1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:14,760
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:14,760 --> 00:00:16,600
Welcome to Episode 100.

4
00:00:16,600 --> 00:00:19,840
This week, it's absolutely everyone here, so it's myself, Michael, with Mark, Sarah

5
00:00:19,840 --> 00:00:20,840
and Gladys.

6
00:00:20,840 --> 00:00:24,520
And we're here to sort of kind of reminisce and just go through things that we've, you

7
00:00:24,520 --> 00:00:28,840
know, sort of discussed and just look at our opinions on various aspects around the world

8
00:00:28,840 --> 00:00:29,840
of security.

9
00:00:29,840 --> 00:00:33,240
So we're going to go through with some sort of questions that we have and we'll sort of

10
00:00:33,240 --> 00:00:38,520
round robin things between Mark, Sarah, Gladys and then me.

11
00:00:38,520 --> 00:00:39,520
So let's just kick things off.

12
00:00:39,520 --> 00:00:42,380
There's going to be no news this week because we just felt like this is an episode that

13
00:00:42,380 --> 00:00:44,720
can kind of stand by itself for a while.

14
00:00:44,720 --> 00:00:47,520
Hopefully we'll have some advice that people can use in here as well.

15
00:00:47,520 --> 00:00:52,800
Again, this is a very sort of practical episode back here, just looking at our experiences.

16
00:00:52,800 --> 00:00:53,800
Let's kick things off.

17
00:00:53,800 --> 00:00:59,000
The first question we're going to raise is, so what got you started in computing or in

18
00:00:59,000 --> 00:01:00,000
security?

19
00:01:00,000 --> 00:01:02,160
So why don't we get, why don't you get going, Mark?

20
00:01:02,160 --> 00:01:04,360
Yeah, I kind of stumbled into both.

21
00:01:04,360 --> 00:01:06,000
Like I was always good at computers.

22
00:01:06,000 --> 00:01:11,680
And so I just applied for a PC job at a small college and, you know, that kind of got me

23
00:01:11,680 --> 00:01:16,600
started in computers and security for me was actually kind of an interesting one.

24
00:01:16,600 --> 00:01:18,760
Like I had some, I did a lot of work.

25
00:01:18,760 --> 00:01:24,160
I've been at Microsoft like 24 years now and I did a lot of work mostly on the support

26
00:01:24,160 --> 00:01:26,200
side and the infrastructure side.

27
00:01:26,200 --> 00:01:28,120
The security was always like a theme on it.

28
00:01:28,120 --> 00:01:30,360
Like I was on the Active Directory team, right?

29
00:01:30,360 --> 00:01:34,640
When it first launched, actually, I got to Microsoft like the day after the big launch

30
00:01:34,640 --> 00:01:35,640
party.

31
00:01:35,640 --> 00:01:38,200
So everybody was telling me how cool the party was.

32
00:01:38,200 --> 00:01:41,280
And there was this popular band from the 60s that had just performed and everything like

33
00:01:41,280 --> 00:01:45,960
that for the Windows 2000, SQL 2000, Office 2000, et cetera, launch party.

34
00:01:45,960 --> 00:01:49,080
And I got there the next Monday and they were like, oh, this was such a cool party.

35
00:01:49,080 --> 00:01:50,080
Did you guys?

36
00:01:50,080 --> 00:01:53,760
I'm like, nope, I just started.

37
00:01:53,760 --> 00:01:58,960
But like in that whole time, like I ended up doing a lot of, I guess, tangential security

38
00:01:58,960 --> 00:01:59,960
stuff.

39
00:01:59,960 --> 00:02:03,640
Like, I mean, the Active Directory team that we supported EFS, Michael, I'm sure you remember

40
00:02:03,640 --> 00:02:04,840
that one.

41
00:02:04,840 --> 00:02:09,960
And certificate server and the security technologies got lumped in with identity because, you know,

42
00:02:09,960 --> 00:02:13,840
identity is like half security and half productivity anyway.

43
00:02:13,840 --> 00:02:20,760
And I did Windows XP baselines to get some approvals and whatnot as a consultant for

44
00:02:20,760 --> 00:02:21,760
some of my customers.

45
00:02:21,760 --> 00:02:25,200
I'm still at Microsoft, but for one of my customers.

46
00:02:25,200 --> 00:02:30,280
And so I've had security exposure throughout it, but I was doing management tools and Windows

47
00:02:30,280 --> 00:02:32,240
and stuff for the career.

48
00:02:32,240 --> 00:02:38,720
And then opportunity came up to do cybersecurity, whatever, 10, 12 years into it.

49
00:02:38,720 --> 00:02:40,640
And I was like, let me try doing this thing full time.

50
00:02:40,640 --> 00:02:42,600
It seems like it's kind of fun.

51
00:02:42,600 --> 00:02:49,880
And I just kind of got the bug from there and got to learn in those kind of first customer

52
00:02:49,880 --> 00:02:50,880
facing teams.

53
00:02:50,880 --> 00:02:55,640
That was brought in as the infrastructure guy, not as a security person.

54
00:02:55,640 --> 00:03:00,440
And I got to learn from some of these really smart people that started the MSRC and went

55
00:03:00,440 --> 00:03:04,960
on to run the Azure Red team and went on to be CISOs at different organizations.

56
00:03:04,960 --> 00:03:10,880
And so I just got a chance to kind of have a leapfrog ahead of where a lot of people

57
00:03:10,880 --> 00:03:14,360
were thinking at the time and got to work on the Pass the Hash white paper and stuff

58
00:03:14,360 --> 00:03:15,360
like that.

59
00:03:15,360 --> 00:03:19,320
So it was just like one of those things that I just happened to have a knack for and the

60
00:03:19,320 --> 00:03:20,800
opportunities lined up for me.

61
00:03:20,800 --> 00:03:25,880
So nothing I can give people's advice to follow my path.

62
00:03:25,880 --> 00:03:30,080
But yeah, that's kind of what got me started.

63
00:03:30,080 --> 00:03:32,440
And for me, I really like it.

64
00:03:32,440 --> 00:03:33,440
I like hard problems.

65
00:03:33,440 --> 00:03:35,160
I like complex things.

66
00:03:35,160 --> 00:03:40,800
And I like reconciling different stuff because security is at the nexus of business, of technology,

67
00:03:40,800 --> 00:03:47,920
of attackers, international politics and diplomacy and economics.

68
00:03:47,920 --> 00:03:51,520
And there's so many different things that apply to it and offer lessons learned.

69
00:03:51,520 --> 00:03:53,400
It's like, I just love that kind of stuff.

70
00:03:53,400 --> 00:03:54,400
I love learning.

71
00:03:54,400 --> 00:03:55,600
I love connecting the dots on stuff.

72
00:03:55,600 --> 00:03:57,480
And so that's what kind of keeps me going.

73
00:03:57,480 --> 00:04:03,640
I mean, there's a lot of hope in it that you kind of got to keep to keep your sanity.

74
00:04:03,640 --> 00:04:05,280
But yeah, that's kind of my story.

75
00:04:05,280 --> 00:04:12,880
Okay, so for me, well, I actually started, well, I should have studied.

76
00:04:12,880 --> 00:04:18,840
If anyone doesn't know, I have a history degree because when I was 17, I knew better.

77
00:04:18,840 --> 00:04:25,000
I was told to go into IT, but I felt like some kind of technology degree.

78
00:04:25,000 --> 00:04:29,640
But I felt like that would limit me to IT, surprisingly enough.

79
00:04:29,640 --> 00:04:32,260
And when you're 17, you're very non-committal.

80
00:04:32,260 --> 00:04:33,600
So I did a history degree.

81
00:04:33,600 --> 00:04:36,520
I hated it, but I did finish it.

82
00:04:36,520 --> 00:04:40,840
And then I wanted to realize I wanted to do tech because it would let me move countries.

83
00:04:40,840 --> 00:04:44,840
That is actually pretty much why I went into it.

84
00:04:44,840 --> 00:04:47,300
But then obviously, I didn't really have any tertiary qualifications.

85
00:04:47,300 --> 00:04:49,200
So I just did help desk.

86
00:04:49,200 --> 00:04:53,520
So front line, first line help desk, which was very interesting.

87
00:04:53,520 --> 00:04:58,560
And I learned the amazingly weird things some people do with their technology.

88
00:04:58,560 --> 00:05:02,600
Then I went into networking, because that's what the IT company around the corner from

89
00:05:02,600 --> 00:05:04,200
my mom and dad's house did.

90
00:05:04,200 --> 00:05:06,600
So I learned all my Cisco networking.

91
00:05:06,600 --> 00:05:09,880
I mean, expired CCNA, CCNP, et cetera.

92
00:05:09,880 --> 00:05:13,280
And then I ended up deploying a lot of phones all around Europe.

93
00:05:13,280 --> 00:05:17,720
I have deployed around 250,000 Cisco phones back in the day.

94
00:05:17,720 --> 00:05:18,960
So that was super fun.

95
00:05:18,960 --> 00:05:19,960
But then I moved countries.

96
00:05:19,960 --> 00:05:21,840
I went to New Zealand.

97
00:05:21,840 --> 00:05:26,340
And the company that employed me told me I'd be doing the same things I'd been doing before.

98
00:05:26,340 --> 00:05:29,200
But when I got there, they were like, oh, hey, you're technical, right?

99
00:05:29,200 --> 00:05:30,600
And I was like, yeah.

100
00:05:30,600 --> 00:05:36,040
They're like, but we don't actually do what you were doing in the UK.

101
00:05:36,040 --> 00:05:38,760
So go help security.

102
00:05:38,760 --> 00:05:40,400
That's actually how I ended up in security.

103
00:05:40,400 --> 00:05:46,800
It was very bizarre, because they had told me that they did networking in Cisco and blah,

104
00:05:46,800 --> 00:05:47,800
blah.

105
00:05:47,800 --> 00:05:49,400
And apparently they didn't, but they gave me a job anyway.

106
00:05:49,400 --> 00:05:53,120
But that's probably a wonderful New Zealand thing more than anything else.

107
00:05:53,120 --> 00:05:59,200
But then after I ended up in security, I realized security is actually really interesting and

108
00:05:59,200 --> 00:06:01,080
fun and there's a lot more going on.

109
00:06:01,080 --> 00:06:03,800
So I stayed and that was like over 10 years ago now.

110
00:06:03,800 --> 00:06:05,840
So there's so much going on.

111
00:06:05,840 --> 00:06:06,840
It changes.

112
00:06:06,840 --> 00:06:07,840
It's fun.

113
00:06:07,840 --> 00:06:09,520
I like talking about it way too much.

114
00:06:09,520 --> 00:06:11,800
I was on a flight back from Texas.

115
00:06:11,800 --> 00:06:17,880
So for anyone who doesn't know, Texas to Australia is a good solid 15, 16 hours.

116
00:06:17,880 --> 00:06:24,840
Ended up at the back giving the flight attendant a lesson on personal security, because that's

117
00:06:24,840 --> 00:06:25,840
how cool I am.

118
00:06:25,840 --> 00:06:33,520
But I do, so I end up talking about it literally all the time and I do still really love it.

119
00:06:33,520 --> 00:06:38,240
Sometimes I know recently, if anyone follows me on Twitter, sometimes it can get a bit

120
00:06:38,240 --> 00:06:41,080
overwhelming I think.

121
00:06:41,080 --> 00:06:44,520
I had to take a social media break recently because I couldn't deal.

122
00:06:44,520 --> 00:06:46,480
But generally still love it.

123
00:06:46,480 --> 00:06:48,080
Not going anywhere for sure.

124
00:06:48,080 --> 00:06:50,320
And yeah, so that's me.

125
00:06:50,320 --> 00:06:53,520
I guess I'm going to show my age.

126
00:06:53,520 --> 00:07:00,160
Eventually there was a set of things that happened that got me into computers.

127
00:07:00,160 --> 00:07:06,000
The first thing that happened is my parents bought me an Atari, right?

128
00:07:06,000 --> 00:07:11,840
And I started playing Space Invaders and all these cool games and I wanted to know how

129
00:07:11,840 --> 00:07:14,380
to make these games.

130
00:07:14,380 --> 00:07:20,360
So eventually they brought Radio Shack type of computer.

131
00:07:20,360 --> 00:07:27,880
And this Radio Shack computer, it was for my father to do accounting type of work with

132
00:07:27,880 --> 00:07:30,560
Lotus 1-2-3 back then.

133
00:07:30,560 --> 00:07:38,960
For those of you that do not know, that was the first type of spreadsheet software.

134
00:07:38,960 --> 00:07:44,320
So I remember that my father was doing a lot of accounting work in there.

135
00:07:44,320 --> 00:07:51,560
He was going to leave to work and he looked at me and he said, don't touch the computer.

136
00:07:51,560 --> 00:07:53,140
This is very important.

137
00:07:53,140 --> 00:07:55,840
Don't touch the computer if you break it.

138
00:07:55,840 --> 00:08:04,140
There's a lot of important work from my business and from the company that he was working on.

139
00:08:04,140 --> 00:08:05,140
So what did I do?

140
00:08:05,140 --> 00:08:07,160
I did touch the computer.

141
00:08:07,160 --> 00:08:14,680
And actually I was playing with the BIOS and I changed some configuration and all the data

142
00:08:14,680 --> 00:08:18,640
disappeared and I had no idea what to do.

143
00:08:18,640 --> 00:08:23,360
But I had until 5 p.m. to figure it out, right?

144
00:08:23,360 --> 00:08:28,920
And I got so nervous that I didn't try first to do all the steps backwards.

145
00:08:28,920 --> 00:08:36,160
I just started reading all the computer manuals and at that time I could drive and I went

146
00:08:36,160 --> 00:08:37,920
to Radio Shack.

147
00:08:37,920 --> 00:08:40,440
I was 16 back then.

148
00:08:40,440 --> 00:08:44,640
And I started asking them questions and they couldn't answer how to bring it back.

149
00:08:44,640 --> 00:08:49,680
Anyway, I went back home and I kept reading and then I said, okay, let me see if I could

150
00:08:49,680 --> 00:08:54,020
I do the steps backwards if I get all that working.

151
00:08:54,020 --> 00:09:02,080
And I did with 20 minutes before my father arrived and then I mentioned it to him and

152
00:09:02,080 --> 00:09:07,400
he looked at me and he kind of smiled, but I know that he was a little bit nervous and

153
00:09:07,400 --> 00:09:09,800
then he was checking his computer.

154
00:09:09,800 --> 00:09:19,640
Anyway, that led me to want to learn to program, to do programming and I wanted to study robotics.

155
00:09:19,640 --> 00:09:26,520
So what I did is I went to the university and the program that did robotics was in the

156
00:09:26,520 --> 00:09:29,080
electrical and computer engineering.

157
00:09:29,080 --> 00:09:36,160
So I started a degree in electrical and computer engineering, but two years into the bachelor

158
00:09:36,160 --> 00:09:41,680
degree, the university didn't have enough students studying robotics.

159
00:09:41,680 --> 00:09:44,240
So they canceled the program.

160
00:09:44,240 --> 00:09:50,160
And what I did is I changed my major to computer science, which was programming.

161
00:09:50,160 --> 00:09:58,100
But during that time, I got an internship with Cox communication and I was supposed

162
00:09:58,100 --> 00:10:02,360
to be working in the engineering department.

163
00:10:02,360 --> 00:10:12,000
They had this Windows NT 3.1 system and they said, well, you're a computer and electrical

164
00:10:12,000 --> 00:10:17,280
engineer major, so you're responsible for making this work because it keeps breaking

165
00:10:17,280 --> 00:10:21,500
and blue screening and this phase that it comes out.

166
00:10:21,500 --> 00:10:22,640
So you figured it out.

167
00:10:22,640 --> 00:10:30,040
So I had to start reading a lot of books into this operating system, ask a lot of questions.

168
00:10:30,040 --> 00:10:32,080
There was no internet.

169
00:10:32,080 --> 00:10:37,960
There were not that many people to ask questions about because everything was in Novell.

170
00:10:37,960 --> 00:10:46,580
For those of you that do not know, Novell was a pre prior operating administrative operating

171
00:10:46,580 --> 00:10:49,140
system for networks.

172
00:10:49,140 --> 00:10:57,800
So I actually got certified in Novell, then eventually got certified in Windows NT, not

173
00:10:57,800 --> 00:11:04,040
3.1, but 3.5 and then 4.0 and then 2000 and so on.

174
00:11:04,040 --> 00:11:13,560
So throughout the work that I started doing, basically it led me to continue the internship

175
00:11:13,560 --> 00:11:22,120
and during the internship, I decided to teach others what I was learning.

176
00:11:22,120 --> 00:11:28,080
And I remember in one of these classes, I was teaching Excel and there was this gentleman

177
00:11:28,080 --> 00:11:34,640
that came to me and said, Gladys, Gladys, look what I did.

178
00:11:34,640 --> 00:11:40,840
Basically he put colors in this table and did some functions, some basic stuff.

179
00:11:40,840 --> 00:11:46,200
But I always remember the brightness and how happy he looked.

180
00:11:46,200 --> 00:11:48,680
The brightness is in his eyes.

181
00:11:48,680 --> 00:11:50,280
And I said, this is what I want to do.

182
00:11:50,280 --> 00:11:54,240
I want to help others accomplish things with computers.

183
00:11:54,240 --> 00:11:59,960
Anyway, eventually it led me to Microsoft and in Microsoft, one mentoring people that

184
00:11:59,960 --> 00:12:05,760
were teaching me about security and eventually I migrated to security.

185
00:12:05,760 --> 00:12:12,560
So it's a long story, but it shows the type of work it was doing.

186
00:12:12,560 --> 00:12:16,560
But I'm proud of it and I love the work that I'm doing.

187
00:12:16,560 --> 00:12:21,200
I continue to try to share my knowledge with others as much as I can.

188
00:12:21,200 --> 00:12:22,200
All right.

189
00:12:22,200 --> 00:12:27,400
Well, my story probably starts further back in time than yours, Gladys.

190
00:12:27,400 --> 00:12:29,800
So it all starts when I was about 16 years old, I think.

191
00:12:29,800 --> 00:12:34,440
And I'm going to talk in New Zealand parlance here just because that's where it all happened.

192
00:12:34,440 --> 00:12:42,560
I bought a ZX81, a Sinclair ZX81, which had a Z80 CPU and it had 1K of memory.

193
00:12:42,560 --> 00:12:47,000
I ended up in the 16K memory pack, which was incredible.

194
00:12:47,000 --> 00:12:48,080
All that memory to play with.

195
00:12:48,080 --> 00:12:53,160
But I actually started writing games in Z80 assembly language, even trying to get them

196
00:12:53,160 --> 00:12:54,160
into 1K of memory.

197
00:12:54,160 --> 00:12:59,640
Actually, we were a small game, kind of defender-esque game in 1K of memory.

198
00:12:59,640 --> 00:13:01,560
That was all assembly language.

199
00:13:01,560 --> 00:13:05,760
That then got me a job at a company in New Zealand called Grandstand who are representing

200
00:13:05,760 --> 00:13:08,680
Sega video games and Sega computer systems.

201
00:13:08,680 --> 00:13:11,680
So I got a job there working on their systems.

202
00:13:11,680 --> 00:13:15,520
And the reason why I got that job is because of the Z80 CPU.

203
00:13:15,520 --> 00:13:17,480
So I actually started just, you know, I picked up a manual.

204
00:13:17,480 --> 00:13:20,720
They gave me like a manual instruction manual on how the systems worked.

205
00:13:20,720 --> 00:13:23,960
And within like a week or so, I'll be honest with you, the guy said, well, you know, do

206
00:13:23,960 --> 00:13:26,640
you know about this and that and the other on the Sega hardware?

207
00:13:26,640 --> 00:13:28,320
I'm like, yeah, sure, I do.

208
00:13:28,320 --> 00:13:29,320
I didn't.

209
00:13:29,320 --> 00:13:30,320
But I knew that I would know.

210
00:13:30,320 --> 00:13:33,600
I mean, just give me a week with some manuals and I'll be fine.

211
00:13:33,600 --> 00:13:38,960
So I was up and running in Z80 assembly language on the Segas pretty quickly.

212
00:13:38,960 --> 00:13:43,440
Grandstand ended up then taking on a brand, an English brand called Amstrad, which was

213
00:13:43,440 --> 00:13:48,080
owned by a company in the UK, by a gentleman in the UK called Alan Sugar.

214
00:13:48,080 --> 00:13:51,680
In fact, his name, the name Amstrad, actually derived from his name is Alan Michael Sugar

215
00:13:51,680 --> 00:13:52,680
Trading.

216
00:13:52,680 --> 00:13:55,540
And so they were Z80 CPU machines as well.

217
00:13:55,540 --> 00:13:56,540
So guess what?

218
00:13:56,540 --> 00:14:00,120
I was writing stuff for those things in Z80 as well.

219
00:14:00,120 --> 00:14:05,680
Amstrad then ended up bringing up bringing out PCs, which were obviously x86, not Z80.

220
00:14:05,680 --> 00:14:08,120
And so I ended up working on those.

221
00:14:08,120 --> 00:14:12,000
And then Microsoft moved into New Zealand and I know, hey, do you have PC experience?

222
00:14:12,000 --> 00:14:15,700
Well, of course I've been working on these Amstrad PCs for a while.

223
00:14:15,700 --> 00:14:16,800
So I ended up getting a job.

224
00:14:16,800 --> 00:14:18,280
Actually funny, funny story.

225
00:14:18,280 --> 00:14:22,600
I actually worked for a company in between those two that actually represented Microsoft

226
00:14:22,600 --> 00:14:24,260
in New Zealand.

227
00:14:24,260 --> 00:14:32,280
And the guy that ran the company, he's since passed away, his name was Brian Erdly Wilmot.

228
00:14:32,280 --> 00:14:37,040
So Microsoft came into the country and he gave Microsoft a list of names of people he

229
00:14:37,040 --> 00:14:38,040
could not approach.

230
00:14:38,040 --> 00:14:39,580
And I was on that list.

231
00:14:39,580 --> 00:14:42,920
When I found out that I was on that list, I actually resigned from the company with

232
00:14:42,920 --> 00:14:43,920
no job to go to.

233
00:14:43,920 --> 00:14:48,420
But then about a month I was working, I was working at Microsoft and I was working on

234
00:14:48,420 --> 00:14:52,520
Windows 3.x C compiler and C++ compiler support.

235
00:14:52,520 --> 00:14:56,320
Because actually a lot of really good software development was done at the time in New Zealand

236
00:14:56,320 --> 00:14:57,600
and still is.

237
00:14:57,600 --> 00:15:02,280
So I was really sort of thick in the weeds with that stuff.

238
00:15:02,280 --> 00:15:08,520
That ended up getting me a job in Redmond, the Microsoft mothership, working on, it ended

239
00:15:08,520 --> 00:15:12,560
up being IIS, our web server, Internet Information Services.

240
00:15:12,560 --> 00:15:18,200
And that was then bundled with, as part of NT4, I think it was the NT4 Option Pack.

241
00:15:18,200 --> 00:15:25,320
And that really, even though I'd worked on NT 3.1 and 3.5 and 3.51, I sort of really

242
00:15:25,320 --> 00:15:29,040
became embedded with the Windows NT team back at that point because I was working on the

243
00:15:29,040 --> 00:15:30,040
products.

244
00:15:30,040 --> 00:15:32,480
And so I really got stuck into security, right?

245
00:15:32,480 --> 00:15:35,440
So I was really involved in security in IIS.

246
00:15:35,440 --> 00:15:39,360
But it's interesting, there's a really important inflection point there.

247
00:15:39,360 --> 00:15:45,080
I was hired into IIS as a security guy to work on security features, Kerberos integration,

248
00:15:45,080 --> 00:15:49,800
ACLs, SIDs, privileges, tokens, integration with certificates, TLS, well SSL back then,

249
00:15:49,800 --> 00:15:51,800
all that sort of good stuff, right?

250
00:15:51,800 --> 00:15:53,120
And that was okay.

251
00:15:53,120 --> 00:15:59,040
But the problem was it had a lot of security features, but let's just say they weren't

252
00:15:59,040 --> 00:16:00,800
the world's most secure features.

253
00:16:00,800 --> 00:16:04,720
So I was actually the security PM for 3, 4, 5, and then for the start of 6.

254
00:16:04,720 --> 00:16:11,240
3, 4, 5, lots of security features, but the designs and the code weren't exactly the greatest.

255
00:16:11,240 --> 00:16:15,840
And so 6 was a complete overhaul, in fact, its code name was Kevlar for that very reason.

256
00:16:15,840 --> 00:16:17,400
It was designed to be incredibly robust.

257
00:16:17,400 --> 00:16:22,400
And it was a complete massive code change, massive design change the whole night.

258
00:16:22,400 --> 00:16:25,640
So I was very happy to be part of that.

259
00:16:25,640 --> 00:16:30,160
Then I ended up working in core Windows, working on security.

260
00:16:30,160 --> 00:16:32,320
Then David LeBlanc and I wrote Writing Secure Code.

261
00:16:32,320 --> 00:16:34,720
Dave, we gave a copy to Bill Gates.

262
00:16:34,720 --> 00:16:38,040
That was one of the many things that led to Trustworthy Computing.

263
00:16:38,040 --> 00:16:42,920
Computer led to the security development lifecycle, which I did with my manager at the time, Steve

264
00:16:42,920 --> 00:16:43,920
Lipner.

265
00:16:43,920 --> 00:16:46,840
Steve and I have a magnificent relationship.

266
00:16:46,840 --> 00:16:52,520
He was my longest manager at 10 years and I was his longest report at 10 years.

267
00:16:52,520 --> 00:16:53,640
Really great guy.

268
00:16:53,640 --> 00:17:00,160
And so, yeah, so then I moved into the field because I was working in, I moved to Austin.

269
00:17:00,160 --> 00:17:03,900
And then finally I moved back to Azure data, well into Azure data and security.

270
00:17:03,900 --> 00:17:08,280
And now I'm actually in the Secure Future Initiative team, which is a bit of a bit of

271
00:17:08,280 --> 00:17:11,080
a day job where it feels like getting the band back together.

272
00:17:11,080 --> 00:17:12,080
That's kind of my story.

273
00:17:12,080 --> 00:17:15,640
I know it's a bit of a long story and I sort of missed a few important points out, but

274
00:17:15,640 --> 00:17:20,760
what's interesting is it's interesting how all of us came from really, really simple,

275
00:17:20,760 --> 00:17:21,760
humble beginnings.

276
00:17:21,760 --> 00:17:26,600
It's not like it's, it's not like we were born with a security spoon in our mouths.

277
00:17:26,600 --> 00:17:28,800
You know, we all sort of just fell into it.

278
00:17:28,800 --> 00:17:30,760
Michael, I have a funny story that I have.

279
00:17:30,760 --> 00:17:33,400
Well, I know you know the story, but I have to share it.

280
00:17:33,400 --> 00:17:39,080
So when we started this podcast, I was living in New Zealand, which is another story.

281
00:17:39,080 --> 00:17:43,720
But my neighbor said to me, I was talking to my neighbor and she told her I worked at

282
00:17:43,720 --> 00:17:48,760
Microsoft and she said, Oh my goodness, you work at Microsoft.

283
00:17:48,760 --> 00:17:49,760
Do you know?

284
00:17:49,760 --> 00:17:54,680
And as we know, I'm sure we all get asked this a lot and Microsoft employs what 150,000

285
00:17:54,680 --> 00:17:57,000
people, probably more now.

286
00:17:57,000 --> 00:18:00,960
So the chances of me knowing somebody is quite low, right?

287
00:18:00,960 --> 00:18:01,960
But you never know.

288
00:18:01,960 --> 00:18:05,920
Anyway, my neighbor, my completely random neighbor in New Zealand was said to me, do

289
00:18:05,920 --> 00:18:06,920
you know Michael Howard?

290
00:18:06,920 --> 00:18:09,920
And I was like, I actually do.

291
00:18:09,920 --> 00:18:14,680
Do you remember Michael, the story that my neighbor is someone you worked with back at

292
00:18:14,680 --> 00:18:16,240
Microsoft in New Zealand?

293
00:18:16,240 --> 00:18:17,240
I do.

294
00:18:17,240 --> 00:18:18,240
I do.

295
00:18:18,240 --> 00:18:19,240
Yeah.

296
00:18:19,240 --> 00:18:20,240
It's a small world, especially in New Zealand.

297
00:18:20,240 --> 00:18:24,320
You know, there's a small world, but actually it's interesting to bring that topic up there.

298
00:18:24,320 --> 00:18:28,300
This is something that I teach my kids and I'm a big fan of and that is just never ever

299
00:18:28,300 --> 00:18:32,120
burn bridges, right?

300
00:18:32,120 --> 00:18:34,200
Just never, you know, that person could have said, Hey, by any chance, you don't know Michael

301
00:18:34,200 --> 00:18:35,360
Howard, do you by any chance?

302
00:18:35,360 --> 00:18:39,680
Because if you do stay away from the guy, I always tell my kids like, just never burn

303
00:18:39,680 --> 00:18:40,680
bridges.

304
00:18:40,680 --> 00:18:43,200
It doesn't matter how angry or upset you are, just don't burn bridges.

305
00:18:43,200 --> 00:18:47,360
You have no clue if you're going to meet someone in the future, you have no clue.

306
00:18:47,360 --> 00:18:49,440
So yeah, that's a funny story though.

307
00:18:49,440 --> 00:18:50,440
That is true.

308
00:18:50,440 --> 00:18:54,480
And in fact, Michael, my dad has said the exact same thing to me, though I'm sure plenty

309
00:18:54,480 --> 00:18:55,760
of people bad mouth Sarah.

310
00:18:55,760 --> 00:18:56,800
No, I joke.

311
00:18:56,800 --> 00:19:03,520
It's amazing how people turn up again, completely randomly, like where you need least expect

312
00:19:03,520 --> 00:19:04,520
it.

313
00:19:04,520 --> 00:19:05,520
So you're very right on that one.

314
00:19:05,520 --> 00:19:06,520
Okay.

315
00:19:06,520 --> 00:19:12,760
So next question is, so I want to be honest with you when this question was entered by

316
00:19:12,760 --> 00:19:16,860
Mark, just saying, you know, it said, what are some of the worst blunders you've seen

317
00:19:16,860 --> 00:19:17,860
in security?

318
00:19:17,860 --> 00:19:20,640
And I immediately wrote after that, yikes, I don't think we can talk about that sort

319
00:19:20,640 --> 00:19:21,640
of stuff.

320
00:19:21,640 --> 00:19:23,840
So we're still going to keep that in there.

321
00:19:23,840 --> 00:19:27,000
And which is, so the question now is, what are some of the funniest stories or worst

322
00:19:27,000 --> 00:19:29,200
blunders you have ever seen?

323
00:19:29,200 --> 00:19:32,480
So as soon as you wrote the question, Mark, why don't you kick it off?

324
00:19:32,480 --> 00:19:36,400
This is going back, I heard this like, oh gosh, probably 10, 12 years ago from someone

325
00:19:36,400 --> 00:19:39,120
and it was several years old by then.

326
00:19:39,120 --> 00:19:43,600
But this was in the very early days of cyber when attacks were much rarer than they are

327
00:19:43,600 --> 00:19:44,600
today.

328
00:19:44,600 --> 00:19:49,880
And there was this time where this guy got a call like, Hey, can you come in?

329
00:19:49,880 --> 00:19:55,040
There's like this really big DNS problem that and people can't get to this or that.

330
00:19:55,040 --> 00:19:57,700
And it was like a Friday night or something like that.

331
00:19:57,700 --> 00:20:02,400
And so, you know, they, okay, whatever, you know, tell the kids and wife, you know, had

332
00:20:02,400 --> 00:20:04,400
you know, got in the car, head on there.

333
00:20:04,400 --> 00:20:06,720
And by the time they got to the office, it was fixed.

334
00:20:06,720 --> 00:20:09,920
And it was like, wait, what?

335
00:20:09,920 --> 00:20:12,480
And they dug into it, trying to understand it.

336
00:20:12,480 --> 00:20:18,380
And you know, long story short, effectively, the attackers had gotten so frustrated with

337
00:20:18,380 --> 00:20:23,600
the broken DNS in the organization that they had fixed it for them so that they could get

338
00:20:23,600 --> 00:20:25,520
to the stuff that they wanted to get to.

339
00:20:25,520 --> 00:20:28,500
And that's how the attackers actually got detected.

340
00:20:28,500 --> 00:20:30,280
So I have no idea if it's true or not.

341
00:20:30,280 --> 00:20:33,560
But it's one of my favorite, one of my favorite cyber stories.

342
00:20:33,560 --> 00:20:38,600
Okay, so mine comes from very relatively early in my career.

343
00:20:38,600 --> 00:20:46,360
And I wasn't even in security at the time, but I accidentally created a security incident,

344
00:20:46,360 --> 00:20:48,300
me and a few other people.

345
00:20:48,300 --> 00:20:50,440
We were told to do the wrong thing.

346
00:20:50,440 --> 00:20:52,480
This was one of those hosting things.

347
00:20:52,480 --> 00:20:56,320
This is when you know, before the cloud where people actually went into data centers and

348
00:20:56,320 --> 00:20:57,920
installed things.

349
00:20:57,920 --> 00:21:05,320
And we were given access to the wrong rack in a data center.

350
00:21:05,320 --> 00:21:10,800
And so we installed equipment in a completely different customer's rack.

351
00:21:10,800 --> 00:21:15,160
This was like some major areas, of course.

352
00:21:15,160 --> 00:21:20,160
And I was relatively junior at the time, and I ended up on a lot of these war rooms with

353
00:21:20,160 --> 00:21:25,760
some quite senior people who were, let's face it, coming on and swearing a lot and being

354
00:21:25,760 --> 00:21:30,520
very angry, because of course, we had to fix that problem.

355
00:21:30,520 --> 00:21:33,760
I was petrified because I thought I was going to get fired.

356
00:21:33,760 --> 00:21:38,680
But I did not because for us who had done the bit of work, we'd done exactly what we'd

357
00:21:38,680 --> 00:21:40,300
been told to do.

358
00:21:40,300 --> 00:21:43,680
We had just been told to do the wrong thing.

359
00:21:43,680 --> 00:21:51,600
But it was a good introduction into how things can domino as in, you know, there was a mistake

360
00:21:51,600 --> 00:21:57,520
made further up the chain that basically culminated in me and some other folks making a big security

361
00:21:57,520 --> 00:21:58,520
issue.

362
00:21:58,520 --> 00:22:03,640
The best thing about that story was, without getting too specific, was that, which I think

363
00:22:03,640 --> 00:22:08,760
was my favorite thing about this, was that we had a number of data centers across in

364
00:22:08,760 --> 00:22:11,080
different locations in different countries.

365
00:22:11,080 --> 00:22:15,640
And another party that was involved in it basically accused me and the other folks who

366
00:22:15,640 --> 00:22:21,080
had done the work of flying around to these different data centers in a 24-hour period

367
00:22:21,080 --> 00:22:25,160
breaking things, which we definitely did not do.

368
00:22:25,160 --> 00:22:30,840
And it was also a good lesson on finger pointing when things go wrong, when people need to

369
00:22:30,840 --> 00:22:34,400
save their reputations and or jobs.

370
00:22:34,400 --> 00:22:36,800
Probably more specifics than that, I can't say.

371
00:22:36,800 --> 00:22:42,520
But it was extremely interesting and I definitely learned the value of having everything you

372
00:22:42,520 --> 00:22:46,360
do documented just in case.

373
00:22:46,360 --> 00:22:53,760
Early when I joined Microsoft, when I decided to get into security, Microsoft was forming

374
00:22:53,760 --> 00:23:01,240
this team of engineers that would go on site in order to deal with incident response.

375
00:23:01,240 --> 00:23:09,280
They were supposed to help customers basically remediate the issue, stop the attack, remediate

376
00:23:09,280 --> 00:23:11,940
the issue, start cleanup.

377
00:23:11,940 --> 00:23:18,800
For those of you that are familiar with DART, this is a team of engineers in Microsoft that

378
00:23:18,800 --> 00:23:24,760
are responsible for going inside a customer and help customers with incident response.

379
00:23:24,760 --> 00:23:28,160
This DART team is a detection and response team.

380
00:23:28,160 --> 00:23:32,840
Well, this was prior to this team being formed.

381
00:23:32,840 --> 00:23:36,800
So I went to this incident.

382
00:23:36,800 --> 00:23:45,800
Eventually we were trying to clean up groups, trying to clean up permissions given to administrators

383
00:23:45,800 --> 00:23:47,520
and things like that.

384
00:23:47,520 --> 00:23:52,760
And it turned out that the company was using Active Directory.

385
00:23:52,760 --> 00:23:58,320
And one of the issues in Active Directory is that you have the capability of creating

386
00:23:58,320 --> 00:24:03,320
groups and nesting all these groups inside of each other.

387
00:24:03,320 --> 00:24:13,280
Well, this company, what had done was created a group policy that gave permissions to everything

388
00:24:13,280 --> 00:24:20,560
to this particular group, which had a group membership so nested that eventually all users

389
00:24:20,560 --> 00:24:24,440
had administrator access to the whole environment.

390
00:24:24,440 --> 00:24:28,760
Hence, it was pretty easy for the attackers to come in.

391
00:24:28,760 --> 00:24:37,120
I think that's one of the worst blunders that I have seen, but it was one that got me interested

392
00:24:37,120 --> 00:24:38,120
in security.

393
00:24:38,120 --> 00:24:40,480
So I have a story.

394
00:24:40,480 --> 00:24:44,840
This is with a customer and they had all these devices in the field that were incredibly

395
00:24:44,840 --> 00:24:45,840
important.

396
00:24:45,840 --> 00:24:49,400
That's all I'm going to say because I don't want to implicate anybody.

397
00:24:49,400 --> 00:24:52,720
And we're designing a threat model for their solution and looking at the designs and making

398
00:24:52,720 --> 00:24:54,160
sure all the correct mitigations were in place.

399
00:24:54,160 --> 00:24:57,240
And one of the questions I asked is, so all these devices that you have in the field that

400
00:24:57,240 --> 00:25:01,560
are taking this critical telemetry, how do you authenticate them?

401
00:25:01,560 --> 00:25:03,240
And they said, well, what do you mean?

402
00:25:03,240 --> 00:25:04,240
How do you authenticate them?

403
00:25:04,240 --> 00:25:05,240
Well, how do you authenticate them?

404
00:25:05,240 --> 00:25:07,560
How do you know that they're the real device and not something else?

405
00:25:07,560 --> 00:25:09,200
And they said, well, we don't.

406
00:25:09,200 --> 00:25:11,760
Well, that's kind of really important.

407
00:25:11,760 --> 00:25:14,680
You really do need to authenticate these devices to make sure they're actually a valid device.

408
00:25:14,680 --> 00:25:17,600
And they said, no, we don't have to bother with that.

409
00:25:17,600 --> 00:25:23,440
So the next day, we had one of their guys come in and in front of management, we're

410
00:25:23,440 --> 00:25:25,920
looking sort of going through everything that we talked about.

411
00:25:25,920 --> 00:25:29,880
And they connected to one of their dashboards that showed all these devices, sort of the

412
00:25:29,880 --> 00:25:31,600
health of the devices in the field.

413
00:25:31,600 --> 00:25:33,360
And all the devices are turned off.

414
00:25:33,360 --> 00:25:35,920
Every single one was turned off.

415
00:25:35,920 --> 00:25:39,400
And of course, you know, they started panicking and I started smiling.

416
00:25:39,400 --> 00:25:41,120
And I said, what are you smiling for?

417
00:25:41,120 --> 00:25:43,680
And I said, okay, I'll let you in.

418
00:25:43,680 --> 00:25:45,840
You're actually connected to my laptop right now.

419
00:25:45,840 --> 00:25:49,040
And I'm just mimicking the traffic from these devices.

420
00:25:49,040 --> 00:25:51,200
And basically, the devices are down.

421
00:25:51,200 --> 00:25:54,960
So when you connect, there's no valid traffic coming back from them.

422
00:25:54,960 --> 00:25:56,560
They said, well, how did you do that?

423
00:25:56,560 --> 00:25:59,840
And I said, well, the real reason that it's happening is because you're not authenticating

424
00:25:59,840 --> 00:26:01,020
the devices.

425
00:26:01,020 --> 00:26:06,000
So I just did a bit of DNS poisoning so that you're just connected to my laptop instead.

426
00:26:06,000 --> 00:26:07,400
And back then, it was just a Perl script.

427
00:26:07,400 --> 00:26:09,120
Now, I'm really showing my age.

428
00:26:09,120 --> 00:26:12,720
It was a Perl script that was basically listening or pretending to be a server.

429
00:26:12,720 --> 00:26:18,320
So every single device, it was essentially, you know, the DNS entry was wrong and it was

430
00:26:18,320 --> 00:26:22,440
pointing to my machine instead and just giving it bogus data.

431
00:26:22,440 --> 00:26:25,880
Then they started putting in a plan to authenticate the devices.

432
00:26:25,880 --> 00:26:26,880
Pretty straightforward.

433
00:26:26,880 --> 00:26:29,800
You know, one thing when we're building threat models, one of the questions we do ask all

434
00:26:29,800 --> 00:26:32,960
the time is, you know, when you're connecting to a server, how do you authenticate that

435
00:26:32,960 --> 00:26:33,960
thing?

436
00:26:33,960 --> 00:26:36,560
How do you know it really is the correct thing and not, you know, Baghdad Bob's server?

437
00:26:36,560 --> 00:26:38,080
I mean, how do you know that?

438
00:26:38,080 --> 00:26:39,080
And that's server authentication.

439
00:26:39,080 --> 00:26:41,560
By the way, the correct answer, 99 times out of 100 is TLS.

440
00:26:41,560 --> 00:26:47,360
Yeah, a lot of customers don't think about server authentication that much.

441
00:26:47,360 --> 00:26:50,720
They think about authenticating the clients, only the users of the system.

442
00:26:50,720 --> 00:26:53,960
But you can't lose track of the servers as well.

443
00:26:53,960 --> 00:26:54,960
Next one.

444
00:26:54,960 --> 00:26:56,520
So, Mark, I'm going to kick things off again.

445
00:26:56,520 --> 00:26:57,520
Career advice.

446
00:26:57,520 --> 00:26:58,520
What you got?

447
00:26:58,520 --> 00:26:59,520
That's a good one.

448
00:26:59,520 --> 00:27:03,320
My thoughts on the career advice, and I'm thinking about this, you know, for people

449
00:27:03,320 --> 00:27:05,040
of all career levels, right?

450
00:27:05,040 --> 00:27:09,440
Just starting out, aspiring to security, all the way into, been doing it for a long time

451
00:27:09,440 --> 00:27:10,440
and seasoned.

452
00:27:10,440 --> 00:27:14,080
My number one thing is just to keep learning, right?

453
00:27:14,080 --> 00:27:16,360
Because there's so much to cybersecurity, right?

454
00:27:16,360 --> 00:27:20,320
I mean, it's, I'm working on some standards for the Open Group, kind of defining like

455
00:27:20,320 --> 00:27:21,640
all the different roles in security.

456
00:27:21,640 --> 00:27:27,960
I think our current count is somewhere around 72 jobs actually have something to do with

457
00:27:27,960 --> 00:27:31,480
security, whether it's a direct full-time security job, kind of a half and half, like

458
00:27:31,480 --> 00:27:35,960
the identity and access and networking kind of teams that really you can't do enablement

459
00:27:35,960 --> 00:27:37,720
or security without it.

460
00:27:37,720 --> 00:27:39,840
Or, you know, CEO, guess what?

461
00:27:39,840 --> 00:27:42,160
You manage risk and direction of the organization.

462
00:27:42,160 --> 00:27:45,320
That includes security of the organization, right?

463
00:27:45,320 --> 00:27:49,400
And so you're ultimately the one that's going to show up and talk to the press and do a

464
00:27:49,400 --> 00:27:53,080
press conference or whatever, or show up in Congress in the worst case.

465
00:27:53,080 --> 00:27:55,880
And so like, just there's so much to it.

466
00:27:55,880 --> 00:27:58,680
I mean, there's so many different roles that have so much work to do.

467
00:27:58,680 --> 00:28:02,240
There's so many different technologies because you're talking about, you know, the attackers,

468
00:28:02,240 --> 00:28:04,360
they have the option of messing with anything.

469
00:28:04,360 --> 00:28:08,120
It doesn't matter if it's, you know, it's like Michael was saying, an IoT or instrumentation

470
00:28:08,120 --> 00:28:15,200
or sensor type of telemetry device, all the way into ancient level OT stuff, you know,

471
00:28:15,200 --> 00:28:21,280
that's controlling a steam-powered, you know, metal press or, you know, endpoints and servers

472
00:28:21,280 --> 00:28:28,560
and containers, codeless and serverless, oh my, just like the whole range of things.

473
00:28:28,560 --> 00:28:33,480
And so there's like an infinite amount of things that, you know, you can learn and there's

474
00:28:33,480 --> 00:28:36,480
always some way that you can apply it to what you're doing.

475
00:28:36,480 --> 00:28:38,080
And that's like part of it.

476
00:28:38,080 --> 00:28:42,040
But the other part I think that the learning is super important for is, say you've been

477
00:28:42,040 --> 00:28:46,280
in security for a long time and, you know, you grew up a network in IDS and IPS and,

478
00:28:46,280 --> 00:28:47,880
you know, SIEMs and whatnot.

479
00:28:47,880 --> 00:28:52,800
Those technologies still work for the attacks that were designed for, but they're not going

480
00:28:52,800 --> 00:28:57,840
to be nearly as effective as like a modern day XDR or an identity-based thing.

481
00:28:57,840 --> 00:29:04,120
Like you can't block a password spray attack with a firewall or an AI attack with a firewall.

482
00:29:04,120 --> 00:29:07,160
Like you've got to be able to shift and learn the new stuff.

483
00:29:07,160 --> 00:29:11,160
So no matter how good you get in any given area, you've just always got to be open and

484
00:29:11,160 --> 00:29:12,800
flexible in learning.

485
00:29:12,800 --> 00:29:18,280
So that's, I guess, my main advice is just always keep learning and keep an open mind.

486
00:29:18,280 --> 00:29:24,960
My career advice would be, I think particularly people early in career are super obsessed

487
00:29:24,960 --> 00:29:31,000
with certificates and proving on paper, I say proving in inverted commas, that they've

488
00:29:31,000 --> 00:29:35,000
got loads of security creds and stuff.

489
00:29:35,000 --> 00:29:40,400
I would say that is important to a point, but I want to talk about one of my frustrations

490
00:29:40,400 --> 00:29:45,600
in the industry, which is we say how we desperately have a shortage of security professionals,

491
00:29:45,600 --> 00:29:51,140
which we do, but then it's actually very hard in practical terms for people to get into

492
00:29:51,140 --> 00:29:54,840
security at that entry level.

493
00:29:54,840 --> 00:29:59,120
And I know this because I hear it time and time again, and you look at like the proportion

494
00:29:59,120 --> 00:30:03,080
of jobs out there and it's way more skewed towards experienced people.

495
00:30:03,080 --> 00:30:06,860
So I think that people who are trying to get into security can find it really tough.

496
00:30:06,860 --> 00:30:11,480
So the advice that I give people is it's just how it is.

497
00:30:11,480 --> 00:30:15,240
There's still sort of a prevailing mindset, like amongst some people at least, that you

498
00:30:15,240 --> 00:30:18,440
must have done some other bit of IT to get into security.

499
00:30:18,440 --> 00:30:23,600
I think it helps in some ways because you can go see how people mess up things, but

500
00:30:23,600 --> 00:30:25,840
I don't think it's 100% necessary.

501
00:30:25,840 --> 00:30:30,360
Or what is necessary is to differentiate yourself, and I can tell you, as someone who looks at

502
00:30:30,360 --> 00:30:36,480
some early in career, like who looks at early in career, like resumes, CVs, whatever you

503
00:30:36,480 --> 00:30:42,240
call them in your part of the world, and I know this, and I don't want to disrespect

504
00:30:42,240 --> 00:30:49,120
anybody's tertiary education, but everybody's studied some kind of technical degree.

505
00:30:49,120 --> 00:30:51,880
Everybody's maybe done a couple of basic certs.

506
00:30:51,880 --> 00:30:56,280
That doesn't differentiate you, unfortunately, because I have a hundred resumes that all

507
00:30:56,280 --> 00:30:58,100
say that kind of stuff.

508
00:30:58,100 --> 00:31:04,720
And so what I say to folks is please go and, if you're struggling to get a break in security,

509
00:31:04,720 --> 00:31:06,140
go and do more things.

510
00:31:06,140 --> 00:31:09,560
So what I mean by more things is you've got to differentiate yourself.

511
00:31:09,560 --> 00:31:16,320
So go to community meetups, go to the BSides, the user groups, there's online ones as well.

512
00:31:16,320 --> 00:31:20,340
Don't spend loads of your own money, like you don't have to, but go and make connections

513
00:31:20,340 --> 00:31:25,200
with people, go and contribute to open source projects.

514
00:31:25,200 --> 00:31:29,160
You may not have the money to travel, which not everybody does, but there's lots of things

515
00:31:29,160 --> 00:31:35,240
you can do from home that will differentiate you, that will help you stand out from the

516
00:31:35,240 --> 00:31:40,000
crowd because have empathy with people looking through resumes and CVs.

517
00:31:40,000 --> 00:31:44,260
They're often, 99% of them are extremely similar.

518
00:31:44,260 --> 00:31:48,120
So that would be my bit of advice, at least for early in career people.

519
00:31:48,120 --> 00:31:55,360
So I'm going to echo Sarah and Michael, but I have a third one, I'm sorry, Mark, but I

520
00:31:55,360 --> 00:31:58,240
have a third one that I want to add.

521
00:31:58,240 --> 00:32:01,240
So first I'm going to talk about learning.

522
00:32:01,240 --> 00:32:06,180
When I first started in computers overall, I started programming.

523
00:32:06,180 --> 00:32:10,080
Then after that I was doing computer engineering, right?

524
00:32:10,080 --> 00:32:15,000
And I went to, I became network Cisco certified.

525
00:32:15,000 --> 00:32:20,160
I became network, previous operating system that I was talking certified.

526
00:32:20,160 --> 00:32:28,040
I went into Windows, I did SQL, I did a SharePoint, I did identity, I did back then SMS, which

527
00:32:28,040 --> 00:32:36,800
was the SCCM or configuration management was the type of replacement or the product that

528
00:32:36,800 --> 00:32:39,860
replaced SMS back then.

529
00:32:39,860 --> 00:32:45,800
And that gave me a visibility all across different functions through the network.

530
00:32:45,800 --> 00:32:50,440
So when I came to Microsoft, I was like, oh yes, I'm awesome.

531
00:32:50,440 --> 00:32:51,680
I know all this stuff.

532
00:32:51,680 --> 00:32:54,920
When I quickly realized I didn't know enough, right?

533
00:32:54,920 --> 00:32:58,560
And I started working heavily and trying to study.

534
00:32:58,560 --> 00:33:04,400
And it was, I basically was spending like 14, 16 hours a day, including weekends, trying

535
00:33:04,400 --> 00:33:05,400
to catch up.

536
00:33:05,400 --> 00:33:10,640
And there was this engineering person that came in to me and said, Gladys, you could

537
00:33:10,640 --> 00:33:14,200
work hard or you could work smart.

538
00:33:14,200 --> 00:33:18,640
Part of working smart is number one, managing your time.

539
00:33:18,640 --> 00:33:26,040
Not everything is about just the work that you do, but you having the time to give to

540
00:33:26,040 --> 00:33:27,320
other things.

541
00:33:27,320 --> 00:33:35,240
He said, have some openings during your week to allow for extra projects to come in.

542
00:33:35,240 --> 00:33:38,520
At first I wasn't understanding what he was meaning.

543
00:33:38,520 --> 00:33:44,440
I kept talking to him and eventually I was working heavily Tuesday through Thursday,

544
00:33:44,440 --> 00:33:50,600
but my Mondays and Fridays, I had some time dedicated for training and I had some time

545
00:33:50,600 --> 00:33:52,040
just open.

546
00:33:52,040 --> 00:34:00,060
Because I went into events like networking events and even conferences, people started

547
00:34:00,060 --> 00:34:05,440
knowing me and saying, Hey, can you help with this thing?

548
00:34:05,440 --> 00:34:07,760
And including people in Microsoft.

549
00:34:07,760 --> 00:34:14,440
So I started getting involved in more projects because I had the time allocated for nothing

550
00:34:14,440 --> 00:34:15,440
else, right?

551
00:34:15,440 --> 00:34:21,760
And that it just allowed me to grow and do more special things and learn even more and

552
00:34:21,760 --> 00:34:24,220
increase my network at Microsoft.

553
00:34:24,220 --> 00:34:32,200
So again, my advice, it will be learning, network and manage your time.

554
00:34:32,200 --> 00:34:37,760
That is not solely for the current job, but for opportunities that you could have in the

555
00:34:37,760 --> 00:34:40,280
future for growth.

556
00:34:40,280 --> 00:34:43,900
You know, I want to echo the first one that Mark mentioned about learning.

557
00:34:43,900 --> 00:34:47,800
This is one of those industries where you can't stagnate at all.

558
00:34:47,800 --> 00:34:48,800
You have to keep learning.

559
00:34:48,800 --> 00:34:51,440
You just keep, you have to keep moving forward.

560
00:34:51,440 --> 00:34:56,640
So one thing I do is whenever I see something I'm interested in, I have a Microsoft To Do

561
00:34:56,640 --> 00:34:58,520
on my desk, on my main dev box.

562
00:34:58,520 --> 00:35:01,040
I have it on a couple of my laptops and I have it on my phone.

563
00:35:01,040 --> 00:35:05,600
And basically whenever I see something, I paste it into the To Do, Microsoft To Do,

564
00:35:05,600 --> 00:35:07,280
and then I just forget about it.

565
00:35:07,280 --> 00:35:11,400
Then every day I have, I think it's about 2.33 o'clock, I have a 30 minute block, which

566
00:35:11,400 --> 00:35:12,440
is learn.

567
00:35:12,440 --> 00:35:13,440
That's all it is.

568
00:35:13,440 --> 00:35:17,200
And then what I do is I spend that time and I go into my Microsoft To Do, I look at, I

569
00:35:17,200 --> 00:35:18,360
pick something out of the list.

570
00:35:18,360 --> 00:35:19,360
That's all I do.

571
00:35:19,360 --> 00:35:20,360
I look at it.

572
00:35:20,360 --> 00:35:21,360
It may be of interest.

573
00:35:21,360 --> 00:35:25,160
It doesn't matter, but I learn enough about it to know that I don't care or I do care

574
00:35:25,160 --> 00:35:28,480
or I need more to learn more stuff that, you know, whatever.

575
00:35:28,480 --> 00:35:29,480
So I do that.

576
00:35:29,480 --> 00:35:30,480
So I really want to echo that.

577
00:35:30,480 --> 00:35:31,480
You've just got to keep moving forward.

578
00:35:31,480 --> 00:35:35,920
And on the topic of learning, I think everyone needs to learn the basics of programming.

579
00:35:35,920 --> 00:35:41,360
I don't mean you need to be a super alpha geek programmer who can debug ARM64 assembly

580
00:35:41,360 --> 00:35:43,480
language, which by the way, I'm currently learning.

581
00:35:43,480 --> 00:35:44,920
You know, you don't need to do that.

582
00:35:44,920 --> 00:35:45,920
You really don't.

583
00:35:45,920 --> 00:35:48,640
But at least be able to, you know, whack a PowerShell script together or a Python script

584
00:35:48,640 --> 00:35:53,640
together, at least be able to understand how coding can help you be better.

585
00:35:53,640 --> 00:35:55,360
So I am a big believer in that.

586
00:35:55,360 --> 00:35:57,520
The very, very last one is write, write stuff.

587
00:35:57,520 --> 00:36:01,280
I'm not going to say write books, although writing a book is a very, very good idea.

588
00:36:01,280 --> 00:36:03,580
I mean, write blog posts, you know, keep it going.

589
00:36:03,580 --> 00:36:04,920
Just keep writing stuff.

590
00:36:04,920 --> 00:36:07,000
Put your thoughts down, your technical thoughts.

591
00:36:07,000 --> 00:36:12,120
You'd be amazed how useful that is when you're going for a job to show a body of work that

592
00:36:12,120 --> 00:36:14,380
shows real diligence.

593
00:36:14,380 --> 00:36:17,960
So I believe in those three big things.

594
00:36:17,960 --> 00:36:20,000
Write, learn the basics of programming, and write.

595
00:36:20,000 --> 00:36:22,920
All right, we're getting close to the end now.

596
00:36:22,920 --> 00:36:24,780
Where do you want to see the industry going?

597
00:36:24,780 --> 00:36:27,640
Where do you see the industry going over the next few years?

598
00:36:27,640 --> 00:36:29,640
I'll pick an optimistic tone, right?

599
00:36:29,640 --> 00:36:33,940
Because there's plenty of cynicism you can throw out there on sort of we spend way too

600
00:36:33,940 --> 00:36:40,640
much time writing the same control standards over and over again, and way too much time

601
00:36:40,640 --> 00:36:46,560
like trying to change out tools as if the slightly better tool from a slightly different vendor

602
00:36:46,560 --> 00:36:51,080
is going to make a massive difference in how things work, right?

603
00:36:51,080 --> 00:36:52,800
We have just those normal headwinds, right?

604
00:36:52,800 --> 00:36:54,320
Because we're just, we're new, right?

605
00:36:54,320 --> 00:36:58,760
We're not, we're what, a couple decades into this thing, like two, three, four decades,

606
00:36:58,760 --> 00:37:02,960
you know, depending on how you measure it at most, compared to centuries and millennia

607
00:37:02,960 --> 00:37:06,680
of building buildings and roads and everything else.

608
00:37:06,680 --> 00:37:08,960
I think the big thing is just we're immature.

609
00:37:08,960 --> 00:37:14,240
And so the thing that I see is I feel like we're getting to a point now, especially if

610
00:37:14,240 --> 00:37:18,800
the zero trust thing sticks and people stick with it long enough to sort of get it, that

611
00:37:18,800 --> 00:37:23,200
like having this practical view of security is going to get us to a place where we can

612
00:37:23,200 --> 00:37:29,160
finally get to, you know, in the, in the maturity model, maturity model parlance, you know,

613
00:37:29,160 --> 00:37:33,400
defined, we can actually say, this is what security, this is what good looks like in

614
00:37:33,400 --> 00:37:34,400
security.

615
00:37:34,400 --> 00:37:36,440
And this is, you know, and this is how it should work.

616
00:37:36,440 --> 00:37:40,640
And everybody knows that this is their part, their job in security.

617
00:37:40,640 --> 00:37:45,800
And so I really see it going into like a little bit more of a professional thing, especially,

618
00:37:45,800 --> 00:37:49,120
you know, I mean, when you, when you look at some of the, some of the big incidents

619
00:37:49,120 --> 00:37:52,840
that are affecting business and organizations finally sort of get their head around and

620
00:37:52,840 --> 00:37:57,880
it's no longer like a fear, uncertainty, doubt type of conversation with the security teams,

621
00:37:57,880 --> 00:38:00,680
but it's actually a genuine partnership thing.

622
00:38:00,680 --> 00:38:07,360
I just, you know, I see us becoming more normalized as security, I guess, is what I hope that

623
00:38:07,360 --> 00:38:12,120
it just becomes part of how everybody thinks about things like, you know, and we can have

624
00:38:12,120 --> 00:38:16,280
a basic security conversation with anyone in the organization and they'll be able to,

625
00:38:16,280 --> 00:38:20,280
you know, the security people have a basic business understanding and then the business

626
00:38:20,280 --> 00:38:22,280
and tech teams will have a basic security understanding.

627
00:38:22,280 --> 00:38:24,620
Like that's, that's kind of where I hope it is.

628
00:38:24,620 --> 00:38:28,880
And that, that really unlocks for the next generation of goodness where people can work

629
00:38:28,880 --> 00:38:30,760
together and bring different ideas together.

630
00:38:30,760 --> 00:38:33,360
So that's just like my own personal view and hope.

631
00:38:33,360 --> 00:38:34,920
Where do I see the industry go?

632
00:38:34,920 --> 00:38:36,960
Where do I want the industry to go?

633
00:38:36,960 --> 00:38:42,320
I would like us to continue to try and be more inclusive.

634
00:38:42,320 --> 00:38:45,040
I think we're going in the right direction.

635
00:38:45,040 --> 00:38:46,760
We've got a long way to go.

636
00:38:46,760 --> 00:38:50,000
Let's be realistic about this.

637
00:38:50,000 --> 00:38:55,120
Something that is a personal bugbear of mine is that I think if you are not, if you are

638
00:38:55,120 --> 00:39:03,360
what considered diverse is, you, you know, whether that's gender, ethnicity, whatever,

639
00:39:03,360 --> 00:39:08,920
I still think a predictor of whether you will last a long time in this industry is

640
00:39:08,920 --> 00:39:14,320
that you need to be quite resilient and thick skinned, which is not the way it should be

641
00:39:14,320 --> 00:39:17,400
more so than your average person at work, I'd say.

642
00:39:17,400 --> 00:39:19,640
So I hope that we continue to work on that.

643
00:39:19,640 --> 00:39:23,080
I think it's going to be a very slow piece of work, but you know, there are a lot of

644
00:39:23,080 --> 00:39:27,160
efforts to try and fix that.

645
00:39:27,160 --> 00:39:30,920
I also just want, I want to see, and we're going in this direction already.

646
00:39:30,920 --> 00:39:34,280
I want to see the gatekeeping stop as well.

647
00:39:34,280 --> 00:39:40,520
So what I mean by that is not the gatekeeping so much within the industry, but I think it's

648
00:39:40,520 --> 00:39:43,160
the industry talking to the rest of IT and the public.

649
00:39:43,160 --> 00:39:46,680
Well, you know, a lot of people are like, ah, security, this is very complicated.

650
00:39:46,680 --> 00:39:49,200
You won't possibly understand it, blah, blah, blah.

651
00:39:49,200 --> 00:39:55,040
When in fact, I think anybody can understand security, at least at a high level in, if

652
00:39:55,040 --> 00:39:56,740
it's explained in the right way.

653
00:39:56,740 --> 00:40:02,920
And I think that's really important because people are not going to lose your job if you

654
00:40:02,920 --> 00:40:07,480
educate other people in the org a bit more about security.

655
00:40:07,480 --> 00:40:10,920
And well, if you, if you're worried about that, then that says to me, you're not good

656
00:40:10,920 --> 00:40:13,000
enough at security to start with.

657
00:40:13,000 --> 00:40:16,520
And we need to become more collaborative with the rest of IT.

658
00:40:16,520 --> 00:40:19,840
This is a massive rant, so I'm going to stop there because we'll be here for a long time.

659
00:40:19,840 --> 00:40:25,640
But we need to accept that other people knowing at least a little bit of security and knowing

660
00:40:25,640 --> 00:40:31,480
some security basics in the wider IT org and in the world is not going to mean that we

661
00:40:31,480 --> 00:40:33,520
run ourselves out of a job.

662
00:40:33,520 --> 00:40:40,480
As I analyze everything that is happening, basically every, almost every day, there's

663
00:40:40,480 --> 00:40:48,040
a major hack, a major data breach happening all across the world.

664
00:40:48,040 --> 00:40:51,240
And all this data is going somewhere, right?

665
00:40:51,240 --> 00:40:54,560
And AI is coming heavy into place.

666
00:40:54,560 --> 00:40:56,800
Quantum is coming heavy into place.

667
00:40:56,800 --> 00:41:05,440
And I just start thinking, okay, when all this is put together and all this data from

668
00:41:05,440 --> 00:41:13,360
the different data breaches are brought together, they basically will know everything about

669
00:41:13,360 --> 00:41:14,360
us.

670
00:41:14,360 --> 00:41:19,280
So, I'm hoping that in the future, I know that we're working toward it.

671
00:41:19,280 --> 00:41:27,200
There's Entra Verified ID and Microsoft Entra ID is doing a lot of things, but better ways

672
00:41:27,200 --> 00:41:38,160
to identify the people in order to make sure that people do not lose their savings.

673
00:41:38,160 --> 00:41:44,960
There's things that they have worked heavily for because I keep hearing and seeing all

674
00:41:44,960 --> 00:41:51,640
these institutions that use voice recognition in order to authenticate you.

675
00:41:51,640 --> 00:41:56,280
And I'm like, okay, AI can do this and things like that.

676
00:41:56,280 --> 00:42:05,000
And then I start thinking, okay, how are my kids going to be able to just protect their

677
00:42:05,000 --> 00:42:10,080
money, their resources if this is not solved?

678
00:42:10,080 --> 00:42:16,720
So again, I think we are going through there, but there's a lot of work to do.

679
00:42:16,720 --> 00:42:24,120
And I think that's the place that I want the security to be improved the most.

680
00:42:24,120 --> 00:42:31,240
I have a hope, I think, and that's, I really think we need to see much more work being

681
00:42:31,240 --> 00:42:36,920
done in academia around what it takes to design and build secure systems.

682
00:42:36,920 --> 00:42:43,480
Look, I'm going to be honest, this is a conversation that I've had for 20 plus years and there

683
00:42:43,480 --> 00:42:47,320
seems to be very little work being done.

684
00:42:47,320 --> 00:42:52,560
We hire kids out of school and they just don't understand the fundamentals.

685
00:42:52,560 --> 00:42:56,880
I'm not going to say they need to be cybersecurity nerds, but just at least understand some of

686
00:42:56,880 --> 00:42:57,880
the basics.

687
00:42:57,880 --> 00:43:02,960
And I think that's a bit similar to what Sarah said, but unfortunately we're just not.

688
00:43:02,960 --> 00:43:08,200
And so, don't get me wrong, there's a role for industry to educate people.

689
00:43:08,200 --> 00:43:12,040
Absolutely there is, but there's also a role to be played by academia.

690
00:43:12,040 --> 00:43:14,400
I still don't see that being done.

691
00:43:14,400 --> 00:43:16,800
I've heard people say, well, that's not the role of academia.

692
00:43:16,800 --> 00:43:21,880
Okay, we can have that philosophical debate, but personally, I believe academia has a big

693
00:43:21,880 --> 00:43:22,880
role to play.

694
00:43:22,880 --> 00:43:24,240
All right, we're getting very close.

695
00:43:24,240 --> 00:43:29,680
We've got the last question now, which is a very simple one, which is what are some

696
00:43:29,680 --> 00:43:33,320
of the behind the scenes memories or just something you'd like people to know about

697
00:43:33,320 --> 00:43:35,960
what we do on the podcast?

698
00:43:35,960 --> 00:43:41,240
I'll kick this one off because, and Michael, I'm sorry about this one, but on the very

699
00:43:41,240 --> 00:43:46,640
first episode of this podcast, I remember for whatever reason that day, Michael could

700
00:43:46,640 --> 00:43:48,640
not say the word security.

701
00:43:48,640 --> 00:43:50,520
It is absolutely true.

702
00:43:50,520 --> 00:43:54,360
I think you tried it like six, eight times before you got it right.

703
00:43:54,360 --> 00:43:55,360
It was hilarious.

704
00:43:55,360 --> 00:44:00,040
I do not understand to this day what the heck was going on there.

705
00:44:00,040 --> 00:44:04,040
I mean, were we talking about like accents between New Zealand and American or something

706
00:44:04,040 --> 00:44:05,040
or whatever?

707
00:44:05,040 --> 00:44:07,360
I mean, something had to have messed your head up because you just could not get that

708
00:44:07,360 --> 00:44:08,360
word out.

709
00:44:08,360 --> 00:44:12,080
I mean, you know, a word I've been saying for a long, long, long time and I couldn't

710
00:44:12,080 --> 00:44:13,080
get it out of my head.

711
00:44:13,080 --> 00:44:14,400
Yeah, it's crazy.

712
00:44:14,400 --> 00:44:16,080
I can say the word security.

713
00:44:16,080 --> 00:44:18,360
I can say it, but Michael definitely can't.

714
00:44:18,360 --> 00:44:22,080
And there's also some guests' names you haven't been able to say as well.

715
00:44:22,080 --> 00:44:23,080
Yeah.

716
00:44:23,080 --> 00:44:24,080
Ryan's name.

717
00:44:24,080 --> 00:44:26,160
I'm not going to say the last name because I will get it wrong.

718
00:44:26,160 --> 00:44:27,520
But if you go and look at, right.

719
00:44:27,520 --> 00:44:28,520
Okay.

720
00:44:28,520 --> 00:44:30,720
You say it, Sarah, because I'm not going to say it.

721
00:44:30,720 --> 00:44:31,720
Thank you.

722
00:44:31,720 --> 00:44:32,720
If you go to the...

723
00:44:32,720 --> 00:44:33,720
I thought it was Markababad.

724
00:44:33,720 --> 00:44:34,720
Markababad.

725
00:44:34,720 --> 00:44:35,720
Oh no.

726
00:44:35,720 --> 00:44:36,720
Oh no.

727
00:44:36,720 --> 00:44:37,720
Ryan's going to...

728
00:44:37,720 --> 00:44:38,720
Ryan, don't listen to this episode.

729
00:44:38,720 --> 00:44:39,720
Okay.

730
00:44:39,720 --> 00:44:42,720
I'm going to make sure Ryan hears this.

731
00:44:42,720 --> 00:44:45,880
No, in all seriousness, there is an outtake.

732
00:44:45,880 --> 00:44:46,880
It's on the website.

733
00:44:46,880 --> 00:44:50,440
I'll put a link in the show notes to it, to the actual episode, because it is actually

734
00:44:50,440 --> 00:44:51,440
kind of funny.

735
00:44:51,440 --> 00:44:54,000
But yeah, I could not get her name wrong.

736
00:44:54,000 --> 00:44:55,000
That name, right?

737
00:44:55,000 --> 00:44:56,000
Yeah.

738
00:44:56,000 --> 00:44:57,000
It was pretty embarrassing.

739
00:44:57,000 --> 00:44:58,000
Talking about outtakes.

740
00:44:58,000 --> 00:45:03,200
I mean, you've never done this, but Michael, do you want to talk about how all the outtakes

741
00:45:03,200 --> 00:45:08,120
are literally my therapy sessions without going into the specifics?

742
00:45:08,120 --> 00:45:10,520
That's what I was going to talk about.

743
00:45:10,520 --> 00:45:11,520
I was going to...

744
00:45:11,520 --> 00:45:13,400
I look forward to those.

745
00:45:13,400 --> 00:45:14,400
Yeah.

746
00:45:14,400 --> 00:45:19,840
The first 10 minutes of every single one of these things is all Sarah talking about what

747
00:45:19,840 --> 00:45:21,240
she needs to talk about.

748
00:45:21,240 --> 00:45:22,240
Yeah.

749
00:45:22,240 --> 00:45:27,680
And it's just for those listening, it's a running joke that this is basically just Sarah's

750
00:45:27,680 --> 00:45:28,680
therapy.

751
00:45:28,680 --> 00:45:32,400
I just have a lot of things to talk about, usually not to do with security.

752
00:45:32,400 --> 00:45:37,280
Well, actually it's an interesting one because something that I learned from an impression

753
00:45:37,280 --> 00:45:42,000
I give sometimes to people, not that you would hear this on this podcast because Michael

754
00:45:42,000 --> 00:45:47,680
cuts it all out, but sometimes people think that I don't actually care about security

755
00:45:47,680 --> 00:45:52,120
that much because I like to talk about everything else as well as security.

756
00:45:52,120 --> 00:45:57,360
But the answer to that, and it is good feedback for when I am in business context and we have

757
00:45:57,360 --> 00:46:02,200
a time limit, but the answer to that is I just like to talk about everything quite a

758
00:46:02,200 --> 00:46:07,880
lot and I have a lot of stories and I'm a terrible oversharer.

759
00:46:07,880 --> 00:46:08,880
I'm working on it.

760
00:46:08,880 --> 00:46:09,880
I'm working on it.

761
00:46:09,880 --> 00:46:14,400
Actually, those again for the listeners, we do have a couple of rules of thumb with this

762
00:46:14,400 --> 00:46:15,400
podcast just so you know.

763
00:46:15,400 --> 00:46:18,680
The first one is try to keep it 200-ish, 300-ish level.

764
00:46:18,680 --> 00:46:19,680
That's number one.

765
00:46:19,680 --> 00:46:20,920
Number two is no cussing.

766
00:46:20,920 --> 00:46:22,200
This is a family show.

767
00:46:22,200 --> 00:46:26,280
And then the third one is don't break into jail.

768
00:46:26,280 --> 00:46:29,720
That's actually been my philosophy for a long, long, long time.

769
00:46:29,720 --> 00:46:31,200
Be careful what you say.

770
00:46:31,200 --> 00:46:33,960
The last thing you need is to literally break into jail.

771
00:46:33,960 --> 00:46:38,840
So yeah, it's one of the mantras of the podcast.

772
00:46:38,840 --> 00:46:43,560
One thing I do want everyone to realize because I understand why people do this, but people

773
00:46:43,560 --> 00:46:47,360
have said, hey, you guys have been a little inconsistent sometimes on getting the episodes

774
00:46:47,360 --> 00:46:49,680
out and that's absolutely true.

775
00:46:49,680 --> 00:46:52,560
We try to go for every two weeks.

776
00:46:52,560 --> 00:46:54,560
Sometimes we just can't do that.

777
00:46:54,560 --> 00:46:57,280
This is not anything that we do as part of our jobs.

778
00:46:57,280 --> 00:46:59,440
This is something that we do because we enjoy doing it.

779
00:46:59,440 --> 00:47:03,560
Honestly, I'm really amazed that we've been going since the end of April 2020.

780
00:47:03,560 --> 00:47:04,560
I think it's amazing.

781
00:47:04,560 --> 00:47:11,180
We've got an incredible sort of listenership way beyond anything I ever expected.

782
00:47:11,180 --> 00:47:12,480
But yeah, just do be aware.

783
00:47:12,480 --> 00:47:19,640
We do do our very, very best, but I do all the audio editing as well as the website.

784
00:47:19,640 --> 00:47:24,440
And Sarah and Mark and Gladys also get people together to start farming around, to get people

785
00:47:24,440 --> 00:47:26,000
to join the podcast.

786
00:47:26,000 --> 00:47:27,760
We don't have any problems getting people on the podcast.

787
00:47:27,760 --> 00:47:30,280
Everyone loves coming on the podcast.

788
00:47:30,280 --> 00:47:33,120
Sometimes work gets in the way, life gets in the way, vacations get in the way.

789
00:47:33,120 --> 00:47:38,520
It's not like we have some hours set aside every week by our management to do the podcast.

790
00:47:38,520 --> 00:47:40,520
It really is a labor of love.

791
00:47:40,520 --> 00:47:45,260
I can probably say for everyone that we just thoroughly enjoy doing this.

792
00:47:45,260 --> 00:47:46,260
It's a lot of fun.

793
00:47:46,260 --> 00:47:48,000
We get to meet a lot of awesome people.

794
00:47:48,000 --> 00:47:50,680
We get to learn a lot of things from a lot of people.

795
00:47:50,680 --> 00:47:53,960
That's probably another bit of advice for people is grow your network.

796
00:47:53,960 --> 00:47:58,600
I forget who someone touched on before, but do grow your network.

797
00:47:58,600 --> 00:48:03,240
And honestly, I was doing the podcast, we're all growing our own personal networks as well.

798
00:48:03,240 --> 00:48:08,920
So now I know who to talk to about specific issues, which is always a useful thing.

799
00:48:08,920 --> 00:48:11,620
So let's bring this episode to an end.

800
00:48:11,620 --> 00:48:14,140
Thank you so much, all of you for listening.

801
00:48:14,140 --> 00:48:18,120
As I mentioned before, this is episode 100, an amazing milestone and I'm so proud that

802
00:48:18,120 --> 00:48:19,760
we've met this milestone.

803
00:48:19,760 --> 00:48:20,760
Do continue listening.

804
00:48:20,760 --> 00:48:23,080
If you have any comments, send them our way.

805
00:48:23,080 --> 00:48:26,200
If there's any topics you'd like to cover, again, let us know.

806
00:48:26,200 --> 00:48:28,520
So again, everyone out there, thank you again for listening.

807
00:48:28,520 --> 00:48:30,360
Stay safe and we'll see you next time.

808
00:48:30,360 --> 00:48:33,240
Thanks for listening to the Azure Security Podcast.

809
00:48:33,240 --> 00:48:40,040
You can find show notes and other resources at our website azsecuritypodcast.net.

810
00:48:40,040 --> 00:48:44,840
If you have any questions, please find us on Twitter at AzureSecPod.

811
00:48:44,840 --> 00:49:11,840
Background music is from ccmixter.com and licensed under the Creative Commons license.

