The BlueHat Podcast 9.4.24
Ep 36 | 9.4.24

Ryen Macababbad on How Security Can Empower Productivity

Transcript

Nic Fillingham: Since 2005, BlueHat has been where the security research community and Microsoft come together as peers.

Wendy Zenone: To debate and discuss, share and challenge, celebrate and learn.

Nic Fillingham: On the BlueHat Podcast, join me, Nic Fillingham.

Wendy Zenone: And me, Wendy Zenone, for conversations with researchers, responders, and industry leaders both inside and outside of Microsoft.

Nic Fillingham: Working to secure the planet's technology and create a safer world for all.

Wendy Zenone: And now on with the BlueHat Podcast. [ Music ]

Nic Fillingham: Welcome to the BlueHat Podcast, Ryen Macababbad. Ryen, did I do it well? This is like take 12. How was that?

Ryen Macababbad: Yeah. You did well, Nic. Thanks.

Nic Fillingham: Thank you so much for joining us.

Ryen Macababbad: I love your diligence. It's great.

Nic Fillingham: Well, it's important. I have a very boring ye olde English name, Fillingham. I think it means like farmhouse on a hill or something. But anyway, thank you for your generosity in letting me roast the correct pronunciation of your name. Welcome to the BlueHat Podcast. You're sort of internet famous. No, you don't think you're internet famous. I thought you're internet famous. But would you mind introducing yourself to the audience that maybe have not heard about you?

Ryen Macababbad: Sure. It's interesting because there's always people that know me that I don't know how they know me. I don't consider myself internet famous, but I do like to share information. So my name is Ryen Macababbad and I am a Principal Security Program Manager at Microsoft. I recently came back to Microsoft about three months ago.

Nic Fillingham: And what is your current role? And then what was -- you said you were Boomerang, so you were at Microsoft before. Can you talk a little bit about what you did on your first stint or your previous stint and then what are you doing now?

Ryen Macababbad: Yeah, sure. So I actually joined Microsoft right out of the military. I was in the army. I served on active duty for eight years. And then I went into Microsoft into the Identity Product Group as a developer and then program manager. At that time, they were just starting what's now called the CxE or the Customer Experience Engineering Program. And it's gone through many iterations of many names in different teams, in different product groups. But essentially, it is their program managers that are basically working with hundreds of customers over time to gather insights and feedback and feature requests to help them deploy and implement different features to go through private preview with different features before things go public preview or GA so that we can really capture the scenarios and use cases that are relevant to our customers. So I did that in identity and then 2017 hit and a lot of companies got impacted by NotPetya and the AD FS Lockout attacks that were occurring at that time. And for me, I always considered myself as a protector and a defender and I felt kind of helpless to protect and to defend these people that I have built such strong relationships with when we're problem solving. And so I decided to shift my focus into defensive security and I ended up joining the Microsoft Defender Advanced Threat Protection Team, which is now broken up into many defenders, but I specialized in endpoint protection and detection and response. Oh, right. And what do I do now?

Nic Fillingham: What do you do now? Yeah. You left Microsoft?

Ryen Macababbad: I did leave Microsoft, yep. So I had gotten so much experience with enterprise security through the lens of the customer, but not firsthand experience. And I really felt like in order to be holistic and have that holistic view that I needed to have that firsthand experience. And so since Microsoft didn't have any roles at that time that really like yelled at me and said, come and fill me and do the thing, I ended up going to work for somebody who was at another company that had been at Microsoft, her name is -- and she's amazing. She's --

Nic Fillingham: Shout out to Kymberlee Price. Kim Possible.

Ryen Macababbad: Kim Possible. That's right. She's so cool. And she started her own company, actually it's Zatik Security. It's like security team as a service. It's pretty neat. And one of my former direct reports is also working with her on that. So it's like a dream team. But anyway, I went to go work for her and I did security architecture and customer trust engineering. And that was a lot of fun. I went on to work for another company before deciding to come back to Microsoft when a friend of mine reached out and said, "Are you interested in security architecture? Because I'm moving roles." And he is great. Carmichael Patton, he's awesome. And so I backfilled Carmichael, big shoes to fill. And I don't say that just literally. So now what I do, my focus really, all of the projects that I'm working on are really geared towards providing a seamless security experience and productivity experience for our end users. My thought is that you shouldn't have to think about security if that's not your job. Like it should just be built in by default and you should be able to do your work securely without having to be a security expert. So that is kind of how I approach all of the work that I do today.

Nic Fillingham: That is awesome. Well, we're very happy to have you both on the podcast, but also back Boomeranging to Microsoft. Today we're going to talk about a topic that you're obviously very passionate about, security as an enabler, and we'll jump into that in a minute. But you've also just returned from Hacker Summer Camp. You're in Vegas for a couple days. That's always --

Ryen Macababbad: An entire week. An entire week.

Nic Fillingham: An entire week. Oh, wow. Which felt like several months.

Ryen Macababbad: I was there from Sunday to Saturday. It is a lot. It is a lot. Especially as an introvert, like there is a lot of peopling that goes on there and fitting it all into one small section, it's like, I'm good for another like few months on a few minute interaction.

Nic Fillingham: So there's a ton of events that happen. Obviously the two big ones are really sort of Black Hat and DEF CON, but also BSides and Diana and SquadCon. Which events did you attend and sort of what are some of your takeaways from Hacker Summer Camp 2024?

Ryen Macababbad: Yeah, so I went to Diana Initiative and to BSides Las Vegas. I've done Black Hat, I've done DEF CON for several years. And what I found is that I get more out of talking to the people around those events, so lobby con, if you will, than actually attending them and going through the expo hall and going through all the villages, they get a little bit overwhelming for me. But at the smaller cons, like the Diana Initiative and BSides Las Vegas, you really get more of an intimate environment. You get the opportunity to have more speaker interaction than you might at Black Hat or DEF CON. And I find that to be very valuable. But also I find that the relationships that you build when you are doing things that you are passionate about are so much stronger than just business as usual, right? And so the folks that are putting on BSides, the folks that are putting on the Diana Initiative, they're really passionate about including people from all sorts of backgrounds and underrepresented populations. And for me, that really feels like home, because I see people who look like me, I see people who talk like me and who maybe feel as uncomfortable in some social situations as I do. And so we can have this kind of understanding and just be comfortable in each other's presence and learning rather than -- I think there's sometimes some insecurity, especially for people who are new to the industry when they're attending things like Black Hat or DEF CON, because there's just so much. And the way that we speak at Black Hat is different than we speak at DEF CON and there's so much to choose from. It can be really overwhelming. So I really enjoyed that. I tried to make it to SquadCon, but I ended up just getting into one of those conversations that just takes off. And so I didn't end up making it to SquadCon, but hopefully next year.

Nic Fillingham: I remember the first time I went to Black Hat DEF CON that that sort of week in Las Vegas for the very first time. And I remember talking to someone for the first time and saying like, "Which conference are you here for?" And they're like, "Oh, I'm just here for the week. I'm not going to a conference." And I was like, "What?" And they're like, well, there's just so many amazing people here and little subgroups and sub communities and passion projects and passion areas that sort of happen spontaneously and as you say, like in the lines and in the hallways and in the lobbies of hotels and things. And that is in and of itself more than enough sort of reason and justification to take the time to come to Vegas. And it's fascinating that there are a lot of people that do that. Maybe they do have a ticket to one of the conferences, but they find themselves in the most engaging conversations in the lobby. It's really fascinating. Now let's bridging to the topic that we're going to talk about today, which is sort of security as enabler and this sort of tension between the history of security teams and I guess to a broader extent, IT being sort of the department of no and locking things down versus sort of enabling people to sort of do their jobs and be productive and not have to worry about it. How did those kind of conversations or themes show up in what you saw at Hacker Summer Camp and then the people that you talked to? Like, that feels like an age-old dichotomy, but it's still there, right?

Ryen Macababbad: Yeah, absolutely. It's interesting because historically, there has been this tension between those who have goals geared towards productivity and implementing access and authorization and those who are trying to secure the network or secure an application or a service, right? Because if you look at it from the surface level, they seem to be in conflict with each other. And I think traditionally, they have been in conflict with each other and there's been this culture of conflict between not just productivity teams like IAM teams, but also with the employee base as a whole, right? Because at the end of the day, employees just want to do their jobs, right? Some of them are coming in with this passion to do their work and they want to do their work, right? And then others are coming in because of whatever reason that they have, like, this is a stepping stone, or this is a job, this is a paycheck that puts food on the table. And all of those reasons are perfectly fine. What happens is that when security gets in the way of those people doing their jobs, then there's a natural conflict and it can be a very personal conflict between the thing that's stopping us from doing our jobs and accomplishing our goals and what security is trying to accomplish. So it makes sense. But what I heard and what I saw in the conversations that I was having at Black Hat -- sorry, at Hacker Summer Camp, because I did not go to Black Hat.

Nic Fillingham: You were in the vicinity of Black Hat.

Ryen Macababbad: Right. I was actually. I was in Mandalay Bay a lot. There's so much good food over there. But anyway, I digress.

Nic Fillingham: Let's digress. What did you eat? What did you love? What was great?

Ryen Macababbad: Oh my gosh. The noodle house, they had these like chili green beans that were really good. Honestly, that's when you really know that you're an adult when the thing that you remember is the vegetable that you bought.

Nic Fillingham: That's awesome.

Ryen Macababbad: The noodle house, it was fantastic. We had several different dishes and I can't actually remember it because the green beans were so good. But in any case, so what I saw. What I saw was that there is a shift that's happening because people are realizing that if you create friction points, if you create barriers to people accomplishing their goals, accomplishing their work, they are going to take the path of least resistance, just like anything else. You put a resistor in a circuit, the energy is going to take the path of least resistance. Water is the same way, right? And so we have to remember that as we are doing security, because if we don't, then what we are actually doing is creating a less secure environment because we're just shifting the oversight away from our purview, right? If people are going around security controls, that just means that you no longer have insight into what they're doing. You can no longer put in mitigations or remediations when there are issues because you don't know, you don't see it. This is for all intents and purposes, shadow IT. And that's the thing that I think that people really need to remember and understand because it's not just on us as technology companies to provide our customers with secure products. Like, absolutely, yes, we have to do that. But in order to really earn the trust of customers, we have to also provide them with the assurance that we have a culture of compliance, that our employees are also compliant with our security controls and the expectations that our customers have of us when we are protecting our own environments. So if we add friction, if we create barriers to folks doing their jobs internally, then we are creating a less secure environment.

Nic Fillingham: A couple of different directions we could go here. One is I was thinking of a few examples here. In some ways, security researchers, especially those that are focused on looking for flaws in business logic and business process, they're really doing that, right? They're putting on the hat or they're taking the role of the end user who either has been blocked from doing something, but needs to do it anyway and so they're looking for a way around it, or even just a user that isn't familiar with the correct process or familiar with whatever the various sort of compliance regulations are. And they're sort of going about something in a way that wasn't as a developer, the architect, the engineer was intending, and they're finding those flaws that aren't necessarily holes in code or they aren't necessarily software vulnerabilities. They're sort of process and flow that can be sort of utilized in ways that weren't initially designed. Is that a good example or am I sort of drawing a very long bow here? Because that's where I went when you were sort of explaining that friction.

Ryen Macababbad: Yeah. So I think that one of the things that's often missed, not just in security, but also like in product development is different approaches, different perspectives, and those edge cases that the end user is using the technology in a way that we did not think of. This is why diversity is so important, because it's not just about doing the ethically right thing, right? Diversity and inclusion, we can all agree that's the ethically right thing, but it's also about what's right for the business. Diverse perspectives are what's right for the business. And when you have security researchers coming in and poking at your different products or your environment, what you have is somebody who is coming from a completely different perspective that is providing you value and allowing you to see where there might be gaps that you didn't think of because you have a different lived experience than they do. You made different assumptions than they will make because assumptions are based upon our lived experiences. And so, like, when you think about it, they're providing an invaluable service, not just to the business, but also to all of the customers and everyone who is using the products. And I like to say that nobody likes to hear that their baby is ugly, right?

Nic Fillingham: Unless you're entering your baby into a world's ugliest baby competition, that might be the edge case.

Ryen Macababbad: That's fair. But also, I have seen some babies be born and they are not always cute coming out, I'm just saying.

Nic Fillingham: That's true.

Ryen Macababbad: And that's okay, because with time, people grow and they change. And same with products. And that's as it should be, right?

Nic Fillingham: I just want to point out that was an attempted humor. You and I are both smiling on our webcams because we just thought our respective jokes were hilarious. But it may not translate into an audio-only medium. For the record there, I don't believe there are world's ugliest baby competitions. But yes, your idiom of no one likes their baby to be ugly or whatever, it certainly holds, right? People don't want to be told the thing they have created, the thing they've put their blood, sweat and tears into has a problem with it or it doesn't work properly or it doesn't do what it should do. That's both reality and then it's sort of a very human reaction to go like, hang on, this is my thing, I made it. You can't tell me it's bad because I'm proud of it and I like it.

Ryen Macababbad: Yeah. And they should be proud of it. They should be proud of it. They should be proud of their work and the effort that they put in. And understanding and hearing about a gap or a vulnerability isn't saying that you did bad work. What it is is providing you an opportunity to learn how to do it better or to learn of a different scenario or even just to learn of a different way of coding something or implementing something that you might not even know about. There are pathways to different technology within the cloud, within the, you know, we're all using connected devices, right? There are pathways that I'm surprised by every day. I remember when I first learned about remote desktop and I just thought it was so cool that I could be on my laptop and I could be like remoting into my desktop. And that was not a thing when I first started learning about computers. And so it's just understanding that these are not criticisms. It could be intended as a criticism, right? Someone could be a not nice person and be intending to insult, offend, or criticize. That's true. That happens. Sometimes there are just not nice people. But you get to choose how you take these things, how you take in information, analyze it, and process it. You get to choose how you feel about it. And so you can choose to be offended, but what does that net you? It doesn't -- all it does is make you feel bad. Like, I don't personally enjoy being angry, I don't personally enjoy feeling offended. Like it is not something that I like having in my body. I do not like the stress and anxiety that comes with those emotions and how they present in my body. So when you hear something that is providing you with more information, take it that way. You can choose to take it that way. You can choose to say, okay, well, maybe that wasn't the best delivery. I'm autistic, so my delivery sucks often, right? I am not reading the room, I am not reading micro communications or social norms all the time. 
Like, I've learned a lot of it, but I still miss some things. And so I get that. But you still have a choice in how you receive information and you get to choose how you take that. And I have this sign in my shed that says, happiness is a choice. Choose it every day. And I love that. So like, any emotion is a choice, and you can choose to feel that and let that be what drives you or not.

Nic Fillingham: I love that. Happiness is a choice and choose happiness. I feel like I took us down the path here of security research and researchers, and that is because this is the BlueHat Podcast, and we talk about research and response in that space here. But this idea of security as an enabler or moving beyond security as department of no, embracing research, embracing researchers, embracing end users or whoever it happens to be to tell you that they've worked out how to make your widget do a thing it wasn't meant to do, or they found a way to break it, that's obviously important. But is there more to that conversation? Is there more to this topic of how do we -- you wrote me a little blurb here, which is fantastic, and for this podcast, where you said we cannot continue to be the industry of no, we must find the secure way to yes. Our job as security professionals is foundationally not to keep the threat actors out. It is to enable the business to continue its work without disruption. So security research, one facet, one avenue, what are some of the others? Or is there a silver bullet here? Or is this and forever a multi-pronged approach?

Ryen Macababbad: Yeah. I think foundationally as security professionals, what we need to internalize is that our responsibility, our obligation to our companies is to secure the company. And the company isn't just its technology, it isn't just its facilities, it is also its revenue, how it makes money, how it continues to exist and pay you your paycheck. If you do not protect, if you do not secure revenue-generating activity, then you are working yourself out of a job.

Nic Fillingham: I want to jump in here. So you say you, who are we talking to? In that statement, who is you? Is you everyone? Or is you a subset of individuals within an organization, whether it's the security team or whatever? So when you say you, who is you?

Ryen Macababbad: I think that you is everyone, right? Like, as developers, when we are creating applications or services or products, we are securing, we are helping to secure that revenue for the company, right? That's the revenue-generating activity. And so identifying that security is actually a revenue-generating, revenue protecting activity is something that not just as an industry, I think holistically across the board, companies do not internalize this. And that is why a lot of companies have very low security budgets because they don't look at it as a revenue generating or revenue protecting activity or operations. But it is exactly that because if you lose customer trust, you lose revenue. Look at some of the recent breaches or some of the recent things that have occurred that have lost customer trust on a global level, that loses customer trust. And you have to really work to gain that back. And just like with anything, once you lose trust, it's really difficult to gain it back. It takes a lot more work to gain it back than it took to lose it in the first place. And so you want to maintain that. And so looking at security as this thing that we should invest in, this isn't just about Microsoft, you know, obviously I'm biased because I'm a Microsoft employee, but it's not just about Microsoft, it's about all companies. We have to secure our environments, we have to secure our revenue-generating activity, otherwise there is no company. And so you must have that element and you must invest in that and make security part of everything that you do. But again, going back to the first point that I made at the beginning of the podcast, you shouldn't have to be a security expert in order to do your work securely. That's what my job is to enable people to do their work securely. Not to implement security controls or not to prevent people from doing activities, but to allow them and empower them, enable them to do their work securely.

Nic Fillingham: Is it too broad of a follow-up question to say, okay, how or what does that really mean? So I'm an employee at company X -- well, not X, because I guess that's an actual company. I work for, well, let's say I'm, but no, we won't do that. So I work for a company, I'm not a developer, I'm not an engineer, I'm not in security. I'm a sales person, I'm in support, I'm in manufacturing, I put widgets together, I don't know, what does it mean for me to take on that role, to take on that responsibility? Or is it not my responsibility in the sense that it is the IT and the infrastructure and the security teams to have in place and set up the necessary processes and tools for me to just go about my job and not have to worry about it?

Ryen Macababbad: Well, it's twofold, right? So it's both IT and the end user, right? And the reason why I say that is because again, we only have our lived experiences and the learnings that we have collected along the way. That's not going to encompass every single scenario. It's not going to capture how every person approaches something or thinks about something. And so it's imperative that our end users provide actionable feedback when something is not working, when there are friction points. And it's imperative that security proactively identifies what those friction points or barriers are or might be and seek feedback from the end users in order to provide this experience that allows them to do their work without having to think about it, without having to think about security that allows them to do their work seamlessly in whatever way, whatever persona, whatever role they're in, without having to go and look up and read all of the different policies that we have or all of the different development life cycles, whether it's the software development lifecycle or the secure development lifecycle. People shouldn't have to be experts in that in every single role that they're in, because then they're not going to be experts in the thing that we need them to be experts in. That's really what it is, right? And I think too often, we don't actively seek, we don't proactively seek, we don't put processes in place that provide end users the feedback loop to be able to provide that actionable feedback. And we don't communicate things in ways that meet people where they are, right? Some people, they are all about the Slack or the Teams or the email and others like things to be presented in all hands or team meetings. 
When you're communicating different security changes or when you're soliciting feedback, you have to approach it from this broad spectrum view in order to get the statistically significant pool of feedback to inform your processes and procedures so that effective changes can be made.

Nic Fillingham: We're sort of coming up on time here, so I wanted to maybe ask, can you distill this down into some sort of go dos or some sort of action items for our listener? And I guess we have a couple different listeners, right? So we have security researchers, that's one person probably listening to this podcast. We have our security responders, we also have sort of generalist security IT technical folks as well. We've also got people, you know, all across the spectrum that listen to the podcast. But I wonder, can you distill this down into some -- I hate to say action items, to me, that sounds very Microsofty. But you know, I've been listening to this conversation, what do I need to go do, Ryen? Either me, Nic Fillingham, or the listeners of the podcast, what do you want them to go do or go think about?

Ryen Macababbad: As an end user, think about how you are trying to approach your work and be able to essentially describe that to somebody who doesn't know how to do your job, doesn't know what your day-to-day looks like, so that that use case, that scenario can be captured. Also, seek ways to provide feedback so that these friction points and barriers can be removed so that you can do your work easily frictionlessly. And then on the other side, seek those different perspectives, identify the personas. Out of everything that you could do, right? Ultimately your user base is the one that has to understand what to do, what the policy means, or how they can be in compliance, right? So you have to meet them where they are. If you are speaking two different languages, right? And you need to communicate something to someone who is speaking a different language than you and you try and speak to them in your language, they're not going to understand what you want. But if you can go to them using language, using nomenclature, taxonomy terms that they understand, then suddenly, you can actually get their commitment or have their behavior match what you're trying to accomplish. But if they don't know, how are they supposed to do any of that? So just meeting users where they are and just looking at, like, what is the impact? It's not just about, okay, I have this risk that I need to remediate, it's, I have this risk that I need to remediate, what are my different options and what is the impact of those different options? Because if the impact is material and it is creating friction, then your actual risk would be much greater with that option than if you were to not do anything at all, because at least, you have oversight into the current risk that you need to remediate, right? And so I think that's probably the biggest takeaways is you really need to meet people where they are, on both sides really, or on all sides. 
Assume good intent, choose how you feel, choose how you receive something, and try to find ways to effectively communicate needs.

Nic Fillingham: I love it. Yeah. I think if I could sort of echo that back to you. So for the end user, it sounds like there's sort of two ways to think of it, and we're all end users in some capacity. I'm an end user of the Windows operating system. I don't develop that even though I work for Microsoft. But as an end user, understand your role, what is it that you do in your job and what are the sort of tasks and processes that you undertake and how would you explain that to someone that doesn't know and understand your job? And then be on the lookout for feedback that you can provide when you do find something that perhaps creates friction or doesn't work the way that you want it to. So I really like those two go dos for the end user. And then on the flip side, on the responding side or the security side is to, as you say, meet people where they are and to assume good intent and to really sort of take that feedback as a gift, if I can use that idiom, is a sort of a great way. Did I get that right? Would you add anything to those?

Ryen Macababbad: I think that's exactly what I would say.

Nic Fillingham: One of the things I love chatting to security researchers about, especially those that are focused on looking for flaws in business process and business logic is a lot of the time, I feel like what they're doing is they're actually finding the gaps in those two roles, right? Or I should say what they're doing is they're finding where there is a chasm or there is a misalignment between the way the end user is using the thing and the way that it was intentionally built or the way that it was sort of initially sort of architected for. And they're putting on, I think I said this earlier, they're putting on different hats, they're putting on different personas, they're thinking differently about, well, the product might have been built or the technology might have been created to do things in this order, what if I do it out of order or what if I do it left to right or down to up? I think there's a really interesting parallel there in the way that researchers go and tackle this. But then also the way that, as you say, we can bridge that divide between the end users and then the people that are obviously trying to secure things and are securing things so that, as you say, security can be more of an enabler.

Ryen Macababbad: Yeah, absolutely. Find a way to yes. How do we find a way to yes?

Nic Fillingham: And choose happiness.

Ryen Macababbad: Yes. And choose happiness. And then I will say this also just to, like, final things out is that threat actors, they're not going to use your product, your service, your environment in the way that you intended it to be used. They're going to use it in the way that allows them to reach their goal, just like anyone. Everyone is just trying to reach their goal. So security researchers are providing just invaluable insight and perspective into what unintended uses or unintended consequences or gaps come with this package that I have intentionally created for a specific purpose.

Nic Fillingham: Awesome. Before we let you go, what do you like to do when you're not out there trying to help bridge that gap between security as enablers? How do you choose happiness? Did I hear a little four-legged friend maybe at your feet?

Ryen Macababbad: Yes. Actually I have three dogs.

Nic Fillingham: Three?

Ryen Macababbad: I have close to 30 chickens.

Nic Fillingham: Oh, what kind of chickens?

Ryen Macababbad: Oh, all kinds of chickens. I have silkies, bantam, Ameraucanas, ones that I can't even name.

Nic Fillingham: Are these egg layers, meat birds, both?

Ryen Macababbad: They're egg layers and kind of pets. They're mostly pets.

Nic Fillingham: Do they have names? Most of them.

Ryen Macababbad: Some of them do have names, but I couldn't tell you which ones are which. The kids, however, could tell you exactly which one is which. And that's just I don't.

Nic Fillingham: Are you inundated with eggs? Do you have just like more eggs than you know what to do with?

Ryen Macababbad: Sometimes we do. Especially in the spring, we get a whole lot more eggs in the spring. Yeah, sometimes we have to give them away, which is fine because again, these are kind of more pets than food providers. But one day, you know, I hope to have my orchard fully grown and providing food for me and my family and I want to have pigs and cows and maybe some goats because goats are great for blackberries.

Nic Fillingham: They are. And I don't even know where you are in the world right now, right? Are you in the Pacific Northwest? Are you in the sort of Seattle area?

Ryen Macababbad: Yes, I am about an hour outside of Seattle. I think that all of the green really soothes my soul. And I had started working remote before COVID and COVID just made it so much easier for me to consistently work remote. So it's nice.

Nic Fillingham: Absolutely. Now we've got the BlueHat Conference coming up in October. And I know that you have a long history with BlueHat. We'd love to see you in Redmond at the conference or maybe in a village or perhaps even presenting. Is that -- can I sort of plant that seed with you now?

Ryen Macababbad: You can plant it. October is a busy month. We've got the Grace Hopper Conference that's coming up in October and I've got a Women Veterans Entrepreneur Conference that I'll be going to. So we'll have to see where it fits in the schedule if it fits in. But I'd love to be there if it all works out.

Nic Fillingham: Awesome. And for folks that want to follow along with your adventures and read more about your work and your guidance and all of this fantastic stuff that you're doing, where can we find you? Where can we follow you?

Ryen Macababbad: Most of the things that I put out, most of the mentorship that I do is on LinkedIn. I am occasionally on X/Twitter, but that's kind of fallen off of my social radar. I'll also be at Kernelcon in Omaha, Nebraska, April 3rd through the 6th. So if you guys want to come to a smallish, less than a thousand people, maybe.

Nic Fillingham: That's kind of smallish maybe compared to Hacker Summer Camp. But maybe for other conferences, that's pretty big.

Ryen Macababbad: You could go there. So that'd be cool.

Nic Fillingham: Awesome. Well, thank you so much for coming on the BlueHat Podcast. It's been a fascinating conversation and we'd love to see you again, either in person or in our ears.

Ryen Macababbad: Thank you so much, Nic.

Nic Fillingham: Thanks, Ryen.

Ryen Macababbad: Bye.

Wendy Zenone: Thank you for joining us for the BlueHat Podcast.

Nic Fillingham: If you have feedback, topic requests or questions about this episode --

Wendy Zenone: Please email us at bluehat@microsoft.com or message us on Twitter @MSFTBlueHat.

Nic Fillingham: Be sure to subscribe for more conversations and insights from security researchers and responders across the industry.

Wendy Zenone: By visiting bluehatpodcast.com or wherever you get your favorite podcasts. [ Music ]