things are funded by infinite, you know, bar tabs. RollerCon, it's, you know, more cheap beer and, uh,

Laurel: I've, I've, I've never gotten close to that, but I've heard enough rumors. No, that that's, uh, they party pretty hard.

Zeke: LA Derby dolls, they do bank track in LA.

Laurel: Nice.

Zeke: Yeah. Good stuff. So when you were, oh, let's go back to how you made the switch into development. So you, there's an internal program at your company. That's designed specifically to take people and upskill them into, you know, development jobs. Um, what kind of program, what kind of skills did they teach you and how did they determine who could join?

[00:29:53] Be motivated, ambitious, and willing to learn

Laurel: So we actually had a pretty extensive application process. So we had to do a, they gave us like a coding exercise that we had to research. It was simple, but it just would show that you could look it up and learn something basic in a short period of time. Um, they did a variety of different interviews. Um, it was kind of like applying for a job really, um, except for what they were looking for, wasn't that you had established tech skills, um, but that they were looking for the drive to learn. That was their biggest thing, is they wanted people who were motivated, ambitious, and willing to learn, because they pulled people from all sorts of places. We had people come from facilities. We had people come from, you know, project management jobs, uh, who were totally non-tech related.

Zeke: And you were convincing, clearly because as the pilot project, you also became their model star at the end of the day. So what story, or what did you tell the interviewers that helps them understand that you are that person?

Laurel: Hmm. How did I get that? So when I went in, I basically focused on a lot of, uh, just showing them I had done things in the past that I had, I had learned on the fly, that I had engaged in projects that, uh, I had no previous background in, but I tried it and succeeded anyway.

I just kind of showed them, I was willing to do what it took.

Zeke: Is that like the streaming project?

Laurel: The streaming project was one. That was my, that was my big accomplishment.

Zeke: Before you became a developer, right?

Laurel: Yeah. Yeah. So I, I, I did that. A lot of it was, uh, like I didn't do a lot of the hands-on part of, of building it because we ended up going through a third-party who helped us build things.

So I wasn't writing the code, but I basically learned how to do all of it. I learned about all the equipment. I learned how to do sound mixing and video editing and all this stuff that was tied to it. And, uh, and then I went on to train others to do that.

Zeke: That's real, that's real leadership stuff right there. That's, you know, owning the product and the execution. And you know, saying that, you know, like owning the success, I would say.

Laurel: What was fun was after I left that team and moved on to doing a security, the people who left it, I left it with, I was so sad to leave my baby behind, but they took it and they ran with it even further. And they've made the program just incredible. Like they, they took what I had built and my initial successes and built a company-wide program that is just renowned throughout the whole company.

It was really cool to see what other people did once they took what I was finished with. Um, I was really, really proud to be part of that.

Zeke: This may sound weird, but I've been looking into all this solopreneur, SaaS stuff. I mean, you just basically kind of told me, you know, I quit my job story and I started a startup to build something. Have you ever thought about doing that at this point?

Laurel: I've thought about it. Uh, I think for me, the major thing is health insurance. This is a very American problem, obviously. Um, I have health problems that were a big driving factor in why I needed to have a steady job with a reliable income and striking off like that and trying to do a startup, uh, it's just that I, I worry about the risk there.

If I can't get the coverage I need, if something bad happens, if my, if my health gets worse. Um, so that's really what it's a uniquely American problem, but the ability to get health care is what has limited me from doing some of the things I really would've liked to have done, um, with photography, things like that, too.

[00:33:58] Pay attention to personal risk security ratio

Zeke: Yeah, I actually, I can relate, there was, I had a conversation not too long ago, um, where somebody was saying like, oh, you know, you know, they don't sign on too early to a company because you know, later on, you know, you can't make these kinds of decisions. You can't actually go do wild and crazy things like join a start-up.

And I was like, you're wrong.

Because when I was young, is actually when I needed security more because I had kids when I was young and I needed like insurance and I needed reliable income. I needed to be able to say that this is going to be there. And so I can meet my responsibilities in a reasonable fashion.

And now it's, you know, 25 years later, I actually am much less risk averse right now, than I was when I was. Yeah, 25 when I was 25, I was highly risk averse because it would've interfered with so many things that I really cared about at the time. And I think that being conscious of what your risk security ratio is because like, I, I, I was talking about investing, right.

You know, w what level of risk you're available for when you're making an investment. You know, can you throw money away by putting it in Bitcoin, or do you need to keep it so that you can pay for your kid's school? And I'm like, Yeah. I'm not investing in Bitcoin.

I'm going to make sure that I can make my school payments, you know? Um, and, and, and I think that this is something that people, um, you know, can just be internally thoughtful about, like what that balance is.

Laurel: Yeah. Yeah. I think I was more willing to take a lot of risks when I was younger because I had nothing, literally nothing to lose. Um, I was living in my car for one, for one period. So, I mean, you can only go upward from there. Uh, so I was, I took every opportunity that came my way. Um, when I was doing the freelance work, I hooked up with a public, uh, publication company.

Um, and that's how I got a lot of, uh, a lot of my work when I was doing freelance stuff. Um, and you know, you just kind of. I just took every chance I could, um, anything to try and get out of where I was. But now I'm a little more conservative about what kind of chances I take, just because I don't, uh, don't want to risk losing the health insurance.

Um, there's a lot of uncertainty in the world right now, though. Um, so you know, trying to keep options open, mind open, not knowing what's going to happen next year, nor the year after.

Zeke: This gets into a different part. We, we, I think you touched on this a little bit, which is getting yourself into a configuration where, you know, you can take choices, right? You're saying, Hey, I connect up to these people. And that way, when opportunity comes by, I can take it. Um, I find that luck actually plays a pretty dramatically large role in, in success.

Um, can you think of places where, you know, like, like luck was both kind of either useful or, um,

Laurel: All the time. It was luck that my friend was at that same concert. I hadn't seen him in years. Um, it was luck when I ran into the people from the music publishing company who wanted to chat. Um, life is really a lot of random chance. The dice roll and you never know what you're going to get sometimes.

Zeke: Do you, do you actually have strategies for increasing your luck?

Laurel: I have generally overall terrible luck. Um, I wish I had a strategy for improving luck, but for every lucky chance I've had, that's good, I have about 20 that are horrible. Um, usually things pile on all at the same time. Uh, I have a friend who's like, I don't understand how you have such horrible luck. Like all, all your stuff breaks at once.

That's just how, it's just how I

Zeke: Man. So then you need to have strategies for, uh, being prepared for unlucky events. Right?

Laurel: Yeah. So my, my philosophy is always just prepare for the worst in all occasions, because it's likely to occur. Um,

[00:38:36] Turn vulnerability into strength

Zeke: But does this help you as a security researcher? Because the worst is pretty bad.

Laurel: I think it does. Um, I think, you know, I think being in security requires a healthy dose of paranoia. And once you're in security, your paranoia only increases. Ask me if I have an Alexa or a, any hot mics or a Ring camera. No. There's no smart appliances. I want dumb everything. Um, you know,

I, I feel like especially working in security and you see how unreliable tech is more and more, I go with analog stuff. Uh, I don't have an Apple Watch. I have an analog watch. Um, I spend my off time in a desert where there's no cell service. Uh, it's, uh, yeah. And you just, in security, the worst is really bad. And, uh, you try to be prepared and have plans in place for when things go wrong. Um, because they will.

Zeke: That's kind of dark, a little bit,

Laurel: But then you see what happens to companies like Sony that you know, their entire office more or less destroyed because of a couple of angry North Korean hackers.

Zeke: Right, man. Um,

Laurel: Sorry, I'm a downer today. Uh,

Zeke: That's okay. That's okay. Um, I, I'm just trying to jump around here and, you know, see what we see, what we catch there.

Um, how do you learn best?

[00:40:21] Learning is reading, doing, and adapting

Laurel: You know, a combination of, working backwards. A lot of times, if I'm looking for something, I, I, I'm better at reverse engineering. Um, so if I have a problem I can't quite understand, I look at where it ends and then I work backwards from that, to where I'm at. Um, but just learning in general, a lot of it, it's, uh, a bit of doing, a bit of reading.

Um, the internet is a great resource. Like you don't know something, you can find it, you can, you can figure it out. You can find somebody who's had the exact same problem that you're having. And, uh, and then you just kind of, you look at what they're doing. You see if it works for you, you kind of move it around a little bit.

So it works for what you're doing. Um, and then you do it and then the more you do it, the more you learn. Um, and I mean, when, like in the program I did to the, a advancement program, uh, that was more formalized, you know, it was classroom learning. They sat us down. Taught us like, like back in, back in college again, back in high school.

Um, and I, I learned fine that way too, but I really prefer like a mix of, of reading about it and then doing it. And as I do it, the mistakes I make, then you adapt and you figure it out and somebody else's recipe may not work the same way. Uh, you have to adapt it to work for what you're doing.

Zeke: Um, I think I'm pretty similar. I mostly just kind of read all over the place and then I just start, you know, hacking, experimenting, doing,

Laurel: Sandbox sandbox it all.

Zeke: Um, did it, uh, I think a classic problem for people who jump into tech, especially from tech adjacent stuff is, uh, uh, a longer period with imposter syndrome. Do you ever have like imposter syndrome or, or when, or when did you start to feel like a real developer?

Laurel: You know, imposter syndrome is, is, is funny. I feel like it gets wielded a lot, especially against women. And it's, I guess it's kind of under, it's kind of, for me, understanding that you're never going to have the depth of, of technical jargon, the technical learning to someone who just hopped out of college with like, they're going to have deep concepts about things that you might've missed, but having the experience to know how to practically make things work, I feel like is, is something that you can pick up from anywhere just from doing things.

And I, even now, I mean, I'm in a staff level role now, even now I encounter people who have way more advanced knowledge than me on certain subjects and it can feel almost intimidating, but at the same time, you have to remember that you have knowledge that is, that is different, too. Your skill sets are valuable.

And, uh, you know, uh, everybody's got a different, different field they're working in and you just have to, if there's something you don't know quick, go Google enough that you could at least understand what they're saying and, uh, go from there. Um, but I think what made me feel like I was actually at the level I'm at was when you, when you start mentoring and teaching other people.

[00:43:55] Mentoring is bidirectional growth

Laurel: Um, and I was mentoring a person, uh, at a previous role. And, uh, I was, she had, she was fresh out of college with a CS degree too. And so she had a lot of technical knowledge, but being able to show how to use that in the business environment and, you know, teach new things that they weren't, they didn't specific things like using Splunk or using certain types of, uh, of, uh, uh, platforms and things like that.

You can fill in the gaps. And so really having someone with more skills than you in one area is helpful. You kind of complement each other, you fill in the gaps where each other doesn't have it. Um, and then being able to pass on what you've learned in 20 years of doing this, it really feels good.

Um, and, uh, I really think that's important as being able to pass on the knowledge you've learned and the experiences you've had. Um, and that's, uh, yeah.

Zeke: Actually I think that's the most consistent, um, that's the most consistent checkpoint that I've seen over people's careers. Like when, when they know that they're past this type of imposter syndrome, when they're able to share their expertise with the next generation,

Laurel: Yeah,

Zeke: you know, I think it's a real like, oh wait, it just because it makes it clearer to yourself that you're not in that still in that state where you don't know anything.

Right. When you're like, oh wait, this person doesn't know anything. I am the person who has the knowledge, wait a second. I'm not the imposter, they're the imposter.

I'm just kidding.

Laurel: They're just, they're just green, you know, they just need to, to have some time to learn the new stuff, you know, the way it works

in a business.

Zeke: My mental model. My mental model for imposter syndrome is that imposter syndrome is just a proxy for, um, when you're outside your comfort zone. And with the, what I was kind of, kind of trying to say there is some times where we start outside of our comfort zone and we get more comfortable, but we don't let go of the feeling of not belonging, almost.

And that's the mistake, right? And the pipe where you could say, oh, wait a second. Now I realize I belong here because I'm trying to bring somebody else to where I am. You know, like this is the thing. Um, it's, it's, uh, Yeah, it's tricky, sometimes.

Laurel: Yeah, well, I mean, there's always, there's, there's times I'll pick up a project and I'll look at something and be like, I'm not sure what this is. And, but that's just not like, especially in tech, you're never finished.

Nobody has ever is ever finished learning about it because it moves and changes so quick that, you know, 15 years ago, who knew AWS, who knew cloud stuff, nobody, everybody had on-prem servers out in Nevada.

And, uh, you know, but now cloud is the thing. So you have to keep on top of it. Um, and if you, if you encounter something like that, rather than saying, well, I don't understand this. I'm never going to understand this. Somebody else is somebody else's better at this than me. You say, okay, well, I don't know this well, I'm going to go find out how to do it, you know?

And you put in the legwork and you learn how to at least interact with it. Even if you're not doing the top level, you know, hardcore stuff, but at least learn how to integrate into your skillset and your, your systems. Um, you know, you never, you never close your mind to learning new stuff.

Zeke: So given that's the case, you know, like you got to never close your mind, learning new stuff. What new stuff are you learning right now? What or are we like, what's your, what's your last browser tab on something you don't know?

Laurel: Oh, goodness. So I think I'm still, I've got some, some entry-level cloud architecture that I, I know enough about to be dangerous, but, uh, that's where I want to expand more is building out systems in there. Um, I can do it if I've got someone come behind me and check and make sure I'm doing things right, but I want to be more proficient in that, uh, being able to spin stuff up a lot faster.

We're doing, you know, I'm working on a project where we're probably going to have to use a lot of, uh, scalable containers for something. And, uh, I don't want to have to outsource that to another team to do that work because they might not do it right. Um, and it might take forever. I'd rather it for me, just we're able to do it.

So, uh, that's where that's probably the next step for me.

Um,

Zeke: Cloud

Laurel: just so I can, yeah. Building out, just building out the infrastructure in cloud. Um, I know a little Terraform, but, um, I'd like to get better. Um, just so I don't have to rely on other people to build out, uh, my industry.

Zeke: Um, so which cloud are you guys going to be using?

Laurel: Which cloud you got?

Zeke: Yeah.

Laurel: Spread across everything. I've dabbled in Google, have dabbled in AWS, Azure, pretty much any cloud you can think of. I've at least touched it. Um,

Zeke: Um, you mentioned Terraform here. We're just rambling a little bit, but, uh, I went and kind of did this. What was it called? The infrastructure as a code and infrastructure as code research and Terraform is this infrastructure as code stuff. Um, and I, and I admit that it's attractive to me because I kind of am attracted to I'll say, GitOps style, um, development, where as much as possible, you just put things in source code and make it buildable.

This partially comes from, I think my, my background of building operating systems where, you know, all the important parts are in the build. Um,

and, and when I was digging around in here, the thing that I got really attracted to instead of Terraform was Pulumi. Have you seen Pulumi?

Laurel: I haven't looked at that one yet.

Zeke: Yeah. So it's an alternative, it allows you or your choice of programming language. Um, what's the AWS has one too. It's uh, it's cloud something, right? What is the

Laurel: Uh,

Zeke: CloudFormation is the, the, this, the runtime serialization format, but the programming environment, what is it called?

Laurel: I'm doing what I usually do when somebody says something I don't recognize, I'm Googling for it.

Zeke: Yeah. That's what I'm doing, too.

CDK. So the AWS one is called CDK and that's cloud development kit, I guess. And that's run to basically do TypeScript to build your stuff. And Pulumi is cloud agnostic.

Whereas Terraform is declarative with some weird semantics for imperative stuff. Like it kind of fakes imperative in a way that I don't know, I personally find ugly.

Um, you have to do weird tricks to do for loops and things like that in Terraform, but you can do them kind of transparently in Pulumi or CDK.

Laurel: Oh, this is nice. You can import as a library in Python.

Zeke: Yeah. And, if you're having environments all Terraform based and you want to use parts of it in Pulumi, you can totally do that. And I think the other way around, right? So it's not like, um, it's not as religious, although when I dug it into the Pulumi thing where it's not cloud specific, hybrid cloud stuff, I think is its own nightmare, that should be avoided.

Actually. It was, I was dealing with somebody who was like, oh yeah, we're all GCP. Except for AWS Lambdas. What does that even mean? All GCP except for AWS Lambdas, but like they did like all running on Kubernetes, except for their Lambdas are gonna run on AWS or something like that. And their, um, SNS, SQS queues.

And I thought that was really weird, like that they'd hybrided there, you know?

Laurel: Yeah. Well, you know, I think in, especially in larger companies where cloud adoption may not have been universal at all, all at once you end up with different segments, started experimenting with different things, like one segment of like, okay, we're going to use, you know, you can use Google cloud and the others go, oh, we're going to use AWS.

And so you end up with different segments that were doing different things before it was, you know, it was, it was more widely used service. And so there was no standards written yet. Um, which is a problem with tech in general is they move so fast that sometimes especially in security, your standards, don't always keep up.

Um, so, you know, you're constantly having to rewrite what security looks like as the landscape changes. Um, but yeah, you can end up with, uh, that's how you end up with a company that has all different types of cloud. 'cause they, they all grew up from separate seeds in different parts of the field.

Zeke: Yeah, I think it's, it's funny because Amazon would be that company, if it didn't have AWS. Meaning in every other technology choice that Amazon makes other than the cloud provider, it's like everything, they just choose it's completely federated decision-making.

Um, so It's really easy to imagine how other companies would end up with who knows what

Laurel: Well, and then you, you think about a company that's been around for say, you know, 50 plus years, and you think about some of the systems that you have in there that might be 20 years old and running on some sort of outdated weirdness. And, you know, we have legacy stuff that you, where did this come from?

Why is this still in use?

Zeke: Do they still use flash tubes? I mean, seriously,

Laurel: Uh, oh, the stories I could tell you. Oh, well that that's when we'd have to, we'd have to have a private chat,

Zeke: Right.

Laurel: Yeah, it's, uh, it's, you know, I, I had a friend who told me a story about working, doing, uh, DOD contracting and they had some general who wanted some programs. Some simulator program from like the eighties or the nineties and they had to dig up cause it wouldn't run on any modern equipment.

So they had to go to a garage sale and buy somebody's ancient desktop from a garage sale and put that all together for this guy, because this, you know, give one of these four star generals, they're going to get what they want. And so they,

you know,

Zeke: The next thing that happens is that somebody does a take home project and compile a recompiled emulator creates, uh, an emulator in JavaScript to run this version of the desktop and have the, uh, transpiler for, uh, you know, from the source code or something like that.

Right. There's the wacky things that people do these days.

Laurel: it's, it's uh, it's interesting. Um, I've seen some strange stuff.

Zeke: I bet. I was just thinking, you know, 50 years, you know, a 50 year old company is like, well, it's not a tech company, right.

You're in a, you're an entertainment media company. Sure. But like 50 year old, I was like,

Laurel: well, you know, you got, you got Bell. So like my father was what worked, he got into tech because he was in, he worked for Bell T climbing telephone poles, which became Southern Bell, and then AT&T bought them in all AT&T is a tech company now.

And you know, there is a time when they gave me opportunity and like, I guess the late seventies when computers were starting to become more prevalent to learn COBOL.

So they sent him off to learn COBOL. And so he went from climbing telephone poles to writing COBOL, um,

Zeke: I love that. I'm actually wondering who is going to be writing COBOL next.

I mean,

Laurel: Well, so there's a lot. Well, yeah, it's in a lot of financial systems and that's actually what he did was he wrote for their payroll program. Um, and it turned out what was it just recently, there was something that went down and COBOL was the only way. And so they're suddenly hiring people who knew COBOL.

Oh gosh. It was, it was just a couple of years ago. I can't remember

what it was.

Zeke: It's going to be like Jurassic park. What they're going to do is at some point, there's going to be where, oh, well, we need COBOL programmers. So we're actually going to invest in, you know, reanimation so that we can resurrect people from the dead to program our computers. Cause we can't convince kids to learn COBOL.

Laurel: well, and you know, the thing is, is like he, that was all, so he, his problem. He never learned anything else. He did COBOL and that's all he did and technology moved on. And then when they'd started outsourcing and they outsourced his job to India and he got forced into early retirement, and then he went back to, he was doing outdoor work.

After that he was replacing a telephone, a telephone, uh, replacing the electrical meters when they were going to, from analog to digital electrical meters. That's what he was doing at like 50, because he got laid off for doing COBOL. So, I mean, they probably did that to most of the COBOL programmers.

And so then you have, you know, 50 plus year old people who were probably bitter about being laid off, who aren't going to want to come back to do COBOL in their, you know, come out of retirement for that.

Uh,

Zeke: dollar

Laurel: I doubt they were offered that much. Um, but yeah, it's it's interesting. I could deal with some sharks with lasers. I can help you there. I was, I was a marine bio major.

I mean, so it's, it's some things come back from the dead, but I think moral of that story really is keep learning because you don't want to just be the person who writes the outdated language that nobody uses, except for one small thing. Oh, I know what it was. It was the, uh, the unemployment, when the pandemic hit, all of these states, state governments were using COBOL to run their unemployment systems.

And so when suddenly they were flooded with, uh, with unemployment requests and the systems were overtaxed and couldn't handle it, that's when they were like, oh crap, we need to find some COBOL programmers to, to fix the system, to handle the load.

Zeke: Nice. Yeah, the last time that COBOL programmers were really in, in vogue was for the Y2K prep. Right. Nobody knew what was going to happen there. So they were like, you know, basically bringing all these COBOL programmers back out from retirement to, to scan the code.

Laurel: Yeah, well, they did a good job because nothing exploded

Zeke: success. Right? This

is,

Laurel: the world didn't

Zeke: this is,

the, like what success looks like for a good security researcher. Nothing happened.

Laurel: Exactly. Exactly.

Yeah.

Zeke: My goal this month is that nothing happens,

Laurel: or if it does happen, we know about it before it becomes a problem.

Zeke: right. Which is the same as, you know, getting psychic powers.

Laurel: Yeah.

Zeke: Well, um, maybe we can wrap up with just, uh, one last question. Um, can you think of something that is an example of something that is valuable, that you would pass on to a next generation person, who's thinking about making a jump into tech? A person, a book, a website, a philosophy, a mental model.

Laurel: Stack Exchange?

[01:01:13] Branch out of just tech: communication, writing, collaboration

Laurel: Okay. Hopefully it never goes away. No, I think, uh, other more serious little, I think, you know, maybe it's my bias, but branch out of just tech, learn your tech, but also learn other things as well. Um, you know, be able to have those soft skills that a lot of pure tech people lack, be able to write well and cohesively and, and coherently.

Um, you know, learn how to, to deal with people who may not want to work with you. People who are resistant to doing things they need to do, um, learn those skills around that, uh, because it's, their tech is great and it's great when you get into the weeds with it, and you're, you're really focused. Um, but you also have to work with people who don't know the first thing about tech.

So being able to communicate, having communication skills is really the key. I think, to success in tech is being able to, uh, have your idea, have your, your, your, your big tech project, but also be able to communicate it to the people, the stakeholders, the money men, whoever it is, um, to actually get the work done.

So invest in soft skills.

Zeke: Do you have a, a resource or, uh, you know, something that actually kind of leveled you up in that space? Like a book or

Laurel: uh,

Zeke: no?

[01:02:50] Working in customer service helps with soft skills

Laurel: I wouldn't, I wouldn't suggest go work a, a crappy minimum wage customer service job, because it's awful. Uh, but, uh, you know, learn to be around people, I guess. I wouldn't say there's a specific resource, uh, but just spend time around people get involved with things outside of tech. Um, just learn how to interact.

Zeke: You know, um, I'm actually gonna, I'm going to double down on the customer service job, I think.

I actually had a philosophy, a theory when I worked at the gas station because I dealt with so many terrible people. Everybody, no matter what background they come from should be required to work in and they have to stay in a customer service job until they learn how to make peace with it enough that they can say they're good at it before they're allowed to go work in other jobs.

Laurel: Yeah, well, I mean, when you're being screamed at by somebody over something silly and you can't do anything about it and you just have to take it, you just, you just have to learn to just take a step back, I think, and not take it personal. And honestly, you also, I think one of the biggest things in customer service, in any part of life, uh, is.

You don't know what they're going through. Every time you meet somebody, you have no idea what is going on in their life. They might be horrible to you. They might be the biggest stonewall on your project. They might, you know, send you some sort of snap, snappish, dismissive email. Um, but you don't know what just happened to them today.

Maybe, you know, they've got sick family members or maybe, you know, they've, they were in an accident on the way to work or maybe something horrible just happened to them. And there's so many reasons why somebody might be difficult to work with and you just have to take a step back, not take it personally, uh, and kind of put yourself in their shoes.

And when you're doing this and you're in tech and you're trying to get some project push through or get them to implement security controls or whatever else, you have to look at it and think about it in the way.

How do I make them want what I want?

They've got their own problems, their own agenda, things that they're, they're stressed about, their deadlines are coming up.

How do I make them see that the stuff I want is actually the same thing that they want and work from that. And that's, again, people skills are as much important, uh, as much importance as tech skills.

Zeke: Well, um, at the end on that note, empathy is a core skill for building, you know, better, better world. I think.

yeah.

Laurel: Yeah. Yeah. I mean, we, tech is, is a tool, but we're people and we have to live with each other.

Zeke: Yeah. All right. Thank you very much.

Laurel: Thank you. It's been a pleasure.