Hacker, Researcher, and Security Advocate


I’m here and I’m human

Hi, here I am. I am Alyssa. I am a 44-year-old woman and a parent of three wonderful children. I am an executive leader at one of the oldest and best-known financial firms on Wall Street. I am a public speaker who travels internationally to share my work at large conferences with tens of thousands of people a year. I am an author; my first book is currently in production and will be in print soon. I am a soccer referee, and I officiate some of the highest levels of competition in the Big1G. I am currently enrolled in flight school and planning to get my Private Pilot Certificate. I am also transgender.

Alyssa in blue cast lighting with a wireless microphone on her cheek looking up to the right.

Now if you didn’t know me, you might read those first six sentences and be left feeling like “wow, this woman has really accomplished a lot in her life”. I’ve come to accept that yeah, that’s right, I really have. I’ve been very fortunate to have opportunities I could have never dreamed of. I’ve taken those opportunities and made the most out of them. I’ve used my privilege and wealth in many ways to give back to my community, to those who don’t enjoy such privilege, and ultimately to try and make our world a little better place. Everything our society asks of a person I feel I have done in some way.

Except there’s that last sentence in that first paragraph. The one that tells you how I don’t fit into society’s view of human beings. The one that some people get stuck on and will focus on despite the impressive list of accomplishments that precedes it. It’s the sentence that gets me subjected to bullying, discrimination, and ultimately hatred from the people around me (even when they’re perfect strangers). That word, transgender, has been used by politicians, supposedly devout religious people, and fascists as an excuse for their hatred and even violence toward people like me.

People will use that word to tell you that I’m some sexual deviant. They will say that I have an incurable mental illness. They will say that I just want to break into women’s spaces so I can spy on them. They will tell you that my intentions are to erase women and make them irrelevant. They will tell you that I’m so disgusting that I don’t deserve access to healthcare, that I shouldn’t even be able to make my own medical choices with my doctor. They’ll say that I shouldn’t be allowed to play sports, and many will even suggest I shouldn’t be allowed to go to a public bathroom because I’m such a monster.

Of course none of that is true. I’m not a sex offender of any fashion. I don’t have a mental illness (trust me, trans people are forced to undergo tons of mental evaluation to confirm this). I advocate for women’s rights every single day, including those that don’t directly impact me. I work to uplift all people and especially to level the playing field for those that are marginalized. And when I go to the bathroom, I can assure you my only goal is to pee, poop, wash my hands, and then go on with my day. Yet the narratives of how horrible I am persist and far too many people still believe them.

This is the reality of being transgender in America today. Over 150 bills have been proposed across 47 states in the first three months of 2022 that target transgender people specifically and seek to treat us differently than other Americans. That’s literally legalized discrimination. Transgender people have become the convenient target for political ideologies that love to bully others. We’re easy targets, easily the most vulnerable right now because any protections we have against discrimination in law are dubious at best. We’re not easily seen. Transgender people are estimated to only make up 1% of the population and not all of us are easily detectable when we’re in your midst.

Picture of protesters holding signs that say protect trans kids

But today is transgender day of visibility. It is the one day a year that transgender people devote to being visible. To letting society know that we are humans just like you, we have the same human needs each of you do, we have all the good and bad traits that exist across the beautiful rainbow of our society and our people. Transgender women, Transgender men, Non-binary, and other gender non-conforming people are still people just like you. Yet so many in our world want to vilify us and see us erased from this planet. But it’s all based on that false narrative they’ve painted of who we are.

So today, I want you to see me as just one example of who transgender people really are. Not all are like me, not all have the same wants, needs, and desires as me. However, one thing we all universally want is to be treated with the same dignity and respect that would be afforded any other human being on this planet. I ask that you stand in solidarity with ALL HUMANS and recognize that no matter what color, what gender, what sexuality, what religion we come from, we’re all HUMANS and that is a pretty damned good reason to look in awe at just how wonderful each and every one of us is.

Image of a red stamping of the word plagiarism

Plagiarism at EC-Council, an Open Response

Cases of plagiarism by cyber security certification company EC-Council have been documented for over a decade. As I wrote previously, I personally was one of many victims of this behavior recently. On June 27, 2021, I was contacted by email by the CEO of EC-Council, Jay Bavisi, to inform me that they had released a statement regarding the issue.

On the surface, the statement appears genuine and direct. However, I knew after sitting with it for some time I’d start to see the issues more clearly. So while I immediately shared it on social media, I did not offer any reaction. I’m ready now to openly share my thoughts on this statement.

A Lengthy Response

The statement from EC-Council is long and clearly took some considerable thought to assemble. It touches on some points of accountability and offers some transparency into how EC-Council plans to address the situation. So I’m going to go point by point, offering my reactions to each here.

Their explanation

Graphic with the greeting and first three paragraphs of the EC-Council statement.

In these first couple paragraphs, Mr. Bavisi attempts to address the silence from his organization. Remember this statement came a full week after I first reported the plagiarism. While I’m glad they addressed this issue, why it took a week to investigate and admit wrong-doing is a mystery. Clearly crisis communications are not EC-Council’s strong suit. Still, I’m glad to see he came prepared to face the music. Let’s see what they’ve learned.

What they learned

A graphic showing the first bullet from the EC-Council statement expressing disappointment about the events.

OK, this looks like a good start. This is the first time in the week since my report that EC-Council has used the words “plagiarism” and “sorry”. They go on to loosely explain it as a series of missteps. This is a bit of minimization considering these accusations can be found dating back to 2011. However, nice to see ECC finally admit culpability.

A graphic showing a bullet point from the ECC statement talking about anti-plagiarism tools

The second bullet and things are getting shady already. In their previous statement, ECC claimed their blogs were checked for plagiarism by “industry accepted software.” However, now they contradict that. Alright, so gaps happen. However, it’s the rest of this point that’s troublesome to me. Bavisi attempts to distance this situation from their certification and course content. Of course he does, because those are the primary sources of ECC’s revenue. They are the crown jewels and this situation has undermined their credibility in the market.

The problem is, there is a high profile case of plagiarism in ECC’s exam questions documented on the internet as well. So this becomes a divide and conquer maneuver. Bavisi is already attempting to treat this as a one-off event rather than consider the bigger picture of the culture at his organization.

Whatchya gonna do about it Jay?

Graphic of another bullet in which Jay Bavisi says he takes full responsibility

Um so what does this mean you take full responsibility? You’re the CEO, of course you do whether you like it or not. But this is a meaningless platitude if not met with action. Maybe your following bullets will help explain it more. The unreserved apology is nice, the second time contrition has been presented without caveat. That’s a far better response than the first statement you released.

Bullet saying the blog will no longer be managed by the marketing team

This is an interesting response. In most organizations, blogs such as ECC’s which serve a very specific purpose fall under marketing. It’s called content marketing for a reason. Your blog is set up to offer free materials in order to market your products. So could this be a shift in how ECC plans to leverage their blog? I’ll be staying tuned as that could be something potentially, dare I say, innovative?

Bullet stating that the blog will remain off-line and that they're establishing an editorial team.

This sounds like a great idea. Bring in people who are technical experts to create original content that is high-quality and of value to the community. I think Jay actually read my previous blog and is taking my suggestion on this. Value contribution is a principle I called for them to apply and this sounds like they’re moving in that direction. Well done!!

Bullet stating they are planning to hire an editor with experience in technology and security

Any of my skilled writer friends need a job? I know someone who’s hiring. In all seriousness though, this is a good move and a good investment. Time to bring in someone that knows what they’re doing. Someone connected with the industry and with journalistic practices would be a big improvement.

Graphic of two bullet points that seem to reiterate the previous two bullets

I’m tackling these two together because they seem to go together and express pretty much the same thing I got from the previous two points. These are good moves. An advisory board, and hiring subject matter experts. In the past ECC has relied on free contributions from whoever they could get to provide them with such content. That’s not a recipe for getting the best and brightest. Pay people for their knowledge. That’s how you get quality work!

Bullet stating they'll hire diverse people

Yes you should be hiring across a diverse set of candidates. Your writing pool should represent the same diversity that is in the community you serve. Thinking this is a callback to the situation in April.

Bullet stating they're creating a VLOG to help avoid plagiarism

A Vlog is an interesting approach. However, Jay, be aware that this will not “ensure that plagiarism won’t happen again”. It is possible to plagiarize via spoken word as well. However, it is also harder to find. So, I truly hope that you don’t think just because it’s live or recorded content being spoken on video means that it can’t be plagiarized material. Tread lightly on this one.

Bullet that asks victims of their plagiarism to reach out to them.

I’m not sure what this is asking. Jay, are you asking for all currently identified victims of the plagiarism to contact you at this email? Are you offering compensation or something similar for the works your organization stole and profited from? Or are you looking for further victims to make themselves known? If the latter, I’d say with how trivial it was for us to find additional plagiarized content, perhaps your team should be doing that work. Especially now that the blog is offline so searching it requires use of the WayBack Machine.

Bullet stating they hold themselves to rigorous standards

Oh cool, the rest of EC-Council too? So does that mean you’re making improvements in exam question authoring as well? You need to come through on this promise. I’m sure your missteps so far this year have had an impact on your bottom line. Don’t want any more of that.

Bullet announcing the resignation of a Marketing Executive

Well, um, what? Jay, I thought you were taking full responsibility? Also, how senior was this marketing executive if they weren’t even listed on the executive team page on your website? This one bothers me. Not that there wasn’t good reason for this person to resign. However, it screams of scapegoat-ism. It ignores that the problem goes higher. Given how long this has been going on and the number of issues (not just plagiarism) at play, clearly there is a cultural shift needed. What is the rest of your executive team doing to make real change happen Jay?

Wrapping things up

Graphic with the concluding five paragraphs of the statement

So the conclusion begins with another apology and Jay again saying he takes full responsibility. Still wondering about that executive marketing leader. Then he announces the upcoming release of their diversity report that they committed to back in April/May. Clearly he wants us all to know ECC is trying to get better. Fair.

The third paragraph is wonderful but perhaps should have appeared early in this statement. Jay actually acknowledging (I believe for the first time ever) that there has been a lengthy history of this behavior from ECC. That’s important because, as I’m sure Jay with his law degree knows, this puts him legally on the hook now. If things don’t get better after this, he has no plausible deniability.

The next statement is nice if it isn’t platitude. Jay reaching out to the community for their thoughts on what ECC can do to get better. Yes, that’s a great invitation, but I hope there’s some substance behind that. I also hope this isn’t a lazy attempt at finding your issues without doing the hard work of introspection. Interacting with and hearing from your community is important, so maybe a good step? We’ll see.

The verdict

Well as I said when I shared this on social media, some good info and some problematic statements. I’m not convinced at this point. Given ECC’s history of this kind of behavior they’ve got a long road to travel. From the responses I’ve seen privately and publicly on social media, it seems much of the industry feels the same way.

I don’t wish for the failure of EC-Council. I don’t think that would be good for our community in the long run. However, my opinion could be changed if EC-Council themselves continue to cause damage like this. So for me for now, I’ll be keeping them at arm’s length. They need to show me they’re actually changing. That they’ve learned it’s ok to make profits but that those profits should come from building up the security community not draining from it.

Banner: Speaking at RSA Conference 2020; Human Factor

RSA Conference Schedule

Where to find me at RSA

As I’ve announced previously through social media, I’ve received the great honor of being accepted to speak at the RSA Conference in San Francisco this year. One thing has become very apparent thus far, this is a huge networking event and everyone wants to meet up. So as my calendar gets more and more full, it’s harder to coordinate and share with others. Therefore I thought it best to share it here. Contact me if you’d like to schedule time to meet up.

| Description | Location | Time |
|---|---|---|
| Monday 24-Feb | | |
| Panel: GDPR, Supply Chains, and Other Policy Game Changers | AGC Partners Cyber Security Summit | 11:30-12:15 |
| Panel: Power Up Your Personal Pitch | She Speaks Security, Moscone West | 2:00-2:50 |
| Table Talk Discussion #3: Your Pitch | She Speaks Security, Moscone West | 2:50-3:05 |
| Tuesday 25-Feb | | |
| Media Interviews | RSA Media Room, Moscone South | 10:00-11:30 |
| Presentation: Stranger Danger, Finding Security Vulnerabilities Before they Find You | Trend Micro Booth #672, Moscone South Expo | 1:00-1:10 |
| Presentation in Vendor Expo | Moscone North Expo | 2:00-2:15 |
| Women of Security (WoSEC) Crashes RSAC | Moscone South Room 303 | 3:00-5:00 |
| RSA Scholars Dinner | Private | 5:00-9:00 |
| Wednesday 26-Feb | | |
| Losing Our Reality: How Deepfakes Threaten Businesses and Global Markets | Sandbox Stage, Moscone South | 10:40-11:10 |
| Presentation in Vendor Expo | Moscone North Expo | 12:30-12:45 |
| Presentation: Stranger Danger, Finding Security Vulnerabilities Before they Find You | Trend Micro Booth #672, Moscone South Expo | 2:00-2:10 |
| Media Interviews | Off-Site | 4:30-5:00 |
| Thursday 27-Feb | | |
| Birds of a Feather: Overcoming Candidate Skills and Diversity Gaps in Hiring | Engagement Center, Moscone West | 9:20-10:10 |
| Presentation: Stranger Danger, Finding Security Vulnerabilities Before they Find You | Trend Micro Booth #672, Moscone South Expo | 12:00-12:10 |
| Braindate Session: Processes for Threat Modeling in DevSecOps | Engagement Center, Moscone West | 1:00-1:40 |

Red sign with white lettering that reads "for hire"

It Shouldn’t Be This Hard

Why is a career in cyber security so difficult to build?

There it is again. Another headline about the cyber security skills shortage. It’s getting worse, says the author. A different article puts the number at 4 Million open jobs with no relief in sight. Training platforms market their programs in an effort to address the problem. Conferences host career fairs and villages. We have volunteers doing resume reviews and interview coaching. Yet despite all this effort, studies tell us the problem is growing.

This pattern would suggest that more jobs are being created than there are people to fill them. But if that were the case, who are all the people attending these career building events? Why are there people who’ve been searching for over 12 months to find a security role? If there are 4 Million unfilled jobs, shouldn’t it be impossible to locate a job seeker who hasn’t been able to get called back on their applications? Truly these people exist and look at any Mentoring Monday Twitter thread and you’ll see they exist in large numbers.

The Blame Game

When you ask these questions of people around the security community you’ll get some interesting results. Employers point their fingers at academia for not offering relevant instruction. Hiring managers blame candidates for applying to positions they’re not qualified for. Aspiring security professionals often point out that entry-level jobs are hard to come by. Seasoned professionals, like myself, point to the myriad of unrealistic job listings that discourage candidates from even applying.

With all the postulating about who and/or what is to blame, it’s hard to know if there even is really a skill shortage. I previously wrote about my belief that this shortage is overblown if not an aberration altogether. Two things are certain here. One, entry-level and experienced candidates searching for jobs often spend months to a year looking for work. Two, many cyber security roles sit open for months to a year or longer.

The real costs of this problem

Businesses pay dearly as a result of this situation. There is a concept in the recruiting world known as Cost-of-Vacancy (COV). Most people understand that actively recruiting for a position costs money. However, what many fail to account for are the other costs of having an open position. These include:

  • Increased attrition
  • Lower productivity
  • Lost sales or renewals
  • Increased travel and other expenses

Businesses are not the only ones bearing the costs of the problem. Obviously, the job seekers themselves take on much of the cost. Searching for jobs costs money as well as time. Mental and physical health suffer as a result of staying in a bad situation or just the job search process itself. Even family life can suffer as a result of this increased stress and demand for time.

Finding the solution

OK, so everyone pays a price as a result of this seemingly disconnected situation between hiring organizations and job seekers. Why then don’t we have a solution? It’s time for the industry to do better and be better. Predictably, that begins with building a better understanding of the reality we face. To that end, I recently announced via social media that I teamed up with Manning Publications to write a book. The focus of this book will be building a career in cyber security. Unlike the precious few other books of its type on the market, I don’t intend to focus heavily on training strategies and technical skills. Instead, my work will take a long hard look at the human factor. I’ll address the unseen challenges and provide ways to overcome them.

With that said, my first step is research. I want to find practical answers to the problems I’ve detailed above. This is where you can help me help others. I’ve created two data gathering surveys. The first targets experienced security professionals. I want to gather insight into the journeys others have taken in their careers. The second is for aspiring professionals. In other words, those who never worked in cyber security but want to. I want to understand the problems from their perspectives. I want to learn about their experiences and the skills they bring to the table. Both surveys are quite short, only 3-5 minutes to complete, and both are completely anonymous. I’ve included the links below and would appreciate if you could spread the word. Additionally, of course, if you fit either description above, I’d love if you could complete the appropriate survey.

Improving our situation

Thank you in advance for your assistance with this. I truly believe there is much to be gained from this work. I’m teaming up with others in the industry to understand their research as well. My goal is to finally bridge the real gap that I see here. The gap between expectations of job seekers and hiring organizations. That is how I think we’ll improve our community and the digital world as a whole.

Experienced Professionals Survey: https://s.surveyplanet.com/LupYIHiV

Aspiring Security Professionals Survey: https://s.surveyplanet.com/lmI4b4fB
