To Comply or Not To Comply

Andrew Alaniz, Director of Technology & Risk at Freddie Mac, joins me on a journey through the essentials of cybersecurity leadership. With years of experience in the industry, I picked Andrew’s brain on what leadership really looks like, and how it differs from being a manager. Focusing on empathy and understanding for the people we lead, Andrew explains how to earn trust from the people around you, inspire collaboration between employees in remote work settings, and create safe spaces where no one has to leave “life” at the office door. 
 
Timecoded Guide:
[00:00] Connecting with the people behind cyber technology
[05:22] Starting a cyber career with less barriers to entry
[14:35] Building empathy and earning trust as a leader
[21:52] Cyber career burnout and employee safe spaces
[31:59] Actions speaking louder than words when leading employees
What is the importance of empathy in leadership?
Many people want to be a better leader in their workplace, but Andrew understands that a true leader leads with empathy. Real leadership cannot be earned from a place of selfishness and real trust can’t be bought. Understanding others, caring about their lives, and opening yourself up to be a safe space builds the foundation of trust and empathy between you and the people you’re leading. There is no “hack” to better leadership or a stronger team performance. Better performances are born from knowing your team and caring about them as employees and as people, with rich lives inside and outside of work. 
“I think that empathy is maybe the utmost requirement for an effective leader. You can take trust, you can buy trust, and you can earn trust. The only way trust is sustainable is if it's earned, and empathy is really essential to that.”
 
When people think about work-life balance, especially in cyber, what does that mean?
The concept of work-life balance has become a daily conversation for leaders around the world, and Andrew encourages us to rethink what we may see as a balance. While everyone deserves a life outside of work, life doesn’t end when you’ve stepped inside an office or logged onto your computer for the day. A balance needs to happen and life outside of work has to be respected, but employees shouldn’t feel afraid to be open about their lives during the workday. Instead, everyone on your team should feel empowered and respected to do their jobs without carrying the baggage of work home with them, or feeling the stress of not being able to share their lives with their coworkers when they’re at the office. 
“[Leaders have to] empower our teams to feel safe about that work-life balance. I think that's important. There's a lot of places where there's a fear of, ‘I've got to keep life separate,’ but the reality is, you can't.”
 
Do you think it's on the leaders to have visibility into their employees’ lives and to help manage burnout? 
Everyone in cyber fears losing an employee or even their own job success to burnout. However, career burnout is preventable and Andrew wants leaders to know that they can help prevent it. We didn’t get to the staffing gap we’re in today without leaders and managers pushing employees too hard for too long. Taking us back to the concept of empathy, Andrew explains that he wants his people to feel empowered and encouraged to do what they need to do to thrive at work. Adopting a “Yes, but” approach helps Andrew and his team acknowledge that there are sacrifices that have to be made in order to take on more projects without ruining work boundaries or causing employee burnout. 
“Customer service is one of my top priorities. Quality is my second priority, but we're going to be a culture of ‘Yes, but.’ ‘Yes, but,’ is the idea that, yes, I can absolutely get to that, but right now it's going to take me two weeks to get to it, or whatever that may be.” 
 
Where do you sit in the debate between remote work and the return to offices?
Remote cybersecurity positions increased tenfold during the COVID-19 pandemic, but many employees are now seeking a return to the office or a hybrid working position for their employees. Considering he’s a director himself, I was curious as to how Andrew views security professionals working remotely. According to Andrew, we don’t have to head back to the office yet (or ever) if we don’t want to, but we do have to encourage remote collaboration and personal connection between our employees and ourselves. Taking advantage of Zoom, Teams, and chat channels like Slack from a less professional standpoint might open up the opportunity for employees to talk just like they would in an office— sometimes about work, but other times about life, events, or new ideas. 
“There's a difference between remote work and remote collaboration. A lot of companies have remote work down, but remote collaboration is completely different. People accidentally collaborated constantly in the office.”
---------
Links:
Keep up with our guest, Andrew Alaniz, on LinkedIn.
Connect with AJ Yawn on LinkedIn and Twitter
Follow ByteChek on LinkedIn and Twitter, or learn more about ByteChek on their websiteListen to more from the Hacker Valley Studio and To Comply or Not to Comply

I invite Val Dobrushkin, Director of Risk & Compliance at Noname Security, into the studio this week to tap into his openness and transparency around his role as a security leader and his personal mental health journey. As compliance professionals, Val and I cover the technical side of his career, including his opinions and experiences with SOC 2, ISO, and GRC. As friends, Val and I dive deep into the difficult topics of workplace stress, labor shortages, career burnout, and mindfulness.
Timecoded Guide:
[00:00] Framework preferences & the benefits of SOC 2 vs ISO
[07:06] Compliance & security from a business perspective
[13:52] Cybersecurity labor shortages & tech skill gaps
[16:50] Workplace stress & the struggle of cyber career burnout
[21:15] Mental health advice for security practitioners 
 
Do you think GRC is a good entry point for cybersecurity? 
Much like myself, Val is a firm believer in GRC as a solid entry point in the cyber security industry. Junior security practitioners need an area where they’re exposed to a variety of positions and functions, and Val sees endless training opportunities for a young professional looking to get their start in GRC. Repeatable processes and teachable functions show entry-level cyber employees the value of compliance and how what we do as cyber professionals impacts the businesses we work with.
“When you rise up the ladder, you may feel like those standard beginning steps are tiring from having done them for many years, but it's those things that are easy to pick up. They're easily repeatable, and a very quick intro to say, ‘Hey, this is what this does for the business. There's some value in it.’” 
 
How do we solve the cybersecurity labor shortages and skill gaps? 
Anyone working in the industry understands the stress of the cyber workforce gap and how it has impacted both understaffed tech companies and overworked cybersecurity practitioners, especially in the wake of the covid-19 pandemic. With so much conversation around cybersecurity talent shortages, I asked Val where he saw potential for solutions. His advice fell on the shoulders of cyber industry leaders, urging them to acknowledge the security skills gap and the staffing issues taking place. Without acknowledgement, Val warns that leaders will not set themselves up for success when welcoming new security professionals to the workforce or training industry outsiders in new positions. 
“When we hire somebody, we can give them a set title, a set function. At the same time, we also have to leave them room so they can grow and do something more, something better, something different.”
 
Why do you think we’re seeing cybersecurity professionals burning out?
Not only are cyber staffing shortages weighing on us, but cybersecurity professionals are burning out at rapid rates. The great resignation feels far from over for many companies, and I have seen security personnel quickly burn out and leave the industry entirely. Considering Val’s vulnerability about mental health, he is quick to sympathize with those skilled workers feeling too exhausted to continue their roles. Security practitioners are often undervalued when businesses see cybersecurity as an expense, not something that can potentially save their business. Undervaluing combined with a lack of cohesiveness in teams and a lack of new opportunities, we are looking at a potential mental health crisis in cyber.
“Security is not usually appreciated. Things go wrong and then, security is often blamed for not fixing things beforehand, or not building these things right. There's always a lot of pressure…It’s really hard to compete.”
 
Can you tell me about your personal mental health journey and how it has impacted your cyber career and company?
Immigrating to America at a young age and pushing himself hard in his career led to Val learning his lesson about mental health the hard way. After struggling with depression throughout his adulthood and managing his mental health through mindfulness and spirituality, Val focuses more of his energy now on showing others the value of lifting yourself up. While focusing too hard on societal and career expectations led to Val’s personal burn out, he’s come out the other side of many of his mental health struggles with clarity and consciousness about what others are going through, as well as a motivation to guide others on a healthier mental health journey.
“I learned early on in my career, when I had my first subordinates, that when people were underperforming, it wasn't because they were bad or they weren't skilled, there was something else going on. Once we were able to figure out what that something else was, they performed well above my expectations.”
---------
Links:
Keep up with our guest, Val Dobrushkin, on LinkedIn
Learn more about Noname Security on their website and LinkedIn.
Connect with AJ Yawn on LinkedIn and Twitter
Follow ByteChek on LinkedIn and Twitter, or learn more about ByteChek on their website
Listen to more from the Hacker Valley Studio and To Comply or Not to Comply

I invite Corey Quinn to take a break from his podcast hosting role and join me on the opposite side of the table on To Comply or Not to Comply this week. As the Cloud Economist at the Duckbill Group, writer of the Last Week in AWS newsletter, and host of the podcast Screaming in the Cloud, Corey is an expert in Amazon Web Services (AWS). Corey joins me in this episode to talk about developing his business focus, being profiled by the New York Times, and making the decision to invest in my startup, ByteChek.
 
Timecoded Guide:
[04:23] Finding a business niche and understanding the value of the Duckbill Group’s AWS expertise 
[11:56] Explaining where the humor of Last Week in AWS comes from and how Corey keeps a lighthearted yet snarky and amusing perspective on AWS issues 
[18:10] Delving into Corey’s vision for the investment portion of his career and what his motivations were for becoming an investor in ByteChek
[26:42] Being featured in the New York Times and explaining the reactions that both he and others had to the article about him
[29:34] Noticing the role that fatherhood has had in his career and how Corey has learned to better prioritize his schedule and his family 
 
How did you develop the focus on AWS for the Duckbill Group?
Although I point out the criticisms specialists in tech often receive, Corey is quick to defend the Duckbill Group’s focus on AWS. His reasoning? It pays well and it’s a very important problem to fix. It might seem like a source of strength to be a jack of all trades or a generalist, but Corey says that there’s rarely a market for generalists. Instead, people and companies alike approach specialists to solve their problems, wanting to pay the money for their expertise rather than take a chance on someone they only knows a general overview of their issue or problem.
“People don't want to reach out with expensive problems to generalists. They want to reach out to someone who they believe specializes in the exact problem they deal with and that they want to get solved.” 
 
What is the feedback like for your Last Week in AWS newsletter?
Corey’s Last Week in AWS newsletter has developed a really decent following over the span of his career, starting only as a fun way to share news and skyrocketing from there. Even with the increased popularity of his newsletter, Corey’s surprising news is that he actually rarely receives email feedback from subscribers. He receives positive feedback in-person, especially from peers enjoying his takes on the latest developments and finding humor in the snarky statements he makes, but Corey finds that email responses and feedback are hardly the norm for him, only receiving the occasional typo correction. 
“Increasingly, I find that when people have problems with what I write, the easiest way to fix that is to have a conversation with them and add a little context. Sometimes I'm wrong, sometimes I'm not, but it's always a conversation that leads to better outcomes as a result.”
 
What was that experience like, to be in the New York Times, talking just about who you are and what you bring to the space?
Although Corey has a following in the AWS space, it was a big surprise to him for the New York Times to reach out for a profile on him and it provided him with an incredible perspective of the impact of what he does not only with Duckbill Group, but with everything involved in Last Week in AWS. This was a source of stress for Corey, who definitely worried about what would come from such a high-profile publication covering his occasionally snarky work, but he’s been incredibly pleased with the response so far and hopes it continues to elevate his platform and spreads the words about the common issues of AWS
“Believe me, I deserve a lot of criticism for the things I say and do, but it was a really interesting experience, start to finish. I didn't expect it to get the level of attention that it did. I didn't expect the positive business outcomes that came out of it, and I'll be forever grateful.”
 
Why are you open to sharing your fatherhood journey with folks out there and how has being a father played a role in your career?
As a father myself, Corey’s dedication and care towards his two children inspires me to continue to share my journey through fatherhood out in the open. While motherhood has become an increasingly visible talking point as we discuss tech work environments, fatherhood can also have a massive impact on the decisions we choose in our careers. For Corey, he’s quick to admit that his fatherhood informs his decisions to unplug from his work on the weekend. He’s willing to set strict boundaries with himself about when he’s working and when he’s not, especially when it means he can be there for his children as they grow up.
“There's always going to be another RSA coming to town, or there's always going to be another event where I'm invited to keynote, but I'm not going to get these years of having young kids back. I want to spend time with them as they grow up.” 
---------
Links:
Keep up with our guest, Corey Quinn, on LinkedIn, Twitter, the Last Week in AWS website, and the Duckbill Group website
Read the New York Times article about Corey Quinn and check out Corey’s podcast, Screaming in the Cloud
Connect with AJ Yawn on LinkedIn and Twitter
Follow ByteChek on LinkedIn and Twitter, or learn more about ByteChek on their websiteListen to more from the Hacker Valley Studio and To Comply or Not to Comply

“The people who make it and end up being successful, are the people who stick with the problem the longest” - Ariana “The Techie”
Have you ever had a vision so clear in your mind that you remained steadfast in your pursuit, despite your less than ideal circumstances? As a 26 year-old black woman and solo founder of Mueshi - a Web3 NFT marketplace for fine art - Ariana ‘The Techie” has had to overcome all odds.  
In this episode of To Comply Or Not To Comply, Ariana joins host AJ Yawn to share:
Her founder’s journey - from ideation to conception 
What motivates her to ‘stay the course’
Representation in tech, or lack thereof
Her advice for aspiring entrepreneurs and founders
A VERY special announcement!
This episode is full of inspiration and motivation to those in pursuit of greatness and we cannot wait for you to hear it!
 
Guest Bio:
Ariana is a Software Engineer by trade and Founder of Mueshi - a Web3 NFT marketplace for fine and contemporary art. Her special interests include: Web & Mobile Applications, and BlockChain Development (NFT's and smart contracts).
 
Links:
Stay in touch with Ariana on LinkedIn and Twitter and learn more about Mueshi!
Connect with AJ Yawn on  LinkedIn and Twitter 
Follow ByteChek on LinkedIn and Twitter or learn more about ByteChek on their website.
Listen to more from Hacker Valley Media and To Comply Or Not To Comply!
 

With a looming skills/people gap in cybersecurity and technology growing at an alarming rate, we need cybersecurity professionals now more than ever before. As cyber threats become increasingly complex, the need for diverse minds and talent is a mission critical issue. In this episode, AJ is joined by Chandler Malone to talk about the state of diversity in cyber – or lack thereof, and the highs and lows of being startup founders in the space.
 
Guest Bio:
Chandler Malone is a three time entrepreneur who is now building Bootup and investing in early stage companies through Atento Capital. His journey began as a college student, building an events business that hosted shows for Billboard top 10 artists including the Chainsmokers before launching his first software company, The Moves, which he exited in 2019. Chandler has a passion for helping underrepresented entrepreneurs and using technology to improve quality of life. Chandler serves as an Investor in Residence at Washington University in St. Louis and a board member at Urban Coders Guild.
Links:Stay in touch with Chandler Malone on LinkedIn  and TwitterConnect with AJ Yawn on LinkedIn and TwitterLearn about ByteChekHear more from shows from Hacker Valley Media

It’s no secret that compliance can suck sometimes. Some see compliance as something to be upheld, while others see it as a tedious obstacle. In this episode, AJ brings two opposing sides, Chris and Rowan, to the table to discuss their stance on the matter. Join them as they explore questions such as: What are the challenges with Soc 2? Where do the problems really lie? How do we make compliance suck less?
 
Guest Bios: Rowan Troy is a Senior Cyber Security Consultant at Littlefish (UK) Ltd. Chris Roberts is currently serving as a vCISO or advisor for a number of entities and organizations around the globe. His most recent projects are focused within the threat intelligence, identity, cryptography, Artificial Intelligence, and services space.
Links:Stay in touch with Rowan Troy on LinkedIn Stay in touch with Chris Roberts on LinkedInTo Comply or Not To Comply: Website | AJ

In this episode, AJ is joined by friend and Director of Information Security and IT at Beam Technologies, Naomi Buckwalter. The two sit down to have a refreshing conversation about internships and entry-level hiring in InfoSec. Naomi shares the story behind her opera singing intern that became a rockstar cybersecurity analyst and why she thinks there are many more folks like this out there. AJ opens up about ByteChek’s commitment to entry-level hiring and reflects on amazing things that can happen when you give people a chance.
 
Key Takeaways:
01:53  Bio
05:10  Hiring entry-level in InfoSec 
07:49  The opera singing intern
12:44  ByteChek’s commitment 
13:55  Cybersecurity is very teachable!
16:44  Self reflection - hiring tips
 
Links:Stay in touch with Naomi Buckwalter on LinkedIn To Comply or Not To Comply: Website | AJ

In this episode, AJ is joined by Jim Goldman, the CEO and Co-Founder of Trava, to discuss why cybersecurity risks are risks to the business itself. The two explore why leaders gain an advantage by understanding the technical landscape, how cybersecurity has earned its seat at the boardroom table, and why being in compliance does not guarantee safety. 
 
Key Takeaways:
00:51  Bio
05:51  Network engineering and security
07:43  Trava - keeping small businesses safe
12:42  Cyber risk IS business risk 
15:03  Cyber’s seat at the table
17:08  Putting a price on risk
20:29  Compliance standards are essential
23:08  Focus on security  
25:36  Jim’s final words - a metaphor for thought
26:13  Stay in touch with Jim!
 
Links:Connect with Jim Goldman on LinkedIn Hear more To Comply or Not To Comply episodes here and connect with AJ on LinkedIn
 

Lisa Hall is the Chief Information Security Officer at Color where she heads the Information Security and GRC programs. With over 14 years of experience in the information security field, she is a welcomed addition to the podcast. Listen in as she joins AJ to talk about being your true self at work, what it takes to do so, and how to excel as a CISO. 
 
Key Takeaways: 
00:59  Bio 
01:47  The decision to be a CISO 
06:24  Using your title for good and impacting others 
08:34  Advocating for yourself and others 
11:25  Showing up as You 
13:10  The hardest part of the job 
16:20  People skills 
20:40  Frameworks don’t update fast enough 
23:50  Auditors and auditor relationships 
 
Links: 
To Comply or Not To Comply: Website | AJ 
Lisa Hall: LinkedIn | Twitter  

In this episode of To Comply Or Not To Comply, AJ is joined by friend, ByteChek Board Advisor, Senior VP & CISO at Epiq, Jerich Beason. The two share their thoughts on preparing for a crisis, how to leverage your confidence and muscle memory in the heat of decision making, and why communication is so vital when handling an incident. Furthermore, Jerich dives into the roles and responsibilities of a security leader and the importance of empathy and saying ‘thank you!’ Lastly, AJ and Jerich reflect on what security compliance is, why we are getting it wrong, and what it could become.
 
Key Takeaways:
01:20  Bio
03:50  Courage and confidence in decision making
06:42  Reacting to a crisis
09:35  Communication is key
13:24  Staying prepared
19:46  Tips for leaders - saying "thank you!"
24:26  Compliance and celebrity vulnerabilities
30:47  Stop saying SOC 2 compliant!
35:17  Drowning in info, but starving for knowledge
 
Links:
To Comply or Not To Comply: Website | AJ
Jerich Beason: LinkedIn | Podcast | Blog