About this DevOps Toolchain Episode:
Today's episode delves into the crucial intersection of cybersecurity and powerful people skills. Joining us is Christian Espinosa, a leader in the cybersecurity field known for his dynamic approach to developing effective communication and leadership within high-tech teams.
Together, we tackle the pivotal role of CISOs, not just as technical experts but as vital communicators bridging the gap with board directors and C-level executives. We'll explore the key strategies for securing cybersecurity budgets by translating complex risks into business language that resonates with stakeholders.
Christian brings his invaluable perspective on how aspiring cybersecurity professionals can align their careers with their personalities and why hands-on experience is crucial for certifications. Plus, we'll get Christian's expert take on today's top security trends, such as the growing need for medical device security and the importance of integrating security within the software development life cycle.
But that's not all; Christian will share his revolutionary 7-step secure methodology. This program is designed to develop and enhance people skills, especially for those high-IQ individuals in tech, touching upon awareness, mindset change, acknowledgment, communication, monotasking, empathy, and the pursuit of continuous improvement with Kaizen.
You won't want to miss Christian's insights into overcoming industry challenges, the role of AI and machine learning in cybersecurity's future, and why integrating security from the start of software development is essential.
TestGuild DevOps Toolchain Exclusive Sponsor
BUGSNAG: Get real-time data on real-user experiences – really.
Latency is the silent killer of apps. It’s frustrating for the user, and under the radar for you. It’s easily overlooked by standard error monitoring. But now BugSnag, an all-in-one observability solution, has its own performance monitoring feature: Real User Monitoring.
It detects and reports real-user performance data – in real time – so you can rapidly identify lags. Plus gives you the context to fix them.
Try out Bugsnag for free, today. No credit card required.
About Christian Espinosa
Christian is an author and a dynamic entrepreneur and leader passionate about inspiring others to harness their innate wisdom, overcome perceived barriers, and summon the courage to tread new paths. Christian believes leadership starts with self-leadership, and cybersecurity is one of his many areas of expertise.
Cybersecurity and my books:
Connect with Christian Espinosa
- Company: www.bluegoatcyber.com
- Blog: www.christianespinosa.com
- LinkedIn: www.christianespinosa
Rate and Review TestGuild DevOps Toolchain Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.
[00:00:01] Joe Colantonio Get ready to discover some of the most actionable DevOps techniques and tooling, including performance and reliability for some of the world's smartest engineers. Hey, I'm Joe Colantonio, host of the DevOps Toolchain Podcast and my goal is to help you create DevOps toolchain awesomeness.
[00:00:17] Joe Colantonio Cyber attack, an ominous word that strikes fear into the hearts of nearly everyone, especially business owners, CEOs, and DevOps engineers. So with cyber attacks resulting in often devastating results, it's no wonder companies really try to hire the best and brightest in the I.T. world for protection. But are you doing enough? Do you understand your risk? What if the brightest aren't always the best choices for your team and company? That's what we'll be talking all about today. Hey, I'm Joe, and today, we have Christian joining us to talk all about cybersecurity and his book, The Smartest Person in the Room. Christian is an author, a dynamic entrepreneur, and a leader, passionate about inspiring others to harness their innate wisdom, overcome perceived barriers, and summon the courage to tread new paths. He has a really interesting background. Also, he believes leadership starts with self-leadership, and cybersecurity is one of his many areas of expertise. You don't want to miss this episode. Check it out.
[00:01:15] Joe Colantonio Hey, if your app is slow, it could be worse than an error. It could be frustrating. And one thing I've learned over my 25 years in industry is that frustrated users don't last long. But since slow performance isn't sudden, it's hard for standard error monitoring tools to catch. That's why I think you should check out BugSnag, an all-in-one observability solution that has a way to automatically watch for these issues: real user monitoring. It checks and reports real user performance data in real time so you can quickly identify lags. Plus, you can get the context of where the lags are and how to fix them. Don't rely on frustrated user feedback. Find out for yourself. Go to bugsnag.com and try for free. No credit card required. Check it out. Let me know what you think.
[00:02:04] Joe Colantonio Hey, Christian. Welcome to The Guild.
[00:02:10] Christian Espinosa Hey, Joe. Awesome to be here.
[00:02:16] Joe Colantonio Great to have you. I guess before we get into it, I always like to ask authors. You've written multiple books, but the one I think I'd like to focus on today is The Smartest Person in The Room. Why did you write this book?
[00:02:27] Christian Espinosa I wrote that book because with my first cybersecurity company, when I really reflected on the challenges I was having, it was because my staff lacked people skills or emotional intelligence. So I used to hire people purely based on their technical skills. And I realized it wasn't because somebody lacked the technical skills; it was because they lacked those people skills. So I worked hard in my first company to fix that challenge, to bring some EQ skills to complement people's already high IQ, and solve that challenge in my first cybersecurity company. And that journey is really what I wrote a book about. And I also want to try to help the cybersecurity industry and other high-tech industries. I feel like there are a lot of people that want to be smarter than other people, and that's how they feel significance. They talk over people's heads, they create all these acronyms. They don't collaborate very well. So it causes a lot of challenges in cybersecurity specifically.
[00:03:28] Joe Colantonio Love it. How did you get that insight, though? I mean, I've worked with a lot of companies, and a lot of times it seems like the hardest thing to do is, like, the culture is the hardest thing to fix. So people usually say, oh, it's the tooling or it's our process, and it's really a hard leap to say, no, it's the culture. It's a little toxic. If we work on the culture, then we could get to this place. It doesn't seem to be a very popular opinion.
[00:03:52] Christian Espinosa Well, it was my company that I started and funded. I was the only owner and investor, so I wanted it to succeed. So I constantly looked at what my role was as a business owner and a leader in the company and tried to close those gaps, and that was a gap because I noticed clients wouldn't come back to us for a second engagement. And it was because one of my engineers would make them feel unappreciated or misunderstood and talk over their heads, for instance. So I just had to really do some reflection and some inward-looking and take stock of what the real issues were within my organization, and then come up with a way to fix them.
[00:04:33] Joe Colantonio I also would think it'd be harder to hire for these skills, because a lot of times it's like, out with your certifications, here are our technical terms. You know them. Yes. Okay, check. You're hired. How do you hire then for people with EQ skills? Is it a different kind of process?
[00:04:48] Christian Espinosa 100%. So I changed my interview process. I used to just hire for, like you said, the tech skills, the certifications. But then when I realized that was a challenge, I kind of flipped the script. And I hired for cultural fit based on a set of core values I came up with. So we asked interview questions based on core values and judged people's responses, and those core values aligned with emotional intelligence so we could understand what kind of people skills somebody had, what kind of ownership they took over challenges, and then only if they passed that part of the interview, then we would go and ask them the technical skills, because I'm a believer that people skills are skills with an infinite shelf life, whereas tech skills have a finite shelf life. You always got to learn something new, so there's no reason why somebody should be resistant to learning those people skills. I think we've tolerated it in cybersecurity and we make TV shows about how the geeks don't have any people skills. And we just sort of created this elephant in the room, I believe. I'm a believer that we get what we tolerate.
[00:05:49] Joe Colantonio You wrote this book, I think, a few years ago, and I think it's more relevant now than ever. I'm curious to get your take on this with AI now in the mix, where a lot of these technical skills can be kind of augmented using AI, it really comes down to what makes you different than ChatGPT, which is your people skills. Do you see the same?
[00:06:09] Christian Espinosa 100%. I believe I included that in my book because I think AI and other technologies are going to replace things that are technically driven, like even programming. I mean, you can use ChatGPT to help write your programs, but the thing that can't be replaced is those people skills. AI can probably get pretty good at emulating that, but it's still not a human with a soul and emotions and your past and our vision for the future. So I don't think people skills can be emulated by AI.
[00:06:40] Joe Colantonio Nice. So in the beginning of your interview then, when you're doing the EQ type of questions, are there any red flags or any good questions to ask to get to the heart of whether this person is going to fit your culture, or does it depend on each? Obviously, each company has a different culture, what their main tenets are, I guess?
[00:06:58] Christian Espinosa One of the things I used to do is a sort of personality assessment called the Predictive Index. And if somebody refused to take that test, obviously that's a red flag. And I don't believe personality tests are 100% accurate, but they give you an idea of how you see yourself and how the rest of the world sees you. And that will also give me an idea, as an employer, of what would be a good position for you. Because if you don't like to talk to people, you're an introvert. You wouldn't be good at sales or as a sales engineer, for instance. So that's a big red flag. And then also if people show up to interview and they kind of skip over the answers when we ask for scenarios, or when somebody has taken ownership of a situation where they had a challenge with another staff member, for instance, if they sort of skim over the answers, then that's a red flag also because I'm looking to see how they took ownership and reflected on themselves with that specific scenario when they got into a conflict with somebody else, for instance, because most people will say it was the other person's fault, versus try to look at what their role was in that conflict or that discussion. And that obviously is a red flag as well.
[00:08:08] Joe Colantonio Gotcha. So I also believe you have a 7-step secure methodology you use. I'm curious to know how this methodology gets to the root problem and culture type of issues. Maybe, we'll go over each of the 7 methods from the secure methodologies.
[00:08:22] Christian Espinosa Yeah. The secure methodology is the 7 overarching steps I came up with to develop people skills and to help people have a path to develop people skills. I think one of the challenges with high-tech or high-IQ individuals is there's a lot of stuff out there about emotional intelligence, but there's not, like, a clear path. So I try to provide a clear path with those 7 steps, and I'll briefly go over those steps. The first one is awareness. I think everything starts with awareness, and it's not just awareness of everybody else, it's awareness of ourselves. And in the book, I talk a lot about neurolinguistic programming because my audience is programmers and high-tech individuals. What a lot of people fail to understand is we're very programmatic. Our brains have these neural pathways. That is basically like a program that runs, and often that program is not serving us. So we have to have the awareness to realize this program isn't serving us. I need to Control-C or stop that program and then run a different program, and eventually, that new program will become the default program. An example of that is like one of my engineers: if somebody asked him a question, his program was to start getting defensive. That's what he automatically ran. Whereas a better program would have been: maybe I should be curious why they're asking me questions, or what I didn't quite explain right. And that would change his approach to that situation. So that's awareness. The second step is mindset. I'm a believer that there are two types of mindsets. Carol Dweck wrote a book about this. There's the growth mindset and the fixed mindset. And if you have a fixed mindset, you kind of just believe you're just the way you are. Your brain is hard-wired and you can't learn anything new, which a lot of people will say: I'm just not good with people. 
And when you constantly tell yourself that, it's a reinforcement. That means you have adopted a fixed mindset and you don't think you can get better with people. The other one is the growth mindset: believing that our traits are not fixed, we can develop new traits and new habits, and we can rewire our brain, basically. The third step is acknowledgment. One of the things I realized as a leader is that I had a hard time acknowledging myself. I remember in 2015, I finished the Ironman World Championship in Hawaii, and 10 years before that, I stood under the finish line as a spectator, telling myself I'd do that race one day. And when I finished it, I never once, like, congratulated myself. I was automatically thinking about the next big thing to accomplish. And I realized that if I couldn't acknowledge myself, I was going to have a hard time acknowledging my staff, which, as a leader, matters: your staff wants to feel understood and appreciated. That was a big shift for me. And then the fourth step is communication. With communication, I'm a believer that the meaning of communication is the response you get, so that shifts the ownership back on you to alter how you communicate with someone if they're not responding in the way you want. And in cybersecurity and other high-tech industries, we often say that people don't understand what we're talking about, and we just blame the other people, versus maybe we should alter how we're communicating. I think that is a big issue in a lot of tech industries. People talk over other people's heads and we wonder why we don't make progress. And step five is mono-tasking. Mono-tasking is a little bit controversial. Mono-tasking is the antithesis of multitasking. It is doing one thing with concentrated effort at a time. So that means if I'm programming, for instance, I turn off Slack, I turn off my cell phone. I don't do anything but work on that specific function of the program, for instance. And I'll do that for maybe an hour. The next hour, I'll do something different. 
We get much more done when we monotask than multitask, because when we multitask, we have to constantly switch from one task to another one. That context switching causes us to lose efficiency and actually mix up the tasks we're working on. The other thing that mono-tasking helps with is presence. If I'm mono-tasking when I'm with somebody or communicating, I'm not thinking about something else. I'm not checking my phone. I'm going to be a much better communicator because I'm going to be paying attention, and the person is going to feel better when they're around me, because if I go to dinner with someone and they're constantly checking their phone, I don't feel very good about it. I'm like, I just want to leave, right? But we constantly see that. Like, I went to dinner that day with my girlfriend, and there was a couple across the restaurant. They were both just on their phones individually, not even communicating with each other. Like, who are they texting? And then step six is empathy. I think in our society today, it's very hard to be empathetic because there's so much division. We like to focus on the differences. If we constantly focus on the differences, like they're the engineers, we're the salespeople, they're the managers, they're the Democrats and they're the Republicans, or pro-vax or anti-vax, it's hard to see the similarities in us. And when we don't see the similarities within us, it makes it challenging to be empathetic. Last year in February, I had some blood clots in my left leg and I had to go to a hospital. And this is an example of empathy. I'm the patient. The doctor's the doctor, and the doctor delivers the news to me about these blood clots. And I asked what it meant. It meant I could die or have a stroke at any minute, which is, like, pretty not good to hear. And I was kind of freaking out about it because I was there by myself. And then he just said to me, in a kind of dismissive way, don't worry, I see this all the time. 
I think he was trying to be empathetic. But I responded, well, I just wanted him to... I was like, well, I don't. This is a first for me. I think in his mind he was trying to be empathetic. But what he failed to understand, which I think is really the issue with empathy, is I'm a fellow human being. He was looking at me as a patient and him as a doctor, and that's how he was kind of approaching this situation, versus: this is pretty bad news somebody's got, maybe we should approach this situation a little bit differently. And then the last step is Kaizen. So Kaizen is a Japanese word that means continuous and never-ending improvement, or CANI. And the thing about Kaizen is mastery is a journey. If we start any of these steps I've already talked about, we're not going to get it right the first time, probably not the second time. And if we adopt the mindset of Kaizen, we just have to realize that as long as we're making improvements, that's what matters. Adopting that mindset of Kaizen gives you the courage to start something, because a lot of people will start something and then it doesn't work. And they're like, well, I'm just going to abandon it. And then they'll just say, that doesn't work for me. But if you adopt a mindset of Kaizen, you realize you have to get worse before you actually get better at something. And as long as I'm taking those steps, I'll accomplish quite a bit in three years, even though I couldn't do it in a week. So it's that incremental improvement.
[00:15:00] Joe Colantonio Love it. I mean, they all seem very difficult to change, though. Like, I think of Kaizen: if you're in security or tech, a lot of times you have a process and you must follow the process. And to get people to deviate from it or make it better sometimes is a struggle. Do you see that being an issue, or how do you get people to embrace more the Kaizen to make these incremental changes?
[00:15:23] Christian Espinosa Well, I'm a believer in the process. You have to step back and look at the process, because the processes are not always efficient, or there may be some issues that were skipped or left out of a process. I'm not suggesting you change the process all the time, because I think that's inefficient. But analyze the process: if it's your software development pipeline and you're doing DevOps, which you mentioned earlier, but you're not doing DevSecOps, maybe you need to add some security in your process. So that'd be adopting the Kaizen. And if the security is not giving you the clean code you want and it still has security issues in it, then maybe make some more changes. So that's the increments I'm talking about. But it's not like you just flip a switch and make all the changes at once, because sometimes you don't know what's going to work until you take the small steps.
[00:16:09] Joe Colantonio Absolutely love it. So like I said, a lot of these are obviously more the soft skills. How does someone get better at them? I think I saw you have a course. Do you have a course on this to help people?
[00:16:18] Christian Espinosa I have a course on the secure methodology. It's available through my website.
[00:16:23] Joe Colantonio And that goes through all seven of the ones that you just went over?
[00:16:25] Christian Espinosa It goes through all 7 steps with some exercises for each of them. Yes.
[00:16:29] Joe Colantonio Nice. Nice, awesome. So now, besides a toxic culture, what are some other challenges you think may impede someone from getting better at cyber security?
[00:16:39] Christian Espinosa Industry acceptance, I think, is a big one. Like I said before, I'm a believer that we get what we tolerate. And for some reason in cybersecurity, we just assume that they are our penetration testers, our software developers, whatever that is. Okay, they don't have people skills. We just sort of tolerate it, and we don't measure their performance on those people skills either. And if we don't do that, then we get what we get. I think as an industry, as a collective, we need to start focusing on that as well. Because of those skills that you alluded to, those technical skills, a lot of them are going to become obsolete with AI. I mean, I use ChatGPT all the time and it can do a lot of stuff. I was using it the other day to troubleshoot a website. It could tell me exactly what part of the code was wrong. And that's going to continue to evolve. And pretty soon the people skills will become even more and more important.
[00:17:32] Joe Colantonio Do you also see, since you mentioned DevOps and DevSecOps, do you see communication as being one of the reasons why, maybe in DevOps, you have a security team that is kind of away from everyone rather than communicating, hey, we need to make this part of the process? The communication breakdown is what causes you to have to make a DevSecOps to get people to remember security belongs in DevOps. I don't know if that makes sense.
[00:17:55] Christian Espinosa It does make sense. Well, that's why we had to create a DevOps to begin with, right?
[00:17:59] Joe Colantonio Right, right.
[00:18:00] Christian Espinosa It's not just the developers in isolation from the people actually using the software. I think it forces that collaboration because otherwise, it's not going to happen. So we have to have this framework, like DevSecOps, to include security and have a process where they collaborate with the developers and make sure it doesn't impede operations too much with the security controls they're trying to recommend that developers put in place.
[00:18:25] Joe Colantonio Awesome. I also know I think you wrote a book on macro versus micro experiences, moments. Micro moments. I'm just curious to know, is there a way you can apply micro-moments to help tech engineers or leaders if they're in the moment during a cyber attack? Maybe it helps them to be more grounded in knowing how to react or the appropriate measure.
[00:18:46] Christian Espinosa For sure. With the in-between, a micro-moment is really, like, the moment right in front of you. And I'm an advocate for showing up with intention in the moment in front of you. If you show up with some intention, you can kind of control the narrative and control what's going to happen a little bit better than if it just becomes circumstantial. So if you're going to a meeting and you're a developer talking to a security engineer, if you both show up with some intention that you want to come to a joint solution, versus just kind of randomly letting things happen, then it results in a much better outcome. And that's with anything. Like, if I set the intention when I go to dinner with my girlfriend that I want to make sure it's a great experience, then that is the intention. That's the vision for the night. Even if the waiter messes up or somebody spills something, that shouldn't derail my experience. That intention is important.
[00:19:36] Joe Colantonio How do you measure these types of characteristics of a team member? A lot of times people are like, okay, if we implement this, we get X amount of return. Is there a way to measure that, like a change in the culture or a tweak in your culture to follow these 7 methods you went over? It will benefit them X amount, or anything like that?
[00:19:53] Christian Espinosa Here are a couple of ways to measure it. With performance feedback, I would rate people on how well they adhered to our core values, which really aligned with those 7 steps. And then the other thing is the client experience and how that improved compared to before I implemented the people skills in my company. And that results in an increase in revenue, because a lot of our clients, after my staff developed the emotional intelligence, would come back and become an annual client versus a single-project client. They value the relationship with us, not just the transaction, basically.
[00:20:29] Joe Colantonio Well, that's a great measure. I'm thinking of NPS score.
[00:20:32] Christian Espinosa Yeah.
[00:20:32] Joe Colantonio For the user.
[00:20:34] Christian Espinosa Yeah, the Net promoter score. Yeah. We actually did Net Promoter Score too and that did go up as well.
[00:20:41] Joe Colantonio Awesome. So what do you see now, then? We've mentioned AI. It's going to be disruptive. I don't know, the people I talk to, a lot of them are ignoring it. I think they're going to be in trouble. But where do you see the future then of maybe cyber security? Obviously, you need to work on the people skills, but are there any technical skills you think they should know that would help them in the future?
[00:21:01] Christian Espinosa I think learning AI and how to use AI is definitely something that people in cybersecurity should be learning, as ultimately we're already kind of facing this right now. It's sort of AI versus AI to some degree. Like the cybercriminals are using AI to their advantage to try to bypass our security controls. So we need to use AI to stop their attempts to bypass our controls. So it's important that we understand ML, machine learning, and AI and how to use that in our arsenal. Otherwise, we're going to just lose the cyber war to the cybercriminals.
[00:21:37] Joe Colantonio If we're then more in touch with our people skills, would that help us know, hey, this is an AI attack, because we'll be able to identify that this is not how maybe a human would behave?
[00:21:48] Christian Espinosa I think so. I think with AI, if you look at a blog post or an email written by AI, there are certain things that it puts in there that a human would not do, in certain ways it constructs the messaging. I think that would certainly help if you are better with people skills, because you would have that foundation to realize that this is not how people interact, because you're used to interacting with people. Versus if you're not, you don't actually understand that that's probably not a person, that's a bot or an AI.
[00:22:20] Joe Colantonio Absolutely. I also checked out one of your YouTube videos on a CISO role, what their skills should be. I was kind of surprised by it. I guess it was more that you shouldn't hire for technical skills. It should be more the soft skills, I think. I don't know if you call them soft skills, but any views on that? I don't know if you remember that video.
[00:22:39] Christian Espinosa I do remember the topic. I'm not sure what I said exactly in the video. I do a lot of videos, but yeah, a CISO, the chief information security officer, their role is not hands-on keyboard. It's communicating with the board of directors, communicating with other C-levels, and funneling that roadmap or message down to a technical team. I think they need some technical skills, but primarily those people skills and the communication skills. One of the challenges a lot of people talk about in cybersecurity, they always say they can't get the budget, the company won't give them a budget. And I am a believer that the main reason cybersecurity organizations, or that part of a company, do not get the budget is they don't communicate in terms of what the business risk is to the board of directors or whoever's in charge of the budget. They just talk technical jargon without showing the actual return on investment and how this is going to help the company. So if the CISO has those skills, they will likely get a budget, which will help the organization overall.
[00:23:46] Joe Colantonio Awesome. Are there any other skills you think people getting into cybersecurity now should know, other than the seven we went over for the kind of personal skills, and AI?
[00:23:58] Christian Espinosa I talk to a lot of people that want to get into cybersecurity. And they're like, I want to get into this. The phrase "get into cybersecurity" is sort of misleading, because cybersecurity has a lot of different facets in it. And I'm a proponent of having someone take a personality test, like you can go to 16personalities.com, to kind of understand a little bit more about yourself. Because if you think you want to get into penetration testing, which is ethical hacking, because everyone wants to do it, it sounds sexy, but your personality doesn't align with that, because that's very... you just constantly have to learn stuff. You have to learn new technologies, new languages, new tools. You have to bang your head against the wall like 100 times before you actually break into something. It's a certain type of personality that is drastically different than somebody in cybersecurity that does auditing. I think it's important you understand what your personality is and pick a path in cybersecurity that aligns with your personality. If you're not quite sure, you can try a little bit of pen testing, try a little bit of digital forensics, try some auditing, and kind of get a feel for it before you, like, go all in on something, because I've had people that have majored in one thing and then they get into the real world and they realize this degree they got in penetration testing is not really what they want to do. They actually want to do digital forensics. So if they would have, like, maybe taken some time before they went through the whole degree program, they could have figured it out sooner rather than later. Because a lot of degrees are basically theoretical versus practical, which is what you have in reality, obviously.
[00:25:28] Joe Colantonio Right. I have noticed with security jobs, a lot of times they say, "... must have the certification." Do you still believe, are there any certifications you think security engineers should have, or is it all based on culture and how well you can train them once they join your company?
[00:25:45] Christian Espinosa I have a lot of certifications. I teach some certification courses. I used to teach a lot of them. I think certifications serve a purpose if they have a practical component. One of the challenges today with certifications is almost all of them are a multiple-choice test. You can go online, find a brain dump, and basically find all the questions and just memorize the questions to go take the test. And the certifications often differ from reality. So if it's a certification like the OCP or OSWE, there are certain ones for pen testing where you actually have to break into stuff in practice and follow a methodology, not just take a multiple-choice test. I think there's validity in those. So the multiple-choice test ones, I think there's some validity, but I think you have to be careful about making a hiring decision just based on that, because the person could have basically cheated the exam.
[00:26:39] Joe Colantonio So it is the new year when we're doing this interview. I always drop my top 12 trends for 2024. Curious to get your top trends, maybe security related, that you see coming up this year and in the years coming up.
[00:26:54] Christian Espinosa Yeah, I would say there are two main things. One of them is medical devices. My company, Blue Goat Cyber, we focus on medical device security. And the FDA has become pretty hyper-tuned to this, with some new changes to the regulations as well. On average, there are 14 medical devices connected to a hospital bed. And we just assume they're secure. But there have been a lot of cases where people have been able to break into those devices, such as a drug infusion pump or an X-ray machine or anything like that, even a device that tracks the movement of your eye for Lasik surgery. These are becoming more and more important, because if someone steals your credit card, it's not that big a deal. It's a little bit of an inconvenience, but if someone breaks into a drug infusion pump and increases the flow rate of morphine and kills you, that's a much bigger deal. It's much more tangible. So I would say medical devices. I guess the overall theme is tangible devices, physical devices that can actually hurt somebody, because I live in Phoenix right now and I take a Waymo all over the place. It's an autonomous driving car. They're only in three cities in the U.S. And I always wonder, what are the cybersecurity risks for this car? If someone hacked into it and spun it up and caused me to get in an accident and killed me, that's a pretty big deal, right? So I went to a website. It says they've done testing, but I've also done testing on aircraft and other cars before. There are ways into it. As we migrate to more and more things that are physical that have technology or AI behind them, we have to be more concerned with the cybersecurity, because I know they're trying out flying taxis in certain countries and cities. Same concept: what if somebody hacks into that taxi and crashes it into a building?
[00:28:38] Joe Colantonio All right. So those types of devices, I would assume once they're in the field, in the wild, it's a little too late to make them secure. So how can we make sure that we're building with security in mind? A lot of times people don't think, as they're coding, hey, is this secure? Is there a way, or do you recommend shifting it left? So when developers are starting from the beginning, they're thinking, not only how do I make this performant, but how can I make it secure, so that you're not waiting until everything's built and baked in before you go, hey, that's a security risk.
[00:29:07] Christian Espinosa 100%. I'm a proponent of the secure software development lifecycle. The sooner you can design in the security, the security requirements, the better. I think the challenge we have, and I know this from experience, I used to run a software development shop, is that most developers don't actually understand security. They were taught how to code and how to create functions and how to go for functionality. And they didn't understand security. And this was very evident when I hired a software developer to be a pen tester for my company. After he learned all the pen testing skills, he thought back on all the code he wrote. He realized how almost all the code he wrote was full of bugs that somebody could have exploited. I think we need to teach our developers more about security and do it as soon in the lifecycle as we can, because, like you said, we tend to wait to the end to try to bolt security on, and it doesn't really work. I'm hoping that the autonomous car was designed with security in it, and I ride Teslas every now and then, and whenever it says it needs to update the operating system, it always freaks me out for some reason.
[00:30:17] Joe Colantonio Awesome. So are there any developer-friendly security tools you think everyone should have as part of the software development lifecycle?
[00:30:24] Christian Espinosa I think it depends on your software development pipeline. I think from an awareness perspective, the OWASP website, the OWASP top ten is a good place to look at common ways that attackers break into software. There are also cheat sheets on there on how to secure your code for mobile development, for APIs, for web apps, and for other things as well.
[00:30:48] Joe Colantonio Awesome. Okay, Christian, before we go, is there one piece of actionable advice you can give to someone to help them with either their personal skills or their security efforts? And what's the best way to find and contact you and learn more about either your company or your books?
[00:31:01] Christian Espinosa I think one piece of advice would be to do some reflection every day. We often just go through our days like a zombie and then wake up the next day and repeat the same thing before we go to bed. I think it's important to reflect on your day and think of a couple of things you could have done better, and that programs your brain while you're sleeping to actually work on that stuff. And that's a much better way to go to bed than to watch a bunch of TV and then go to bed, because it's garbage in, garbage out, basically. And people can get a hold of me on my website, Christianespinosa.com, or my company's website, Bluegoatcyber.com, if they need help with cybersecurity, and I'm on pretty much all social media as well.
[00:31:39] Joe Colantonio Remember, latency is the silent killer of your app. Don't rely on frustrated user feedback. You can know exactly what's happening and how to fix it with BugSnag from SmartBear. See it for yourself. Go to BugSnag.com and try it for free. No credit card is required. Check it out. Let me know what you think.
[00:31:57] And for links to everything of value we covered in this DevOps Toolchain show, head on over to TestGuild.com/p137. That's it for this episode of the DevOps Toolchain show. I'm Joe. My mission is to help you succeed in creating end-to-end full-stack DevOps toolchain awesomeness. As always, test everything and keep the good. Cheers.
[00:32:24] Hey, thanks again for listening. If you're not already part of our awesome community of 27,000 of the smartest testers, DevOps, and automation professionals in the world, we'd love to have you join the FAM at Testguild.com. And if you're in the DevOps automation software testing space, or you're a test tool provider and want to offer real-world value that can improve the skills or solve a problem for the Guild community, I'd love to hear from you. Head on over to testguild.info and let's make it happen.