Stand Up for Security: How Comedic Resilience Can Help Improve Your Security Program
Amanda Fennell: Welcome to Security Sandbox! I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely—and that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel and let's dig in.
In today's episode, our sandbox heads to the Comedy Cellar for an ad lib conversation on the importance of being comfortable with being uncomfortable—both in security and in standup comedy. Joining me today are two of my cybersecurity colleagues, who share a similar passion for humor: Thomas Quinlan and Marc Bleicher. So let's hit the stage and hope these jokes land better than a cat-one incident alert.
Before any questions, I want to add a bit of context to how we know one another. Today is our first time with all three of us back together after nine years, since 2012. Tommy and I first met at Guidance Software, and after many overnights in a cold forensics lab in New York City, we went to work at Booz Allen Hamilton to support the government. I followed not long after when he went there. Our trio was complete and we found our third amigo when Marc came on to support the Veterans Affairs project. So good jokes and, you know, we have to have characters in the setting. We've now got those two requirements. Let's dig into some plot. You ready, Tommy? I know. Here we go. Get ready for this. You authored Adventures in Cybersecurity, which is a humorous, autobiographical account on some of those years that we had together and others. What's one of the funnier moments that you remember when all of us were together at Booz Allen Hamilton?
Thomas Quinlan: So I reread my own book, which was a weird experience, and I found that when I was discussing those times, largely one person kept coming up.
AF: Oh, I know who it was.
TQ: Yeah, I won't say any names. He has a code name in the book. His name is Rahul. And yeah, just the antics out of that one in particular with the deep-dive analysis team and all of these fun things that he used to do to try and hijack our team. Get us all in trouble for—
AF: Every great story has the bad guy, right? So this is our bad guy. That's true. There are a lot of moments that I remember with that. Marc, you remembering this?
Marc Bleicher: Yeah, you had me a "deep-dive." I knew exactly who Rahul is. [Laughter]
TQ: It was a polymorphic malware, so we had to make sure that all our ducks were in a row because, like, well, you didn't find this one file, and that one file happened to be a text file of all the things that happened to have a timestamp that was very similar to our investigation. And so we're going back and forth with this general person.
AF: But wait, wait, wait. There was, like, a five-star general in the room. This was like, every climactic thing you could think would have happened in this moment. Like the movie, like Swordfish. Everyone's in this room. But okay, go ahead.
TQ: Yup. I'd say the customer, but it was essentially the government. And to your point, lots of very important people in the room. And effectively, he gets to this point, he said, "Well, why didn't you know about this piece of malware from this threat feed?" And I was like, "What threat feed?" He's like, "You know, the threat feed that we all get!" And I'm like, "I don't get that threat feed." And then he looks at me like, "Why don't you get the threat feed?" I've never heard of it before. And then he turns to the other people in the room. He's like, "How about you guys? Did you get them?" And everybody around the table is looking at this guy like, we've never even heard of that. What are you talking about? So he looks at Rahul and he says, "What's going on here? Why are they not getting this threat feed? Why don't they have this information?" "They're on a need-to-know basis, and they don't need to know."
AF: Oh my God! This might be, Tommy, one of the only times I spoke up in that five years together—that I actually was like, who determines "need to know"? And it's hard to be the only woman in the room a lot of times, so I didn't normally have much to say, and I was also in a learning phase in my career. But I remember asking that question: Who determines "need to know"? And he said, "I do."
TQ: Exactly. And to be clear, that was Rahul saying that, not the general guy.
AF: One of the things that we were going to talk about here today is this moment of uncomfortability and being comfortable with uncomfortability. Marc, it took me a long time to realize that you were joking so often because you have such a dry delivery. Speaking of which, I love whenever I've seen either of you quote-unquote "angry"—it's very difficult to ascertain because it's covered with so much humor and dry delivery. What are you trying to say and what are you talking about? What do you mean? In those rooms and those moments where we had these difficult conversations, you always handled it pretty comfortably. And I don't think anybody would have thought you were ever angry or frustrated. I think everyone would have just thought you were very professional. And I think it comes from being on a stage, and I think it comes from having to deliver jokes and people not laughing because you're not funny. [Pause] Ohhh! [Laughs] That's a dry delivery. That's dry. Go for it, Marc. So you didn't train for standup?
MB: No, I didn't. I mean, you can't train. That's something I always wanted to do. And when I was out of college, rather than get a job like most normal people, I was like, oh, I'm going to try and do standup comedy. So I hit the open mic circuit in D.C., and after going for like three months before I built up the bravery to do it—and you've heard about live performance. Once you get that first laugh, it's, you know, it's pretty addicting. So you go back, despite not getting any laughter, until you get more laughter, if that makes sense. You hone your craft. And that really does make sense why you can't tell whether I'm angry, I'm happy, or sad. I often hear that a lot.
AF: From Julia? She says that? She's like, I don't even know if you're mad?
MB: No, I'd say more of my professional career. Julia definitely knows that I'm angry, so maybe I'm more comfortable being comfortable with people I'm comfortable with. Kind of like a comfortable inception.
AF: [Laughs] It is inception! So how do you know whenever you're in a room and things are going too far and you have to pull back?
MB: I mean, I think that just comes with me really having basic social awareness. You know, obviously if there's an incident and you get it ... can we curse or no?
AF: Yeah, you can. Are you going to curse? Let's warn everyone with the bleep button.
MB: You know, if you're getting crapped on, you know—
AF: That's your curse word?!
MB: Yes. [Laughter]
TQ: Captain America and The Avengers! LANGUAGE!
MB: If you're getting s*** on a client call, it's an intense situation. I do have my limit, you can tell, and I've had people tell me recently, uh-oh, this is Mad Marc, and my voice does change. It will start to crack a little bit. But again, I mean, if it's a professional situation, I'm not going to risk my professional career on trying to one-up them, so I tend to fight back with humor. That's always been my defense, pretty much with anything, whether it's been a bully in the schoolyard or a Rahul the bully at Booz Allen.
AF: Yeah, for sure. Alright, numbness. I'm going to move this to Tommy. So security, standup comedy ... we've all been in a room with executive boards. Are you always prepared to fail and not get that laugh or in your case, not get that somebody who resonates with the information that you're explaining? And how do you learn to be comfortable with being highly visible where an error could be catastrophic to your career? And by the way, Marc, just a headline, this is coming to you after Tommy.
MB: Okay. I gotta do some research.
AF: Let me Google that for you.
TQ: Yeah, I was going to say ... mute yourself and start typing. The easiest thing to do is to prepare as much as possible, but there's always going to be situations where you're just not prepared. We have a saying that there's always somebody in the room who's trying to play "stump the chump," and you effectively have to sort of plan for that person. And in order to do that, you have to be prepared. And there's always going to be things you don't know. So if you don't know something early in your career, you'll be like, "Oh, I just attach the flange and things work," and you just make something up. But that doesn't really hold water once you get past, like, the first five minutes of your career. So you just tell them, "I don't know, I'll go look it up" kind of thing. Or "I'll get back to you." But I mean, sometimes it can be very difficult to actually maintain one's cool when people are just obstinate and they're being obstinate on purpose. I mean, the things that we do are essentially trying to convince people to change the way that they're doing technology, and there are a lot of people who really don't want to do that, even if it is better in the long term.
AF: It will be. I mean, okay—it's interesting that the adoption cycle for things in security or in technology takes, like, five years for people to get on the bandwagon. And I say this as somebody who works at a cloud like, you know, SaaS, company. Cloud adoption is painfully slow. Even though everyone acknowledges it's the right thing to do, it's better in a lot of different ways—infrastructure, security, and so on. But the adoption is super slow. And so you have to learn how to have that interaction end up being positive for that person, even when they're obstinate. If someone's just obstinate, you have to keep navigating through it, and you have to keep trying to make sure that the light gets lit within them so that they follow it.
TQ: The other thing that I find particularly useful is trying to imagine what other people are afraid of. They're not being purposefully obstinate. They're just afraid. They don't want to change, and it's that sort of thing. And when you understand it's about emotional intelligence—basically, when you can understand what the other person is going through—then you can lift the rock. You can identify, hey, there's this rock here. This person is hurting, afraid, et cetera. What do I have to do to try and make things better for that person? There won't always be an answer—the rock might be too heavy for you to lift; the person maybe holding onto the rock. But at the same time, if you make that effort, you're always going to be in a better position than if you don't.
AF: I think that's how I've tried to train people that I work with over the years. The easiest thing to do is to always think about what that person is solving for and all they're wanting to hear, so that you can understand what their experience is and things like that. And so there's a lot of empathy involved. I have a story that I stole from my boss, and I don't know where he stole it from, and it doesn't matter. But it's a great story and it's very short. And it's just basically that the difference between empathy and compassion ... Say you come upon someone who's in the road and laying down and has a huge rock on their chest, and this person is saying, "Oh my God, this hurts and it's very painful," et cetera. Somebody who lays down next to them and says, like, "Oh, this does hurt really bad and is so painful, and I can totally feel it"—that's empathy. But compassion is when the person helps them remove the rock from their chest. And so empathy is useful, but compassion can be better. Alright, Marc, you Googled this. You've had the time to look it up. Were you always comfortable being in the room whenever something was going to be a difficult conversation or did you learn anything over time?
MB: No. I think Tommy hit on it. I was horrible, absolutely awful, in front of clients, especially high, I guess, high-stress clients. I've been asked to leave class before—we all have, or asked not to be part of something just because they didn't agree with the recommendation. It has come with experience. It probably took me at least 10 years to be comfortable with myself and really just not giving up and just trusting my own instincts and reading the room.
AF: The decisions you make in fear are the worst decisions of your life, and I've seen that, consecutively, time over time. So stop any time you're feeling that pressure and that fear. Just stop and breathe through it and recognize beyond that, because the beyond is where you're going to get a better idea of what to do and calibrate better. Marc, I interrupted you.
MB: No, that was good.
AF: That was baller. That was it.
MB: I guess, had I stuck with comedy—I often think about this—could I have gotten to the same level that I have in my career now with comedy? But obviously, one pays the bills, the other doesn't for a while.
AF: Are you going back to comedy? Are you planning to go back?
MB: I think that's what I'm saying. This is my reintroduction. Watch out, world!
AF: Here we go! Okay, Officer Hoyt, let's go!
TQ: Just bought new shoes for the kids. Time to go back to comedy.
MB: [Laughs] That's right. So what was the question? I'm just—
AF: Being comfortable with not knowing the answer …
MB: I'm pretty comfortable being uncomfortable now, to be honest. I never had empathy when I did stand-up comedy. It was just about, to be honest, it was just I wanted to make these jokes hit. But with incident response? You know, that's where I chose when we diverged from our paths. I spent my career there since. I think that's the number one thing you need to have in order to be good at your job, and especially what I do now with ransomware—you're going into a situation where there is a rock on their chests. And having done this day in and day out for the last few years, you have to approach it with empathy. So I don't know how that applies to standup comedy. What I am trying to say is I didn't have any empathy. But now I do.
AF: I think situational awareness, et cetera, does apply for standup comedy. To be in the room and so on makes sense. But sometimes it's not about the empathy. But in this job? Yeah, it makes sense that you have to understand what you're solving for and what their pain is, because that's all they want to hear is, how do we make this go away? How do I make this better?
So I had this conversation with my sister earlier about something for a job development, but she asked me, "Did I fail at this part of what I was trying to accomplish?" And my question was like, did you give it everything you had? And she said yes, and I said, so you couldn't have done any more. So you should just be comfortable and confident that you did all you could. And if that wasn't enough, then it's not the right fit. It's almost like a relationship. You gave it 110 percent, and that still wasn't good enough. That might not be the person you want to date. You know, you may want to be with someone else, because you'll spend the rest of your life trying to be better, better, better all the time in a way that you can't get to. So I think there's a moment of being comfortable that, look, I did the best that I could. And if this isn't what you're looking for and this isn't the right fit, then it's just not where I should be. Be comfortable with that. So, okay, we got there. I don't know that I've ever been booted out. Tommy, did we ever get booted out somewhere from a client site?
TQ: Not that I can think of.
AF: Marc has though. Look at that, Marc is just cursing up a storm with that "crap" word all over the place. [Laughs]
MB: We should edit that part!
AF: Tommy, you mentioned this earlier about emotional intelligence, being a little bit aware of what's going on. So we read the room—we read every room, and we have situational awareness. Do you see an overlap between when you're reading the room and a possibility to interject humor? Or is your default, I'm here to do my job and do the read out and that's it, and I'm not going to look for an opportunity? Because I actually look for opportunities to joke around all the time. So I'm curious if anybody else does.
TQ: No, I do the same if the potential prospect-slash-customer is one that I'm comfortable with, and they're comfortable with me. I'll joke around with them all the time. I mean, I can't always say that I'm funny, but ...
AF: Dad Joke #4... So exactly what's your go-to topic in material that you always go back to whenever you're joking or referencing? Is there a movie or any kind of a show or anything that you always lean back on?
TQ: Oftentimes it'll be The Office.
MB: I knew it!
AF: Oh, you knew it, Marc? I knew it! I knew it!
TQ: But I get to use the British one and the American one! Ha-ha!
AF: Oh, that's right! On the other side of the pond.
TQ: Exactly. And then, I mean, typical geek stuff. Star Wars, Firefly, things like that essentially. Depends again on the audience.
AF: That's your typical geek stuff? Firefly comes up often? Because a lot of people are like, oh, I didn't watch it, so...
TQ: Well, I didn't say it always lands.
AF: So Marc and I have ... It's interesting; over the years that we've gone on in our different jobs, Marc and I have kept in touch at different times. We will text about something or an issue comes up. Tommy, you and I keep in touch because, you know, again, your wife is a good friend of mine, and our kids are both named Maxwell, so we have a lot of closeness there. But one of the things that Marc and I always reference ... I don't know that I could do a text exchange with you, Marc, without referencing it. What is it? What movie?
MB: Training Day.
AF: It is Training Day! [Laughs] Officer Hoyt?
MB: [Imitates Officer Hoyt] Okay! Alright!
AF: That movie is just rife with quotes that should be used in cybersecurity, like so many different moments. Is there one that speaks to you, Marc, more than any other quote in that movie? That you're like, yeah, this is it, you have to use it.
MB: There is, but I can't express that verbally. I communicate with the one GIF that's on Microsoft Teams. It's just Denzel in the driver's seat, shaking his head. That can apply to any question, any situation. So that's my calling card.
AF: I might use ... my calling card from that might be actually, he goes, whenever he's nodding, he goes, "My man!" That one.
MB: That's the one! That's the one.
AF: It's absolutely valid. Let's just mention, as we tie out this part of this, we have a few things that are useful references for making jokes. Star Wars is just a good reference, period, and so is Firefly. Like, I just don't see ... I think those are just, like, you have to in the geek realm. Be prepared for those. And Star Trek if you're also geeky. I'd also like to put a little bit of a shout-out for Babylon Five, which recently got looked upon again for a reboot. I know nobody watches it but me, but I'm just making a mention that J. Michael Straczynski, they're coming out with a new one. So we have some references in the sci-fi world. Are there any other ones that we need to make sure people know if they're listening to this podcast? You better be ready for the comedy here. The Office, I think you mentioned earlier. Futurama, Tommy. Anything else we're missing?
TQ: Well, I guess it depends on the medium, too.
MB: I was going to say Ben-Hur. [Laughing] Sparticus? [Laughing] Reeeally my jokes are not hitting, but I'm comfortable with that. I did a callback.
AF: No, you got it. Yeah, you got it, man. We're going to do Spartacus.
MB: This is like my first open mic. [Laughing]
AF: Tough crowd. Tough crowd.
TQ: There's only two of us.
MB: Where did the hacker go? Where did the hacker go? He ransomware! [Laughing]
AF: So you opened up a door, by the way. You brought up the r-word. So ransomware. Marc, how tired are you being asked about ransomware?
MB: Pretty tired. I don't know.
AF: Yeah, so let's ask about it!
TQ: I have zero interest that he is going to want to talk about this.
MB: Yes. We should end it right there. That's a mic drop. [Laughing]
AF: Okay, we're going to do a wrap-up. There are some things I think are our major themes that I've picked up. I's been nine years since the three of us have been together. And then, however many years in addition to that that we've known each other, which—it's been a long time. Couple of things that are big takeaways for me. And the first one is going to be that humor can be a good way to fight back and speak up in a charged setting when you're feeling uncomfortable. It's not always opportune for us to make a comment or, you know, speak up in a way that's very assertive and confrontational, but humor can be the way that we do that. So it's a useful tool to have in our toolkit.
The second one is that our jokes can work in standup or at work, but it depends on your audience, so you have to read the room and hopefully there's some familiar references that you share with the people that you're talking to, which are helpful. So if it's sci-fi, et cetera.
The last thing—because I always end on three—is never let go of the best people who become your friends from work. Because of you two, I will say never let go of the good people that you find that become your most treasured friends, that you can bring on a podcast many years later.
Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments, give us a rating—we'd love to hear from you!