Rachel Tobac: Find a way to laugh. [CEO]
Rachel Tobac: Hello, my name is Rachel Tobac and I'm a hacker. Sometimes people call me an ethical hacker or a friendly hacker. I'm also the CEO of SocialProof Security.
Rachel Tobac: My favorite movie growing up was Harriet the Spy, which is probably not a super big surprise. Um, I carried around a little notebook and wrote observations about my life and hoped that I could use that, uh, for what? I don't know, I was only a child. But I think that that really kind of helped me predict how I would use my skills later in life. I have a very non-traditional path to InfoSec. I went to school for neuroscience and behavioral psychology. I worked in a rat lab. I was a teacher. I led a UX research team. Now I'm a hacker and CEO. So it's, it's pretty different than people might expect.
Rachel Tobac: I was always interested in the human brain and how people make decisions, how they are persuaded. So I knew that I wanted to go into neuroscience right after I took AP Psych and I went through all of that pre-med stuff, which was grueling. And I was trying to figure out what it is that I could do in my career and I didn't wanna work in the basement in, in a rat lab anymore. I wanted to go out and be in the sunlight with people, cuz I like the human element of everything. So I was like, you know what, I'm going to use my skills and I'm gonna be a teacher. So I was a teacher for children with disabilities and uh, absolutely loved that job.
Rachel Tobac: I moved from the Pittsburgh, Pennsylvania area to the San Francisco Bay area and I'm like, you know what? I think it's time for a change. Maybe I wanna try something else. And my friend living in Silicon Valley goes, well, you know you're really close to Silicon Valley, you could work in tech, and I no joke go, what's that? Like, did not know what Silicon Valley was and she was like, are you serious? You live like 10 minutes away from where Facebook, Twitter, Instagram, like all that stuff where all that stuff was built. And I was like, oh, okay. Let me look into that, like that's how much of a tech noob I was. I applied to a hundred tech-based roles and um, I ended up getting about 15 interviews from that, five final interviews and three offers. That was the path. And I ended up taking a job at an ed tech company, which felt like a really fitting position, cuz of course I just came from education.
Rachel Tobac: So worked in the ed tech role. Started as a, uh, community manager. Worked my way up to a senior community manager. Then I started the UX research function at the company and became a UX research lead, which really just married a lot of my interest in all the studies that I did in college. So I was able to lead that function there and while I was at that company, my husband was like, Hey, you should come to this cool conference in Vegas. It's called Defcon and I'm like, nah, I'm okay and he is like, no, I really, really think you would like it. So I was like, all right, I'll go. I ended up seeing a few calls and was like, oh, absolutely, I wanna do that. So, ended up competing at Defcon. Applied, made a really weird, uh, Twin Peaks-style application video and ended up getting in and competing and getting second place three years in a row, which super launched me into InfoSec.
Rachel Tobac: It was pretty organic actually. So from Defcon, people started reaching out and saying, Hey, I saw you live competing at Defcon. Will you come to my company and talk about how you hack and how we can avoid falling for your tricks? So I started doing that and had, you know, a bunch of the big names in Silicon Valley as my clients, and I was like, yeah, I should probably LLC to protect myself. So I created my LLC. It was first things like keynotes, and then social engineering prevention training, then security awareness training, protocol update workshops to change the way that you verify identity through customer support flows. One of my main ways of attacking and then from there, penetration testing.
Rachel Tobac: The majority of my week, um, are virtual live programming and events. So companies will ask me to come in and do a live hacking demonstration and walk through with their executives or their all-hands-style team or their finance team about how specifically they would get hacked and how they can avoid falling for those tricks and what technical tools to implement so that they don't have to just rely on the human element of security and then, um, other calls throughout the day that pop up are usually random media requests. Then other weeks it's different. It's things like I have a pen test and I've pretty much blocked off the rest of my week so that I can actually hack the company. It's kind of silly, but it's like a little bit like method acting where you kind of have to stay within your role. If I'm doing that, I try not to mix and match and have to be myself and also my pretext.
Rachel Tobac: I try to just be as authentic as I can possibly be. I feel like a lot of people, when they get into a position of leadership, they can get a little stuffy and a little, I don't know, like corporate speak. Um, I try to stay professional while at the same time maintaining my personality cuz I don't know, I like to laugh. I think it's fun. Um, and like having fun witty banter with people doesn't make you any less of a leader. I think sometimes people get confused about that.
Rachel Tobac: The way that I deal with adversity is through humor, usually. I find I get a lot of perspective when I can take a step back and laugh at something, um, whether it's like a meme on TikTok or an SNL sketch or just going and watching live improv or just laughing at whatever's going on in my life in general. I think in the security world sometimes we take ourselves pretty seriously and a lot of times it's because we're dealing with really serious topics, and so in the moment we have to be extremely serious. But when you get a five minute break in between your crisis meetings, find a way to laugh if you can, otherwise you might drive yourself wild.
Rachel Tobac: I hope that people look back at the work that I've done and they think, man, it's really annoying to try to hack into companies now. I hope scammers, cyber criminals, and even pen testers think, oh God, Rachel was here. I can tell because I just tried to call their customer support team or their finance team, or I texted their exec team and I tried to get them to go to this link or install this remote access software or send a check to this different bank and they wouldn't do it. They have a second method of communication and they have a password manager and they have all these MFA tools that they use, and it's just annoying. I hope people see that and they think, "Wow, Rachel made our lives really annoying to hack." That's the goal, right? Um, so yeah, maybe if it's really annoying to hack a company, it'll be like, Rachel was here.