May 27, 2022

Representation Without Technicalities with Mari Galloway

by Hacker Valley Red

Show Notes

We’re breaking down the concept of difference makers this week and we couldn’t help but call upon Mari Galloway, CEO of the Women’s Society of Cyberjutsu, to be our guest during this conversation. As a black woman in cybersecurity who has dedicated a large portion of her career to helping women and girls become a part of the cyber community on both the technical and non-technical sides, Mari is a stunning example of making a difference and creating a path to expand cybersecurity beyond stereotypes. 

Timecoded Guide: 

- [01:29] Defining the difference makers and explaining the OODA loop

- [13:52] Introducing Mari and the Women’s Society of Cyberjutsu 

- [20:14] Finding her purpose in helping others find their purpose 

- [25:06] Explaining the roles and paths available outside of strictly technical 

- [30:31] Understanding imposter syndrome and forging a freedom-based career journey 

Sponsor: 

Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! 

Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone 

PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley 

 

What is that like to see people go from taking that original red pill all the way through starting their career in cybersecurity? 

When we talk about making a difference, many of us don’t get to see our impact as clearly as the Women’s Society of Cyberjutsu sometimes gets to see. Mari tells us numerous stories of women throughout this episode, including herself, who became a part of this industry because of the instrumental work they do in outreach and education. For Mari, seeing women change their minds and majors to become a part of the tech industry shows how vital this work is. 

“These are the moments we're waiting for, whether it's one person or 50 million people. We want you to feel confident enough to get the skills you need, get in the industry, continue to refine those skills, and be super successful.” 

 

What would you equate your purpose to, and how does everything you do fit into it?

Like many of us, Mari isn’t entirely sure what her purpose is, but she knows that she enjoys helping the next generation and making a difference in the landscape of cybersecurity. Working with a nonprofit is not an easy job, even if it is rewarding, and Mari still prioritizes her freedom alongside meeting her purpose. No matter what Mari’s future holds, she knows that this work and this purpose to help others will always find her. 

“I think as I get older, as I start to take steps back to just kind of look at what's happened and the impact that I'm having and others around me are having on the next generation of folks coming up, I think my purpose is to help people. It's to help other people see their potential.” 

 

How do you feel like creating that safe environment has affected others? 

Helping others find their footing in the cybersecurity industry can be extremely rewarding, especially when Mari found herself in a situation of uncertainty when she first joined the Cyberjutsu Tribe. The community of cybersecurity and the stereotypes around hackers can feel incredibly uninviting from the outside. Offering people, especially women and young girls, an opportunity to step into a safe space where they can ask anything has been huge for Mari. 

“We call it our Cyberjutsu Tribe, and we want to make sure that anybody that comes to us feels like they can reach out and touch us and ask us questions and get answers and just have a conversation with us.” 

 

How do we invite more people in and let them know that there are opportunities in cyber outside of technical roles? 

Whether you’re hacking, selling, managing, or marketing, there is a space for you in the cybersecurity world. You don’t have to code or to be extremely technical to fit in this industry anymore, and you don’t have to have a certain look. The Women’s Society of Cyberjutsu prioritizes educating people on every role involved in the industry and showing them that they don’t have to be a tech wizard or a computer guru to find a satisfying and profitable position. 

“You don't have to look like this to be a hacker. You can look like me…That stereotype, I think, is dying, as we see the number of women coming in and men coming into the space that don't look like that anymore.” 

 

Hacking the Vocabulary: 

OODA Loop: Observe, Orient, Decide, Act. A four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision. 

CISO: The chief information security officer, a senior-level executive responsible for developing and implementing an information security program

Taking the red pill: The terms "red pill" and "blue pill" refer to a choice between the willingness to learn a potentially unsettling or life-changing truth by “taking the red pill,” or remaining in contented ignorance with the blue pill. 

--------- 

Additional resources to check out: 

Spend some time with our guest, Mari Galloway, on LinkedIn, Twitter, her website, and the Women’s Society of Cyberjutsu website

Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.

Follow Ron Eddings on Twitter and LinkedIn

Catch up with Chris Cochran on Twitter and LinkedIn

Continue the conversation by joining our Discord



Transcript

Axonius Ad 00:21
Hey everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast like me, or an IT, or Security Pro, complexity is inevitable, and I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone. That's Axonius.com/Simone.
Chris 00:55
We are back with another episode of Hacker Valley Red, where we are exploring the nexus between offensive cybersecurity and humanity. Again, I am one of your hosts. I'm Chris Cochran.
Ron 01:07
And I'm your other host, I am Ron Eddings, and we are looking at cybersecurity legends. That's the theme for this season, and we're going to continue down that path. But today, we're going to speak about something very important, I think, something that we don't highlight enough in cybersecurity, let alone the technology industry as a whole, and that is difference makers.
Chris 01:29
Difference makers are so important. There's actually a SANS event called Difference Makers, where they give awards to the people that are making a difference in this thing we call cybersecurity. So, what are we talking about when we're talking about difference makers? We're talking about the folks that are making an impact, whether you're talking about from a technological perspective, you're talking about a cybersecurity team, or you're talking about their community, across the board. When I think of difference makers, I think of the people that can see something is missing, figure out how they can interject themselves into that process, make a decision, and then take action. And there is a very perfect framework in order to do this. What is that, Ron?
Ron 02:08
The framework is OODA, or an OODA Loop. I'm sure everyone has heard of it, especially because you hear in the military and a lot of cybersecurity practitioners and professionals have come from a military background. Thank you for your service, Chris. I was not, but I still think that this idea of OODA is really powerful, and it's an acronym. It stands for observe, orient, decide, and act. And I think that when you do this, whether it's in cybersecurity, or life in general, you're going to have much better outcomes.
Chris 02:40
100%. So, from the framework of looking at red teaming, you can say, maybe your organization doesn't have a red team just yet. Or, maybe they haven't really done any red teaming engagements, you can observe and say, "I see a lot of my peer organizations that are utilizing red teaming to a great degree, and they're able to fill those gaps and close out those holes that is in their security posture." But it isn't until you observe like, "Okay, what is missing here? What do we have going on within our context that makes this important?" So, first, you have to be aware, which is that observe part.
Ron 03:14
Yes, and then you have to orient. Orient is really important because after you observe, you're going to see that maybe things are on fire, especially if you are an attacker and you just broke into an organization's network. Hopefully, it's paid and it's ethical, but if you just broke in and you set off all of the alarms, what do you do next? You're not going to just make another action and try to hide your logs and hide your activity, you have to first assess the situation. You've observed that there is logs that are being produced, then you have to orient. You have to decide and understand where you are in the world, and then move on to the D.
Chris 03:53
The D is making decisions. This can be an especially crucial part of this entire process, whether you're talking about red teaming at the high level, bringing it in from the programmatic standpoint, or even to the decisions of like, how do we basically bring red teaming into our organization? There's a big spectrum, you could bring an entire red team, a team that specializes in red team and have very, very select objectives. Or, you could do something very small scale, something you could do maybe in a part-time perspective for the folks that are already on the team. Making a decision as to how deep and how much we want to spend from both a time and a money perspective, in order to meet these goals. Really, it's going to be incumbent upon you. What are your resources? What are you trying to affect? What changes, what differences, right? What differences are we trying to make within our organization in order to make our security posture that much more tough?
Ron 04:53
Yes. And that leaves us with the A for act. When you are making an action, you're taking all of the experience, the understanding of the past, and doing something with it. You're making an action. And that's what we've just kind of walked through, observe, orient, decide and then act. You're taking the OOD part of the OODA loop, and using that to make an informed decision and action. From a red team perspective and offensive operator perspective, I would love to have a plan. I have an operation plan where I've observed the network, I've oriented and started to understand: Am I on the inside? Or am I on the outside of this network? I'm creating a plan. I'm creating a decision plan on how I'm going to act, and then I carry out that action.
Chris 05:40
Exactly. Because when you're making that decision, you're like, "Is this a canary? Or is this legitimately a token that I can take and use for my own purposes?" So, it's dicey to make a decision and take that action. Sometimes, you're taking a risk. But the OODA Loop is a perfect framework for anyone to really think about how to bring in red team from the programmatic perspective, like we were talking about, or even down to the small details of the red team engagement. When we talk about difference makers, we're also talking about the specific people that make a difference. I remember back when I was at Netflix, one of the big difference makers for my career and honestly for the network at Netflix was Scott Barrons. Scott Barrons was on the podcast a long time ago, I think he might have been like, guest number one, to be honest with you, which is really crazy to think about. Scott Barrons is like a jack of all trades. He's done red, he's done blue, he's done purple. I was leading a purple engagement at Netflix, and he was leading the red side and I got to sit in and I would listen and I would watch all the things that he was doing, from a planning perspective for this particular engagement. And just being able to watch him orient himself to the network, make decisions on where to go, and then ultimately take the actions that would lead to us filling the gaps and closing out the vulnerabilities that we had in our network was beyond important. One of the things I did a little different, and I get a lot of hate about doing this, but I thought it was very valuable is: I had a blue teamer that would sit in the middle of the red team engagement, they would just sit there and listen and they would take notes. And they would take notes about different contexts for, "Oh, wow, that's interesting that they're gonna go that route. We've never thought about that on the blue team." They don't give them any hands, or anything like that, but they just sit as a silent observer, to observe, right? Then orient like, "How do we look?" Then make a decision, "Oh, we definitely need some detection logic for this particular thing." And then ultimately, at the end, take an action to make sure that that is not a vector that someone can exploit in the future.
Ron 07:42
Let’s talk about difference makers. You just brought up Scott, right? Was he the first difference maker that you really clung on to and thought, "Wow, this is really impactful for Netflix, my organization," or does it go back even further for you to think about difference makers in your eyes for red teaming and offensive operations?
Chris 08:02
It goes back so far, to be honest with you. It goes back to childhood, some of my friends, they were little hackers, right? And I was the guy that was trying to break in, and was like, "Hey, I need to learn all this hacking stuff," and the first place they pointed me to was books at the library. And this is before there were really any hacking books, so I grabbed an A+ book, and I'm reading it like a novel trying to learn about technology, the terminology, how are things connected, and I think that was very useful for me, because it made it easier once I got into intelligence, and I was focused on technical things, I had a decent understanding of all that stuff. But even when I was at the National Security Agency, one of my best friends in the world, Maurice Gross, he was really focused on the red side as well, and he taught me a lot about that side. I wish I could go into much more about what we did and what he taught me, but I can't, given the nature of the classified information that I'm a part of, but just know there are difference makers in the red side across the board, and sometimes, they're not what you might think.
Ron 09:04
You know, for me, difference makers go way back as well. I got started in cybersecurity by luck. I was working at this public access channel and then one of my early mentors walked in, Marcus Carey, and he had Johnny Long, Joe McCray, and a few other hackers with them. And these guys taught me that very important detail that you just mentioned, and that's books. Some of them have written books, Johnny Long wrote the book on Google hacking, but they introduced me to other writers that have also created awesome works, whether it be on exploitation, malware analysis, network intrusion, and analysis. And I really took these books and made these people a part of my circle, even though I had never met most of them. I made them part of my circle, because they made a difference on my life, but not only did they make a difference in my life, they've created these frameworks, these methodologies for me to use and learn from. Just like the OODA Loop, we're using this framework for hundreds of years. It's military tactics, but these military tactics often work in cybersecurity, because this is the one field where we have adversaries, whether you're on the blue side of the house or the red side of the house.
Chris 10:15
Absolutely. And one thing we have to talk about is our sponsor for this particular episode. And really, this entire season of Hacker Valley Red, and that's PlexTrac. PlexTrac has a complete tool that you can use, a platform that you can use to have those conversations between the blue and the red side, because a lot of times, when we're talking about making a difference, it's about communication. It's about taking the information that you found during your red team engagement and putting it in the hands of the people that are going to take those actions and make those decisions to improve the security of your organization. So, when you're looking at making a difference, Ron, when you have something like PlexTrac, where you can enable those communications, what is the main thing that you're looking for on the blue side once the red team gives you that information?
Ron 11:05
What I'm looking for is, and this is a selfish answer, is I'm looking for the biggest opportunity to provide an impact because honestly, I do want the recognition, I want the involvement from other team members, and then the delivery from me to get some credits, share the credit with my team members. So, I'm looking for that report that I can make into actionable decisions, whether it be from remediating a misconfiguration, resolving a vulnerability. I want to take this report that the red team is going to give me and ultimately, decide quickly. I don't want to make this a year-long engagement where I have to take a report and do something with it. I want to do it immediately. So, from a blue perspective, that is my answer, taking a report and making it impactful so I can look great with my team and my technology. And that's exactly what PlexTrac does, right?
Chris 12:00
Yeah, exactly. That is exactly what PlexTrac does. If you're interested in PlexTrac and being sure that you have that conversation, that communication, that impact that you're getting from the offensive side of cybersecurity, be sure to visit www.PlexTrac.com/HackerValley. That's PlexTrac.com/HackerValley.
Ron 12:24
So, let's continue on the topic of difference makers. We've actually brought in a difference maker this episode, because this guest that we've brought doesn't just make a difference with technology. They make a difference with bringing people into the industry and helping underrepresented groups, helping groups of all walks of life, really get into the field and make a difference. Who is our guest, Chris?
Chris 12:48
Our guest today is Mari Galloway. She is beyond impactful when it comes to special interest groups and in technology. It is an honor to sit down with her. Let's jump right in. Welcome back to Hacker Valley Red where we're exploring the nexus of offensive cybersecurity and humanity. I'm one of your hosts. I'm Chris Cochran.
Ron 13:10
And I'm your other host, I am Ron Eddings. And we are joined this episode by Mari Galloway, the CEO of the Women's Society of Cyberjutsu, and a close friend of us here at Hacker Valley. Mari, thank you for joining us on Hacker Valley Red.
Mari 13:27
Thank you for having me. I've been waiting for this moment. I seriously have been. So happy to be here, excited to be here. Looking forward to it.
Chris 13:36
We're so excited to have you as well. All the things that you've built for the community, for the people out there that are in cybersecurity, and even outside of cybersecurity, cannot go unnoticed. But for the folks that don't know who you are just yet, we'd love to hear a little bit about your background and what you're doing today.
Mari 13:52
Well, what I do now is I'm a Sales Engineer and Systems Engineer for Palo Alto Networks. I started with them about a year and a half ago as a Customer Success Architect. Prior to that, I worked for the Venetian and the Palazzo here in Las Vegas as a Vulnerability Management Analyst, building their vulnerability management program. And as an architect for the casino, for all of the casinos actually, there's three different locations. Prior to that I worked in the government, so I've worked in a number of three letter agencies across DC and North Carolina, before making my trek out here to Las Vegas and did anything from network engineering to insider threat management to some SOC work a little bit at US-CERT before I left. That's my professional life. I also run the Women's Society of Cyberjutsu, a 501(c)(3) national nonprofit, providing hands-on training to women and girls looking to enter and advance in this space. We do workshops, we do conferences, Cyberjutsu Con is coming up in June, if anybody's available. We do study groups, we go to conferences together for LobbyCon, all kinds of cool stuff to just get women more involved and get them feeling confident about being in cybersecurity and about advancing in this space. Outside of that, I teach for the University of Maryland, their Global Campus. I also run a bookkeeping and cybersecurity company. So, if anybody needs some bookkeeping assistance, I got you covered. And I make wine in Las Vegas.
Chris 15:16
Hey!
Ron 15:18
So, little bit of everything! Sales engineering, architecture, CEO of Cyberjutsu, and wine. I didn't know that one.
Mari 15:27
Yes, yes, four years in the making, five years now, actually. Red wine.
Ron 15:32
So, we titled this season cybersecurity legends. And we knew we had to talk to you because we spoke to Lisa Jiggetts on a previous season, and all she could do was brag about you. "Mari is so amazing. She's helped me build this organization, so I made her the CEO of the organization that I helped found." I think that's really great. That's impressive. And I also worked at Palo Alto Networks, and there's a whole story about that we're not going to get into, but I would love to know a bit about what is this drive for you? We're talking about legends. I think legends have this extraordinary drive. And you have this drive to almost, it seems to reinvent yourself constantly. Where's that come from?
Mari 16:15
I don't consider myself a legend, but I think— My mom was in the Air Force, she did 25 plus years and so that was my role model. That was who I saw. She did accounting and taxes and financial things, and I think it just came from that. She was always doing stuff. She was always impacting somebody. And so, I was like, "I gotta do the same thing." Plus, I just like to do a lot of stuff. Cybersecurity is my first love and it pays the bills, but then I also like to do the winemaking and running a nonprofit, because I'm a serial volunteer. I've been volunteering probably since I was in middle school. I was gonna say how many years ago that was, but I'm only 25 in air quotes, but I think the drive for me to just give back started when I was younger. It was just always there, I was in Girl Scouts and volunteering with that stuff, and then, when I got to high school, I was in this program called Avid, so Advancement Via Interpersonal Determination. And so, they put you in these advanced courses, and you have to be really smart or something. But when I graduated high school, I ended up volunteering for that program, too, at other schools, just to be able to help somebody see their potential and just kind of grow into what they're supposed to be. It's kind of what drives me, and I get to do that every day with Cyberjutsu, because I get to help women that think they can't enter the space and they can't be in cyber, and it's like, "No, you can, you have the skills. You don't have to be technical, but you have the skills." And so, to be able to see them see themselves in a space is what drives me.
Chris 17:46
Yeah, that's incredible. And that's something that I want to become myself, I want to bring people to cybersecurity. I would love to bring people to technology, but I have to imagine that when you first bring someone to cybersecurity, when they're just finding out about it, I'm sure sometimes you give them that red pill, blue pill sort of scenario, you can be a breaker or you can be a builder. Tell us about the people that choose to be breakers and you watch them grow into pen testers and red teamers, and all the like. What is that like to see them go from taking that original red pill all the way through starting their career?
Mari 18:23
It's pretty fascinating. Take Tanisha Martin, she's been a member of Cyberjutsu since the beginning. Now she's running her own organization, helping other people become hackers and pen testers. And it usually starts with their first cyber competition. And it's like, "I can't do this, I can't do this, I can't do this." And then they go, and they solve that first challenge and their face lights up. And it's like, "Oh, I can do this. I know what to do. I know how to ask the questions, I know how to navigate." And so, to see folks do that— We've had a number of folks that have transitioned into cybersecurity from other fields, and to see that they've been successful, to become managers and leaders in their own organizations, it's really powerful, I think. It's really powerful, plus, it helps others coming behind them see the potential that they could have. So, there's a lot of days I don't want to do this anymore, right? I don't want to run a nonprofit as a volunteer anymore. It's frustrating, but then when I get those emails and say, "Hey, you know, you did this presentation, or you did this workshop, you guys had this event, and now I'm doing XYZ," it's like, this is why we do this. These are the moments we're waiting for, whether it's one person or 50 million people. We want you to feel confident enough to get the skills you need, get in the industry, continue to refine those skills, and be super successful.
Ron 19:40
It almost reminds me of, in some ways of having a purpose, like you are driven for cause and it sounds like part of the cause is to see other women, other people in the cybersecurity community succeed, which I love and it's also influencing me, making me a better person. But I'm curious as to: What is your purpose? It seems like you have all of these skills, whether it's from being an architect, being a winemaker even, and also leading a nonprofit. What would you equate your purpose to, and how does all this fit into it?
Mari 20:14
That is a great question, and I'm still trying to find that out. I asked myself that every single day. I think as I get older, as I start to take steps back to just kind of look at what's happened and the impact that I'm having and others around me are having on the next generation of folks coming up, I think my purpose is to help people. It's to help other people see their potential, whether that's in tech, whether that's in education, whether that's in winemaking. I want you to be able to see your potential, and I think that's what's becoming my purpose. On the work side, that's probably consulting or something, but yeah, I'm still trying to figure that one out. I don't know for sure, but I know I'm going that route, to be more engaged and to be more helpful to the folks that I come in contact with.
Ron 21:02
It almost reminds me of mine, sorry to cut you off. It almost reminds me of mine, because my purpose is to acquire these rare and valuable skills, and my kryptonite is when other people don't understand my value. I'm trying to share something with them, and they don't quite get it, but for you, it's like, you're helping others understand the value that's within them. Let's say you're a consultant for helping people realize their dreams in some ways.
Mari 21:28
I thought about being a career coach. Somebody else asked me that and they were like, "You should be a coach." And I was like, "Yeah, see, I don't think people want me to be their coach." I mean, there'll be great information and valuable, but I'm gonna hold you accountable. And a lot of folks don't want to be held accountable. I don't know, that might be my next thing, when I get to that retirement age in a few years is to coach people to find their potential, to start tapping into what they're good at, and utilizing that and sharing it and being proud of it.
Chris 21:57
You say you don't know what your purpose is, but it seems like, evident just by the stuff that you put out into the world, and even this conversation right now, that you found it. You want people to have a place to become their best self, and that's one thing that we talk about quite often is having a learning environment. Because if someone's going to enter into something that can be pretty vulnerable, if you're learning something like a martial art for the first time, going into a place where you can make mistakes and learn and grow, that's where you're going to have the most growth. If you go somewhere where no mistakes are allowed, and if you make a mistake, people make fun of you, no one wants to be in that type of environment. So, when you think about the organization that you lead, and all the other things that you do, how do you feel like creating that safe environment has affected others?
Mari 22:42
It invites them in, right? When somebody feels safe enough to ask a question, you've just opened the door to so many possibilities for them. And that was the whole point behind Cyberjutsu. When Lisa decided to start it, she was in a number of different hacker groups around the DC and northern Virginia area, she was literally the only woman, and then she said, "You know what? We need our own space." And when she did that, what she realized was there was other women that wanted that same thing. There was other women that wanted to, even if it was just to figure out, "Okay, what does this cybersecurity thing mean? What does this hacking thing mean?" There was other people and other women that wanted to do the same. And so, having that ability— When I first found the group, it was about six months after she had started it. It was for a study group, I had failed the CISSP, and so, I wasn't trying to find a study group, but I was looking for a safe group to go to where if I didn't know the answers, I wouldn't feel like, "Ooh, I'm not smart enough." And when I found the group, that's what I got from it. You know, everybody was helpful and everybody was like, "Yeah, you got this." They were encouraging. It's like a little family. We call it our Cyberjutsu Tribe, and we want to make sure that anybody that comes to us feels like they can reach out and touch us and ask us questions and get answers and just have a conversation with us.
Ron 23:57
What do you see as being that next frontier? We talked a lot about just, as a community, bringing more people of color in, bringing more women in, and now, we are here. There is a lot of women in the field, there's a lot of people of color. We got three of them on this episode right here with us, especially difference makers at bat. What do you see as the next opportunity for people to make a big difference in cybersecurity and technology?
Mari 24:23
That's a good one. I think it's going to be educating people, taking the knowledge that you've gained from your experiences, whether it's from 5 years or 20 years in the space, and educating people. Actually educating folks, not just talking at them, but talking with them, having these conversations about what's possible. Yeah, I think we're going to start seeing more folks in leadership positions to be able to make change in organizations. That's a hard question, even though we're here, there's still a lot of work that needs to be done. We still need those opportunities and so, with folks like us and other folks that are in our positions, just allowing those opportunities to be given to those that want it and don't realize it, and those that want it and do realize it.
Chris 25:06
One thing that I think about all the time is that, when I was coming into the space, it seemed like everyone had to be technical. If you weren't technical, you weren't worth your weight in anything, if you didn't have those technical chops, but I think now we're getting to a space where you could be focused on the strategic, you could be focused on the business side, or the accounting side of cybersecurity, the compliance, the GRC side of cybersecurity. When you think about the whole spectrum, from people that are doing red teaming and malware analysis all the way through to the folks that are doing more leadership and strategic focus things, how do we invite more people in and let them know like, "Hey, you don't have to necessarily be the person that's with the ones and zeros, you can do other things on the offensive and on the defensive side of cybersecurity?"
Mari 25:51
It starts with awareness and it also starts with stepping outside of where we typically see folks at, right? So, we go to the same conferences, we go to the same career fairs, we go to the same schools and all this stuff, we never step outside of that circle. And so, for folks to get awareness about the opportunities in cybersecurity, outside of just technical, is really important, which means we have to start at the younger age, middle and high school, to give them that awareness to say, "Hey, there's an opportunity here, you don't have to be super technical." You can be the strategy person, or you can be the person that has the critical thinking skills, or whatever it is, and still be successful in this space, and still utilize whatever skills you gained from middle school to high school, and college if you go to college in cybersecurity. But I think it boils down to just stepping outside of the normal channels that we usually use to reach those populations, and give them that hope and then representation, right? For me, I've been technical most of my career, but I've always wanted to move into the more managerial leadership type of roles, but it's been difficult, because I feel like if I go that route, I'm gonna not be seen as smart and cyber anymore, which isn't the case, but the way that it's set up is like, you have to be that technical. And so, it's been a struggle, but having the representation at those higher levels helps.
Ron 27:13
That was going to be the next thing I was going to talk to you about is, we've been in the game for a while. Chris has been in it longer than me, I'm not sure how long you've been in cybersecurity, like, 12 years. Exactly. I've been in it for 11 years now. So, even at 11 years, I can't see the new pathway. I don't know how to re-break into cybersecurity, I only know where I'm at today and there's getting more technical, or becoming a CSO, becoming a CEO, but I don't think it has to be that way, right? Like, we're seeing people break into cybersecurity in a completely different way, from marketing, from sales, from engineering, even having just a programming background, all of a sudden, they learn these little facets about cybersecurity and there's always companies that need marketing, sales, or even engineering. What have you seen as the future of new pathways created from just cybersecurity becoming more present and people becoming more aware? Is there other things besides being a manager or leader? What are these other pathways that you've seen?
Mari 28:20
Entrepreneurs. I mean, I think we're all entrepreneurs on this call. Especially with COVID, and people leaving their jobs, entrepreneurship is a great way into cybersecurity without having to be super technical. Project management. I mean, it's still kind of management, but we need folks that have the ability to manage these projects that we're working on, and manage budgets, and manage all of those things. I work with a number of ladies that do marketing for cyber companies, which I've never even thought of, but as soon as we opened up that bubble of what cybersecurity entails, from pen testing and digital forensics type of stuff to everything else, you started to see folks coming in. And so, education, marketing, what else? Consulting, the sales side, even. Even though there's a lot of folks on the sales side now, a lot of people don't realize that you can get into cybersecurity on the sales side of things. You can either be a sales rep or a sales engineer, right? You can make commissions, you make money. I think as long as we start to advertise that, "Hey, there's money to be made outside of just being technical," it'll start to open the eyes of everyone else. Like, "Hmm, I do have education skills, like I was a teacher, I can be a teacher on the cybersecurity side, and I don't have to be deep in the weeds to do that." Does it help? Maybe, but it's not a requirement. You don't have to look like this to be a hacker. You can look like me. You can wear heels. You can have fancy colored hair, you can have long fingernails or short fingernails. You can wear khakis if you want. That stereotype, I think, is dying, as we see the number of women coming in and men coming into the space that don't look like that anymore. And for me, when girls see me or Lisa, or Tanisha, or Alyssa, they can see themselves in the space, it's not going to keep them from being in this space. 
And we've seen it, we have a girls’ program for cyberjutsu out of the east coast, and we've had a number of girls that have come through the program, and then hit us up couple of years later and say, "Hey, I changed my major in college. I was going to do X, now I'm going to do computer science," or technology, or things like that, because they saw someone that looked different than what was on the TV.
Ron 30:31
This topic makes me think of what we know as impostor syndrome. I was lucky enough that I never felt like an imposter in cybersecurity, because I didn't know that other people felt that way, so I had no expectation for that myself. But as we start to shape this new paradigm of what a hacker is, and what it can be, I would imagine that more and more people are going to start to feel like maybe they don't belong, just because there's such a wide variety of people. Everyone's talented, everyone has talents, God given or just learned, and people can acquire skills, they can learn skills by reading a book, but when you look around and you see that someone knows something you don't, you might get a little self-conscious. How do you help the ladies or the young women that are trying to break into the field, they have talents, they have skills, but they still look around and notice the skills that they don't have that other people have? How do you coach them through that?
Mari 31:27
Oh, I have that problem all the time. I look at folks all the time, like, "Dang, maybe I should have known that." But I usually tell folks to take that energy and put it into learning what you don't know. The same thing with negative energy, take all of that energy, because all it is just an energy you feel like, that feeling of, "I'm not smart enough," isn't necessarily true. You just know different stuff than this person does because what you know, they may not know either. And so, take that energy, put that back into yourself, and learn what it is you need to know, and realize that you're not going to know everything, because we're not built to know everything, unless you're a super genius. And that's okay, it's okay to say, "I don't know." I've learned that a lot working at Palo Alto, when customers ask me questions. "I don't know, let me get back to you. Let me figure it out," you know what I'm saying? And they respect that, and people understand that. And so, impostor syndrome was just having doubt in yourself, you have to learn that you're only as good as what you do, right? If you're only doing the bare minimum, you're only going to be as good as the bare minimum. But if you start to go above and beyond what you're normally used to and get out of that comfort zone, you're going to be successful and after a while, that whole, "Oh, they know more than me." Okay, cool. Well, you got to do that stuff, I'm gonna go do this stuff over here. I want people to look at me and say, "You know what? If she can do it, I can do it." And it doesn't matter if it's a man or a woman, because I've had a number of guys come to me and say, "I've been following you, and you post all this stuff, and blah, blah, blah." And it's just like, "Really?" I think the biggest thing is, I want them to be able to see themselves in the same position. If that means I have to do extra stuff, then that means I have to do extra stuff. But they're the future. 
Once we retire, once we're out of this game, they're the ones that take the lead at that point and I want them to feel confident that they can do that.
Ron 33:19
Sometimes it's scary to look and see yourself out of that picture. I know for me, I'm like, "No, I want to be the future still, I want to reinvent myself and keep going."
Mari 33:31
And it's possible that can happen, right? But at some point, like our ancestors, they did their thing, they left things for us to continue to do, and that's our job. We've done our thing, now let's leave something for that next group of folks to have something to do, to strive for, to push even further than what we were able to do.
Ron 33:49
I'm doing my best to contain myself from asking this question, but you know what, I'm gonna bring it up anyways, I'm gonna bring it up anyways. And what I really want to know is this retirement concept, before we jumped on and hit record, you were like, "Hey, I might actually retire in the next six years." How does a cybersecurity professional, a technology expert, get to the point to where you're at and have this idea of retirement before the age of 60?
Mari 34:19
Well, because I get tired of working and it's retirement from having to work. Most of the folks that work, they have to, they don't have a choice, because of financial reasons, because they have families, because they have kids or there is some kind of financial issue happening in life. For me, I want to retire at 45, in six years, because I want to enjoy my life a little bit more. And I want to be a little bit freer with what I do in cybersecurity, right? I don't want to be limited to, "Because I work at Palo Alto, I can't do XYZ things or I can't do these things." I want to be a little bit freer with what I'm doing in this space, and I can't really do that right now. And I want to travel more, right? I want to be able to travel more and educate folks in other countries that may not have the same resources that we have. That's that nonprofit side of things, again, that volunteer side of things, again, and just be able to give back in a different way than what I've been able to so far. Plus, cybersecurity can be stressful. I'm not gonna lie, this industry can be stressful, it can wear you down, it can burn you out, and I'd rather just have a little bit more freedom when it comes to that kind of thing.
Ron 35:29
Right. So, what is freedom? What exactly does that mean?
Mari 35:33
More wine. Honestly, being able to do what I want and still making an impact. I even thought about running the nonprofit full-time, right? That would be kind of cool to run a nonprofit full-time, but the pay in some of them sucks. And so, it doesn't make logical sense, but being able to just do you, be you, and there might be companies out there that allow you to do that. I haven't found them yet. I'm still looking, but the company I'm at now is pretty good about giving you that freedom to do some stuff, but it's a mindset. Being free from whatever it is that's holding you back. In our case, it's financial stuff.
Ron 36:14
It's a mindset and a state, not only do you have to have the mind, the personal freedom, but I mean, you're describing something that is really important. And that's the other component is financial freedom. Having the resources to finally say, "Yes, because I really mean it," or, "No, because I really, really mean it."
Mari 36:31
Right. My mom was in the military, and I saw some things, but she's still working. She's still young, she's not going to retire until she's 65. And I don't want to work until I'm 65 and then only have another 10 years to just like really, really enjoy life.
Chris 36:47
Mari, there's someone that's listening to this episode, or watching this episode right now, that wants to build their own community. What advice would you have for them about going about it?
Mari 36:59
So, yes, it takes hard work, but it's more about opportunity. And I've been seeing recently, it's hard work doesn't get you to where you want to get to. It's about opportunities, and I will say that I've been fortunate enough to have a number of different opportunities that have led me here, most of them from my network, right? So, if you're getting started in this industry, you have got to build a network. You have to talk to people, you have to put yourself out there a little bit and be vulnerable, because that's when the opportunity starts to come. And I talk about this a little bit in my upcoming course that I'm working on right now for launching your career, you have to tell your story, you have to know why you want to be in cybersecurity, and then you have to share that with folks, because that's how the opportunities come. Once I started sharing how I got here, what my origin story was, and where I've come from, people started to look at me and say, "Hey, let's bring her in. Let's bring her up." Honestly, that's how I got to where I'm at. Hard work and opportunity.
Chris 38:00
Mari, thank you so much, from the bottom of our hearts. For the folks that want to stay up to date with you and all the great things that you have going on in your world, what are the best ways that people can do that?
Mari 38:01
LinkedIn and Twitter. So, I think my LinkedIn is the Mari Galloway, and my Twitter is @MariGalloway. So, definitely those are the best places. You can also check me out on WomensCyberjutsu.org. Check out all the events we have coming up, join the membership, be a part of the fun, be a part of the Cyberjutsu Tribe. And if you're ever in Vegas, let me know. I'd be happy to take y'all to the winemaking place and the winery that we go to.
Ron 38:36
I love it. We will be sure to drop all of those resources in the show notes, and we highly recommend everybody to check out Mari and Women's Society of Cyberjutsu. Thanks again, Mari, for joining us, and we'll see everyone next time.
Chris 38:51
What an incredible conversation with an incredible person, I learned a lot about making an impact. Whether you're talking about technology, you're talking about your team, or you're talking about the community, Mari is making a huge impact in community and bringing in that next wave of cybersecurity practitioner. What did you take away from the conversation, Ron?
Ron 39:12
I took away that we just have to start somewhere. We could try to be all of the things, Mari did describe herself as a winemaker, an offensive operator, a security architect, she's really everything, but all of that success, all of the difference that she made, started with just taking that first step. And that's really what I took away from this episode with Mari, but just working into the red side of the house, you start with that initial access, and then you work from there, and I think that's what it's all about.
Chris 39:42
When we're looking at the context of being a difference maker, going from zero to one and one to 1,000, we've said it before that person is going from zero to one. First, they have to observe, they see where the difference can be, they see what could be better and then they orient: How do they make an impact and how does it work? Reflect on their environment, on their community, whatever it is, and then they decide. They make a decision to make that difference. How do they make that difference? They have to make several decisions in order to get there and then, ultimately, they take the action, they make an improvement. They take their intention and make it real, and that's what it's all about in cybersecurity and the offensive side of the house.
Ron 40:20
Love it, and that's what we're going to be doing throughout this season. We're going to be taking the OODA Loop, we're going to be observing the greatness from our guests, we're going to be orienting ourselves within this world of offensive operations and red teaming. We're going to be making decisions along the way with our great partners at Axonius and PlexTrac, and acting, sharing this information with you all trying to present it in the best way possible. And we love that you're on this journey with us, we want to make sure that you continue on this journey along this season. So, if you love the content, it would mean the world to us if you shared it on social media, or subscribed on your favorite streaming platform, and also joined us in our Discord. We just launched a Discord and it's buzzing with over— It's hundreds of people at this point and we would love if you joined and stayed up to date with us, and you can find that at HackerValley.com/Discord.
Chris 41:14
Definitely join the Discord. Let us know that it was this episode that you're coming from. And as always, thanks for joining us and we will see you in the next Hacker Valley Red episode.

Axonius Ad 00:21
Hey everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast like me, or an IT, or Security Pro, complexity is inevitable, and I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone. That's Axonius.com/Simone.
Chris 00:55
We are back with another episode of Hacker Valley Red, where we are exploring the nexus between offensive cybersecurity and humanity. Again, I am one of your hosts. I'm Chris Cochran.
Ron 01:07
And I'm your other host, I am Ron Eddings, and we are looking at cybersecurity legends. That's the theme for this season, and we're going to continue down that path. But today, we're going to speak about something very important, I think, something that we don't highlight enough in cybersecurity, let alone the technology industry as a whole, and that is difference makers.
Chris 01:29
Difference makers are so important. There's actually a SANS event called Difference Makers, where they give awards to the people that are making a difference in this thing we call cybersecurity. So, what are we talking about when we're talking about difference makers? We're talking about the folks that are making an impact, whether you're talking about from a technological perspective, you're talking about a cybersecurity team, or you're talking about their community, across the board. When I think of difference makers, I think of the people that can see something is missing, figure out how they can interject themselves into that process, make a decision, and then take action. And there is a very perfect framework in order to do this. What is that, Ron?
Ron 02:08
The framework is OODA, or an OODA Loop. I'm sure everyone has heard of it, especially because you hear in the military and a lot of cybersecurity practitioners and professionals have come from a military background. Thank you for your service, Chris. I was not, but I still think that this idea of OODA is really powerful, and it's an acronym. It stands for observe, orient, decide, and act. And I think that when you do this, whether it's in cybersecurity, or life in general, you're going to have much better outcomes.
Chris 02:40
100%. So, from the framework of looking at red teaming, you can say, maybe your organization doesn't have a red team just yet. Or, maybe they haven't really done any red teaming engagements, you can observe and say, "I see a lot of my peer organizations that are utilizing red teaming to a great degree, and they're able to fill those gaps and close out those holes that is in their security posture." But it isn't until you observe like, "Okay, what is missing here? What do we have going on within our context that makes this important?" So, first, you have to be aware, which is that observe part.
Ron 03:14
Yes, and then you have to orient. Orient is really important because after you observe, you're going to see that maybe things are on fire, especially if you are an attacker and you just broke into an organization's network. Hopefully, it's paid and it's ethical, but if you just broke in and you set off all of the alarms, what do you do next? You're not going to just make another action and try to hide your logs and hide your activity, you have to first assess the situation. You've observed that there is logs that are being produced, then you have to orient. You have to decide and understand where you are in the world, and then move on to the D.
Chris 03:53
The D is making decisions. This can be an especially crucial part of this entire process, whether you're talking about red teaming at the high level, bringing it in from the programmatic standpoint, or even to the decisions of like, how do we basically bring red teaming into our organization? There's a big spectrum, you could bring an entire red team, a team that specializes in red team and have very, very select objectives. Or, you could do something very small scale, something you could do maybe in a part-time perspective for the folks that are already on the team. Making a decision as to how deep and how much we want to spend from both a time and a money perspective, in order to meet these goals. Really, it's going to be incumbent upon you. What are your resources? What are you trying to affect?
What changes, what differences, right? What differences are we trying to make within our organization in order to make our security posture that much more tough?
Ron 04:53
Yes. And that leaves us with the A for act. When you are making an action, you're taking all of the experience, the understanding of the past, and doing something with it. You're making an action. And that's what we've just kind of walked through, observe, orient, decide and then act. You're taking the OOD part of the OODA loop, and using that to make an informed decision and action. From a red team perspective and offensive operator perspective, I would love to have a plan. I have an operation plan where I've observed the network, I've oriented and started to understand: Am I on the inside? Or am I on the outside of this network? I'm creating a plan. I'm creating a decision plan on how I'm going to act, and then I carry out that action.
Chris 05:40
Exactly. Because when you're making that decision, you're like, "Is this a canary? Or is this legitimately a token that I can take and use for my own purposes?" So, it's dicey to make a decision and take that action. Sometimes, you're taking a risk. But the OODA Loop is a perfect framework for anyone to really think about how to bring in red team from the programmatic perspective, like we were talking about, or even down to the small details of the red team engagement. When we talk about difference makers, we're also talking about the specific people that make a difference. I remember back when I was at Netflix, one of the big difference makers for my career and honestly for the network at Netflix was Scott Barrons. Scott Barrons was on the podcast a long time ago, I think he might have been like, guest number one, to be honest with you, which is really crazy to think about. Scott Barrons is like a jack of all trades. He's done red, he's done blue, he's done purple. I was leading a purple engagement at Netflix, and he was leading the red side and I got to sit in and I would listen and I would watch all the things that he was doing, from a planning perspective for this particular engagement. And just being able to watch him orient himself to the network, make decisions on where to go, and then ultimately take the actions that would lead to us filling the gaps and closing out the vulnerabilities that we had in our network was beyond important. One of the things I did a little different, and I get a lot of hate about doing this, but I thought it was very valuable is: I had a blue teamer that would sit in the middle of the red team engagement, they would just sit there and listen and they would take notes. And they would take notes about different contexts for, "Oh, wow, that's interesting that they're gonna go that route. We've never thought about that on the blue team." They don't give them any hands, or anything like that, but they just sit as a silent observer, to observe, right? Then orient like, "How do we look?" Then make a decision, "Oh, we definitely need some detection logic for this particular thing." And then ultimately, at the end, take an action to make sure that that is not a vector that someone can exploit in the future.
Ron 07:42
Let’s talk about difference makers. You just brought up Scott, right? Was he the first difference maker that you really clung on to and thought, "Wow, this is really impactful for Netflix, my organization," or does it go back even further for you to think about difference makers in your eyes for red teaming and offensive operations?
Chris 08:02
It goes back so far, to be honest with you. It goes back to childhood, some of my friends, they were little hackers, right? And I was the guy that was trying to break in, and was like, "Hey, I need to learn all this hacking stuff," and the first place they pointed me to was books at the library. And this is before there were really any hacking books, so I grabbed an 8+ book, and I'm reading it like a novel trying to learn about technology, the terminology, how are things connected, and I think that was very useful for me, because it made it easier once I got into intelligence, and I was focused on technical things, I had a decent understanding of all that stuff. But even when I was at the National Security Agency, one of my best friends in the world, Maurice Gross, he was really focused on the red side as well, and he taught me a lot about that side. I wish I could go into much more about what we did and what he taught me, but I can't, given the nature of the classified information that I'm a part of, but just know there are difference makers in the red side across the board, and sometimes, they're not what you might think.
Ron 09:04
You know, for me, difference makers go way back as well. I got started in cybersecurity by luck. I was working at this public access channel and then one of my early mentors walked in, Marcus Carey, and he had Johnny Long, Joe McCray, and a few other hackers with them. And these guys taught me that very important detail that you just mentioned, and that's books. Some of them have written books, Johnny Long wrote the book on Google hacking, but they introduced me to other writers that have also created awesome works, whether it be on exploitation, malware analysis, network intrusion, and analysis. And I really took these books and made these people a part of my circle, even though I had never met most of them. I made them part of my circle, because they made a difference on my life, but not only did they make a difference in my life, they've created these frameworks, these methodologies for me to use and learn from. Just like the OODA Loop, we're using this framework for hundreds of years. It's military tactics, but these military tactics often work in cybersecurity, because this is the one field where we have adversaries, whether you're on the blue side of the house or the red side of the house.
Chris 10:15
Absolutely. And one thing we have to talk about is our sponsor for this particular episode. And really, this entire season of Hacker Valley Red, and that's PlexTrac. PlexTrac has a complete tool that you can use, a platform that you can use to have those conversations between the blue and the red side, because a lot of times, when we're talking about making a difference, it's about communication. It's about taking the information that you found during your red team engagement and putting it in the hands of the people that are going to take those actions and make those decisions to improve the security of your organization. So, when you're looking at making a difference, Ron, when you have something like PlexTrac, where you can enable those communications, what is the main thing that you're looking for on the blue side once the red team gives you that information?
Ron 11:05
What I'm looking for is, and this is a selfish answer, is I'm looking for the biggest opportunity to provide an impact because honestly, I do want the recognition, I want the involvement from other team members, and then the delivery from me to get some credits, share the credit with my team members. So, I'm looking for that report that I can make into actionable decisions, whether it be from remediating a misconfiguration, resolving a vulnerability. I want to take this report that the red team is going to give me and ultimately, decide quickly. I don't want to make this a year-long engagement where I have to take a report and do something with it. I want to do it immediately. So, from a blue perspective, that is my answer, taking a report and making it impactful so I can look great with my team and my technology. And that's exactly what PlexTrac does, right?
Chris 12:00
Yeah, exactly. That is exactly what PlexTrac does. If you're interested in PlexTrac and being sure that you have that conversation, that communication, that impact that you're getting from the offensive side of cybersecurity, be sure to visit www.PlexTrac.com/HackerValley. That's PlexTrac.com/HackerValley.
Ron 12:24
So, let's continue on the topic of difference makers. We've actually brought in a difference maker this episode, because this guest that we've brought doesn't just make a difference with technology. They make a difference with bringing people into the industry and helping underrepresented groups, helping groups of all walks of life, really get into the field and make a difference. Who is our guest, Chris?
Chris 12:48
Our guest today is Mari Galloway. She is beyond impactful when it comes to special interest groups and in technology. It is an honor to sit down with her. Let's jump right in. Welcome back to Hacker Valley Red where we're exploring the nexus of offensive cybersecurity and humanity. I'm one of your hosts. I'm Chris Cochran.
Ron 13:10
And I'm your other host, I am Ron Eddings. And we are joined this episode by Mari Galloway, the CEO of the Women's Society of Cyberjutsu, and a close friend of us here at Hacker Valley. Mari, thank you for joining us on Hacker Valley Red.
Mari 13:27
Thank you for having me. I've been waiting for this moment. I seriously have been. So happy to be here, excited to be here. Looking forward to it.
Chris 13:36
We're so excited to have you as well. All the things that you've built for the community, for the people out there that are in cybersecurity, and even outside of cybersecurity, cannot go unnoticed. But for the folks that don't know who you are just yet, we'd love to hear a little bit about your background and what you're doing today.
Mari 13:52
Well, what I do now is I'm a Sales Engineer and Systems Engineer for Palo Alto Networks. I started with them about a year and a half ago as a Customer Success Architect. Prior to that, I worked for the Venetian and the Palazzo here in Las Vegas as a Vulnerability Management Analyst, building their vulnerability management program. And as an architect for the casino, for all of the casinos actually, there's three different locations. Prior to that I worked in the government, so I've worked in a number of three letter agencies across DC and North Carolina, before making my trek out here to Las Vegas and did anything from network engineering to insider threat management to some stock work a little bit at US CERT before I left. That's my professional life. I also run the Women's Society of Cyberjutsu, a 501(c)(3) national nonprofit, providing hands-on training to women and girls looking to enter and advance in this space. We do workshops, we do conferences, Cyberjutsu Con is coming up in June, if anybody's available. We do study groups, we go to conferences together for lobby con, all kinds of cool stuff to just get women more involved and get them feeling confident about being in cybersecurity and about advancing in this space. Outside of that, I teach for the University of Maryland, their Global Campus. I also run a bookkeeping and cybersecurity company. So, if anybody needs some bookkeeping assistance, I got you covered. And I make wine in Las Vegas.
Chris 15:16
Hey!
Ron 15:18
So, little bit of everything! Sales engineering, architecture, CEO of Cyberjutsu, and wine. I didn't know that one.
Mari 15:27
Yes, yes, four years in the making, five years now, actually. Red wine.
Ron 15:32
So, we titled this season cybersecurity legends. And we knew we had to talk to you because we spoke to Lisa Jiggets on a previous season, and all she could do was brag about you. "Mari is so amazing. She's helped me build this organization, so I made her the CEO of the organization that I helped found." I think that's really great. That's impressive. And I also worked at Palo Alto Networks, and there's a whole story about that we're not going to get into, but I would love to know a bit about what is this drive for you? We're talking about legends. I think legends have this extraordinary drive. And you have this drive to almost, it seems to reinvent yourself constantly. Where's that come from?
Mari 16:15
I don't consider myself a legend, but I think— My mom was in the Air Force, she did 25 plus years and so that was my role model. That was who I saw. She did accounting and taxes and financial things, and I think it just came from that. She was always doing stuff. She was always impacting somebody. And so, I was like, "I gotta do the same thing." Plus, I just like to do a lot of stuff. Cybersecurity is my first love and it pays the bills, but then I also like to do the winemaking and running a nonprofit, because I'm a serial volunteer. I've been volunteering probably since I was in middle school. I was gonna say how many years ago that was, but I'm only 25 in air quotes, but I think the drive for me to just give back started when I was younger. It was just always there, I was in Girl Scouts and volunteering with that stuff, and then, when I got to high school, I was in this program called Avid, so Advancement Via Interpersonal Determination. And so, they put you in these advanced courses, and you have to be really smart or something. But when I graduated high school, I ended up volunteering for that program, too, at other schools, just to be able to help somebody see their potential and just kind of grow into what they're supposed to be. It's kind of what drives me, and I get to do that every day with Cyberjutsu, because I get to help women that think they can't enter the space and they can't be in cyber, and it's like, "No, you can, you have the skills. You don't have to be technical, but you have the skills." And so, to be able to see them see themselves in a space is what drives me.
Chris 17:46
Yeah, that's incredible. And that's something that I want to become myself, I want to bring people to cybersecurity. I would love to bring people to technology, but I have to imagine that when you first bring someone to cybersecurity, when they're just finding out about it, I'm sure sometimes you give them that red pill, blue pill sort of scenario, you can be a breaker or you can be a builder. Tell us about the people that choose to be breakers and you watch them grow into pen testers and red teamers, and all the like. What is that like to see them go from taking that original red pill all the way through starting their career?
Mari 18:23
It's pretty fascinating. Take Tanisha Martin, she's been a member of Cyberjutsu since the beginning. Now she's running her own organization, helping other people become hackers and pen testers. And it usually starts with their first cyber competition. And it's like, "I can't do this, I can't do this, I can't do this." And then they go, and they solve that first challenge and their face lights up. And it's like, "Oh, I can do this. I know what to do. I know how to ask the questions, I know how to navigate." And so, to see folks do that— We've had a number of folks that have transitioned into cybersecurity from other fields, and to see that they've been successful, to become managers and leaders in their own organizations, it's really powerful, I think. It's really powerful, plus, it helps others coming behind them see the potential that they could have. So, there's a lot of days I don't want to do this anymore, right? I don't want to run a nonprofit as a volunteer anymore. It's frustrating, but then when I get those emails and say, "Hey, you know, you did this presentation, or you did this workshop, you guys had this event, and now I'm doing XYZ," it's like, this is why we do this. These are the moments we're waiting for, whether it's one person or 50 million people. We want you to feel confident enough to get the skills you need, get in the industry, continue to refine those skills, and be super successful.
Ron 19:40
It almost reminds me of, in some ways of having a purpose, like you are driven for cause and it sounds like part of the cause is to see other women, other people in the cybersecurity community succeed, which I love and it's also influencing me, making me a better person. But I'm curious as to: What is your purpose? It seems like you have all of these skills, whether it's from being an architect, being a winemaker even, and also leading a nonprofit. What would you equate your purpose to, and how does all this fit into it?
Mari 20:14
That is a great question, and I'm still trying to find that out. I asked myself that every single day. I think as I get older, as I start to take steps back to just kind of look at what's happened and the impact that I'm having and others around me are having on the next generation of folks coming up, I think my purpose is to help people. It's to help other people see their potential, whether that's in tech, whether that's in education, whether that's in winemaking. I want you to be able to see your potential, and I think that's what's becoming my purpose. On the work side, that's probably consulting or something, but yeah, I'm still trying to figure that one out. I don't know for sure, but I know I'm going that route, to be more engaged and to be more helpful to the folks that I come in contact with.
Ron 21:02
It almost reminds me of mine, sorry to cut you off. It almost reminds me of mine, because my purpose is to acquire these rare and valuable skills, and my kryptonite is when other people don't understand my value. I'm trying to share something with them, and they don't quite get it, but for you, it's like, you're helping others understand the value that's within them. Let's say you're a consultant for helping people realize their dreams in some ways.
Mari 21:28
I thought about being a career coach. Somebody else asked me that and they were like, "You should be a coach." And I was like, "Yeah, see, I don't think people want me to be their coach." I mean, there'll be great information and valuable, but I'm gonna hold you accountable. And a lot of folks don't want to be held accountable. I don't know, that might be my next thing, when I get to that retirement age in a few years is to coach people to find their potential, to start tapping into what they're good at, and utilizing that and sharing it and being proud of it.
Chris 21:57
You say you don't know what your purpose is, but it seems like, evident just by the stuff that you put out into the world, and even this conversation right now, that you found it. You want people to have a place to become their best self, and that's one thing that we talk about quite often is having a learning environment. Because if someone's going to enter into something that can be pretty vulnerable, if you're learning something like a martial art for the first time, going into a place where you can make mistakes and learn and grow, that's where you're going to have the most growth. If you go somewhere where no mistakes are allowed, and if you make a mistake, people make fun of you, no one wants to be in that type of environment. So, when you think about the organization that you lead, and all the other things that you do, how do you feel like creating that safe environment has affected others?
Mari 22:42
It invites them in, right? When somebody feels safe enough to ask a question, you've just opened the door to so many possibilities for them. And that was the whole point behind Cyberjutsu. When Lisa decided to start it, she was in a number of different hacker groups around the DC and northern Virginia area, she was literally the only woman, and then she said, "You know what? We need our own space." And when she did that, what she realized was there was other women that wanted that same thing. There was other women that wanted to, even if it was just to figure out, "Okay, what does this cybersecurity thing mean? What does this hacking thing mean?" There was other people and other women that wanted to do the same. And so, having that ability— When I first found the group, it was about six months after she had started it. It was for a study group, I had failed the CISSP, and so, I wasn't trying to find a study group, but I was looking for a safe group to go to where if I didn't know the answers, I wouldn't feel like, "Ooh, I'm not smart enough." And when I found the group, that's what I got from it. You know, everybody was helpful and everybody was like, "Yeah, you got this." They were encouraging. It's like a little family. We call it our Cyberjutsu Tribe, and we want to make sure that anybody that comes to us feels like they can reach out and touch us and ask us questions and get answers and just have a conversation with us.
Ron 23:57
What do you see as being that next frontier? We talked a lot about just, as a community, bringing more people of color in, bringing more women in, and now, we are here. There is a lot of women in the field, there's a lot of people of color. We got three of them on this episode right here with us, especially difference makers at bat. What do you see as the next opportunity for people to make a big difference in cybersecurity and technology?
Mari 24:23
That's a good one. I think it's going to be educating people, taking the knowledge that you've gained from your experiences, whether it's from 5 years or 20 years in the space, and educating people. Actually educating folks, not just talking at them, but talking with them, having these conversations about what's possible. Yeah, I think we're going to start seeing more folks in leadership positions to be able to make change in organizations. That's a hard question, even though we're here, there's still a lot of work that needs to be done. We still need those opportunities and so, with folks like us and other folks that are in our positions, just allowing those opportunities to be given to those that want it and don't realize it, and those that want it and do realize it.
Chris 25:06
One thing that I think about all the time is that, when I was coming into the space, it seemed like everyone had to be technical. If you weren't technical, you weren't worth your weight in anything, if you didn't have those technical chops, but I think now we're getting to a space where you could be focused on the strategic, you could be focused on the business side, or the accounting side of cybersecurity, the compliance, the GRC side of cybersecurity. When you think about the whole spectrum, from people that are doing red teaming and malware analysis all the way through to the folks that are doing more leadership and strategic focus things, how do we invite more people in and let them know like, "Hey, you don't have to necessarily be the person that's with the ones and zeros, you can do other things on the offensive and on the defensive side of cybersecurity?"
Mari 25:51
It starts with awareness and it also starts with stepping outside of where we typically see folks at, right? So, we go to the same conferences, we go to the same career fairs, we go to the same schools and all this stuff, we never step outside of that circle. And so, for folks to get awareness about the opportunities in cybersecurity, outside of just technical, is really important, which means we have to start at the younger age, middle and high school, to give them that awareness to say, "Hey, there's an opportunity here, you don't have to be super technical." You can be the strategy person, or you can be the person that has the critical thinking skills, or whatever it is, and still be successful in this space, and still utilize whatever skills you gained from middle school to high school, and college if you go to college in cybersecurity. But I think it boils down to just stepping outside of the normal channels that we usually use to reach those populations, and give them that hope and then representation, right? For me, I've been technical most of my career, but I've always wanted to move into the more managerial leadership type of roles, but it's been difficult, because I feel like if I go that route, I'm gonna not be seen as smart and cyber anymore, which isn't the case, but the way that it's set up is like, you have to be that technical. And so, it's been a struggle, but having the representation at those higher levels helps.
Ron 27:13
That was going to be the next thing I was going to talk to you about is, we've been in the game for a while. Chris has been in it longer than me, I'm not sure how long you've been in cybersecurity, like, 12 years. Exactly. I've been in it for 11 years now. So, even at 11 years, I can't see the new pathway. I don't know how to re break into cybersecurity, I only know where I'm at today and there's getting more technical, or becoming a CSO, becoming a CEO, but I don't think it has to be that way, right? Like, we're seeing people break into cybersecurity in a completely different way, from marketing, from sales, from engineering, even having just a programming background, all of a sudden, they learn these little facets about cybersecurity and there's always companies that need marketing, sales, or even engineering. What have you seen as the future of new pathways created from just cybersecurity becoming more present and people becoming more aware? Is there other things besides being a manager or leader? What are these other pathways that you've seen?
Mari 28:20
Entrepreneurs. I mean, I think we're all entrepreneurs on this call. Especially with COVID, and people leaving their jobs, entrepreneurship is a great way into cybersecurity without having to be super technical. Project management. I mean, it's still kind of management, but we need folks that have the ability to manage these projects that we're working on, and manage budgets, and manage all of those things. I work with a number of ladies that do marketing for cyber companies, which I've never even thought of, but as soon as we opened up that bubble of what cybersecurity entails, from pen testing and digital forensics type of stuff to everything else, you started to see folks coming in. And so, education, marketing, what else? Consulting, the sales side, even. Even though there's a lot of folks on the sales side now, a lot of people don't realize that you can get into cybersecurity on the sales side of things. You can either be a sales rep or a sales engineer, right? You can make commissions, you make money. I think as long as we start to advertise that, "Hey, there's money to be made outside of just being technical," it'll start to open the eyes of everyone else. Like, "Hmm, I do have education skills, like I was a teacher, I can be a teacher on the cybersecurity side, and I don't have to be deep in the weeds to do that." Does it help? Maybe, but it's not a requirement. You don't have to look like this to be a hacker. You can look like me. You can wear heels. You can have fancy colored hair, you can have long fingernails or short fingernails. You can wear khakis if you want. That stereotype, I think, is dying, as we see the number of women coming in and men coming into the space that don't look like that anymore. And for me, when girls see me or Lisa, or Tanisha, or Alyssa, they can see themselves in the space, it's not going to keep them from being in this space. 
And we've seen it, we have a girls’ program for Cyberjutsu out of the east coast, and we've had a number of girls that have come through the program, and then hit us up couple of years later and say, "Hey, I changed my major in college. I was going to do X, now I'm going to do computer science," or technology, or things like that, because they saw someone that looked different than what was on the TV.
Ron 30:31
This topic makes me think of what we know as impostor syndrome. I was lucky enough that I never felt like an imposter in cybersecurity, because I didn't know that other people felt that way, so I had no expectation for that myself. But as we start to shape this new paradigm of what a hacker is, and what it can be, I would imagine that more and more people are going to start to feel like maybe they don't belong, just because there's such a wide variety of people. Everyone's talented, everyone has talents, God given or just learned, and people can acquire skills, they can learn skills by reading a book, but when you look around and you see that someone knows something you don't, you might get a little self-conscious. How do you help the ladies or the young women that are trying to break into the field, they have talents, they have skills, but they still look around and notice the skills that they don't have that other people have? How do you coach them through that?
Mari 31:27
Oh, I have that problem all the time. I look at folks all the time, like, "Dang, maybe I should have known that." But I usually tell folks to take that energy and put it into learning what you don't know. The same thing with negative energy, take all of that energy, because all it is just an energy you feel like, that feeling of, "I'm not smart enough," isn't necessarily true. You just know different stuff than this person does because what you know, they may not know either. And so, take that energy, put that back into yourself, and learn what it is you need to know, and realize that you're not going to know everything, because we're not built to know everything, unless you're a super genius. And that's okay, it's okay to say, "I don't know." I've learned that a lot working at Palo Alto, when customers ask me questions. "I don't know, let me get back to you. Let me figure it out," you know what I'm saying? And they respect that, and people understand that. And so, impostor syndrome was just having doubt in yourself, you have to learn that you're only as good as what you do, right? If you're only doing the bare minimum, you're only going to be as good as the bare minimum. But if you start to go above and beyond what you're normally used to and get out of that comfort zone, you're going to be successful and after a while, that whole, "Oh, they know more than me." Okay, cool. Well, you got to do that stuff, I'm gonna go do this stuff over here. I want people to look at me and say, "You know what? If she can do it, I can do it." And it doesn't matter if it's a man or a woman, because I've had a number of guys come to me and say, "I've been following you, and you post all this stuff, and blah, blah, blah." And it's just like, "Really?" I think the biggest thing is, I want them to be able to see themselves in the same position. If that means I have to do extra stuff, then that means I have to do extra stuff. But they're the future. 
Once we retire, once we're out of this game, they're the ones that take the lead at that point and I want them to feel confident that they can do that.
Ron 33:19
Sometimes it's scary to look and see yourself out of that picture. I know for me, I'm like, "No, I want to be the future still, I want to reinvent myself and keep going."
Mari 33:31
And it's possible that can happen, right? But at some point, like our ancestors, they did their thing, they left things for us to continue to do, and that's our job. We've done our thing, now let's leave something for that next group of folks to have something to do, to strive for, to push even further than what we were able to do.
Ron 33:49
I'm doing my best to contain myself from asking this question, but you know what, I'm gonna bring it up anyways, I'm gonna bring it up anyways. And what I really want to know is this retirement concept, before we jumped on a hit record, you were like, "Hey, I might actually retire in the next six years." How does a cybersecurity professional, a technology expert, get to the point to where you're at and have this idea of retirement before the age of 60?
Mari 34:19
Well, because I get tired of working and it's retirement from having to work. Most of the folks that work, they have to, they don't have a choice, because of financial reasons, because they have families, because they have kids or there is some kind of financial issue happening in life. For me, I want to retire at 45, in six years, because I want to enjoy my life a little bit more. And I want to be a little bit freer with what I do in cybersecurity, right? I don't want to be limited to, "Because I work at Palo Alto, I can't do XYZ things or I can't do these things." I want to be a little bit freer with what I'm doing in this space, and I can't really do that right now. And I want to travel more, right? I want to be able to travel more and educate folks in other countries that may not have the same resources that we have. That's that nonprofit side of things, again, that volunteer side of things, again, and just be able to give back in a different way than what I've been able to so far. Plus, cybersecurity can be stressful. I'm not gonna lie, this industry can be stressful, it can wear you down, it can burn you out, and I'd rather just have a little bit more freedom when it comes to that kind of thing.
Ron 35:29
Right. So, what is freedom? What exactly does that mean?
Mari 35:33
More wine. Honestly, being able to do what I want and still making an impact. I even thought about running the nonprofit full-time, right? That would be kind of cool to run a nonprofit full-time, but the pay in some of them sucks. And so, it doesn't make logical sense, but being able to just do you, be you, and there might be companies out there that allow you to do that. I haven't found them yet. I'm still looking, but the company I'm at now is pretty good about giving you that freedom to do some stuff, but it's a mindset. Being free from whatever it is that's holding you back. In our case, it's financial stuff.
Ron 36:14
It's a mindset and a state, not only do you have to have the mind, the personal freedom, but I mean, you're describing something that is really important. And that's the other component is financial freedom. Having the resources to finally say, "Yes, because I really mean it," or, "No, because I really, really mean it."
Mari 36:31
Right. My mom was in the military, and I saw some things, but she's still working. She's still young, she's not going to retire until she's 65. And I don't want to work until I'm 65 and then only have another 10 years to just like really, really enjoy life.
Chris 36:47
Mari, there's someone that's listening to this episode, or watching this episode right now, that wants to build their own community. What advice would you have for them about going about it?
Mari 36:59
So, yes, it takes hard work, but it's more about opportunity. And I've been seeing recently, it's hard work doesn't get you to where you want to get to. It's about opportunities, and I will say that I've been fortunate enough to have a number of different opportunities that have led me here, most of them from my network, right? So, if you're getting started in this industry, you have got to build a network. You have to talk to people, you have to put yourself out there a little bit and be vulnerable, because that's when the opportunity starts to come. And I talk about this a little bit in my upcoming course that I'm working on right now for launching your career, you have to tell your story, you have to know why you want to be in cybersecurity, and then you have to share that with folks, because that's how the opportunities come. Once I started sharing how I got here, what my origin story was, and where I've come from, people started to look at me and say, "Hey, let's bring her in. Let's bring her up." Honestly, that's how I got to where I'm at. Hard work and opportunity.
Chris 38:00
Mari, thank you so much, from the bottom of our hearts. For the folks that want to stay up to date with you and all the great things that you have going on in your world, what are the best ways that people can do that?
Mari 38:01
LinkedIn and Twitter. So, I think my LinkedIn is the Mari Galloway, and my Twitter is @MariGalloway. So, definitely those are the best places. You can also check me out on WomensCyberjutsu.org. Check out all the events we have coming up, join the membership, be a part of the fun, be a part of the Cyberjutsu Tribe. And if you're ever in Vegas, let me know. I'd be happy to take y'all to the winemaking place and the winery that we go to.
Ron 38:36
I love it. We will be sure to drop all of those resources in the show notes, and we highly recommend everybody to check out Mari and Women's Society of Cyberjutsu. Thanks again, Mari, for joining us, and we'll see everyone next time.
Chris 38:51
What an incredible conversation with an incredible person, I learned a lot about making an impact. Whether you're talking about technology, you're talking about your team, or you're talking about the community, Mari is making a huge impact in community and bringing in that next wave of cybersecurity practitioner. What did you take away from the conversation, Ron?
Ron 39:12
I took away that we just have to start somewhere. We could try to be all of the things, Mari did describe herself as a winemaker, an offensive operator, a security architect, she's really everything, but all of that success, all of the difference that she made, started with just taking that first step. And that's really what I took away from this episode with Mari, but just working into the red side of the house, you start with that initial access, and then you work from there, and I think that's what it's all about.
Chris 39:42
When we're looking at the context of being a difference maker, going from zero to one and one to 1,000, we've said it before that person is going from zero to one. First, they have to observe, they see where the difference can be, they see what could be better and then they orient: How do they make an impact and how does it work? Reflect on their environment, on their community, whatever it is, and then they decide. They make a decision to make that difference. How do they make that difference? They have to make several decisions in order to get there and then, ultimately, they take the action, they make an improvement. They take their intention and make it real, and that's what it's all about in cybersecurity and the offensive side of the house.
Ron 40:20
Love it, and that's what we're going to be doing throughout this season. We're going to be taking the OODA Loop, we're going to be observing the greatness from our guests, we're going to be orienting ourselves within this world of offensive operations and red teaming. We're going to be making decisions along the way with our great partners at Axonius and PlexTrac, and acting, sharing this information with you all trying to present it in the best way possible. And we love that you're on this journey with us, we want to make sure that you continue on this journey along this season. So, if you love the content, it would mean the world to us if you shared it on social media, or subscribed on your favorite streaming platform, and also joined us in our Discord. We just launched a Discord and it's buzzing with over— It's hundreds of people at this point and we would love if you joined and stayed up to date with us, and you can find that at HackerValley.com/Discord.
Chris 41:14
Definitely join the Discord. Let us know that it was this episode that you're coming from. And as always, thanks for joining us and we will see you in the next Hacker Valley Red episode.
