All about identity access management with the Identity Jedi | Guest David Lee
How does a childhood curiosity turn into a groundbreaking career in identity and access management? Join us for an engaging conversation with David Lee, the Identity Jedi, as he recounts his fascinating journey from tinkering with computers as a child to becoming a sought-after expert in IAM. Lee shares the pivotal moments and unexpected opportunities that transformed his career, providing invaluable insights for anyone looking to break into the cybersecurity field. We explore the essential technical and soft skills that have propelled Lee to the forefront of his industry, along with his unique strategies for navigating complex IAM landscapes.
0:00 - Identity Access Management (IAM)
3:04 - First interest in cybersecurity
8:32 - Identity and access management cybersecurity
13:38 - Computer science and higher education
18:00 - Necessary soft and hard skills for IAM
22:16 - Larger organizations and IAM
24:21 - Defining identity in cybersecurity
29:18 - Variety of identity ideas
33:03 - African American representation in cybersecurity
38:28 - Cybersecurity equity
41:33 - Financial inequity and working in cybersecurity
48:35 - Cybersecurity solutions for more equitable hiring
53:22 - Less racism in the tech industry
57:51 - Best piece of cybersecurity career advice
59:13 - What is identity Jedi?
1:00:04 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
Chris Sienko:
CyberWork and InfoSec would like to introduce you to our new Cybersecurity Beginner Immersive Boot Camps. They're designed to help you gain and enhance your expertise in the cybersecurity field. Join our live interactive virtual classes led by InfoSec's highly skilled instructors, who will guide you through the material and provide real-time support. And, as part of InfoSec's Immersives training, each student will have access to career coaching aimed at helping them start or switch to the cybersecurity field. You heard that right. We aren't here to just teach you the concept of what a security professional does. We want to prepare you to enter the job market with a competitive edge in six months time. Now I've told you about InfoSec certification boot camps, and if you're trying to hit your next career target and need a certification to do it, that's still your best bet. But if you're an entry-level cybersecurity professional or want to be, or you're switching your career and want to experience a career transformation, infosec's immersive boot camps are designed to make you job ready in six months. To learn more, go to infosecinstitutecom. Slash cyberwork all one word C-Y-B-E-R-W-R-K. And learn more about this exciting new way to immerse yourself in learning with InfoSec.
Chris Sienko:
Now let's begin the show Today on Cyber Work. I'm pleased to welcome David Lee, the Identity Jedi. David is a force in the identity access management area of security and a force for good in his work creating awareness and action plans to bring more diverse workforces to cybersecurity. David goes all the way back to his days taking apart and putting together computers, tells how his first major IAM job out of college was literally dropped in his lap, and we talk about all the whys and the ways to hire more diversely, the unspoken financial costs of even applying for tech jobs, and David provides tons of resources and concrete examples of how to get started in identity access management and how to make the cybersecurity industry a more welcoming, equitable and agile place in the future. This is a full hour of insight, so keep it here for today's episode of Cyber Work.
Chris Sienko:
Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of InfoSec professionals, as well as leaving you with tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, david Lee, transitioned from software engineering to becoming a harbinger of change and inclusivity in the tech world. With over two decades of experience, he has left his mark on government agencies, fortune 500 companies and numerous fields specializing in identity and access management, recognizing that for technology to truly transform the world, it must embrace diversity. David serves as an agent of transformation, inspiring individuals to unlock their full potential. His influential voice and actionable insights have solidified his reputation as a respected figure in the ever-evolving tech landscape. When he speaks, people listen. He is, in short, the Identity Jedi. Thank you very much for joining me today, david Lee, and welcome to CyberWork.
David Lee:
Hey, thanks for having me, Chris man. I'm excited to be here, Great.
Chris Sienko:
I am excited to Cyber Work. Hey, thanks for having me, chris man, I'm excited to be here. Great, I'm excited to have you. I, yeah, to give our listeners a little introduction here as to what we're going to talk about. We're going to talk about all of your different facets. We're going to talk about identity and access management and we're going to talk about your incredible work in helping to bring diversity to the cybersecurity industry, which has not always been great with that. So let's get it started here. So, yeah, I always like to get to know you a little better, our guests. So what was your first interest in computers and technology and cybersecurity? What was the initial spark? Was it in class? Did you learn it on your own? Did you have a family computer or something else?
David Lee:
Yeah, so it started when I was younger. I want to say it's about, you know, as you get older. You can't remember the exact age, but it was like 10 or 11. Right, my um, my stepdad, used to always build computers and he always had like the you know, like the latest kind of computer and he always had like the coolest games on it, right. So I would go and like play like all these kinds of like you know little, like shooter games and stuff like that or whatever, and so I loved like being on his computer and he taught me, like you know, how to load up the games and stuff like that. And so then one day he was working on building it and, dude it was.
David Lee:
It was just so fascinating to me, right, to see, like you know, where the motherboard went and at the time, right, this is when everything was color coded, right, so this is like early 90s. And I was just fascinated and he's like, ok, like clearly this is something you like. So then he takes me to Fry's. So for all of my West Coast people, right, fry's was like the Walmart of electronics. This was like the Disneyland for nerds everywhere. I walked in there and I was just like, oh, my God, like everything was in there.
David Lee:
And I was like this is so. I was like, wait a minute, so we can just literally walk up and down these aisles and here's everything you need to build a computer. So I was kind of hooked from from that point on right, I I never had a um, as you know, software started to go in the internet, started to progress. Like I didn't have like a fear of the computer, they were just interesting to me, right. I kind of I'd already seen how they worked on the back end. So then I would just kind of mess around with you know software programs and figure stuff out Like wasn't, wasn't a hacker by any sense, right, I won't even, you know, I won't even hold you and say anything like that. Like, but I was just interested in it. And so then, um, when I was getting ready to graduate high school, I had, you know, so I really love to debate. I really loved research, you know writing. So I was like, okay, loss, you know, being a lawyer seems like you know the thing to do. And then I saw like how long law school was and I was like, nope, I'm going to go do this computer science thing. So I didn't really learn how to program until I got to college and after that I was just, I was just hooked.
David Lee:
Last thing I'll say is the cybersecurity aspect came as I was learning, probably my junior year. Ok, I learned we started to talk about like security and different things, and we started to learn like truly what like hacking was, and I was like, oh, this is, this is interesting, right, I saw it as a big game of like how do you basically get a computer to get a program to do something that it's not intended to do? Or how do you reverse engineer from the outside? Like, oh, this person you know Stack Overflow was like the first one that I kind of found. It's like oh, this person didn't expect this much data to come through. Therefore, now I can send in this command.
Chris Sienko:
Like I just thought the whole thing was interesting. So, yeah, it all, it all made sense to you. Yeah, I was going to say I'm, I'm also curious because you know, we have a lot of guests on here who talk about you know, breaking things and putting them back together. And I mean you have, you know, you know a stepfather who is very knowledgeable about this stuff. So there's, there's, I think you could probably be very you know, you could really go in on it and not worry that it's not going to come back together, like you know there's.
Chris Sienko:
there's that that backup. I mean did. Did you ever like break you know? Did you in that that backup? I mean did. Did you ever like break you know? Did you, in taking one of these apart, either like software wise or tech wise, did you ever like break it so bad that it was like dad or whatever? No, no, it all made sense to you, yeah.
David Lee:
Yeah, no, it just it kind of all made sense to me. I'd be like I, I think for me I feel like I grew up like right, the stuff was color coded. So it's like, hey, like on the, when you break down, except for the actual circuits, I put in the motherboard like he, he did that stuff, whatever. But then like, okay, now I got to hook up like the different components and this is, you know, dating myself back when we had like the rgb components like that, but on the back of the computer all the ports were color coded. So it's like, if it's a, if it's a pink circle on the back, then you take the pink cord and put it. It was just it. Okay, you just follow the colors and stuff like that.
David Lee:
So yeah, and you know I would, most of my tinkering would become like when we would be like loading up the operating system and stuff like that, and so I would try to have a commitment. And again, it was nothing to your point. Like I was lucky in that aspect of like if, if I worked in anything up too bad. Like he's like, uh, hey, this thing doesn't turn on anymore. Like, what do I do? So? Um, so I think I was lucky in that regard.
Chris Sienko:
No, that's great, Well and then. But also, yeah, I think I think people who have that sort of lifelong comfort with it it really does help later on in terms of uh, uh, not feeling like you're sort of have been left behind or whatnot. So, um, yeah. So I mean, mean, you know, I want to talk about your work here. I mean, it shouldn't be a huge surprise, given your name you're the Identity Jedi. It's right there behind you.
Chris Sienko:
But a whole bunch of your past jobs have revolved around identity and identity access management, which is the topic I love. We've had a couple of guests on here talk about it, but one of the things I like talking about I am is that when I talk to people trying to find their way in security, I mean, it's not really a role that immediately jumps to mind when you compare it with traditional career paths. It's not a SOC analyst, it's not a pen tester. You're not working help desk.
Chris Sienko:
These days, even GRC, I think, is more popular. It sets you up for so many different career and skill progressions and paths, though, I mean, and it sets you really up for any number of like pivot jumps that you can make in your career. I mean you can really go a lot of different directions, so I want to learn about what. What hooked you on identity and access management originally? Was it a job role you actively sought, or was it a move you made while working elsewhere, like when you were a software developer for ITOS? Because I see I am architecture going at least as far back as 2006.
David Lee:
So, yeah, yeah. So I got bait and switched right. This is like this is not something that I actively sought out. It was, um and it's funny you bring it by to us so like that's, that's exactly kind of. When this started, I um and for those of you so I was a beltway bandit for the for those of you that don't know that term, right, I started my career out, uh, doing contract work for the federal government. So you know, lucky martin, um, saic, all or whatever. So I worked for all the government agencies back then. That was my first job out of college and at the time I2S was a small contract, you know, contractor to the federal government, and there was a program called I2S. So that was really always confusing.
David Lee:
But I applied for this Java software J2EE developer position. I was like, oh great, yes, right, because I came out comp sci, right, java developer. Like I was like I'm going to be the best Java developer ever. My career path is I'm going to end up being a CTO, like I'm going to be the smartest engineering room. That was my thing. So I was like, okay, I wanted to get a like a mid to senior level J2E, j2ee developer role and I applied for one, and so I was like, hey, I got it started on the contract and I was like I'm ready. And they said, hey, we're going to be building like this, you know, access request system. We're going to be, you know, building an interface to allow people to request access to all these things. I was like, dude, this sounds amazing, like, this sounds like a great program to go and build. Right, I was just excited to go in and build an architecture program.
David Lee:
So I get in there first week and, uh, the, the, and he drops these three big manuals on my desk, right, sun Identity Manager. Never heard of it. Drops them on my desk and goes welcome, kid, this is the system we're using. I'm going on vacation for two weeks. By the time I get back, I need you to have a demo set up. Oh, by the way, we need to be in production in six months, good luck. And walks out and I'm like, what the? Okay? So I started flipping through these manuals and I'm like, well, this is, I'm not building a system, the system's already built. Like, I don't need to.
David Lee:
And so I start, you know, installing this sun identity manager and figure out what this thing does. And and the way my, my mind works and it's I'm, I'm big picture first and then come back down. Right, I need to understand, like, how something fits in to the greater puzzle. What are those typical you know kids. I always took things apart, like. And once I understood, like and that's a good part I'm like oh well, this, this wheel goes over here, connects to this, and here's the pulley system, like, you know stuff like that or whatever, right, so I just start debugging the heck out of this freaking product. Oh, it's calling this, it's doing this, it's doing this.
David Lee:
And so I spent the next I don't know, two, three months, right, just debugging the heck out of Sun IDM. And then I understood what it was doing. But then the bigger thing, when I started research is like but why is it doing these things? What is? What is a directory? Why is it? What is identity management and what is it trying to do? And so that just dove me down a rabbit hole, and I'm a I'm a person that loves to learn, I love challenges, a lot of new puzzles, and this was just one big puzzle to me.
David Lee:
And then, once I understood what identity management was, then I understood what access management was, and then I understood what. What this thing was trying to do now was like oh so we're trying to manage how people request access and we have things like policies and we need to manage access at a very specific level. I was working for the federal government, to where you know, they had different levels of clearance, right. So we had scenarios where, let's say, you're my boss, chris, but I'm read into different levels of access than you, so you have to prove my access, but you can't actually know what you're approving because you don't have the clearances I do, but you still have to approve it, right, yeah, so like, and I just found that fascinating.
David Lee:
So that's, that's what dove me into identity and access management. Right, I just I dug in. I got really good at Sun IDM and then the rest is kind of history. Right, we got it deployed at the end of the year. Then I became one of the go-to people that everybody was asking how do you do this, how do you do this? They finally sent us to training. We go to training and, like, the first day, the trainer, like I'm sorry to ask all these questions. He's like okay, you stop asking questions, I'm going to deal with you after class. You're scaring everybody else.
Chris Sienko:
Because I had like debugged this thing.
David Lee:
And so, yeah, I ended up and that's just it was. It was history from there. Right, I just from contract to contract. I got really good at that and then now I'm understanding all of identity and access management and 20 years later, I am still doing the same thing.
Chris Sienko:
So love that. Well, yeah, I feel like there's two reactions. Like if someone you know, the average person listening as they drop these books on your desk and say I'm going to be gone for two weeks, you're on your desk and say I'm going to be gone for two weeks, you're on your own. I think a certain personality is like great, you know, and then you put your hands together and you get into it and I think other people would just faint because you know, you know the idea of not having anyone to ask questions to. But I think that's really.
Chris Sienko:
It's interesting how methodological you said you start from. You know, I need to understand the system, and then I I need to go line by line and then I got to see why the failures are happening and so forth. And I guess I want to ask you about that, because you said that was your first uh job out of college. So, uh, you know, on one hand, my you know, knee jerk reaction, as someone who is, you know, works for a cybersecurity training uh company and stuff, is like well, you just did that without formal education. On the other hand, you did have a formal education. So I'm curious about what your computer science training if you feel like learning that on a higher ed level was sort of very helpful in terms of figuring out the sort of IAM troubles as well Is that the framework in your mind?
David Lee:
So it definitely was for me, and I've had this conversation so many times with younger people trying to get into tech or cybersecurity and I tell them it's different now, right, like I mean, I graduated in 2003. I don't want to calculate how long ago that was. It's going to make me feel bad about myself, but you know, it was just it was a different time. But for me, and also like the personality, how I'm built, so computer science helped me because it I literally learned the theory of computing and so I understand how computers work, understand how languages are compiled, so I know what's going on and I'm very comfortable with that. So therefore, you can throw any computing language at me and I can figure it out, because I'm like, okay, well, I know, at the end of the day, like it needs to be able to do these fundamental things right, like I know the theory of how it needs to compute and get it, and you give a computer instructions and what it goes through.
David Lee:
So now I just have to learn syntax right and that's all. Like different languages are like okay, well, this, you know what objects are available in object-oriented program, all this stuff, whatever. So where it helped me was understanding the you know software applications that we were using, right, and that's again like I said, with sun idm I spent all my time in a debugger because I'm like, okay, this I know. Like I didn't know, I didn't exist management, but I know computing, I know software, yes, right, so I know that this thing is sending across these commands and wants to go. Now I know the commands and instructions to send the, the, the software to do the things I wanted to do, and so that gave me that comfortable. That uh, comfortability is not aware, but to be able to be comfortable doing that, and I can kind of apply that to anything, and so to that aspect, I could break down like technical things fairly quickly because I just kind of had that background of it and then I would say so that helped me in the beginning but I, but probably like mid career in my identity and access management career. You know, what helped me more was really picking up like the soft skills understanding.
David Lee:
Once I understood everything about access management, understanding communication, project management, right, how to, how to break down and manage what these big concepts were and explain it to non-technical folks, because what I started learning was an identity. Most of the time it was we're taking all these things and these backend systems and we're talking to these administrators and they're telling us how the processes actually create the accounts and set the permissions, but then the direct users are not our business folks, right, they're non-tech, they don't understand any of that and they more often than not are driving the requirements of what needs to be there and they're the ones that need to use it. So if those two are disconnected, like right, you're not going to get kind of the job done. So what I really started to hone in on was my ability to both be able to talk technical and talk business, right, and then and be that bridge between the two. So to kind of wrap it up, I would say it's two parts, right. So it helped me.
David Lee:
Computer science helped me from understanding the technical aspects of any software program and what was being created to manage this stuff, and that was that kind of gave me a leg up, but I don't think it's a huge leg up to where nobody could. You know, you don't have to have that degree to go do that, it's just you just have to have a technical acumen. But then the other side of it was like developing those those kind of softer skills that they say, like you know, better communication, project management, right Understanding how to align business values and and, and really explaining what we were doing and the importance of it to the business.
Chris Sienko:
So yeah, you're, yeah, you know your, your skills will get you through that first project.
Chris Sienko:
But then the soft skills are what gets you through a career of those types of projects, and so forth absolutely what it makes me think of and this is maybe uh, you know, this is certainly a lot lower level, but in terms of what your degree did. With regards to solving because you described it as puzzle solving I also like playing, like puzzle solving games and so forth I feel like it's. You know, sometimes you're playing a puzzle game and like the user interface is so bad that you're like, well, I'm not solving these puzzles because I don't know what you want from me. You know.
Chris Sienko:
And then, once you start going, oh, I see I have to click over there and I got to do this thing and, and you, you didn't let me know that at the beginning. So I feel like you, you get the leg up by sort of understanding, intuitively, like the UI of this whole thing and then within that then you can say, okay, now we can actually play the game, so to speak. Right, Right, yeah, yeah, yeah, yeah, so, yeah, so, let's, let's talk about some of the preparations and studies that would prepare new professionals. Like you said, you talk to people who are trying to get into this and it's totally different now. But can you talk about we'll talk soft skills in a second, because you did just that but can you talk about, like, what hard skills are required? Is it the usual kind of computer networking security trio or is it something that can be done well by people with a less tech intensive background? It sounds like you really kind of need to know all of it, programming and the whole thing.
David Lee:
Yeah, so it, man, it's. I hate giving this answer, but it is. It is really the truth. It depends on where you're trying to go, like for security, right? Sure so, but but I'll say this to the average person. That's like I've got a lot of people that want to break in. I tell them first, do this right, you won't go wrong.
David Lee:
Like studying some of the stuff from the CISSP. I am not a CSP zillet, I don't get me started. I'll get on a whole different rant about that thing. I don't knock anybody. That's got it. That's great.
David Lee:
But like, but it covers a lot of the domains. So I tell at least want to understand like the different domains and where this fits in from an identity and access management standpoint. Then I say, okay, now let's start learning technologies where they are and where they fit right. I always draw this. I'll explain like identity and access management. Iam is actually like three or four different like subdomains underneath there. Right, there's identity management, there's access management's governance. Right, there's privilege access management right. So start to understand what those things are. And and unfortunately it's confusing and I and I am, because we call the tools the same thing as the actual like domain. I was like, but understand the domains separate of the tools, now that you have that right and you can go and kind of research that on the internet. Once you have that, now again like what, really, what really resonates with you and you go, hey man, I really under, I really like this whole access management thing and, you know, sign on and set that up. Great, now let's go learn the technologies right now. Learn the technology. And those are the hard skills right, go learn um. It's now entre, right, entre, sso, octa, right, um, you know there's there's a bunch of new ones coming out there now beyond, beyond, I am like beyond identity, like, but so there's all these kind of like SSOs. Go learn that right. Um, I, I tell people now, like it's, it's unfortunately it's not as as big as it used to be, but like I loved when Forgerock had like all their open source products and you can still go find them right. But now you can go install your own identity and access management infrastructure. You can get a directory, you can get an SSO, you can get a governance product right, go install those, learn those. Understand, like, how these tools work, right, but you've already understood the domains, why they work in that place, and then now we can start to kind of figure out and kind of plot your career and where you want to go from there.
David Lee:
The other side of it, I say but there's also like this need for, like the, the kind of business analyst side, right, understanding what identity means in the organization. So that's where I would tell people is, if you start with the CISSP, like, understand all this stuff around policy, around GRC, right, because a lot of that stuff will apply to an IAM level where it's like, how do you go about, like, creating these policies and what do these policies need to be? How do you need to configure these tools right? What's right for the business? How do you handle something like Sarbanes-Oxley? Right, pci 4.0, which is introducing a lot of stuff around identity. Right, nyfds, which is the new New York compliance that's forcing companies to do things right. So there's this whole policy management, understanding of it too, right.
David Lee:
So I tell people you don't have to necessarily be tech, because people struggle understanding this right. All this is needed for identity right, and I'm biased right Because it's been my career and I love it. Like identity is so interesting because it truly does sit in the middle between business and technical Right, and so you have to kind of like understand all these things not as much as cybersecurity. Like you can truly be technical in cybersecurity and be fine. Like you can go on a pen test and just be a pen tester, right. Never give a crap about policy, never. You don't have to explain anything to anybody about policy. You never could. You don't have to explain anything to anybody. It's like oh, I'm going to go do a pen test, I'm red team and I'm doing all these things, or whatever identity, not so much, right. You do need, you do need to kind of have to have that understanding of the business, um, to kind of help, uh, not only promote the program but like make sure that things are being done successfully.
Chris Sienko:
Yeah and yeah, and I asked that specifically for that reason, because I think a lot of our listeners want to get in, don't necessarily have the sort of heavy red teaming pen testing either skill or impulse, and think, well, surely that can't be the only way in. And I think it's. And I just want to sort of clarify as well. It sounds like, especially if you're working for a large company, you're not going to necessarily. If you're in IAM, you're not going to be having to necessarily handle every aspect of that, right, like you said, you're going to be working on the governance, possibly, or the actual access management or whatnot. Is there? Is this a sort of thing where a larger company might have a team and then sort of, uh, different people doing different things?
David Lee:
yeah, so the, the larger organizations, which you usually see is there is a, there's an access. Well, okay, I'll break it down. There's an identity team, right, yeah, and that team is composed of, like, usually, the access management team. So they manage the directory, so this is your, your entre ids or your active directory, and they manage the access management side, your single sign-on, so they usually have like the octas and stuff of the world. Then you kind of have your, your privilege access management team, which is this is your CyberArcs or Beyond Trust. They're managing, like all your privilege, all your admin accounts. So think about your root accounts on a Linux box, your domain admin accounts on your Active Directory boxes, excuse me, you know. So you have that team. And then there's the, the governance team, which is handling your. You see this like what your sell points, your Zillows, your conductor ones, where they're doing the access requests and the governance, the request. You go in company right, the more hall that comes down to like, yeah, you're, you're the guy.
David Lee:
Yes, yeah or in some cases you're the guy, the girl that's doing all of that right, all of it right, okay, so, so, if you want, if you want to be that person, by all means, there's people that will be glad to hire you, but you don't.
Chris Sienko:
You know, I want to make, make people aware that you don't have to be, you know, atlas and carry, like the entire burden. Like you're going to, you're almost certainly going to be focusing I mean, unless you are working for a mom and pop like you're almost certainly going to be focusing on one aspect of this large field or another. Is that right? Right, yeah, okay, so you, you mentioned the sort of distinctions and this. I apologize if this is kind of overly sort of philosophical question or whatever, but can you talk about the difference between identity and identity in within access management? Because I have Colleagues and people who have been on the show who are in the sort of like the deep inquiry of identity, and it feels like I'm talking to people like floating on the top of a mountain, you know, cross-legged.
Chris Sienko:
You know, like there's the, there's this sort of philosophical like what is identity? You know, I mean, can you talk about like? Like you know, can you you sort of like, can you break that down or whatever? Like there are identity people and then there are identity people, you know. So like what is? What is the study of identity look like? As you know, separated from identity and access management.
David Lee:
OK, so, man, we're all it the administration and governance around digital identities within a workforce or on the consumer side and I'll come back to that separation in a second. But mostly you're talking about how do I administer and govern these digital identities, the creation of that digital identity, the attributes that they get assigned, the applications that they interact with, right, and so how do I make sure that these accounts and the entitlements that are associated with those accounts are managed in a way that, at any given time, I know who has access to what right? So when, to make it simple for listeners, when you hear IAM think who has access to what? That's what that's doing either for the workforce or for the consumer.
David Lee:
There's, on the more philosophical side of, just like you know, identity right and I don't, people can kind of go different places with that. There is a bigger conversation around like what does it mean to kind of have and own your identity in this digital realm of today's world? Right, because we have, you know, the last 20 years we just kind of exploded with everything online. We kind of made a lot of assumptions in the beginning because, I'm going to be very honest, it was a lot of us nerds who were creating this stuff and we live and breathe this stuff and then, all of a sudden, like we didn't expect, when, when we, when the internet was first created, we were sending scientific documents to each other Like nobody was HTML.
David Lee:
Like so all this stuff kind of built on top of it, and so we look up and we build web commerce and e-commerce and social media, and then we'd get all these things and we never truly took a step and said like, hey, what does, what does this mean? How do you represent yourself online? And how do you represent yourself online and how do you protect that information? How? And so, though those are discussions that that are happening, that it's. It's. It's in the realm of identity, but it's identity in itself. It's, I hate to say, but it's kind of siloed right.
David Lee:
There's there's some of us who work within a workforce and then a consumer we're dealing with this stuff and then there's people, when you get into the decentralized identity and what that means, and like, how do you turn around and make sure that everybody has access to these things, things that are going in, like the digital wallets and phones and things like that, which I'm very much in yeah in tune to and having conversations around, because it for me it was kind of a thing that was like okay, like yeah, I get that, but I was so entrenched in what's going on like in businesses and we weren't using it in everyday life yet.
David Lee:
But, um, not to give apple all the credit, but I've kind of made the joke sometimes that like like apple's kind of like the biggest identity player in the world that nobody's ever heard of like from an identity perspective.
David Lee:
I was like because when you think of, like what they, what they, what the ecosystem that they created.
David Lee:
Like I've got my iphone, it's got my apple wallet, I've got Mac, like everything kind of logs in and with face ID, I can log in, I can make payments, all these things or whatever, like it's to the point that I can leave my house with just my iPhone.
David Lee:
Yes, I'm in a state of Georgia, so I have, like Georgia, you know digital ID and it's not accepted everywhere. But the point is like, I have it, like I can, at any given time, like show you, even verify these things, right. And so we're now to the point where that aspect of it of like what is a digital identity, what does it mean to be an identity online, is more and more of a question, because we use this stuff every day and we're and we're putting in more and more places, and so there's there's lots of discussions. I just came from identiverse last week and we've got entire tracks on this discussion of what we're building, how we're doing inside the technology. It is time for us to start, you know, um, sorry, fellow nerds, right, we got to step out of the shadows a little bit and have these conversations, because we're building these things over in a vacuum and we're giving them the services to people who they still think all this stuff is magic.
Chris Sienko:
Okay, like we understand it's ones and zeros.
David Lee:
But the average person is like no, it's just magic, I click into, something happens. So sorry, I don't want to. I don't want to go too far.
Chris Sienko:
Oh no, that's fine. I just have one more thing I want to ask about that. So you do sort of have feet in both worlds, it sounds like. Is it sort of? This is another sort of abstract metaphor, but you know, we see, like those you know, couture, fashion shows and you're Is it something like that where these are, there's these big identity ideas happening in almost kind of think tanks and then it's sort of it's sort of trickling down into IAM and the way people sort of do business day to day Is that is that one, yeah, absolutely, and I and I use Apple.
David Lee:
I've used this analogy before. I use Apple face ID and touch ID as a perfect example, like. Like so, when Apple first released touch ID, god I id and touch id is a perfect example. Like so, when apple first released touch id, god I used to have the dates memorized. I don't know who they are, so I'm gonna screw these dates up, guys. So when you're listening to this, like just google it, but just realize I'm just gonna pick a date, let's whatever it is, let's say it was 2003, whatever.
David Lee:
They came out with touch id. Like two years later they came up with face I d, right, like it moved super, super fast. And touch id. That was the first time we had ever massively had any kind of biometric sensor on a device. Right, and we were just like, oh my God, this is what, what is this? I can you know going on here, yeah, right, right.
David Lee:
And it's so quickly became into the masses that now it came to face ID and now it's just, you don't even think about it, right, it's just, you know you're using biometric, you know sci-fi stuff, man, that we would see in movies and so, yes, these things are happening. It's interesting to make it and you're seeing it trickle down. But also Moore's Law is coming into play, right. So it is happening so fast, like as soon as we get one thing, like you see, that the next adaptation of it that much quicker. And so what we're seeing around on that digital identity space is, you know the way we authenticate and verify, like anybody that. I travel a lot, so if you've traveled, like TSA and clear and the digital ID they're taking, they're taking photos now to to verify, like this stuff is getting more and more into the everyday and I think over the next five years it's going to get accelerated and it's one of those things that like, to your point, like the think tank and these are good ideas which is probably about seven years ago. To your point, like the think tank and these are good ideas, which is probably about seven years ago Now, like they're, they're in, it's infiltrated into the community where everybody uses it. And the next time it's not going to be seven years, it's going to be three years, right, because it's going to happen like that much faster. So it's definitely something that you know we need to, we need to hone in on, we need to make sure that we are, you know, watching and and not only watching, but getting involved on how some of these things are happening, checking some of these, these vendors and things that they're creating.
David Lee:
There is a big, big discrepancy when it comes to a lot of these data, data, data learning algorithms and AI algorithms. When it comes to people of color, right, again, we'll go on a tangent I've talked about this before but like, yeah, I mean, these are, these are things that are that are important, because now we're dealing with technology that has the ability to impact a mass amount of people. Right, and where accidents now are, you know, whether intentional or non-intentional, right, they have real damage. Right, it's not just, oh, so you can't log in. Now, it's like, all of a sudden, somebody can't verify themselves, they can't get access to services, because… All sorts of things shut down?
Chris Sienko:
yeah, yeah, absolutely. Services because all sorts of things shut down? Yeah, absolutely. And again, just to sort of button up that, that last point there, I think you know again, I'm always trying to sort of lower the barrier to entry with these regards. You know so, when, when I talk to people about like cryptography and careers in cryptography, like there's a lot of careers in implementation of cryptography, but the idea that you're going to be one of the people writing the encryption, like there's only like a handful of people that are necessarily that can be the thing you get to eventually. But it doesn't. You don't have to, you don't have to. You know everyone says boil the ocean these days or whatever. But you can. You can be deeply involved in identity without having to be one of the people pushing identity forward and you can still have a very satisfying career. Yeah absolutely.
Chris Sienko:
Okay, Well, good, let's you, you, you, you brought us into the next topic of conversation here and you did it. You know partly, you. You foregrounded it by talking about how tech people have been very sort of insular and have written things that make sense to them and don't make sense to common people, and I think there's, you know, a larger and more pernicious aspect of that today, because we're here to talk about the remarkably low African-American representation in the field of cybersecurity. So one of the things we talk about on CyberWorks all the time is the multifaceted benefits that come from making a strong, intentional decision to recruit and hire a diverse and inclusive workforce in cybersecurity. I have the things I've heard before around this topic, but I'll shut up and let you talk about this instead. So you know, can you elaborate on your statement here, which was quote creating a more radically, a racially inclusive workforce benefits everyone and is vital to better identify the technological risks and vulnerabilities. Tell me what that means to you.
David Lee:
Yeah. What that means to me is, like we are, we've crossed the chasm of where you know tech and software can actually do human harm, right, uh, I remember, you know, studying about this when I was coming in college and it was like, okay, yeah, but like we don't.
David Lee:
We use software for accounting for, like you know like reports like we didn't, we didn't use technology to that, to that standpoint.
David Lee:
Now it's everywhere, like it's in our cars, it's in our medical devices, it's in our homes, you know, it's now, you know, being integrated into access to services, right, uh, so it very much has an impact on on people's lives, and so, you know, one of the things that we've really got to get comfortable talking about in this space is that, listen, the numbers are the numbers, right.
David Lee:
Tech in general, and then even down to cybersecurity, is a white male driven field, right, and so this is, you know, this isn't to make anybody feel bad, but it's like, if you've got, if you've got, a team that's developing something and say, um, I'll, I'll pick on, pick on Snapchat a little bit Like this is years ago, right, when they first did their filters, right, um, they bit like they did this years ago, right, when they first did their filters, right, um, they, it was a small team, they were testing all these filters and they were like, hey, these filters work great and they put it out there, right, the problem was people have melanated skin. The filters wouldn't work because snapchat's test database was all white.
Chris Sienko:
Yeah, it was, yeah, so it was just one of those things like they weren't trying to exclude anybody.
David Lee:
They just you know they never occurred to them like yeah right it never occurred to them because nobody in the room no, they were testing was like they didn't have any of that test results. Then, once they had the data, they fixed it right. And that's those some of the things, and like that, that's kind of like the, the, the microcosm of what's happening like and within tech. It's like you have all these, these teams that are trying to do and solve these problems and and and put out these services, but they don't have a diverse set of ideas, they don't have a diverse set of experiences, they don't know how this is going to work. Like they think of it their way, right, like, hey, well, for instance, like we talked about in my history, like my stepdad was, was in the computers, things like that or whatever. So, like I'm around around this stuff, like I have a comfortability with it, and so I think of it a certain way. Right, but what's the? And it's so crazy that happens in cyber security. But what's the thing about cyber security? Our whole thing is we think differently, right, we try and look at something and go. But wait a minute, I know you're supposed to go down this way. But what if I do this? Right? Yeah, like, what if I hit this api and I send it this data instead, like that's what we like, we thrive on, that. We want ways to think differently, and it's like I think the one area that we should be leaning it's that it's cybersecurity and we don't. And so what it means to me. Like that, when we're having these conversations and we're building these teams and we're having, you know, communities that are not affected, and that's like we're not hearing their voices, we're not, we're not getting their ideas, their perspectives, but also we're doing're we're going to put something out there that directly affects them. Um, because we just didn't think about it.
David Lee:
Simple things is like um, you go to, you go to log into an application and say put in first name, last name, and then we put in and we expect, like American names or Anglo-Saxon names, to have more than three characters. There's an entire culture that their last name is two characters. And then we go invalid login, can't log in. Uh-huh, you just told this person that their identity is invalid. No, it's not, it's just right. Right, you didn't right. You assumed that this was the case.
David Lee:
And I use these very simple examples that go like we're making those, those. I don't want to call them mistakes, but we're making those snafus there like we're making them everywhere else. Right, and and this is why now we need to be be intentional about how we're building these teams. And that's the key word. When everybody asks me, like, how do we fix this, it's like it's be intentional, like, and I don't know why people act like it's rocket science. It's like like Chris, right now, if you told me you're hungry and I said, okay, what do you want to eat, chris is like ah, pizza or burger. You're going to intentionally go and find a burger. I may bring you a salad, I may bring you a taco, I may bring you a burrito, but you're like no, no, no, I want a burger.
David Lee:
Like you're going to go you're going to go find a burger. It's the same thing, right? So when I hear the excuses of well, we're trying to hire more people but we can't find them, okay, yeah, like you're not looking.
Chris Sienko:
Like you're not going to go.
David Lee:
Look, you're just saying oh, I'm just going to take what's here, like I really wanted a burger, but you gave me a salad, so I'll take a salad. That's fine. No, go, find's also, I think, if you're you know of a certain disposition.
Chris Sienko:
there's also a stop point where you're like, okay, no, no, no, that's enough, I don't want to, I don't want to know too much about this or whatever, or or I don't want to deal with that.
Chris Sienko:
You know, one of the examples I always give from a disability perspective is one of my colleagues had to do a thing to identify herself where she had to simultaneously hold an ID next to her face and hold her camera and they have arthritis, you know, and it was like I just about couldn't get the two things and it was the only way in, you know.
Chris Sienko:
And so it's another one of those things that you don't think about, you know, until someone says this doesn't work, you know, and and there's just once you start thinking in that in those terms, it just spiders out in every direction where you know, and again, maybe this is a stretch, but we, you know, we're so into like DevSecOps now, the idea of like thinking about security before we start the development or thinking about it at the start of the thing, and I think a lot of this if you have a team who is diverse and is thinking about all these things, you're not having to do these emergency patches at the end. You're thinking all the way what about this, what about this, what about this? And so you're, you're, you're, you're hitting it. You know, you're, you're thinking about all of these ways that it's going to be more useful to a greater number of people and and, like you said, it just is better for everybody.
David Lee:
that right right, you know, you know simple things is like, even like even your, your test group, that you test them on right or or like and um. But even beyond that, right, I mean for those of the, for those of you that have been on a team, right like when you're just a programming team man, right like I, and it's it always baffles me because, like I, I loved I don't program as much as I did anymore, right, or as I used to. I love programming and what I loved even more was like pair programming and like getting on team and like those hackathons, man, where it's like it's it's like three or four of us and we're just, and I loved it because, like the ideas start flowing, I'm building something this way and you, like chris, you'd be like, oh, like, hey, here's what I did, this interface and I use these classes. I'm like, oh, dude, that was dope. I never thought about that way and you know what I mean.
David Lee:
It's like yeah, yeah, let's do this, and it's like all that creativity just starts happening and like it doesn't everybody. Just they respond to oh, we have too many people, not, you know, too many, too many cooks, I don't know. It's like dude, like no, like it's not going to slow things down, it just means you're gonna have to be better at communicating and making decisions. But like that's where, like I just wonder, like how many did you guys not have late night hackathons? Like that's where, like most of the, some of the best things happen.
Chris Sienko:
That's where all the fun stuff happens.
David Lee:
Yeah right and and we're not saying we have to be perfect am I saying that if you have a more diverse team, you, you'll never make a mistake? No, right, yeah, right, that's life. Right. But like it to your point, it won't be like these emergency patches, it'll be like oh, like we thought about this, oh, but we didn't think about this case. Ok, well, let's bring that in. Right, you? Just, it's more input, more data that you have to be able to create a stronger solution every time. I'm an LA kid Right. I grew up voting for the Lakers. I'm a big Kobe fan Right. Get one percent better every day, that's it. So if I have a chance to add something to my team that's going to make us one percent better, why would I not take that? Right? And then we're all getting one percent better every day.
Chris Sienko:
Yeah, yeah, love that. So I want to talk from there about other sort of stats that are that are coming out that regard kind of workplace culture and so forth. So you noted that 20% of Black individuals face poverty and limitations in accessing IT courses and opportunities. Like you said, you had access to this stuff early on and it's not always the case. And what's even more distressing to me is that you say, quote 51% of Black adults lack the financial resources to apply for tech jobs. So, david, can you speak further to these roadblocks and where the shadow financial costs of applying for tech jobs are located that we might not be thinking of again, and also if there's ways to sort of break these financial barriers to application and employment barriers?
David Lee:
Yeah, so again, another thing that kind of makes people uncomfortable, right. But like I always say, like, get comfortable. Being uncomfortable is, I think sometimes we look around and we just we assume that like well, everybody's got access to internet, right, everybody's got access to a phone. Like I got an iPhone 15, like whatever that's a, that's a $1,200 phone right now. I've been, I've been in tech a long time. It's, it's a very lucrative field. But like that's somebody's mortgage payment, right, that might be two or three mortgage payments for some people. Like, so, like the, the, the costs for some of this stuff, like we just don't think about it. We're so used to having access to internet and things like that or whatever.
David Lee:
There's a lot of people that that that don't. And, um, the, the bigger aspect that that that faces like, um, you know, black communities is there, there is a lot of communities, you know, close on the property line so they don't have access to Internet, right, then it goes to their communities. They don't have, you know, libraries or public places where they can go get free access to, to, to get Internet, things like that Some of the school systems aren't, aren't really set up for that. So I mean, this is it? This isn't just a one layer problem. There's, there's a bunch of stuff in there, right, I don't take that lightly. There's a lot of things kind of to fix there, and so is there. Is there a silver bullet? No, there's, there's a. There's a couple of different initiatives that that have to be, you know, put in place to to have to fix some of these things, and so do I think it's all on the tech companies to fix that.
David Lee:
No, but, like, again, that's something you need to kind of take in consideration. But, again, go, go out to where the people are, right, and and and do more, you know, be more present in in the communities, whether it's, you know, high school events, hbcus right, there's, there's HBCUs all across the country, right, you know, connecting with these kind of high school events, things like that. Do something, right, instead of freaking spending you know $90,000 at RSA for a booth, why don't you just go to a couple of high schools? And, hey, how about we sponsor, you know, freaking Fast Internet for the day? I don't know. Bring some, some whatever Like, be creative again.
Chris Sienko:
Be intentional about it to go.
David Lee:
Do that? Right, there's, there's, there's areas to go and do that, you know, for the black community it's, you know, one of the things, that two things it's teaming with the local, um, the local high schools and things to make sure that stem is something that's taught. We've got to do a better job in the black community making sure that our kids are interested in it. Right, because that's another addition to the pipeline. Problem is like we've got to get more people interested in it, and part of that is just having this discussion. Part of that is kind of hoping from some of the tech companies to see and say what this looks like. Right, again, representation absolutely matters.
David Lee:
I didn't, I didn't really think about this until the last couple of years of like how important it is for all of us to see ourselves in something else. We're trying to be. Right, you know if, if I asked you right now, um, I don't know like you know if I asked you right now. I don't know like I'm trying to think of a good example, but like, hey, you know, chris, you want to go be a Formula One driver and you look OK, but I don't see another. I can do that, but and the perfect example of this is, you know, the four minute mile.
Chris Sienko:
Right, yes, you know, for years, all the time, yeah, yeah, it was seemingly a physical impossibility for a long long time, right.
David Lee:
And then the amazing thing is, if you look at the numbers, it's that's like, once it was broken, like we started breaking, he started breaking it like, breaking it like over and over again. Why? Because we knew it was possible. Yeah, right, we knew it was. It is possible. So that means what? That means what? Right, because before it was like oh, it's physically impossible. Like you will, like they pretty much like you, you the body would shut down, like you would die if you tried to do that first. So now it's like when you're running and, like your, your lungs are filled with air, you're like well, I know I'm not going to die. Like you know what I mean. Like I already know that it is possible.
David Lee:
So now your brain just starts working on. So I just have to find a way to go get it there and done. It's the same thing, right, like we've got to be able to see that. Like, oh, this is a career path, these are things that I can do, yeah, and now I can kind of start working towards it. So you know it is, it's, it's a multi. Um, I'm going to nerd on you guys. Right, it's, it's a multi-body problem, kind of like the three body problem, right, um, but it's not impossible to solve like the three body problem but it's one of those things that there's.
David Lee:
There's multiple like, there's multiple things that have to kind of take play Like number one, like we need to do. We need investment in STEM and and, um, you know, I would say black and brown communities, right? Um, the fact of the matter is those education systems are are sometimes subpar, right, we need investment. And so, again, this is where this is where tech can get involved. These big tech companies get involved and help with some of that investment from the community perspective. Hey, you know, don't be afraid of of of STEM, right, get your kids, you know, in the engineering, mathematics, and sometimes some of the parents, you know it's they don't push it because you know they weren't great at engineering and mathematics. So it's like, how am I going to help them? Right?
Chris Sienko:
But you know, get them involved.
David Lee:
There's. There's tons of free resources now, um, like when you can get them available to. You know, internet there's I mean, mit has open sourced a bunch of their courses, but even before that you get to, you know, um, you know Google's got a lot of free courses out there. So, and then just YouTube man I, this generation, oh, my gosh man, like everything's available on YouTube, right, like, so you can find people teaching these things on YouTube, um, and so there's, there's, there's effort there, um, but there's bigger things financially, that we have to do to make sure that these communities kind of have the same access that we do.
David Lee:
Um, you know, one of the things that's that I, that I would, you know, love to see, is we have to start thinking about internet like, like, like utility, kind of like water, like. It needs to be a basic, basic um thing that everybody has access to. Like. I love the city of uh chaduga actually in tennessee, right like it is, internet is provided by like, like, like water, like everything else, like it's utility, right, and they've got um set cost services that they deliver to make sure everybody in the city can have access to internet.
Chris Sienko:
I freaking love. That right should not be hard, but uh, it's, it's. You can literally count on a couple of hands the number of cities that, especially in this country, that have done that. I think if you go to europe, you find a whole lot of examples of that. But uh, uh, yeah and and and. I don't understand why that's not, why we're not yelling about that constantly, honestly, because that is, that is such a, that is such a barrier, I mean, and it is such a utility. That's exactly the right wording. So I want to go back. I want to go back to the burger here.
Chris Sienko:
So, this is a recurring discussion on the show. You know, like you said, companies with bad diversity hiring track records say just what you said. Like you said, companies with bad diversity hiring track records say just what you said. Well, we'd like to hire more diversely, but no people of color slash, women slash LGBTQ people. Candidates applied and you know. Of course, the follow up question always has to be do they know you exist? Have you told them that you want to hear from them? You know so. I know we're not going to solve this in an hour, but I want to. I'd still like to document some concrete solutions that we could speak out, amplify, disseminate into the industry as a whole, Like what are some initiatives and policy changes and intentional actions that you have to happen to bridge, to employ the employment gap in cybersecurity? Oh, man, Okay.
David Lee:
All right, here you go, I got it. I got it. I got the list man. Good. So number one Okay. So.
David Lee:
So, number one be intentional about where you're going to search for your candidates, right? Um, I get that. There's been a big, huge pool of now new employees and so, most of course, you can just sit back. Everybody's going to apply. Okay, well, you've got to go, be active.
David Lee:
So, number one like, I don't care where you are in the country, like, started building a relationship with an HBCU. If you don't know how to build a relationship with HBCU, you can reach out to me. Hit me up on LinkedIn. I will gladly walk you right into North Carolina A&T, aggie Pride and connect you with who you need to get to. But there are HBCUs you can connect with. You can get to their campuses. You can do that. Right, that's the first place that I would start.
David Lee:
Number two after that you go okay, you need to address your biases that you have in your hiring Because, newsflash, you have them. You know why? Because we're all human, we all have biases. Stop getting sensitive about it. It's OK, like, but you need to address it and know what those are. You need to look at your hiring process and go where could we possibly be putting bias in? Right, start making you know real checks and balances to how you do that. Something very simple is in the first screening process, take off the names. Just look at the experience. Right, only pull the names in when you've selected a candidate and go yeah, this is the one I want. Now you pull the names in because, like it or not, we make judgments based off of names and background and experience. Right, we do that. What I would take off, I would take off name, I would take off college, because that's another thing that kind of people look at and they make judgments on. So get that out of there and then just look at the experience.
Chris Sienko:
I imagine because you, you, you're, you're sitting there going. Well, that, uh, you know. I know enough people who have said like, oh well, it would just be too hard of a commute for them. You know, it's probably best just not to even ask whether or whatever.
David Lee:
Yeah, there you go. I like that, let's say that as well. Right, like, get to the point where you keep saying that we hire the most experience. Then focus on that. Focus on the experience first. Now you've selected that candidate, now you bring in the rest of the information. Because, quite honestly, why do you need to know somebody's name or where they live or college they went to, to know whether or not they've got the experience to do the job? Right? I get that. They may come into a factor later, but don't do that in the beginning.
David Lee:
Number three actually check your you know. Again, back to bias, check your hiring managers, like. What kind of culture are they building? Right, like, you know, talk to your actual leaders within a system, and I know that this is you know. This means, hey, executives, yes, you actually have to talk to your senior leaders about you know and understand what their thoughts are, what their biases are, and make sure that that's understood. Um, the the. The next thing after that which is interesting is take a hard look at are you? Are you a place where somebody would want to come? Right, if I go to your about us and I look at your leadership and I see basically the picture of a middle of a of a white man from 20s to 50s, and that's your entire leadership example I'm gonna look at that and go.
David Lee:
I don't really know if this is a place where I want to be like you can't now, I'm not knocking you for that, that's not but like. You have to realize that like people outside looking there to look at that and go, I don't know if I fit there when I go, look at your website and I see pictures of your team or whatever. Do I see anything of color or or LGBTQ Like? Do I see anything that makes me feel like, am I going to be the only one there? Like, nobody wants to be there. It doesn't matter if you guys are the nicest people in the world and you support everything about that person. They don't know that from the outside looking in.
David Lee:
So you're going to have to promote like, like and show that you are a place. And if you're not, like what? If you're saying, well, dave, we aren't this and but we're trying to then be honest and say that, right, like, but you're going to have to show that like, yes, this is, this is important to us and we're creating a place like. Like anybody wants to be welcome with open arms, right, and they don't. Like, nobody wants to feel like. They're on the outside looking in and they get in there and then it's like everything's different, like they're, they're the, they're the person, like this back when we were in grade school right, we're the kid that doesn't get the inside joke.
Chris Sienko:
Right, I moved around a lot, right?
David Lee:
So for those of you, that didn't move around as a kid. Like it's, you move in, everybody's got their inside jokes, they've got their like, and you just feel like an outsider right, like you're just waiting to integrate, like that happens. And so that's the things you have to, can combat, and again, all these things takes intent. I listen to all these things and people probably saying this is like a lot of work, Uh yeah, it's a lot of work.
Chris Sienko:
Yeah, it should be a lot of work. Yeah, yeah, if it was easy, everyone would be doing it, right, well, okay, let's talk about the About Us page and the Silverworks. I do want to talk about any recommendations you have for not just bringing more Black cyber professionals into the industry, but also making sure that we have a strong plan to help them advance in the industry, because you note that 77% of pulled Black employees are not satisfied with their role in tech companies. 50% report suffering from racism in the tech industry. So what are some of the big changes that can be made to change entrenched cultural biases and also make it so that we have this deep bench that will, uh, that can, sort of move up you know, move up through the corporate hierarchy and not just, uh, you know, well, all of our you know, our whole sock is diverse, you know.
David Lee:
Yeah, so this is uh, is uh, this. This is the hard one, man.
Chris Sienko:
This is because this, this touches some very requires you to knock some walls down.
David Lee:
Yeah, it does and it touches some deeply, deeply flawed things that we have within our environment, which is that a lot of these leaders just don't care. Right, you've gotta've. A lot of these leaders have created a culture around what's comfortable to them. Most of these leaders have never interacted with a person of color in their life and, again, does it make them evil people? When I say this, I don't that doesn't make you a bad person, right, but it's just the reality. And we build around our comfort. And so to increase some of these numbers, right, again, a lot of these, I let me. Let me say I'm assuming that a lot of these people feel this way, um, with these numbers, that the black employees aren't satisfied or experienced racism because they're the only one, and it's literally like when I wrote my book, it's like the only one in the room. That's been my entire career. Yes, right, where it's like I'm one of one, of one, sometimes one of two, one of three, right, and it's little things such as like hey, like we all like to go play golf or do these things. I don't play golf in this case I do, but whatever, it is like, yeah, it's these little things. And again, it's not passing judgment on what other people like to do, which, just, you've got to be cognizant of the fact that I've got a different culture coming in, and so what can I do to make sure that they feel and like, interact with them on some of the hey like, what are some of the things you like to do? Right Like, let's, let's, let's, let's do some of those things. Like, when we think about culture events as a company, let's, let's include all of that. Right Like, again, this is this one's. It's touchy, it's hard, because, you know, people want to politicize and all this stuff, whatever. It's just about making another human being feel seen. That's honestly, at the end of the day. That's it. Man, like you know me, you can go hang out and we'll start figuring it out. Like, chris, you like different things than I like, but if we're friends, and I want and we're trying to establish a friendship, guess what that means, chris, sometimes I'm gonna come, do the things that you want to create a culture to where these people don't feel like, they feel like seeing, like make sure they feel seen.
David Lee:
And unfortunately, though sometimes it's, it goes back to that bias, right, and this is why I literally would drive a lot of the executive leaders. Please, for the love of like, invest in this bias training. Understand that. You have it. It is there and it may be simple things. It's like well, no, no, I, I, I approved based on merit. You may think you do, but you may find out that that that you don't Right, and it's these little things, um, microaggressors is a big thing. Right, there's, there's, there's little key words that, like, black people are triggered by and we have trauma based on was like oh, like he speaks so well, why would I not speak so well?
Chris Sienko:
Oh right.
David Lee:
You know, she can be a little feisty or testy. It's like, oh well when. When John yells at the meeting, he's being a leader. He's when initiative. When Sarah pushes back, she's being feisty. But we all know the term, I'm not going to say it here.
David Lee:
I don't know, I don't know You're listening to the podcast we know the term that gets used, right, and so now she's labeled that and you're like, I don't know, she'll make executive material, but john can go get drunk right, yell at you and it's just, it's john being john right. There's a lot of that stuff. That that's how we fix that, but it's again, it's intent. We actually got to want to face it because here's, here's the, here's the reality. Chris, a lot of these people, a lot of the toxic leaders that are there, but also some of the most successful, exactly.
David Lee:
And so now was it as a. If I'm a, if I'm a CEO, I'm executive, I'm going. Okay, this guy brings in a ton of money, but he's also probably one of the worst people for our culture. Culture Now you have to make a choice. What do you care more about? Building a culture and a great company, or making money?
Chris Sienko:
Yeah, and your and your investors are like great.
Chris Sienko:
I'm so glad that you uh lost money in the interest you got to learn to tell those stories as well, because that's that's an important part of it, like you know. But but you know, I think there's also you know so much to be said about that that level of systemic change that you are going to see it pay back. It might not be in one quarter or one finance, you know fiscal year or whatever, but it's going to be there. So, yeah, yeah, so I could talk to you all day. I mean, we're at the hour here so I want to. I just want to wrap this up a little bit, but one thing I like to always ask our guests, and I'll ask you right now what's the best piece of career advice you ever received?
David Lee:
Man, I got this question. I was like dude it. It took me so long to come up with it, but I think it was I'm going to go with and I'll actually shout them out. Uh so Mark McClain, ceo of CellPoint, Um, and I was leaving I was, I was getting released CellPoint. We sat down we talked about everything, but he said this he goes always make sure that you're running towards something and not running away from something. And that stuck with me and it has stuck with me ever since. So whenever I'm coming up with something or facing a decision and I was like I want to do something different, I asked myself am I running to something or am I running away from something? And yeah, I really appreciate him sharing that with me.
Chris Sienko:
That that's that's stuck with me the past seven years now. That's great. I'm very excited Our listeners get to hear that. I think that's a that's a great, uh great piece of advice. So, uh, yeah, we're. We're at a time. I want to. I know that you have on the corner media, which is your podcast group. Your work is identity, jen, I tell you, tell our listeners anything you want to tell. Tell them about yourself.
David Lee:
Yeah, I would say this, that the biggest thing is my website. I am David Lee dot com I. It encompasses all of that, One of the things that I love to do. Obviously. I love talking about cybersecurity, identity. I love talking about diversity, inclusion, any way that that I can, that I can be of service, that I can help, or if you want to get in touch about you know, maybe speaking at one of your events, just hit me up there. You can find everything there my book, newsletter, all that stuff. So I made it easy for you all in one place.
Chris Sienko:
Awesome and hopefully people can LinkedIn you as well if they want Absolutely. We have very LinkedIn savvy listeners, so hopefully you'll get some user requests from there. Well, David Lee, thank you so much. This was an absolutely fantastic conversation. I really enjoyed talking to you. Yeah, Thanks, Chris, and thank you to everyone who watches and listens and writes into the podcast with feedback. Keep doing that. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments Before we go.
Chris Sienko:
Don't forget infosecinstitutecom. Slash free is still where you can get a whole bunch of free and exclusive stuff for CyberWorks listeners. There's our promo trailer for WorkBytes, which is our great security awareness training video series, in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through age-old struggles of yore, whether it's not clicking on the treasure map someone just emailed you making sure your nocturnal vampiric accounting work at the hotel is VPN secured, or realizing that even if you have a face as recognizable as the office's terrifying ITI bone slicer, you still can't buzz you in without your key card. So go to the site, check it out. I love it. I watch it all the time.
Chris Sienko:
Also, don't forget to check out our free cybersecurity talent development ebook. You'll find our in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy management secure coder, ICS professional and lots more. Once again, that's infosecinstitutecom. Slash free, Go check it out. So one last time. Thank you so much to the Identity Jedi, David Lee, for joining me today, and thank you all for watching and listening. This is Chris Sanko signing off, saying until next time, happy learning.
Subscribe to podcast
How does your salary stack up?
Ever wonder how much a career in cybersecurity pays? We crunched the numbers for the most popular roles and certifications. Download the 2024 Cybersecurity Salary Guide to learn more.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.
Level up your skills
Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.