The BlueHat Podcast 10.30.24
Ep 40 | 10.30.24

From Software to Security: Arjun Gopalakrishna’s Journey at Microsoft

Transcript

Nic Fillingham: Since 2005, Blue Hat has been where the security research community and Microsoft come together as peers --

Wendy Zenone: -- to debate and discuss, share and challenge, celebrate and learn.

Nic Fillingham: On the Blue Hat Podcast, join me, Nic Fillingham.

Wendy Zenone: And me, Wendy Zenone, for conversations with researchers, responders, and industry leaders both inside and outside of Microsoft --

Nic Fillingham: -- working to secure the planet's technology and create a safer world for all.

Wendy Zenone: And now on with the Blue Hat Podcast. [ Music ] Welcome to the Blue Hat Podcast. We have a special guest today. Well, every day is a special guest. But today we have Arjun Gopalakrishna, who is going to discuss his journey from software engineer into Mr. Manager in the security realm. Arjun, introduce yourself.

Arjun Gopalakrishna: Thank you for having me on this podcast. And as we'll talk about this in this episode, it's been an interesting journey getting to work with all of you people on this call and beyond. But briefly about myself. I'm Arjun. I've been with Microsoft a little over 11 years now. And have been in a couple of teams. I've spent a bunch of time in the Windows Arc. The majority of my career has been in Windows. And about two and a half years ago, thanks to our internal STRIKE platform and a bunch of other guardian angels, I've been able to make the pivot into cybersecurity in Azure security. I currently lead a team of security engineers in Azure security with the mission of securing the Microsoft Cloud. So again, I have been with the company for a little bit. And I'm looking forward to this conversation.

Wendy Zenone: Eleven years. That's a long time. Congrats.

Arjun Gopalakrishna: Thank you. Thank you. Yeah. At some point, I think once you hit like three or four, before you know it, you're being the next milestone. So it's about working through the initial trauma, I guess [laughter].

Wendy Zenone: Now, quick question. Well, we're going to have lots of quick questions. But did you always know you wanted to be in tech? And then, did you always know you wanted to be a software engineer? And then if you could, walk us through what was that thing that sparked your interest in security and brought you to pursuing the big transition?

Arjun Gopalakrishna: Sure. So back when I was in high school, we had a list of subjects of study, including history and social studies and physics, chemistry, and all of that. And we had computer science as one of those subjects. And I still very vividly remember this was back in the days. And to some people this might seem like, "What's a floppy disk because of the save icon." But back in those days, when we submitted our project work on floppy disks in our computer lab, there was a classmate of mine who had a virus on one of his floppy disks. And I remember that infected the entire lab. And our professor at the time had to walk us through secure online practices, things like that to make sure that we were doing the right things and not infecting a whole bunch of computers. And that got me curious. There were -- it was also around the same time where edgy high schoolers were passing around the Anarchist Cookbook and other material like that. So obvious place of introduction there to want to get curious about, what is a virus? What's going on here? I also was a gamer, and I continue to be a gamer. And back then I think the statute of limitations as well passed that I can admit that I have played a few pirated games, which I haven't really paid the full price for. And as part of that journey, you install dodgy software on your Windows machine, cracks and keygen -- key generators. So even as part of doing that and, of course, you are messing with the Windows registry and things like that, it got me curious on, what's really happening here? And why does my computer keep powering off ever so often randomly? Because I'm sure my mom and dad love hearing that. I have infected the home PC a bunch of times. But again, it's all those things that got me curious and interested in that. My undergrad was not in computer science. It was in electronics and communication, which here in the US is considered electrical engineering. 
But then I did a master's degree in computer science. But even during my undergrad, I was interested in Linux and a whole bunch of computer science things. So, it's been a slow burn on getting interested in computer science and ending up in a career in computer science. So, my first job out of college after my master's degree was in -- at Microsoft from 2013. And that was also an interesting time to join the company. The company was going through a period of transition between CEOs. I joined the company as a software development engineer in test what, I guess, now we consider as QA, as every quality assurance. So, I came into the company with a testing mindset. And then, once that discipline dissolved and got merged into just traditional software engineering, that's something I did for eight years in the Windows team. But even in my job there, a lot of it was dealing with security issues, fixing security bugs, things like that. So again, even there, even though I was no longer doing testing work, but I was testing my own security fixes. That's an obvious -- also an obvious entry point to can I get curious about how do I bypass this? And that's very offensive security. So, that piqued my curiosity over the years. And obviously, I would attend STRIKE Talks. I'd attend CTFs conducted by STRIKE. So all of those are opportunities that got me interested in exploring this more seriously. And a thing about me, I love reading. Anybody who has met me and known me for more than an hour will come away with at least a book recommendation or two, including people. Including you, Wendy, I guess I'll be happy to share a couple here. So with all of that voracious reading -- and it's also interesting thinking about it now. What got me into reading was as a kid, I never really had access to television till I was 16 or 17. So books were my escape. And it helped that I had access to a huge selection of books. 
So, being able to read and learn by myself that's something that also got me interested in security in a more serious manner with books that were foundational about security -- information security knowledge. So building all of that, that's the long and short of how I got into cybersecurity. So TLDR gamed a lot, read a lot, crashed a whole bunch of computers, and here I am now.

Wendy Zenone: Can you walk us through -- you don't just learn security. There are so many areas of security. And I know for myself when I was looking to find my way into cybersecurity, someone said, "Well, what part of security?" And my answer was cybersecurity. And that's just everything. So, how did you get to the point where -- well, you know you're interested. But then how did you hone in on one particular area? Or are you still figuring that out? Or did you just evolve naturally?

Arjun Gopalakrishna: So I think the phrase "it's better to be lucky than good" plays into this -- into my journey here so far. Having been in Windows, it's a very different tech stack than Azure, even though Azure runs Windows. But interesting anecdote, Azure runs more Linux VMs than Windows VMs. I just read that last weekend. Working in Windows, working at a lower level of the operating system, C, C++, code, C++ is something I learned -- I was introduced to in high school. As I was going about that journey, one of the things that I got interested in was, okay, we are in this organization that aims to secure Windows. What does it mean to exploit Windows? And what does that journey look like? What does it look like for when a Windows PC goes unpatched and exploited? So, I was taking a course by myself at that point just out of self-interest. And I thought it might make for a good STRIKE session within the company because there were tons of people around me who were doing the same work as me. And they understood that they fixed a thing. But that empathy of what that meant to not have it be fixed wasn't as obvious. So that's where I got in touch with the STRIKE community. And as I was putting together a talk, two people were chosen. Or I'm not sure if they volunteered or they were chosen by STRIKE to initially review the talk before it went live on STRIKE. And those two people are Michael Hendricks and Shawn Hernan, my previous manager and my current manager. So I was introduced to people in the community within the company as part of my own learning journey. And staying in touch with them, learning more about what their team did, what their organization did got me more curious, obviously. And when I got the chance to work in their space, I jumped at the opportunity. And that's how I ended up where I am. But it's also, like I said, very serendipitous that I met Shawn and Michael as part of my own journey. 
Because it felt more straightforward to go from software engineering in Windows to security engineering in Windows because the skills are directly transferable. But it also felt I was ready for the challenge of learning cloud security. And it was a pivot that I didn't see coming. It was very people-driven. Michael and Shawn are great people who -- they're great at sharing what they do and nurturing that talent. And I'm grateful to --

Wendy Zenone: Yeah. Yeah.

Arjun Gopalakrishna: -- STRIKE to them for all of those opportunities. So that's how I ended up in cloud security, in application security, in offensive security. It's at the intersection of all of those three disciplines in my team while I was doing low-level OS internals. It's a completely different beast.

Wendy Zenone: Yeah. For those who are listening -- we've mentioned it before on the show. But STRIKE is an internal security awareness training program here at Microsoft. And we use internal folks to create content that the engineering division watches and learns. And that's how we uplevel our security posture amongst other things. But when referencing STRIKE, this is what Arjun is talking about. And you also used a lot of -- you said CTFs. And Hack The Box was one thing that you really enjoyed and that helped teach you different concepts of security.

Arjun Gopalakrishna: Yeah. So when it comes to learning by myself, there were books, obviously. There was the one course I was taking. I mentioned. But there's a lot of very accessible, very affordable cybersecurity training out there today. Like you mentioned, Hack The Box is one of those. TryHackMe is another one. There's CTFs across the industry put out by organizations like SANS. SANS has a Christmas-themed hackathon -- well, not hackathon, a CTF at the end of every year. I forget what it's called.

Wendy Zenone: I didn't know that.

Arjun Gopalakrishna: I don't remember what it's called. But it's very Christmas-themed. They have a Santa Claus. It's almost like an RPG. It's a lot of fun. It teaches you skills and then empowers you to go and hack a few instances of those things. So it's easy to get started nowadays. And like you mentioned, Hack The Box, TryHackMe, the STRIKE internal CTF, where that was a bit of a steep learning curve because it's not very -- it back then wasn't very gentle at teaching someone who was completely new to security what was going on. In your own way, with my own Windows knowledge, I'd look at the registry. I'd look at the browsers, debugging tools, maybe cracked a few flags, not more than that. But it definitely got the juices flowing on. Yeah. This sounds interesting, always looking about what's happening behind the curtains. It's always been a thing I've been interested in anyway. So it's like, "Hmm, I can actually get to do this and make this my day job. Check, check." Yeah.

Nic Fillingham: Arjun, sorry. You mentioned earlier. What was the name of the first session that you created and presented at STRIKE?

Arjun Gopalakrishna: So my first STRIKE talk in 2020 was titled A Journey from Engineer to Hacker. And that was patterning my own journey because I was a software engineer. And during the duration of the talk, I would showcase how a Windows machine was hacked. So again, a journey from engineer to hacker. And it's a title I've reused over time based on the theme I'm presenting just because it's a title that's near and dear to me. But it's also something that brings in people from outside the fold. I know us security community are a really welcoming set of people. So the more people that can be aware and curious about what we do, the better the overall posture is. So that was --

Nic Fillingham: And was that -- just to recap. So that session was less -- I may have this wrong. So please feel free to correct me. So that session was less about perhaps a piece of unique research on a particular vulnerability or exploit and more using the story of what happens when a machine gets hacked as a way to tell your own journey? Is that -- were you weaving the two together? Because it sounded like maybe you were saying you hadn't necessarily discovered some new exploit or vulnerability. You were showing these two parallel paths. Is that accurate?

Arjun Gopalakrishna: That is exactly right. It was not novel security research. It was a narrative-driven presentation that showcased back then what was a 12-year-old vulnerability. So it wasn't new. It was an old vuln. But people in my org back then didn't yet have the empathy for what it meant to have a vuln and what it meant to exploit that. So old bug, old OS, missing a whole bunch of modern protections, but got the point across of, "Oh, so that's what hacking looks like. It's not click, click, click, I'm in." It's more here's the entire end-to-end process of, "Oh, maybe there's a Windows machine. Let's see if it's vulnerable. Oh, I guess it is. How do we attack that? Oh, I guess we've attacked it. Now, what do we do?" And that entire attack chain showcased made it very approachable to a lot of people who traditionally wouldn't have that level of understanding of what we do in cybersecurity. And a lot of the feedback I've gotten since then is from people who are not in security. It's people across the company who they're practically saying, "Thank you for making it approachable as a topic and making it understandable so we understand what's going on versus just going -- " I mean --

Nic Fillingham: Yeah. You talk about empathy. I think empathy is a fascinating concept in this space. So your goal there -- and I'd love for you to talk a little bit more about perhaps the experience that your colleagues had hearing -- seeing you present this content. What do you think was missing coming into it when you said there was perhaps a lack of understanding or empathy was not there? And how would you then -- to the listeners of the podcast, how would you share tips and tricks for what others can do when they're out there trying to bring non-security people along and into a more security mindset, whether they are software engineers or not?

Arjun Gopalakrishna: That's a very key point, which I also bring up in a separate talk. Turns out I talk a lot. One of the things I've mentioned there -- and, again, this mirrors my own career experience. Being a software engineer and then moving to cybersecurity, it feels like within our independent disciplines of software engineering and security engineering, it seems like we have fairly orthogonal goals. Software engineers want to ship. They get paid to ship software. And they get paid to add features. They get paid to write code that's reliable, scalable, extensible, all of the ables. But security is not necessarily the top priority there. It's one of the things. It's a must-have. But it's not t-zero. And we'll get into maybe Secure Future Initiative in a little bit. But for cybersecurity folks, we are willing to be the gatekeepers and say we're not ready to ship something unless it is secure because we understand the ramifications of insecure software. And for us, it's security above all else. And it's nice to see that those are verbatim the exact words our CEOs are echoing as well at Microsoft now. So with having that disconnect on what it means to be secure and how important it is for software engineers, traditionally, when they're working with security engineers, they're probably on the back foot because they've been called into a meeting where they don't enjoy flaws in their software being pointed out. So they're on their back foot. They're being defensive. And again, this just goes back to being human. It's understandable that when you're having a conversation with somebody and you're pointing out that their baby is ugly, it's understandable that they're not overjoyed about having that conversation. So the empathy aspect is saying, "We're on the same team. We want your product to be successful. We want it to be secure. For software engineers, we want you to understand that we have your best interest at heart as well. 
It's not -- we are not trying to be power-trippy. We're not trying to be gatekeepers here. It's about making sure that the customer is secure. And the best way to ensure that is to make sure the software is built from a point of view of starting secure and staying secure." So there's a ton of opportunities on bringing people into the fold. I encourage people I talk to within the company to attend some of our brown bags. Even just STRIKE CTFs, the times when I volunteer, I spend time dumbing down the questions for people who are complete noobs at this. And to be fair, that is not an expectation or a fair expectation on their set of skills. It's just a thing that is a skills gap that needs to be addressed. And most of my talks, for better or for worse, are tailored towards this subset of the audience where they have a curiosity but they don't have the means of getting access to someone who will explain it to them in a way that they can understand. So it's less about, "Look at this cool new hack that I found in this one esoteric area that -- " which I mean definitely needs to exist. That's raising the ceiling. And I'll use a phrase here that Shawn, my manager, has used in the past. "In addition to raising the ceiling, you also need to raise the floor. Both need to move upwards." And I've definitely been more curious and interested in moving the floor upwards. And I think bringing software engineers into the fold is the best way to do that. So SFI and the fact that this has been talked about previously, I won't go in the nitty-gritty of it. But it's fundamentally a rehashing of the truth that the attack landscape changes quite dramatically in the modern day. We are facing off against a whole bunch of adversaries. And it makes sense for us to acknowledge that the only way to win is not staying abreast. It's getting ahead. It'll never scale to always be at par with an adversary. It will only scale -- and you only really move the needle if you're ahead of someone. 
And the only way -- and going back to your point, Wendy, about learning together. I firmly believe that people can learn by themselves and they can learn from others. And there's obviously a whole bunch of learning styles. And tons of people are very audio-based, visual-based, all of that. But again, software engineering and security engineering is a team sport. It's hard to go far by yourself. And I'm someone who spouts off quotes willy nilly. And one that comes to mind here is, "If you want to go fast, go alone. If you want to go far, go together." And it is a team sport. So in terms of opportunities to level up as a company, SFI is something that's moving the needle where it's an acknowledgement. So it's a rehashing that security should be one of the top, if not the top priority for every bit of software that the company ships. I previously mentioned scalability, reliability, extensibility. All of those are good. Security should be a first-class citizen amongst all of that when it comes to any bit of software that's written. And SFI is just a means of ensuring that that top of mind of everybody. And, of course, there's a bunch of unpaid engineering that needs to get paid off. And the company as a whole is coming together to pay that off. And it's working very well.

Wendy Zenone: Is there anything specifically you're working on around SFI?

Arjun Gopalakrishna: So within SFI, there's a whole bunch of work streams, some specific to lower-level OS things, some specific to the cloud. And in my team, in my organization, we are driving a bunch of those mitigation work. We're driving a bunch of work that helps scan services and flag anti-patterns, and drive closure of those anti-patterns. So yeah, there's a whole bunch of work in flight currently being worked on for the future as well. This is definitely a journey, SFI. I think it's also an acknowledgement that this is not a point in time where we can say, "Okay. We're secure. Let's bump it down back to a priority 2 or a priority 3." It's just an ongoing set of waves because that security ultimately is never a state where you achieve. It's a state you asymptote towards and you just get closer and closer, but you can never reach it. So SFI, with all its waves, current, past, and future, my team has multiple fingers and multiple pies.

Wendy Zenone: I wanted to touch a little bit on -- as Nic has brought up, you brought up empathy. And there's -- maybe you've heard -- I'm totally going to butcher the quote, but "You're only as strong as -- " what is it? The lead. Something about your leader, and I can't remember it. But basically whoever your manager is, whoever is leading you, that's how we're successful if we have great managers. And it sounds like within your career you have met and been managed by some great people. Now that you are a manager in the security space, what are some lessons learned? What are some things that you've taken away from these people that have helped form this amazing career that you have along with your hard work? What are some things that you've taken into this new role as a manager? And then also, how is it going as a manager?

Arjun Gopalakrishna: So, thinking back to all of my managers at Microsoft -- I hope I am not an anomaly when I say it. I've only had good managers. I'd love for that to be true for most if not all of us. And sure they have different working styles over the years because a decades-long career will mean I've come across people who work slightly differently. But they're all rowing in the same direction. My most recent experience working with a manager where -- so full disclosure, I manage a team. And it was a team where I was an engineer till very recently. So, the opportunity arose where the position became available. What worked out really nice was I was on a team where I felt completely at home, completely welcome, and the culture was just so strong. And in my own anecdotal experience, that's true for every team I've seen or worked with in security at Microsoft. We have a very, very strong set of values in cybersecurity at Microsoft. And it's easy to being part of a team to absorb those values, to see what's working. We're also experimentative. So we'll try some things. If they work, we'll keep them around. If they don't, we'll evolve them and try something else. So, all of those things that I've observed as an engineer until recently are things that I continue to enforce in my team. Because the primary motivation for me to step into the managerial role was it wasn't blind ambition. It wasn't any of that. It was an opportunity arose and it made sense for my team for there to be continuity with somebody they knew. And, again, I'd been on the team for a little over two years at that point. So it's an opportunity that I've been curious about. But also the timing was right. And I knew everybody on the team and I knew what we all valued collectively. So it was -- it's been a continuation of what's been working in the past. It's only been a little over three months. So there's nothing drastically different. It's more of the same in that sense. 
But there's also the opportunity to try and put your own spin on a few things. For example, we had the Microsoft-wide hackathon that just ended on Friday. And we've had a couple projects on the team where people across the team have been participating. And people even from outside my current team we have collaborated with on projects like that. And it just seemed like a good opportunity to try to try something new, to try to move the needle in an area which we can prototype and see where it goes. So again, being very experimentative, being very empathetic, understanding. And fundamentally, one thing I believe in is that our jobs, and in particular my job, is less about working on technology with people. It's about working with people first on technology problems. So once you start seeing that differentiation of my work is less a technology task and more a people task -- because -- and that becomes a lot more codified as a manager as well. Once you start seeing it through that lens and you see people for who they are, they have their own lives, they have their own stories which are being written in real-time and you are just one character, not a protagonist in all of those stories, once you recognize those facts, once you recognize people have their own career aspirations, once you find opportunities for them, learning opportunities, growing opportunities, experimenting opportunities, all of those, those are all just qualities of a good team and I think, as a direct reflection of enforcing those qualities of a good manager. So again, it's only been three months. I'm not going to give myself any grade on where I fall on that number line. But I at least feel like the culture of the team has not changed, which I think it's also already a high bar to meet. So I'm happy we're at least keeping that going.

Wendy Zenone: I love that. I want to pivot a little bit. You gave -- you talked to us a little bit about your first STRIKE talk. And just for those listening, this is -- it maintains as one of our highest-rated talks on the platform. But we got you on the big stage. And the big -- by the big stage, I mean, we have internal conferences for STRIKE. And we got you on the big stage. And you gave a talk called Hot Ones (and Zeros): A Scoville Scale for Software Security. And he handed out hot sauce. Can you tell us about this talk?

Arjun Gopalakrishna: So this was part of a STRIKE internal event titled Shift Left. And the audience -- traditionally, STRIKE has different sets of audiences. There's very security-focused talks. But this was not one of those. It was targeted at software engineers, program managers within the company, people who actually do the work, what's on the ground if you want to go with military analogy, but people who write the software. And it was about getting them familiar with how they can leverage our internal cybersecurity community to strengthen Microsoft software. And one of the things that I've always been interested in, in the talks I've either given or the ones that I absolutely have enjoyed is having a narrative of some sort. Because it's easy to come in and say, "Here is all the things you need to do. All right? I'll be in the back if you have any questions. Come catch me later." But that's less engaging. I'd rather come in with a story and have people latch on to some aspect of it. And interestingly enough, the most common bit of feedback I've gotten from the talk you just mentioned, Hot Ones (and Zeros): A Scoville Scale, is not so much about the security aspect. Most of the follow-up questions are, "Oh, what's your favorite hot sauce?" Or something like that. But it also -- that's also okay to me if that's a takeaway in that it was an entertaining conversation where people appreciated that the talk itself gave them some insight, which might not be sticky. It's not something that they'll go home and remember weeks and weeks later. But they'll at least know there's somebody within the company. I can find my local contact, or they can reach out to me if they have any security questions. So even if that's all they took away, it was a win. But the talk itself was there's a show on YouTube called Hot Ones. It has celebrities. 
It's an interview-style show where celebrities eat a whole bunch of chicken wings flavored with hot sauces of increasing heat and answer questions. So I wanted a similar number line, a similar increasing intensity scale of software security. And I also like chicken wings. I also like hot sauces. And those are two things I thoroughly enjoy. So putting together a talk in the slot I specifically requested before lunch to make sure that it also drove the point home. And I made sure the talk was, in fact, the one just before lunch. I knew people would be hungry. I knew I could pull them in on a food-related metaphor, talk them through sauces they've experienced and put analogies to what they represent in software security. It was not a very long talk. But it got the point across on, "Here is all the things we do within the company. Here is how they rank on a scale of secure to getting more secure. And if you as a software engineer, internalize that my services at this level of security, here's what I could be doing more, that's a big win in my book." So going in the content that's relatable, going with content that's fun and humorous. I'm big on wordplay. The slide deck had a whole bunch of puns and wordplay. Yeah. All in all, it was a good talk. And it's also a talk I've, interestingly enough, given outside the company at the National Cybersecurity Alliance convene, I think it was in August or maybe it was in July, right here in Seattle. So that was also a talk that is now -- a version of it exists outside Microsoft. And that was also most common question. "What's your favorite hot sauce?" But it was a good talk [laughter]. For now, it's probably Cholula just because it's a versatile sauce. Yeah. Then you have a whole range. And in fact, in the talk I did at STRIKE, I gave a bunch of us different hot sauces. But I also brought a whole bunch of Cholula sauce bottles, which I left at the STRIKE taco bar. 
So, a whole bunch of people got to try some of my favorite sauce there.

Wendy Zenone: Well, you started something because I think we had another talk that day that was themed around -- once they saw your dry run, they themed it around baking a cake. And so there was a lot of food going on this event [laughs].

Arjun Gopalakrishna: Yeah, especially because the technology landscape itself is evolving at varying rates of acceleration, right? We didn't -- artificial intelligence till about two years ago was a very esoteric field. But with the advent of large language models in generative AI, ChatGPT is now something that -- I was talking to my dad last week or the week prior and he is using ChatGPT. He is 70 years old --

Nic Fillingham: Or were you? Well, you said you were talking to your dad. And I was going to say, Or were you?

Arjun Gopalakrishna: Or was I? [laughs] No, well maybe. I know I --

Nic Fillingham: Maybe he had Copilot up and was -- maybe you were just talking to Copilot. Anyway, keep going.

Arjun Gopalakrishna: I think, luckily for now, I still knew it was him in the future. I don't know how that's going to play out, but --

Wendy Zenone: Got to get a safe word. Got to get a safe word. [ Laughter ]

Arjun Gopalakrishna: Yeah. But going back to your point. Since technology changes so rapidly, the one thing that is a constant is people and the need to upskill to stay ahead and abreast of the various technology waves. So empowering people -- and this goes back to Microsoft's mission itself. It's not something that I meant to memorize or even bring in. It's just so happened that I uttered the phrase there. And I'm sure if Satya or anybody actually hears this at some point, they'll be happy to hear it play out like that. But empowering people is such a fundamental part of being a team player. And even if you're not on the same team from a management hierarchy point of view, we're all on the same team. Every single human is on the team of the human race. We want our human race to move forward in a positive manner, in the manner that we can influence change and affect change in our own little way. It means making sure that people are less sad at the end of a conversation. And if the most you can do is make them happy, that's also a positive engagement. If you can make them a little bit smarter in our own knowledge working at industry, that's also a big win. So again, those are all just fundamental tenets of the way I approach interactions with people. But one thing I would want to call out is that Wendy, you had a question about how do you know what in security you want? Because there's just so many sub-areas and so many fields. But I think ultimately, if you have a relentless drive towards being curious, that will unlock a lot of doors, and even being curious about why no is the answer -- is an answer to your question. If you're knocking on a door and you're not getting an answer and you're curious enough to understand what's happening there, even if the opportunities -- and I understand. I'm definitely speaking from a position of privilege because we are facing down times where jobs aren't coming online as happened quickly as they were two, three years ago. 
All of that remains to be true. But what also is true that for the jobs that currently exist and that will exist in tomorrow, having that relentless curiosity is going to be a prerequisite. And access to -- democratic access to learning now is so much easier. Nic mentioned Copilot, whether using ChatGPT, Copilot, any of those generative AI agents. I'd like to share a prompt here. Everyone I've shared it with has found it really useful. I use it every week at work when I'm learning something new. Usually, you look at generative AI prompting as tell me a thing, and then the agent -- and the model tells you a thing. Instead of that, I go, "What is concept X? Explain that in three levels of increasing complexity." And it gives it to you and here's maybe a high schooler's or an ELI5, an explain like I'm five version. And it builds on it. So getting access to knowledge, getting access to learning is so much more accessible today that curiosity is all that's stopping you from knowing things. Of course, there's, like I mentioned earlier on, it's better to be lucky than good. So, you do need some amount of serendipity to unlock some opportunities. But it's also about being prepared for those opportunities whenever they present themselves. And just having curiosity, having access to people who are willing to share that like we do at STRIKE within the company, having access to content either via Q and A with a generative AI agent or via books. And since I'm assuming -- and I think I can safely assume that the majority of the audience of this podcast is technical. There's a whole bunch of books based on where you are in your technical journey. A few I whittle off is The Cuckoo's Egg by Clifford Stoll. It's a book about an astrophysicist or someone who worked in the astronomy department at Lawrence Berkeley National Labs in 1960s found a small accounting error of one-quarter of a dollar.
And turns out it was an accounting discrepancy caused because of an East German hacker who was hacking into their networks. It's a fascinating book. So The Cuckoo's Egg, I recommend that. No Starch Press puts out a whole bunch of good books. There's the Foundations of Information Security if you're interested there. That's a good book. Practically any book in their lineup is a great read as well. And again, there's a lot more authors who are writing books that's tailored towards people who don't yet have the expertise. So ultimately, if you see not knowing as a step before knowing, you'll be just fine.

Wendy Zenone: I'll add onto that. And what I enjoyed doing was volunteering for conferences. Go find your local BSides, go find, well, Blue Hat maybe, if we were looking for extra volunteers. But I volunteered a lot with BSides. I did AppSec USA. I did anything that anyone would take me to help with, even LocoMocoSec, which is in Hawaii. You went to that this year, correct? No. Okay. It's -- I mean, it's a total boondoggle. But it's also really informative because the talks were so good. So these are all things. Reading and volunteering I think are great. And the quote I messed up early -- it's not a quote. It's a phrase. And it's "A team is only as good as its leader." So my point of that is you had some really great leaders. And I think by proxy now you are passing that on to your team.

Arjun Gopalakrishna: I certainly hope so. I mean, like I said, I've been fortunate my entire career. And I'm just looking to emulate people I admired over my decades-long career. So, if that means doing the things that I enjoyed as an engineer myself and making those opportunities available to other engineers, it means doing that. And again and standing on the shoulders of giants, that's ultimately what that is.

Nic Fillingham: Arjun, this may be too big a question to try and wrap up with. But just recapping your story here in some ways. You've made this transition from more of a traditional software engineer into the security space. And curiosity really led you into that direction if you allow me that paraphrase. Folks listening to this episode that are interested in security, but they're not in security, they're still in sort of maybe a traditional more traditional software development or software space, what -- I mean, apart from -- I think what you're going to say is, "Go do it." But how -- if someone has that little kernel of an idea or they have that curiosity, what would you say to them in terms of obviously encouragement to pursue it. But maybe what could be a first step or maybe we just talked about volunteering at some conferences and things and some really practical advice. But just maybe almost a thought exercise. What is it that you would want to leave folks with that might be thinking about making a transition into security from a non-security discipline?

Arjun Gopalakrishna: That's a great question because it reminded me of a thing that happened in my life in 2019. This was well before I made the pivot. I was still a software engineer, and I would be for another two years. But I attended my first DEFCON in 2019. And that's not the answer I'm giving you. But being around cybersecurity people is fundamentally different than being around software engineering people because we have such different lenses that I'd encourage. And going back to what Wendy said, BSides, if it exists in your city, I encourage attending that or even volunteering for that. OWASP exists the -- what is now called the Open Worldwide Application Security Project. It used to be called Open Web. But now it's called Open Worldwide. So, OWASP has chapters around the world. They have online meetups. And I mean, I'm an OWASP chapter lead for Seattle. So we have sessions where we get people to come and talk about things. We have social mixers. It's fundamentally getting out of your comfort zone, getting out of your zone of familiarity, immersing yourself in another community, and seeing what gets our juices flowing, what gets the juices of people in cybersecurity flowing. What's the point of discussion. Just being even a fly on the wall on those conversations. And to be clear, even the ones I do attend, I am more of a listener than actively speaking for the most part. But I still do get a lot of signal. And it helps increase that signal-to-noise ratio where you're amongst people who you know are there because they want to be there and they're willing to share. So closing up that loop on learning by yourself and learning from others, from people who have learned already and then are willing to share it with you.

Nic Fillingham: That's awesome. For folks that want to either get in contact with you or follow along on your journey, do you have -- are you on the socials or where are you on the interwebs if we want to follow along on your story?

Arjun Gopalakrishna: It's changed a little bit over time. But I'd say my home base is LinkedIn. My username practically across any platform I have a presence on is 247, just the number 247. It was meant to be 24 by 7, but we'll go with that. 247arjun. So you'll find me on LinkedIn. My LinkedIn has links to Twitter, GitHub, Mastodon, a bunch of other places. And I usually update whatever I'm doing on my LinkedIn. So you'll find me on LinkedIn. And then from there you can find me elsewhere.

Nic Fillingham: Awesome, Arjun. Thank you so much for being a guest on the Blue Hat Podcast. We'd love to maybe see you present at a Blue Hat conference coming up. That'd be fun.

Arjun Gopalakrishna: That sounds really fascinating. I'll definitely stay in touch on that. But thank you both for having me. This has been a continuation of our conversation over the years. So, I'm happy to have been on the podcast. Thank you.

Wendy Zenone: Thank you for joining us for the Blue Hat Podcast.

Nic Fillingham: If you have feedback, topic requests, or questions about this episode --

Wendy Zenone: Please email us at BlueHat@microsoft.com or message us on Twitter @MSFTBlueHat.

Nic Fillingham: Be sure to subscribe for more conversations and insights from security researchers and responders across the industry --

Wendy Zenone: By visiting BlueHatPodcast.com or wherever you get your favorite podcasts. [ Music ]