Maril Vernon: 0:14

Welcome back to The Cyber Queens Podcast, where we are talking all things getting into and succeeding as a woman in cyber, trying to inspire you Gen Z to help us close this gender gap. I'm one of your hosts, Maril Vernon, resident offensive and hacking expert. I'm joined by Nathalie.

Nathalie Baker: 0:30

And I'm Nathalie Baker, SOC Manager: all-things blue team.

Maril Vernon: 0:34

Yes, blue team, red team, one team, two team. Today, we are here talking to you about something that is a crucial skill that is kind of, losing its prominence in the balance, which is talking technically to a technical audience. And we wanted to bring this up because, there are a lot of people mid-career pivoting into cyber. There are a lot of soft skills that are very important in cyber, like the ability to speak layman, but a lot of us are losing the ability to accurately convey technical concepts, to technical audiences who don't want the layman summary. They want you to get into the weeds of the code and the syntax and the utilities and all those things. So that's what we're talking about today. Nathalie, what are your feels, give 'em to me.

Nathalie Baker: 1:18

I just have to say, this is a really great topic because soft skills are really important. You have to know your audience. It's very important to know who you're talking to.

Maril Vernon: 1:30

It is definitely in pentesting

Nathalie Baker: 1:34

If you're talking to a client, they might not understand the technical speak at all. Sometimes we'll have to go through reports and decide, "Let's spell this out a little bit further for this, client." Whereas if you have a client that is very technical, has a technical team, they have their own security team. You're just like the backup then, you can speak a little bit more technically you don't have to spell it out as much, but you can go into a little bit more detail with them.

Maril Vernon: 1:59

That's a great strategy. I feel like a great way to always approach these situations is when you're in a mixed audience or you don't typically talk to these people, they're not your typical stakeholders, they're not your usual IT team, you might not know who you're speaking to. Especially people like Erika, I wish she was here to weigh in. Erika could talk about sales calls. You never know if you've got the lead architect online or the GRC person or the person who's just making a budget call. So I feel like it's always best to start out non-technical, start out with your analogies and your high level speaking. If someone comes up with a technical question can you explain how your API would integrate with our vulnerability management software on the back end? And you think, "Oh, you're technical, let me get into that for you." That's a great way to speak to that audience member, while not excluding everyone else and leaving everyone else behind.

Nathalie Baker: 2:47

It's really important if you speak down a little bit at the beginning, and then you figure out, hey, this person really does know a bit of technical, you have to know if they understand the technical jargon or they're just using the technical jargon. Because some people will just use technical jargon and it'll be like word vomit coming out of their mouth and you're like, "You're not even using the correct terms correctly."

Maril Vernon: 3:08

You're not. This is actually such a great thing to bring up because there are a lot of laymen who make their way into technical management roles, or even like higher echelons of technical leadership. For instance, I'm currently doing one to one sessions with someone right now who rose to a COO position. She's not a CTO or anything, but she rose to a C-level position for a very technical product for literally an adversarial emulation product. She's saying, she came from like a financial background. She said, "I have a hard time keeping up. I don't understand what they're saying. I don't understand where I should ask questions, how to refute, where to push back, where to ask for more, because I'm already lost when the conversation begins." So it's so great to know the technical aspect of your job, because yes, using an analogy, explaining it to someone who's in your stakeholder meeting or your executive outbrief is going to be totally different than your technical outbrief. We literally have to generate, as pentesters, three different versions of our reports. There is the executive report, which does not have as much information as the stakeholder report, which does not have as much information as the technical deep dive that we have with the remediation teams who want to know which binary we used, or which command we used to call a certain tool or access a certain console. If we were only able to have those technical conversations in a very attack path manner- " we got in and we called the console and then we pushed this branch of code to production," - that doesn't help them at all that doesn't help them do their jobs better. It's one of those things where it helps you get on the same page with the teams who are going to be picking up the ball, where you leave it off, like you hand the baton to them. You need to be able to give technical lead ins and give them a starting place or you're actually doing your technical teams, a disadvantage."Wow, we found something really bad. We found something really cool." Like Nathalie, I'm sure you're going to, you're going to speak to the,"I found something really cool. And I do not know how to tell you how to fix it, but here it is." What would you even do with that?

Nathalie Baker: 4:59

Figure out how you got in and then where our securities were lacking at.

That's what I would figure out: 5:05

is how you got through and like where we need to put an extra layer of security in place at, where we need to maybe alert at a little bit more. Maybe we need to tune in some alerts or tune out some alerts, depending.

Maril Vernon: 5:19

I feel like so many people, it is important to come in, even if you don't have that technical vocabulary yet. I don't want that to be a barrier to your entry into cyber. Definitely come into cyber first. You can learn the jargon on the job, but for me, the first thing I do every time I'm studying a new certification or a new subject matter is I flip to the back of the book to the glossary. I go to the glossary, and I memorize those terms because if you're using a term- the first time I encountered the word SIEM, I'm thinking, so these logs will go to the SIEM. Oh, what is a SIEM? Like, I gotta go back there. It's the events manager. Okay, so every time the logs go - what you're saying really is to the events manager, the thing that's correlating the things: now I understand what that means. If I was just like, the logs are going to forward to the SIEM via API, and then it's going to go to the SOC and then it's like, " Aw, snap we're three acronyms deep, and I have no idea what's going on."

Nathalie Baker: 6:07

Especially when I'm training entry level, I don't even like using acronyms. I spell it out for them, unless I'm quizzing them on an acronym that I've already taught them. So if I say DNS a lot, that's going to be an acronym that I'm making sure that they understand right from the get-go. Because that's something that's really important, for us to know which logs are doing what, what we're looking at when we're looking through these logs. I like to ensure that from the very beginning we get on a base level, we say, "Hey, what do you know? What don't you know? And let's fill in the gaps." Every now and then I'll quiz 'em. But I don't start using that term regularly out of context - like DNS - I don't just throw that out there randomly until I know that everybody's on that same level.

Maril Vernon: 6:55

No, it's like learning a foreign language, like showing up to French day one of high school. This is a brand new language where we have our own syntax and our own grammatical rules. I had to explain TTPs to someone the other day. The person said, "Well you explain TTPs as like all the things, but you'll also refer to one TTP, but isn't one TTP, technically just a procedure?" It's just one of those things where I'm like, you're right, but colloquially, we will call them all TTPs and call one a TTP as well. It's got its own rules, all those other rules are out the window. But I agree when I'm introducing someone to a new concept, I'll say," We're going to forward it to the data loss prevention, the DLP system." So data loss prevention, and you want to reinforce data loss prevention, DLP, the data loss prevention, DLP. And then the next time you'll say,"Hey, can you get into the DLP console and check that thing?" They should know, "oh, data loss prevention."

Nathalie Baker: 7:42

I take it a step further. I'm like, "do you know what DLP means? What does it do? What is the name of it?" I'll quiz people on it. You think that you know, so what is it?

Maril Vernon: 7:51

I was just going to say that the next thing is that people just start using the acronyms as the noun, without knowing what the noun is. They're like, "yeah, we send that to a DLP system, which checks it for us." I'm asking, “Do you know what that is?” They’ll be like, “Yeah, the DLP,” and I'm like, “Yeah, do you know what the DLP is? Do you know how that functions?” They’ll say, “No, I just know that we use it.” And I'm like, okay, you can't just reference the thing without knowing what's behind the meaning of the word that you're saying. It makes you lose a lot of cred and certain technical audiences. It tells me immediately that "oh, I can't speak on that level with you, I need to take it a few steps down and water myself down a bit. Bring myself to some layman level like, 50 layman/50 technical. I flip to the back of the book first. This is basic situational awareness for literally any job, no matter what job you start. You're an auditor, you're a crime scene forensic investigator, you're a cop, you're a lawyer.

Nathalie Baker: 8:38

You're a paralegal.

Maril Vernon: 8:39

Yeah. Yeah.

Nathalie Baker: 8:40

You start getting into some really Latin phrases.

Maril Vernon: 8:43

Yeah, lawyers aren't even fair, you just switch into Latin when you feel like it.

Nathalie Baker: 8:49

And it's at whim. So for the longest time I was calling, I forget what it was, but there was like the certain type of document that we were filing and I would call it something that was like completely off. My boss had to correct me about five times.

Maril Vernon: 9:01

I feel like I would be like that scene from the bridesmaid. I'm like, "yes, and then the, Lorem Ipsum was filed." I don't know what I'm talking about. Its basic situational awareness. If you want to be able to keep up in those conversations with Nathalie, you want to be able to keep up in those conversations with us, you need this foundational knowledge. You need to at least know what the terms that we're throwing around are, even if you don't know how they work or how they function together, you need to know simply what the definition is. It's going to enable you to excel in your role quicker, because again, if I'm like sending you random things to Google or having you put a presentation together or having you write a report- it reminds me of when I used to do I.T. Recruiting. I would call and be like, yes, and they are looking for,"dot net, do you have that?" They're like, "Well, I've used dot net." I didn't even know how to ask, what the thing was that I'm talking about. You need to know this, it's going to help you learn your role. At least to be able to hear conversations and start synthesizing things and start drawing broader themes together and not just sitting in a book or in an isolated lab. It helps you keep up in conversation. If you hear a bunch of us at the water cooler, I know offices still use those. I ain't been in an office for a minute, never going back by the way. But, if you hear us at the water cooler talking, or we're like, "Oh My God, can you believe they unplugged the F-five? And now we gotta re-route the ARP tables and the blah, blah." And you're like...

Nathalie Baker: 10:30

What? You can just say, "What?"

Maril Vernon: 10:34

Yeah. Please come ask us what, that's how you learn, but wouldn't it be so cool to be able to keep up in those conversations? And even if you don't have an opinion,

Nathalie Baker: 10:42

You start to, you start to after a while. I always tell my people, the first year in you're going to learn so much and it's not going to feel like you learned a lot at all. You're going to feel like you still have no clue what you're doing. To this day, I still sometimes wonder, do I really have a clue? And then something happens and I'm like, "blah, blah, blah, blah, blah." It's just like natural for me. Then I'm like, "oh yeah, I do have a clue!" It's the imposter syndrome that, you have, everybody has, but, one day, something's just going to click, and it's going to keep clicking for you because you're just building on that foundational knowledge. Eventually, two or three years in, you're keeping up with some very advanced conversations that two years ago, you didn't think you could even have, or hold or understand what was going on.

Maril Vernon: 11:29

Exactly. When people find out I'm three years into this field, like the way I talk about my work and I can talk about protocols and ports and certain frameworks, and like how certain things, how I do my job, they're like, "Wow, you speak like someone who's been doing this for years." I'm like, yeah, I learned the teeny, tiny pieces first and how to accurately say things before I started sounding unintelligent. But Nathalie's right, imposter syndrome. If you don't know the jargon, if you don't know the words, don't be afraid to listen. Don't be afraid to join the conversation even if you don't have an opinion, you can just absorb. I was always afraid to admit, I didn't know something, and literally I told these people, you're giving me a job in information security, knowing that I know nothing about information security, nothing technical at all. I don't even know what IP addresses are. Okay, so I have like carte blanche to be the stupid person in every room. And yet in meetings still, I was afraid to be like, "I don't know what that means. Can you explain that more?" So I'd be like Uhhuh."Google that, Google that later." And my 20 year architect said, "I've worked in this industry a long time and come across a lot of technologies. I have no idea what you're saying. I'm going to need you to back it up," and I'm like, "oh, okay Bob doesn't know, I don't feel bad now." it just goes to show you, no matter how long, you will never know it all. There's constantly new stuff I'm being exposed to. And I don't feel dumb being like, I don't know the difference between your SOAP API and your REST API and how this applies to my question. Can you give me some context? So, leap right in. We don't know it all. I don't know it all.

Nathalie Baker: 12:51

No, I don't know it all either. And when I first started in the field, I mean to me, I would take the computer throw it out the window and that's how we fix the problem, got you a new computer, you're done. That's how you fix the problem of any issue on a computer: that was it. That was the whole solution, was just get rid of the computer, and get a new one in. It's so funny, because that first year of just going every day, and doing different tasks, I remember the first time I sat through one of our like major audits that we had, that meeting, and everybody's just throwing the tech jargon across the table left and right. And I'm just like, "What in the world, is any this?"

Maril Vernon: 13:32

Words flying like bullets. You're like,

Nathalie Baker: 13:34

mehhh I guess like because I'm a handwritten note person, I'm not really a typing note person. I'm like shorthanding as much as I can, and like just taking down the main points. At the end of this meeting, the biggest thing that I found that I took notes on was that if you left your CAC unsecured, one person in the entire organization left their CAC unsecured, your entire unit failed the audit. So I would go around and start stealing people's CAC cards and we made a whole game.

Maril Vernon: 14:08

Look at you go, insider threat is always the biggest threat people. People will bypass our enterprise solutions every time.

Nathalie Baker: 14:16

But it just made everybody else so much more aware because everybody's like, "I hope Baker doesn't come and find my CAC, unsecured. Oh, I better keep that with me because she'll come and grab it."

Maril Vernon: 14:25

I mean, that's a brand, that's a rep.

Nathalie Baker: 14:28

Yeah.

Maril Vernon: 14:28

That person, I'm just here to keep you accountable. I remember when I first started attending meetings, I would literally, I don't know if people thought I was not paying attention, because I'm the person who's always typing. I don't literally stop, and I'm engaged. You can tell, I'm not answering emails, but I came out of every meeting with a list of words to Google, go Google this word. And then I wrote the phrase that people used it, I'm like "forward to SIEM, SIEM. Okay." And I spelled it S-E-E-M or something. Go find out what the seem is. And I'm like, ah, that thing, yes, I know what that is! Yeah. I like we'll have the seem/sime debate some other time, but yeah. Are you a simmer or a seemer?

Nathalie Baker: 15:05

SEEM

Maril Vernon: 15:05

I'm a seemer too. Are you a CISO or a CESO?

Nathalie Baker: 15:09

CISO.

Maril Vernon: 15:10

CISO? I say CESO. CESO, anyway.

Nathalie Baker: 15:15

There's no, yeah. I say CISO cause there's no E in the letter.

Maril Vernon: 15:20

That makes sense.

Nathalie Baker: 15:22

But the I comes before the E in SIEM. So it's SEEM.

Maril Vernon: 15:26

I take the niche approach. I don't say nitch. I say niche. That's probably my French influence. I'm going to blame that on my French. Anyway, but Gen-Z, the reason why talking technically is relevant to you again, the key takeaways, please, don't be afraid to join in on the conversation. You need to do a lot of absorbing, before you'll know enough, to feel comfortable enough to inject yourself into those conversations.

Nathalie Baker: 15:46

Everybody has to start somewhere,

Maril Vernon: 15:47

You have to start, and you have to start qualifying. I have never met anyone, who's looked me dead in the eye and been like,"You don't know what that means? You're a freaking idiot." So please don't be afraid to ask the questions. We will always be like, "oh, what he is talking about is this thing. Anyway, continue.- Oh, and what we're talking about is how this thing is, blah, blah, blah, blahing with the other thing. Okay, continue. You were mad?"

Nathalie Baker: 16:07

And the ones that don't do that are the ones that usually don't know what the jargon means.

Maril Vernon: 16:13

Yeah. Or they're just jerks

Nathalie Baker: 16:14

Yea, that's true.

Maril Vernon: 16:16

Either way, good to be aware who the jerks are. But it's one of those things that eventually when you do show up, and you are able to speak, and you're like, "I had a question about how the rule on this port is forwarding traffic, blah, blah, blah." It really helps you demonstrate your job. It really helps you communicate without needing to actually see your job performance, that you understand how these things work together and that you can be trusted. Because Gen-Z, we gotta tell you, we love so much about you. We'll say it every episode, we love so much about you. But we had to fight this battle when we got here, the millennials did. People can't stand you. People can't stand you already, you have an inherit bias against you. I'm sorry, it's there. You're going to have to deal with it.

Nathalie Baker: 16:55

People keep mistaking your generation for millennials.

Maril Vernon: 16:59

Yes. Millennials have to be the intolerable ones first,

Nathalie Baker: 17:03

I'm like "Hey, the millennial generation is over."

Maril Vernon: 17:07

Yeah,

Nathalie Baker: 17:07

It's been over. Stop.

Maril Vernon: 17:09

Yeah. So we paved the way for y'all to walk on in uncontested. You're welcome.

Nathalie Baker: 17:13

Yeah!

Maril Vernon: 17:14

Because a lot of people can't stand you and because you're behind on this learning curve already, it really goes so far into showing that you can handle the job. We are going to start hiring y'all as entry level people with no experience. You can say, listen, I don't know what that thing is today, but ask me in a week, and I will be an expert in these three terms that I didn't know today. I will only not know that thing once, I will prove to you that I can keep up with this subject matter, with this curriculum, and I can take it and excel in it. Otherwise, no one's going to trust you with the job, you're definitely not going to get promoted, and you're going to get bored. We know you guys too, y'all have the attention span of gold fishes, especially when it comes to projects.

Nathalie Baker: 17:55

So do I.

Maril Vernon: 17:56

Fair, fair me too. So I want to hack something different every day, but it will be the number one hurdle to you getting ahead and excelling. If you're someone who's just showing up to meetings, showing up, delivering value with your words, letting the technical people know that, "oh, when we have a question, we go to Nathalie because Nathalie can always explain it to us in the way that we want to receive it versus Maril. Maril just keeps it too high level. Maril just doesn't get into the weeds enough with us. That's not actually true. I'm good at my job. It is the number one thing, that's going to build you an internal brand for yourself and people are going to come to you as a subject matter expert. I can't, like the day that I started to be able to communicate in jargon and keep up with conversations that weren't my lane in jargon. I'm not a developer, but the day I understood what the developers were saying. I was like, "Ahhhh, I've made it you guys, like Holy smokes, yes, I'm one of you! We're tribe people now." I can speak your

Nathalie Baker: 18:46

language.

Maril Vernon: 18:47

Yes, day six with the natives. No one suspects a thing, cuz I sound like them. That's what you want in tech. You don't want us to be like"Yep, you're different," no you're not different, you're fine. So speaking layman, great. A lot of cyber people don't have the ability to do the reverse. They don't have the ability to speak layman. They can't take something like kerberoasting, and break it down into simple explanations and tell a stakeholder why it's bad. Which is why those of us with non-technical backgrounds like me, have a niche, have an entry in. I became the face person for my team. I went to all the meetings and explained all the things, but don't lose that technical piece. You need that technical piece to float you with the teams where the cred actually matters. So develop these skills. We're going to add some resources in the notes if you've got an interest. We're also going to keep a running list of all the new terms we use in every episode to make sure that you can keep up with the conversations that we are having. And if you come across any terms, we haven't explained, feel free to drop those in the comments.

Nathalie Baker: 19:49

We'll gladly answer them, and explain what they do. Because it's important to know what they.

Maril Vernon: 19:55

It is important to know what they do. It's important to, I always tell people you don't need like an A+ or a Net+ level of understanding, but you need a Sec+. You need like the data flow overview. I don't need to know how a firewall communicates with the router. I just need to know the purpose that each of them serves the aspects of security, they address and possible ways to attack those things.

Nathalie Baker: 20:15

See, whereas, on my side of security, you have to know how they interact and where to put rules at. Because where the rules lie at in the ACL, which is the, your access control list, it's really important. If you have it too high, up too high down, you could be, letting things in that you don't want to let in.

Maril Vernon: 20:34

I know what that is and what it does. I know the ACL is the thing that interprets whether or not you can have access to those things, but do I care about how it works for you? That's why having so many different people in cyber is so important. Having your different goals is important. You know, so help me God, if one more person brings their laptop to me and says, "Maril, I know this isn't your job, but can you help me fix this?" I'm like, that's literally the opposite of my job. My job is to break it. If you don't want it more broken take it down the street. I cannot help you. So next time we'll have a lesson in offensive security and exactly what we're capable of doing. I'm also like even if I knew how to fix your problem, hopefully our group policies don't let me, because I shouldn't have local admin access to your machine.

Nathalie Baker: 21:17

Yep, yep. You, yeah. Have to put in a ticket.

Maril Vernon: 21:24

Do I? Do I?

Nathalie Baker: 21:27

Sometimes the minute you say ticket to a user, they're just like " What's a ticket? I just call the number."

Maril Vernon: 21:32

Ticket is where hopes and dreams go to die.

Nathalie Baker: 21:35

Yeah, sometimes. Depends on who, has the ticket.

Maril Vernon: 21:39

Yeah. Depends. Okay, that's all we've got for this episode. Thank you so much for joining us again. We hope that above all else, you understand the importance of learning to speak technically. We hope that you aren't afraid to enter those conversations with your peers and ask questions. We hope you're never afraid to be the quote "stupid person in the room," even though no one is really stupid. No one woke up knowing all this stuff intrinsically, I definitely didn't. Nathalie, your favorite key takeaways.

Nathalie Baker: 22:09

Don't be afraid to ask. Make sure that you understand what the person is actually telling you, so if they're explaining it to you in a way that you don't quite understand, one of my favorite things to do when I'm training somebody, is every now and then I'll ask,"do you understand what I just said?" They'll be like, "yeah." And I'll be like, "so can you re-explain it to me in a different way?" Just to check on their learning so that I can ensure that my ADHD didn't get in the way of them actually learning the concept and the fundamental. Make sure that if you don't understand what they're actually saying, you ask them to elaborate or explain it differently. Sometimes it might take two or three times for somebody to explain it to you differently.

Maril Vernon: 22:50

And you cyber professionals, if someone comes to you and asks you a question, don't be that jerk.

Nathalie Baker: 22:54

Yep.

Maril Vernon: 22:55

You didn't know this all out of high school either. So...

Nathalie Baker: 22:57

Nobody knew this day one, and it's just so mind boggling that people still feel that they need to be jerks about it.

Maril Vernon: 23:07

If that's you, we're going to find you The Cyber Queens. We're going to get

Nathalie Baker: 23:11

We're the vigilantes of justice,

Maril Vernon: 23:14

Just protecting people, one jerk at a time. That's what we do. All right, thank you so much for spending time with us! We love you. We hope you go out there and succeed. Please leave your questions in the comments and hit that subscribe button for more useless, just kidding, for more great cyber tips. Bye!