Establishing diverse IT communities — interview with Tanya Janca

We Hack Purple is one of Tanya’s most famous ventures. It’s a blog, online learning academy, community, and podcast revolving around teaching everyone to create secure software. We Hack Purple is an inclusive and diverse community trying to promote cybersecurity for a broad audience and raise awareness about equality and diversity in the industry. Apart from community activities, Tanya has extensive professional experience from her past work for tech giants such as Microsoft, Adobe, and Nokia.

Tanya always manages to present sophisticated and complex IT issues in a friendly and straightforward way, bringing IT closer to non-tech audiences. Her 2020 book Alice and Bob Learn Application Security is an excellent example. We are more than happy to have her on our virtual pages talking to us about diversity, hacker stereotypes, and her colorful and thriving IT career.

How did you become interested in cybersecurity and ethical hacking?

I used to be a software developer, but I was also in bands. So a guy from my office started doing ethical hacking, and he was also in a band. Obviously we became friends, and our bands had to play together. And so, eventually, after a year and a half of knowing each other, he said, “You really need to join cybersecurity. You will be so amazing! You would be my apprentice. I will teach you everything I know.”

It took another year and a half to convince me I wanted to do that. And then I agreed to start as an apprentice, and he taught apprentice stuff. After that, I found more professional mentors, and then I realized that application security rather than pen testing was the right place for me.

What kind of music did you play?

I was a solo folk singer for a long time. I just sang and played guitar. And you can still find me on Spotify and find my albums in various places. I was also in a bunch of punk-rock bands. It was power pop, post-hardcore, electro punk. I play drums and synth and play guitar. Just not all at the same time — I can do only two of those simultaneously.

I like how you manage to present complex IT issues in a simplified language and an approachable, friendly way. What topics do you find the most challenging to simplify? How do you overcome these challenges?

I find abstract concepts that you can’t just go and do for yourself to be the most difficult. So, for instance, Kubernetes container orchestration is very complex, but you can draw a picture of it. You can go and make a Kubernetes cluster and see it for yourself. But, for instance, complex concepts like governance can be a bit more difficult because you can’t go and do some governance. Does that make sense? Quite often, I draw a diagram to understand it better. I ask people lots of questions.

I tend to go and see conference talks a lot. If I see something I’m weak in, I try to sit in on those talks. And sometimes you find someone that explains things the right way for you, or they’ll just draw pictures. For me, reading about the thing and then doing it is the easiest way to voice some mentor topics for myself.

Speaking in general about education, what do you think cybersecurity education should focus on in the future, and what kind of methods should it employ to be more successful and raise awareness?

I think that we really need to work very hard on education. Education also needs to cost a lot less. It needs to be a lot more accessible, and by that, I mean price, languages, formats it’s available in. Because, like I was saying in the last question, I do well by listening to something and doing the thing. Some people don’t need that. Some people need to see and watch, so we could try hard to cover all the different learning styles. I think education is one of our weakest links in security.

I believe we should be teaching this in school. I think the university that teaches computer science should teach secure coding. If they teach architecture, they should teach security architecture. I think that’s the thing the whole industry needs to work on.

I also think that security people need some education on software development, QA, and other things they are trying to secure. Someone who is trying to secure the cloud, for instance, should know that cloud inside and out. How can you work well to help us secure it if you don’t understand what we are trying to do with it and how it works?

Speaking about user awareness, if we compare the current situation with the one before social media, do you think user awareness has improved or decreased?

I would say that users are more aware of cyberattacks and problems, but whether they are better prepared to defend against them, I’m not so sure. I’ve seen statistics of people turning multi-factor authentication back on. And it is pretty low — between 11 to 15 percent. I realize that we don’t need MFA on everything, but I feel like we scare the pants off of many users. I don’t think they feel confident in defending themselves. So has it improved? Yes, they know more, but there are more threats now too.

What can companies and institutions do to improve this situation and make user awareness go hand in hand with emerging threats?

I would say it’s twofold. I think we need to simplify the system and spread the information that the average user is supposed to know. For instance, I drive a car and don’t know what brand of airbag I have. I certainly don’t have to install it myself. I just know it comes with some airbags and is supposed to keep me safe. I have to learn how to drive, but I don’t need to learn all the security features or my car, and I certainly don’t have to install them myself.

But when you buy an iPhone or Android phone, you are supposed to know you need a VPN. But most people don’t know that. You’re supposed to buy a password manager. But most users don’t know that either. The average person doesn’t know. But what if those things were built in?

I just think that we expect the users to know a lot. If I make people understand that much to drive a car and then sometimes a car randomly explodes for no reason, cars would be illegal, but IT is ok for some reason. We have data breaches all the time, and I have to say, if I was a regular user, I don’t know if I would be trusting my IT systems very much. As a cybersecurity person, I definitely don’t.

How do you think the general cybersecurity landscape will change over the next few years, considering that we have more and more data breaches and ransomware cases? Social media also continually gets more intrusive.

I would say in some ways it will improve. In some ways, it won’t. I want to say that the cybercriminals that have been doing ransomware are awful, but I’m impressed with their innovation. Like they are getting smarter and smarter about how they do it, pushing the cybersecurity industry forward to build better defenses. But as building better defenses is good, many civilians are getting hurt, which is pretty awful. So I see security becoming more of the forefront or a thought that is in our heads more often when we are designing systems and launching new products.

When it comes to giving away our data, I hope people will start to think twice before doing it. I’m hoping that security will become a priority in every project. Do I know that’s going to happen? No. But I really hope so. And I think so because of the huge damage cybercriminals have caused.

They say that cybercrime in 2020, I believe, was one percent of an entire world’s GDP at $6B a profit for criminals. That’s insane. That’s wild. And so clearly, it is a priority. If that much money went missing or that much damage was caused, it is a priority, and people should take it more seriously.

Yes, especially if we have in mind that sometimes these ransomware cases are life-threatening and destabilize entire infrastructures, as we witnessed in the Colonial Pipeline hack.

Yes, it’s terrifying. I believe the first death caused by ransomware was last year. They attacked a hospital, and someone died. It disgusts me that a criminal would allow a human to die so that they could get their money. But that’s probably why I’m not a criminal, because I don’t identify with those values. But I feel that things are becoming dire.

As a cybersecurity expert and ethical hacker, what are the most common misconceptions about your profession and cybersecurity in general?

People often say, “Oh, don’t hack me,” which I find humorous because obviously, I wouldn’t. If I did malicious activities, I wouldn’t have a good career. I find it interesting that many people’s first thought when you say you work in cybersecurity is “Do you do hacking?” And my reply is usually like, “Sometimes I do security tasks, and it’s called ethical hacking. And it’s usually pretty boring. You know, you run a lot of tools, and there’s a lot of just hanging out and sitting and beating your head against the wall.”

So many people have misconceptions that hacking is glamorous, that it’s super exciting, but this is what you see in the movies, and it is not real. It’s like doctors doing one cut and the patient is saved! But that happens only on TV. But it is nice to have them think that you are very intelligent when you work in cybersecurity. I’ll take that stereotype any day.

You also co-founded the Women of Security organization promoting gender diversity in IT. It’s nice to see this kind of initiative because IT has been a male-dominated area for quite a long time. How do you think the situation has improved in this area? What are the biggest issues at the moment that still need to be addressed? And what should be done to have more gender diversity in IT?

If I knew the answer to that question, I would be richer. But I believe that enforcing policies and punishing people who do what they should not do in professional settings would be a great deterrent. I’m not sure whether you know how Defcon recently announced how they blocked someone who had done many inappropriate things to women. It is an example of an organization enforcing its code of conduct. Many organizations don’t even have one or have one, but they’re like, “Oh, but that guy really contributes a lot. And he organizes all these things, and we don’t know what we would do without him. Boys will be boys.”

And it’s not always men — sometimes it’s women who are getting away with things they shouldn’t do. And I think if we come down on some of them and hold them accountable, fewer people will keep doing that because they will realize that there are actual consequences to those actions. And as long as there are no consequences to the actions, people who are bad in nature will be bad.

And I think if we were more serious and more intentional about accountability in that area, things would be more friendly, and then we would have more women who would like to join and participate. I’ve noticed improvements, and that’s great, but there are still very stupid things that happen regularly in our industry and are less likely to occur in other industries.

What are your future plans in terms of education and social initiatives?

I’m going to start writing my next book in a few months. So the first book came out in 2020, and I had a year and a half off. I think Alice and Bob need to learn secure coding. I’ve been teaching secure coding a lot in the past two years.

And I’m also expanding the We Hack Purple community. We started with just a few of us, and it got bigger and bigger. I made it free last year so that anyone can join. So we are like a group of volunteers now, and I’m hiring another staff member, and basically, we’re starting to grow more and more. So we want people to be able to write their first blog posts in our community and to be able to give first talks. We want to be that place where if you are at work and you don’t know what to do, you can come and ask us, and one of us will give you an answer.

We have a very strict code of conduct, and, as a result, we are a very diverse online community platform. And we have lots of women, many people of color, and not fully-abled people. We just put together a proposal for a platform of three different things we want to change for visually disabled users because accessibility is one of our core values. So, I’m trying to grow that community to have more safe places for people to be on the internet to learn. And we are also about to add another free course on infrastructure-as-code security. It’s going to be free. And the community is free. There is no upsell — every part of it is free.

What are the biggest challenges you face in your activities in making the community more diverse and trying to involve many people?

My most challenging problem is volume. So many people have joined now. I think we have like 1,300 people. It’s a lot for one person to run. So I’m tackling it by making a team of volunteers, and so now I have many moderators, many people posting content, and people welcoming new members. I guess scaling through volunteerism is how most communities are run. And quite frankly, having a team of volunteers means you have a lot of ideas. And now, because there is a whole team of us, we can actually realize them.

I also want it to be their community, not just Tanya’s community. And so we talked about how everyone can participate in ways that make sense for them because some people are really shy, and they are like, “I’m not ever going to present everywhere. I’m not going to be that person who speaks.” But maybe you will be a person who asks a question I don’t ask, or perhaps some people read dozens of articles every week and could find the best ones and say, “Oh, this article could probably help you.” Everyone has different ways to contribute.

It’s nice to hear because I come from a humanities background, and for me, this whole IT world seemed cold and arrogant at first. So it is nice to see that such initiatives exist, making it more approachable and friendly. So I just really want to thank you for the things you do.

I think that is a thing we need. When I joined cybersecurity, I was surprised because I was a software developer for maybe seventeen years. And then I switched over to security, and I was like, “Why is everyone being mean to me? Why is everyone hostile? Why are there people gossiping?” I met a lot of pen testers who were arrogant. And so I was surprised by that, and then I figured out the places waiting for me where my softer personality type fit in better.

I’m a security person in application security, but I just hang out with software developers all day. And they are just sort of my people, if that makes sense. It’s funny when I used to go to parties before Covid, my friends joked that they would find me in the corner at some point. There would be one or two people quietly talking with me, and it’s always software developers.