Put your finger on the human pulse of cybersecurity with Maril Vernon, a standout star shaking up the scene. Tune in as she unpacks the power of empathy, true diversity, and her unique journey from social media marketing to top-tier hacking. Discover why human connection is vital for making it in this space - and changing it for the better!
Cybersecurity has a human heartbeat.
The variety of backgrounds that people in this space have enriches an industry that is day by day more interested in its human side. Different experiences bring new perspectives and ways of doing things to a community that craves human connection.
Our guest, the extraordinary Maril Vernon, is the perfect example. Coming from the social media marketing space, Maril took the cybersecurity industry by storm, becoming the 2023 Cybersecurity Woman Hacker of the Year, claiming the 2023 Cyberjutsu Pentest Ninja Award, and being recognized as one of the Top 10 Women Influencing Cyber by CyberSHEcurity.
Maril is the Senior Application Security Architect at Aquia Inc., Contributing Writer at CSO Online, COO at Teach Kids Tech, Co-host and Co-founder of The Cyber Queens Podcast, Purple Team Program Manager, and a 24/7 advocate for amplifying female and LGBTQ diversity in cybersecurity.
Throughout our conversation, Maril shares her thoughts on creating space for recognizing emotions in the workplace, how she sees and experiences empathy in cybersecurity, and the positive impact of her social media marketing background on her development as a hacker. Maril also talks about remote work cultures and human connection, generational differences, self-care, her commitment to increasing equality and diversity in cybersecurity, and more.
[00:56] Andra Zaharia: Today, we have an absolute powerhouse in the cyber world, a guest whose journey has inspired many, and whose achievements are nothing short of spectacular. I'm talking about Maril Vernon. From a novice in the cyber world to becoming a one-woman Purple Team, Maril's ascent is a story of sheer tenacity and passion. Her credentials span an impressive roster of accolades: Maril is an award-winning ethical hacker; she's a senior application security architect and Purple Team program manager. And did I mention that she's also the 2023 Cybersecurity Woman Hacker of the Year, Cyber Jujitsu, Pentest Ninja Award winner, and featured in the Top 10 Epic Women in Cyber lists? Yes, and if that's not enough, Maril also co-hosts and co-founded the Cyber Queens podcast, which advocates for more diversity in cybersecurity. She is also the COO of Teach Kids Tech, and she's bringing technology to underprivileged children. Her voice resonates even further because she's an active contributor to CSO Online Magazine and the contributing editor for MITRE ATT&CK Enterprise Matrix. Her journey's an inspiration: as a single parent, Maril switched from social media marketing to cybersecurity, and in record time, shattered ceilings. So, sit tight, listener, we're diving deep with Maril to explore an unmatched journey and uncover the experiences that shaped her growth, and the ones that inspire her future. She left me highly optimistic and full of energy. So, if you haven't had coffee today, honestly, you might not even need it. Enjoy this episode.
[02:52] Andra Zaharia: So, Maril, what was the last experience you remember when you were on the receiving side of an empathetic gesture, or just the general empathetic attitude?
[03:05] Maril Vernon: Oh, wow! That's such a good question. I would say that my wife shows me a lot of empathy. So, there was a day this week, that was just a day, and it was like it had been building, and I hadn't been sleeping well, and I'm in back-to-back meetings a lot of the days. She came home and she was like, "Did any of that get done?" I'm like, "No." She's like, "That's okay." So, she does a lot of empathetic things for me, just taking things off my plate. I'm an "acts of service" kind of person. But from our industry, I'm in a group chat with quite a few InfoSec peeps. We're a little camp that met up at RSA this year and have been in a group chat ever since then. And we are a group of people who don't just talk about technical things. We're not just like, "Oh, this bug dropped," or "Oh, this zero-day, patch your phones." We're like, "My kid got a gold star at school," or like, "I am not doing well today, guys, I need to be pumped up." It is just my little blanket family. I go to that chat when I'm like, I know we're all here lifting each other up, everyone in there is so genuine. We're all going to stay in a big Airbnb together this year, instead of staying in separate hotels. We're all going to spend time together as people. That is just one of my favorite doses of empathy I get just about every other day – those five or six people really fill my empathy cup. Sometimes they talk me off the ledge, like, I'll be crying – I'll be like, "I'm crying right now." They're like, "No, no, no!" And one of them will call me and say, "Let's just talk about it." So, I would say this is just like an ongoing dose of empathy that I get.
[04:27] Andra Zaharia: I love that. And I love that you're actually emulating that in the recent Discord that you just launched for Cyber Queens, which I absolutely love. I mean, you're doing just that; you're creating. The way you describe this Discord and what you want to achieve with it, the kind of space you want to create for people. So, could you just kind of recap that for people who haven't seen it yet or joined it yet? Which I'm hoping they do soon?
[04:54] Maril Vernon: Yeah, thank you. So, Cyber Queens has been around for just over a year. We launched last September — yay, birthday! But we have a lot of people coming to us in the DMs just saying, "Wow, I resonated so much with what you said in this episode," or "I've been there. I've been on the receiving end of that. And what you said made me feel like I'm not alone." We realized that what the InfoSec community and the women InfoSec community specifically didn't need was another technical Discord. There are so many people out there doing that really well – teaching you blue team skills and giving you access to red teamers and things like that if you want to ask questions about learning something or upskilling. But we're like, what people really need is, again, that warm blanket place, like a squat; they just need a place where they can come and be who they are, and get some psychological safety, or talk about things with us – people who understand that they can't talk about with people at work, there might be repercussions there. So, what we really want to do with this Discord community is if you are afraid to ask questions, if you're like, "God, I've been looking at that for a minute, that cyber thing over there, and I want to go over there and pet it, but I'm afraid." That's what we're here for. We're here for: it's okay to be a noob, it's okay to ask your stupid questions, it's okay just to say, "My coworkers tore me down today," or "I want to celebrate a small win: I submitted five job applications today." We have a channel in there called "fails" where we're celebrating failure because I think normalizing failure is a great thing. A lot of people look at my success and my story and say, "Oh, my gosh, if I'm not Maril, I'm failing at life," and I'm like, "No, no, no!" I always say everyone determines their own rate of success. I've failed along the way. I've experienced several setbacks.
I don't pass certification tests the first time sometimes; sometimes I do, but sometimes I don't. I don't get every job that I've gone after. So, I don't want people to see my awards and my success and think that if they're not where I'm at in their career that they're behind.
[06:42] Maril Vernon: So, the Discord is just a place where you can come and find this tribe, you can get some study help, you have access to the Queens – unfettered access – if you're like, "I have a question, this one versus this one, do you have a link for this? Do you have a resource for that?" and I'll just shoot you what I've got and send you off. We don't have time to mentor everybody in-depth and really hold their hand and work one on one because there are so many of you who need us, we've realized. So, this is a place where you can come and learn from others at your spot. Come and learn from us who've already been there and we'll reach behind and help you. Come and find safety, find empathy, find some human in this very technical industry that we work in.
[07:15] Andra Zaharia: And speaking of this technical aspect — and again, thank you for creating this Discord. I can't wait to be a part of it. I couldn't wait to watch it grow. I can't wait to see just people being kind and supportive of one another. Just to see it, just to be on the sidelines of that, I feel like it restores your faith in humanity, which we need a lot of these days, in general, but particularly these days. Speaking of the technical aspects, you mentioned something before we started recording that I think is such an important point; you said that people seem to be a lot more interested, nowadays, in the human side of security, and all that it entails: communications skills, relationship-building abilities, and so on and so forth, more than they care about the technical side. And I thought we might unpack that and why that is happening because I feel like it's such a very interesting and very helpful thing to look at, in our community, in this industry.
[08:15] Maril Vernon: Yeah, we were each talking about our podcasts and where the concept for them came from. We both feel like we're not doing very well. But from the outside, we both think each other is doing really well — so, there's some imposter syndrome for you. But, yeah, when we were talking about the Cyber Queens, we were like, "Guys, do you feel like we're touching on too many soft topics? Do you feel like we're not being technical enough considering that we call ourselves a cyber podcast?" And I said, "There are a lot of technical podcasts out there. There's Cyber News, there's Cyber Bugs, there's Exploit Podcast, Darknet Diaries, things that dive into the technical a lot if that's what you want." But our most successful episodes recently, because we tried to do a little bit of that in the beginning, and we haven't always intended on circling back and sprinkling some of that content in there, like Red Team exposure that I've gotten, things like that, and exploring different verticals, which we will still do for the people who need to know about those jobs. But the most successful episodes we've had have been the ones focused on people and focused on empathy and emotion. So, recently, by far and away, our most successful episode recently was with Emily Keel, who is a blind person looking to get a job in cyber, and she has since gotten a job in cyber — so happy for her. She is an accessibility adviser. People leaned in; people wanted that to be unpacked and wanted her to tell her stories, wanted to hear her struggles, and wanted to resonate with her. We also had a Sacred See Salon, Shannon McPherson. She's someone who is trying to be more intuitive, more people-centric, more leaning into that. I'm not a woo-woo person; I'm really not, but she brought a lot of that empathy and was getting over blocks and getting out of your own way and treating people like people and not just being these toxic go-getters that a lot of us can tend to be. 
And people loved that episode too. It just shows me that people do want a dose of that empathy. This is why I think your podcast is such a fantastic idea.
[10:02] Maril Vernon: I say it all the time; tech and cyber are still people industries. We're still people who work here. I used to be the kind of person, very early in my career, when I was like '19-'20, who would come in and be like, "Did you get my email?" And they're like, "Hi, Maril. Good morning. Nice to see you, too." And my boss was like, "People need that sometimes, people need to connect with you for a minute." And I'm like, "Right. Good advice." So, it's true though. Even more so now that I work fully remote. I work for a fully remote company, we’re a Slack-first culture and stuff like that. I cherish and savor that connection when I get it. I got three hours with my fellow co-hosts at BlackHat. And it was still my favorite chunk of time from the whole week that I got to spend with them because we've been cyber besties for a year online, and we got to meet up in person and hug each other and giggle and jump up and down. So, it's true. I think everyone in cyber is really craving human connection because we are feeling beings that think; we are not thinking beings that feel sometimes.
[10:56] Andra Zaharia: I dedicated an entire episode to the role of emotions in cybersecurity, in general. And that's actually the most listened-to episode up until now. So, people, again, are clearly interested in this topic. This actually ties in really well with something that I'm reading right now. I'm reading Gabor Maté's "The Myth of Normal," which dives in really deep into the causes of stress and health problems that stem originally from our disconnection from what community means, from our disconnect from other people, from failed relationships, even from our inability to connect to others in certain situations. And that actually makes us physically sick; it produces inflammation in the body, and so on and so forth. And I feel like we're finally emerging from a stage in our culture, generally speaking, where the conversation around work has always been like, "This is something that's very methodical, and you can leave your humanity at home because we got a job to do here."
[12:00] Maril Vernon: "We don't have time for that here."
[12:02] Andra Zaharia: Exactly. And now we're realizing, forcibly, after the past few years, that this is actually instrumental because if we don't have this, then we can't have anything else. We can't have good security, we can't have thriving companies, we can't have good products. And I was wondering how that perspective applies to your job, especially being in a company that's totally remote, that adds like an extra layer of effort that you have to do. So, how do you deal with that?
[12:33] Maril Vernon: It's so interesting you bring that up. I don't call myself a know-it-all because I have the kind of brain that can learn a lot of things; I call myself a learn-it-all. I want to go learn it all, I have to pick and choose though. But in college, two of my passion subjects outside of my major were physics and anthropology. So, it's so interesting you bring that up because I can see because I was a linguist, I speak multiple languages, and I love learning languages. And I love learning about the culture and the evolution of people and how that happens. I see how people had to harden themselves and isolate themselves because the times were so hard. People will form how they act, depending on the experiences they've had, the world event experiences. It was a time of a lot of war and depression and scarce resources, so people had to harden themselves and tell themselves that by serving me and my family, I'm not hurting someone else, even though it's all kind of cause and effect. And I think we're coming out of that now. We've gotten to a place as a society where we have comforts, luxuries, ease, and things are readily available. When the hard things are taken care of, we can focus now on the things that we forgot. We did forget that. We started with our grandparents. I'm a millennial, so my grandparents were very isolationist, slept in separate beds, like you go to your smoking room and read a book or a newspaper and I'll talk on the phone with my friends. They were separatists. My parents grew up seeing that and kind of were like, this is still how it is supposed to be especially at work — like don't bring your emotions to work. At work, you're the perfect employee, everything is fine. And that's where that notion of "Don't hire the person with the resume gap. Don't hire the mom because the mom's got responsibilities at home that are going to affect work. Don't hire anyone with anything going on that could affect work."
And it's like, "Are you kidding? We're all people."
[14:16] Maril Vernon: If the boss's wife was in an accident, he would leave. And then we, as millennials, came in and said, "But it's okay to be imperfect. It's okay to be human." So, how I deal with that at work, to get back to your original point, we have things where it takes a lot of proactivity. When I first started in cyber, thank goodness, my first six months on the job were right before we all went remote for the pandemic. And I could lean over a cubicle, or touch my coworker, or we used to toss tacos at each other. It helped build camaraderie. So, when we did go remote, I still felt like I had those connections. But joining a lot of remote cultures, like working at Zoom, working where I work now, it takes proactivity. I reach out to people and I say, "Hey, I see that you live in Washington. We're planning a vacation there. Just give me your intel for the area." And we end up talking about some life experiences. I put myself out there as an ally online. So, I've had coworkers come to me and say, "I'm not LGBTQIA+ but my partner is, or my sister is, and she's considering moving, and she wants to move to a place that's safe for her. How do you like where you live? Would you move anywhere else?" And they come to me for those opinions. So, we try to reach out as coworkers across those lines.
[15:21] Maril Vernon: And I work in government subcontracting, which is even more of a siloed environment. I'm on a team of two; we have a team of 15. That's the biggest one. We have contracts with one where Aquia only has one seat sitting on that contract sometimes. So, we try to reach out as employees, and we do trivia happy hours remotely, of course. We do donut conversations. I have little collab calls I have where I say, "We're not going to talk about any work. Don't bring up your contract, don't bring up a follow-up item from someone on this call. We're not talking about that here. We're only talking about other things." So, it's one of the ways you can deal with it. I want to bring this up, I saw a post recently that said, "Conferences are not worth it, change my mind. They're overpriced. The networking, really, you can do that all online now. You're paying a bunch of money for recorded sessions you can get online later," and all these things. And I was like, "That's true, pragmatically." But I still look forward to cons, and I'll still spend my educational budget on cons because like I said, I met those people earlier this year, and we've been in a supportive group, and we're gonna see each other again next year, and we're excited for our one-year friend-versary. I'm excited to be in the same room with my people, with other hackers, with the newbies who otherwise would be too afraid to approach me online, to meet the managers that I would be too afraid to approach online. I still think that the in-person factor is just one of those things you can't put a value on, you can't put a dollar value on. You can pragmatically make the argument that cons are dead all day, but I will still spend thousands of dollars to go meet up with my people because I miss them.
[16:49] Andra Zaharia: And I think that that's a matter of how in touch you are with your own self, with your own needs in this area. And if you treat work just like something like a silo in your life, or if you treat work as a source of connection and achievement in the sense of, "Hey, look at the great thing that we're building together, look at the great things that happen when people truly care about this." And that's one of the things that I love about the cybersecurity industry, that it's packed with so many generous, incredible people who will open their hearts to you and give you an hour of their time, like you're doing now, and pour out their hearts, and be vulnerable and open, and provide an example that it's okay, I mean, you can be vulnerable and thrive, and that's not going to affect your perceived persona and so on and so forth.
[17:40] Maril Vernon: It's gonna make you better. We have our divas in our industry, but I ran into Jen Easterly at SquadCon, the smallest, newest of the cons. Jen is one of those people who's a celebrity; everyone wants to talk to her and they want two minutes of her time. But in those two minutes, she's there giving you her undivided attention for those two minutes. Despite that there are 30 people around there waiting their turn, looking at you. She really builds a connection with you and makes you feel like, "I hope I answered your question. I would love to follow up with you, or my people will follow up with you. I'm so sorry, I have to move to the next thing now." But she gives you that. So, it is a very inclusive community. And now, I've seen the converse; my wife, unfortunately, works in an industry right now, and at a place where she does the opposite. There is no psychological safety; there's a lot of toxicity. And what I say is, just go in with 10% of your brain on, do your job. Go in with 10% of your brain, do your job, be a robot, and then the rest of your time, we spend outside of work. We will pour a lot into that human side, or the hobby side, or fill your cup in other ways, but it does suck because she works 10-12 hour days sometimes; it's a majority of her day. She does not want to connect. She's tried, don't get me wrong, but it's just an industry that's still in the diversity stone ages. I've seen the opposite, where people are forced to compartmentalize and segregate their roles a bit to protect their mentality. But I wouldn't say that I've had to do that in cyber, but I know some of you do. And if you do, join my Discord, and we'll talk about it and dox those people.
[19:11] Andra Zaharia: I hope that Gen Z will — Well, I see it changing a lot of these things. I see them challenging and taking things head-on and not being afraid to speak like, "No, this job is bullshit. No, I won't get paid that little because it's not something I can survive on. No, your values are antiquated, and they don't make any sense. You're also not practicing what you preach."
[19:36] Maril Vernon: There's someone very successful on TikTok right now, Veronica, and her tagline is "act your wage." She's like, "Hey, just a friendly reminder, someone's getting paid way more than you to do way less than you. Act your wage. If you're not being paid to do it, don't do it." There are pro and con arguments for the quiet quitting thing. But I agree, don't just pick up someone else's slack for the same amount of salary. You're doing two jobs for the one job you were hired for. But Gen Z, well, going back to that generational thing, "We're just happy to have a job at all. We just need the money." Again, loyalty: "Thank you for taking care of me and my family." And then Millennials come along, "Well, could we change that, though?" But I would say we asked for a lot and we settled out of court for 20% of what we asked. We are like, "Will you make these small changes for us as people — better work-life balance, better benefits, great." But Gen Z is coming on in: "I'll go live in the woods on no money at all. I don't need your job; you need me." And that's true. We don't currently have enough people coming into the workforce to replace the workforce we have; there's going to be a talent scarcity problem coming up real soon. And Gen Z isn't having your crap culture; they're not. They don't give two weeks' notice; they'll walk right off the job if they're unhappy. They're like, "Oh, work drains me. I'm just not going in today. Those people suck. That mission sucks. I'm not going; I won't do it." And I'm like, "But at least Millennials will show up out of a sense of obligation." Gen Z don't have kids; they don't have those obligations. They were raised to seek social justice. They are not gonna have it, so best of luck to y'all out there who have a lot of change to make in the next five years. Because by 2030, 60% of the workforce will be Millennials and Gen Z. The older generations will be in the minority. So, get ready.
[21:13] Andra Zaharia: I'm really looking forward to watching what happens and to see what happens to us as things evolve and as that generational gap deepens, because it does. I feel myself sometimes. I feel old sometimes next to these kids, and they're like, "Oh, I don't like that about me. I need to work more flexibility." Wait, I'm not turning into my mom.
[21:38] Maril Vernon: I try to reach across and understand them. I'm like, "I understand your point of view. But I don't know what 'bussin' means. I don't know how to talk to you." I listen to Gen Z TikTok sometimes, and I had to send it to my best friends and be like, "Guys, it happened. I don't know what they're saying."
[21:54] Andra Zaharia: You still have a chance because you work with kids as well.
[21:57] Maril Vernon: I do, but that’s Gen Alpha.
[22:02] Andra Zaharia: And I was curious, how do you see them? Which values do you see them resonate with so young, when they're so malleable, and they're so open to things, and they're so curious, and a lot less biased than we are, of course.
[22:15] Maril Vernon: My gosh, I see such beautiful inclusivity and diversity in Gen Alpha. So, Gen Alpha, for those of you who are unaware, are the people who come after Gen Z. And I can't remember their years exactly, but they're 10 years of age and below right now. But they are such beautiful minds, beautiful little people. My daughter has friends of mostly not her ethnicity — very few Caucasian-looking friends. She drew me a picture the other day, and with no prompting whatsoever, she chose to color it like this because she thinks her skin tone looks good with purple. I don't have to tell her like, "Baby, stop coloring people that look like us." She just sees it, and she just has it intrinsically. She is the type of person who's like, "We got a new friend today. His name is Vladimir; he's from another country. Isn't that so cool?" I'm like, "That is cool. You should ask him what it's like over there and stuff." They don't see different as bad; they see different as neat. They want to get over there and put their hands in it, and like, "Be my best friend." Gen Alpha has a really special little style of mind. It's interesting, though, that Gen Z is coming up right now, but Millennials weren't their parents. Some Millennials were their parents, older Millennials. But still some of those Boomers were their parents. But Millennials are the parents of Gen Alpha. My kids are Gen Alpha and I'm a Millennial. So, it's interesting that they're gonna grow up with us as parents, and I can't wait to see what Gen Z's kids are like, man. That's going to be wild. It's kind of come full circle. Millennials had to disrupt a little, and Gen Z is going to really disrupt; they're going to draw some lines in the sand and force people to pick a side. But then Gen Alpha is going to come in and clean it all up with a big dose of humanity, a lot of empathy, and a lot of "These people have been my friends for years. And this is just how I think; I don't see those differences that you see." So, that's going to be an exciting evolution in the workforce. I can't wait for that.
[24:03] Andra Zaharia: It really is, and so many reasons to be optimistic about this. I think that one of the reasons behind this is that many of them are getting a much safer, much more psychologically comfortable, and safer home base, whether it's their family, it's their friends, whatever it is, they have a home base where they can return to and they feel safe to go explore because they have that secure attachment that makes them happy. I feel like, us, working in security, no matter our role, that's our job. It's a very kind of parental instinct to protect and to just ensure that safety — that people feel safe talking to us, asking questions, making mistakes, knowing that someone has their backs, and I feel like this is the new paradigm that the cybersecurity industry needs to step into.
[24:52] Maril Vernon: I would agree. I would say Millennials started to take up space a little, like older generations kind of hug the wall and like, "Don't pay attention to me. I'll just sneak by." We started to take up space a little bit, and then Gen Z audaciously took up space. But yeah, I think Gen Alpha is going to be one of those Gens that is going to be the glue between a lot of different people.
[25:11] Andra Zaharia: Speaking of these kinds of diverse inputs from our cultural environment, what was it like for you when you started in cybersecurity because we know we're still struggling in terms of diversity, we have a long way to go. We are making progress, but still a long way to go. Hence, the Cyber Queens podcast, and most of your work.
[25:31] Maril Vernon: A long way to go, y'all. In fact, it might have seemed like when we started Cyber Queens, I was like, "Do we need another female podcast? What is going to be our message? What's gonna make us different? Why would people listen to us?" And then we started doing the market research and realized there's really not that many. First of all, we could benefit from another one, period. And second of all, we have a really unique voice that we bring. But diversity, although it seems like it's moving forward because we've got the "Race is Excellence" in like Latina cultures awards, we've got "Women in Cybersecurity" awards of which I'm a winner. We've got all these women-centric awards now existing, but diversity is sliding backward. It's actually going backward. We're losing women; we're losing minorities. And you've heard multiple pushes. You've heard it from multiple places, multiple times - RSA’s theme was "Stronger Together." We can only innovate and move forward with diversity of voice and diversity of thought. We're not going to get anywhere new by looking at each other and saying the same things and guessing each other. There is still so much room for diversity, to push for diversity. Like I said, it's actually starting to slide backward a little, which is frightening. I'm sorry, what was the original question? What did you ask?
[26:38] Andra Zaharia: What was it like for you?
[26:40] Maril Vernon: So, I only entered cyber, y'all, four and a half years ago, I almost qualify for a CISSP next year. Next April, I'll qualify. Let me tell you, so much difference has been made even in those four years. In those four years, there weren't these big pushes for diversity. Cons weren't theming diversity-themed cons and things. There weren't all these groups that are active now. So, I had to go to a pool of people that I knew and relied on. I went to my Vet Sec community, Veterans Security. Because there, if you've put your time in, you're welcome if you're a man, woman, elephant, purple, green, polka-dotted. If you've been in the military, we are all comrades together — camaraderie. So, I went to Vet Sec first. And that was the first place I felt safe being stupid and asking my beginner questions, and seeking help from people I knew wouldn't tear me down for it. But it was a very different landscape. I would say diversity really benefited from all of us going remote because of the pandemic. Not because of the pandemic, I didn't say that, but when we all went remote for the pandemic, my career was able to accelerate so quickly because all of these people and knowledge and things that I would have had to go somewhere for, and I was a parent of a two-year-old and a less than one-year-old at the time. So, traveling for me was out of the question. I was living with my parents. I didn't have the money. I didn't have a professional education budget because my org couldn't afford it, and I lived with my parents; there was no one to take my kids because my parents both still work full time.
[28:02] Maril Vernon: So when we all went remote for the pandemic, people started making all these resources and having free virtual cons and getting really jazzy speakers. I got to hear from Phil Wylie, Pancakes Con was a thing, Hacks4pancakes, and InfoSec Sherpa. And all these people started giving away their time for free and making resources and putting them out there for free. And all of a sudden, I didn't have to be in the same room with those people or attending expensive talks to get this knowledge; it was available freely. And so much innovation happened as a result of that, that it really was friendly to the remote worker. A lot of people don't realize that cyber training and materials don't meet a lot of diverse people, women, minorities, impoverished people, persons of color, persons who grew up in communities where their school can't afford a STEM program, hence Teach Kids Tech. But cyber doesn't meet people where they're at in life. "You have to spend $10,000 and you have to spend two weeks at this remote location to get this certificate." Okay, I can't do that. So, can you offer it cheaper? Can you offer it remote? Can you offer it with subtitles for those who are deaf? So, diversity has a long way to go still, because we're not being very inclusive. As much as it seems like we're being inclusive, I would almost say that's diversity theater — like security theater, diversity theater. It looks like we've got all these jazzy initiatives, and we're moving things forward. But we're losing numbers. We're not doing enough to accommodate the average person where they're at in life. And the pandemic forced the industry to do that for me personally, which is one of the reasons I'm where I sit today, four years later. I made 10 years of professional progress in four because of all these things that have become available since, but when I joined, oh, man, it was a different playing field. It was, "It sucked for us. So it's gonna suck for you. You just got here, sit down and calm down. And that's gonna take you two years to even figure that out, to even qualify for that, to even be able to get that thing." And I'm like, "Just because it took you two years doesn't mean--" And I was the first person to start breaking those molds and saying, "Okay, you said this master's program will take me 24 months, I did it in six. You said it'll take me two years to get my SEC plus, I got it in two weeks." I'm like, "Don't tell me how fast I can do something." But I am unique. Not everyone who is a single mom, who is where I was at in life, is as resilient and tenacious as me. And we need to reach our hand back and help those people or cyber is not going to benefit as an industry, we're not going to go forward, we're not gonna go anywhere, we're gonna stay here. 10 years from now, we'll be here.
[30:27] Andra Zaharia: If we are a culture of people who are free thinkers, challenge the status quo, and rebels because that's at the heart of the hacking culture of cybersecurity in general, if we are to honor those values and that spirit, tenacity, perseverance, and also that idealism, then we need to work on ourselves first. And then, to be able to make sure that other people see that it is possible, and not that it's possible, but how it works. And this is one of the things that I really appreciate about your work because you're shedding light on how things happen, not just like, "This is what you can do. There's plenty of opportunity." We know, but it's also overwhelming — like, just how. Because the how is just as important as the why first, and then it's usually the most obscure part of it all, even for the most well-meaning people who want to see beyond the surface.
[31:26] Maril Vernon: Yeah, I agree. A lot of the advice you'll see out there, it's like a recipe that is missing pieces. It's like an SOP you're trying to follow. So, you're at this dashboard. And from there, you're like, "No, no, wait, how do I get to the dashboard? Where's the URL? What are the credentials?" So, it's like, "Go get your security plus, and when you have that--" Wait, wait, wait, how do I do that? Are there alternatives? Where do you start? People aren't going deep enough. And we who work in this industry every day think that we're giving enough steps, giving enough info. And we're not. I'll quiz people who come out of certain Pentest Plus, Security Plus, Coursera programs, or boot camps. I'll be like, "Okay, what is this versus this?" And if they can't answer, they're like, "Oh, we didn't cover that. I don't know." And I'm like, "Okay, well, just think about it. Think about it as a situation, as a problem. If you approach this, how would you think this is different from that?" "I don't know." And I'm like, "Gosh!" We are a bunch of free thinkers, and we are taking people's ability to think away by not giving them enough and not going deep enough. So, things need to be broken down a lot farther to accommodate the average learner.
[32:32] Maril Vernon: A lot of people say cyber isn't an entry-level industry, like, "You need to work in IT for a few years before you get into entry-level cyber." So, you should already be mid-level in your career. And I say, "No." I say some of the best cyber practitioners I've ever seen come immediately from non-traditional backgrounds, and they've got a lot to contribute. My own mother, who's in her 60s—she'll kill me for saying that, I love you, Mom, it's math—just started in her first GRC role. She worked in the banking industry for years and years, and then in customer service. She's slaying it at the compliance game. She's like, "Oh, big documents. Oh, regulations. Oh, translating — I can do that in my sleep." And she's just wiping the floor with everybody else because she brings a unique perspective. It's phenomenal to see. I wish more people gave more opportunities because the fact is your jobs are going unfilled, you're still suffering breaches. So, giving the newbies and the non-traditional people a chance, you're not going to be worse off, you might be better off, but you won't be worse off tomorrow than you are today. So, I just say, give them a chance.
[33:33] Andra Zaharia: I love that story. I love how you're inspiring so many people in a very practical way, in a way that feels attainable, in a way that feels achievable to actually try to get their footing in this industry. I'm trying to save on the communication side. I do think that there's a huge need for comms people who are actually passionate, interested in this industry, who want to make a difference, who want to help, who want to help engineers acquire more communication skills so they can develop better relationships. So they can build healthier companies and teams, so they can promote their work in a more meaningful way that doesn't feel arrogant and doesn't feel devoid of substance, and so on and so forth. This is like I'm taking a chance if you're a communication person who is looking to niche down, or just looking for something new and challenging and fascinating to work on. There's so much room for you around here.
[34:32] Maril Vernon: Let me tell you, that is so true; reporters make the best auditors; customer service people make the best program managers. People with this skill set, where they've been serving in other capacities when they apply those to cyber, god, they shine, man, they do.
[34:48] Andra Zaharia: What did you take from your previous experience, which was non-cybersecurity? Because I bet you took a lot from that, especially your insane storytelling skills, the energy, and just the raw intensity and vitality that you give off.
[35:05] Maril Vernon: First of all, I've always been a very intense person; that has been since I was little, man, that has not changed. And everyone's like, "I wonder if it's just an online thing. But when you meet her in person, if she's kind of quiet." No, it's like full frontal Maril energy. My interns put me on decaf, mandatorily, for like two weeks one time. But what I took from my old job, I used to be a social media manager and a copy editor. So, I'm a writer by trade; I love to read and I love to write. Hence, the languages and a lot of the articles that I publish and things like that. But I was able to take a lot from my old life. So, I am someone who loves structure and direction. So, I went the military route very early; I did ROTC, I did the reserves, and then I did the guard. And from my social media—and I say this all the time—when I got to cyber, I knew nothing about cyber, I was a completely non-technical individual, but I knew everything about getting a message out and amplifying a brand on social media. So, I leveraged that. I brought to cyber, I was like, "I am a hella good researcher." I can go through a lot of information very quickly, gist out the important pieces. And I'm like, "I'm gonna do that for you guys. Because if I'm doing all these hours and hours of research, y'all shouldn't have to do it." I started giving that away. I was like, "I'm brand new. I researched these six things today. Here's what I learned. Here's what's valuable. Here's why it's valuable. Here's what I'm going to skip and why. Here's what I'm going after and why. Here's how I'm leveraging what I've got." All I had was the ability to, again, learn really quickly in my academic aptitude and communicate technical concepts to non-technical people. So, I grew up with a dad as an engineer; my dad's a SCADA engineer, which is an ICS automation control language. I grew up with my mom, who, again, that softer side, left-brain side of things, and I was like, "This is the value I can provide: I can take all the information you give me, I will attend all the meetings, I'll debrief all the people, I'll bring all the stakeholders up to speed, I know how to speak to higher level management. I got experience briefing generals who have like two seconds of attention span in the military, and making them care about my update or care about my mission, or give me the budget that I need." So, this is my strength, this is where I'm good at. It was these communication skills. It was the pitching myself and speaking to other executives and speaking to other departments, and not being the cyber person who doesn't know how to read the room, not being the cyber person who only speaks in technical jargon.
[37:21] Maril Vernon: I can break things down into analogies, I can give people a relatable point and anchor to relate with me as a cyber person. And that was what I brought first. And then I did that on social media. That's what I brought from my social media background. So, I leaned heavily on my military and my social media to be successful in cyber. My mom is leaning on her literally collection skills and her banking skills to be successful in compliance. My sister was successful in math, and she is now a business intelligence developer. My wife was a manufacturing production manager, but she handled a lot of the compliance, safety, and auditing. She's an ISO-9000 certified internal auditor; I'm like, "What? You could come in and be a GRC analyst tomorrow." I think she would slay it in compliance. I think she'd be bored, but she would slay it until she learns coding or something. So, I always say, if you're a teacher, guess what your strength is? You can deal with a lot of people and make them do a thing they don't want to do. Did you ever see that video that was like, "As a teacher, you have to make the kids know math"? And they're like, "Oh, great. Do the kids want to know math?" "No, but you need to make them know it anyway." "Okay, great. What kids?" "Just the kids who live around the building." "Okay, great. Do I make a lot of money from making the kids know math?" "No, we're gonna pay you very poorly, and you're gonna work twice as hard." Teachers bring so much strength to the cyber industry; they can make a whole group of engineers, developers, managers, or stakeholders do things that you don't want to do, without getting them to realize that they're doing it. And how do they do that? Let's all come together. Let's all do an affirmation; let's all sing Kumbaya, hold hands, and rally up the team. They are the greatest team builders and outreach and evangelists that you will find. So, I think everyone, no matter where you come from, has something to bring to this industry. I firmly do.
[39:05] Andra Zaharia: I couldn't talk. I kept nodding my head here. I'm gonna pull a muscle from how much I was nodding my head in agreement and excitement as to what you were saying. Yes, there's something in us that connects cybersecurity to the mission of helping others. Because when we feel there's a bigger goal than just the job, just the money, just the KPIs, just whatever it is, then it just clicks; it clicks with your values, it clicks with who you are as a person. And if you can take that to work, and then take that in a way that's meaningful, that's going to help you make a heck of a lot of progress. And we can see that in you and everything you've done so far, which is just so wonderful and fascinating to watch. And I want to ask this: How do you show yourself self-empathy? How do you practice that? Because you challenge yourself a lot. You go at a really, really fast pace. How do you take care of yourself, so you can do all of this?
[40:11] Maril Vernon: So, first of all, this is Maril version 14.0 speaking. Maril version 1.0 was not this enlightened. But I do like to go fast and I do like to set myself really big jazzy goals because I need those things to work towards. I have a whole lot of energy; I gotta point it in a direction or it's just going everywhere, like a laser. I do aim so high that if I do fall short, I give myself grace. I tell myself, "That is okay, man. You had to cancel the podcast two weeks in a row because you're building up the charity, that's okay. It's okay to be tired from a big conference and not have the energy to do this thing today." I give myself a lot of grace. I don't guilt myself anymore. I used to do that a lot. I don't do that anymore. I balance as best I can. I'm a very proactive planner; I'm a backward planner; I'm really good at thinking 12 steps ahead. That's one of my superpowers. So, I've tried to adequately plan out my days and stuff. But if something goes by the wayside, someone throws a wrench in there, I have my priorities and I try not to miss the things that really count. But some things do fall through the cracks, and that's just humanity for you. So, I also give myself permission to have done enough for the day; there's always one more thing I could do, one more Slack message I could send, one more piece of feedback I could give, one more thing I could plan out, one more podcast episode that I could schedule, one more set of notes that could look better. But I just have to call it done sometimes and give myself time to walk away and decompress. Also, even though I'll have 10,000 things on my to-do list, I take time with my family, I take time where I slow down, I drink a cup of coffee outside, I watch the kids play, we play a board game, I watch a show with my wife. I will put the amount in off and I'll boil it one part at a time, and it might take me months, and that's fine. But I have to give myself that grace and that time to slow down or I'll burn out.
[41:55] Maril Vernon: People wonder how I haven't burned out yet. I came very close a few times. I have like one or two mental breakdowns a year, and then I'm good for like six months. There have been times where the Queens, me and Erica, get on the phone and we're yelling at each other. And then we walk away for two days, and we go, "I miss you. I'm sorry, I love you. I was just having a moment." We're allowed to have moments. And I am superhuman. And a lot of people in my personal relationships expect me to be superhuman all the time, a lot of my exes. If I cry, or if I crumble, or if I crack, they're like, "Why don't you have it together? Why don't you have the answer? What's wrong with you? Stop that." And I'm like, "I'm human. I'm allowed to feel things. I'm allowed to not have a good day. I'm allowed to not be in a good mood." And it's not your fault. I'm not projecting onto you. It's just how my day is going sometimes. I'm allowed to not get a thing done and to need more time. If other people can ask for it—and sometimes I need to see someone else ask for it first—but I'm allowed to ask for it. But it's hard. We're all our own harshest critics, we all want to be our very best, we all want to give back and eat, sleep, and breathe cyber, everyone thinks that I have a lot of really heavy lifts. But doing the Cyber Queens and doing Teach Kids Tech, those align very naturally; they are in the same vein of work. So, a lot of the projects that I accept are only a small percentage more to scale up to that project. It's not like I have to accept a whole new thing over here that's gonna take a lot of my time and attention. I choose calculated risks very carefully and I scale my time intelligently. Because one of my favorite mantras is, everyone says, "Manage your time," but I say, "Manage your energy." "You don't have energy for that." That's not my energy budget; I'm not going to have energy for that today. So, I move through life unbothered by a lot of things. And some things stick with me that shouldn't; I'm not perfect, but I really try to manage my energy. It takes 10 times more energy to guilt myself about something than to just let it go. I'm either suffering from my memory or suffering from my imagination. Neither is worth it.
[43:40] Andra Zaharia: Oh, the guilt thing, it spoke to me so deeply. And that's something that I still wrestle with sometimes. But I feel like the more you practice these things; they seem small but they're so important. But the more you practice them, the more you realize that they're doable and that there are some things that we can just let be and let time fix some of the things that we want to push up the hill by ourselves. We can just let it sit, and then watch what happens. Plus, one of the things that you mentioned that I wanted to highlight, I actually came across this on Pinterest, which serves me with a lot of mental health stuff, which I love.
[44:16] Maril Vernon: Pinterest is phenomenal; go there.
[44:19] Andra Zaharia: It really is. I'm not on Facebook, I'm not on Instagram. So, I gotta get something from somewhere besides LinkedIn. And I saw that there was a thing that said that a safe person is confrontable. And having those people that you can go to, to talk about, "Hey, I don't like myself today," or, "Here, I have something to say about you." And that person, knowing that it's not about them, and you're lashing out because you have some unmet needs. I feel like it's one of the most precious gifts that we can offer each other and just be there and create that space and just sit there with being uncomfortable and just letting the other person just vent.
[44:58] Maril Vernon: I have a whole Maril minute on "get comfortable being uncomfortable." If something scares you, make that thing your best friend till you make it your bitch. If it's being in your own brain, confronting your flaws, if it's the cloud, figure it out. I love that. But I would say that that is one of the gifts you can only give yourself if you're willing to do the hardest work that exists on this planet. And the hardest work that exists that nobody wants to do is to confront themselves, to look inside, to do that true introspective work. Because it's not comfortable; you're like, "I didn't do that. I'll just ignore that interaction. It will be better next time." It's so uncomfortable to tell yourself that you're not perfect, that you are messing up somewhere. But it's really the only way it's going to change. And it's not to say you're a bad person, or that everyone dislikes you, or that you've lived your life the wrong way. It's just to say that, hey, let's bring a behavior to your attention, and let's take proactive steps to curb it. And you'll mess up, you'll fall off the wagon; it's a very slow progress at first, but consistency over perfection. My wife loves to interrupt me. And it's just one of my pet peeves. I don't like being interrupted, and then I start to yell, and I start to get angsty. It's a snowball effect. So, I was like, "You know what, I still love you, you know that. But I'm going to point it out to you so you can start spot-correcting because you don't realize when you do it." And she doesn't, she really doesn't realize. She has an idea, it comes to her head, it comes to her mouth, right out of her brain. So, it's the hardest work we have to do is to realize that we might not be doing something as well as we could be and to try and take painstaking efforts to change that.
[46:28] Andra Zaharia: Thank you for illustrating that idea of accepting ourselves so we can accept others. Only the things that we do for ourselves and to ourselves. And the things that we feel, whose emotional consequences we feel. It's only those things that we can do for others meaningfully, and in a way that has some bearing over their lives. Thank you so much for sharing all of this with me today, and with all of the listeners, and thank you for being such a positive force that provides this energy to be bold, and to be optimistic. You help us point our energy in a direction that serves us and serves others, and just continue to fuel that virtuous cycle that keeps us going. So, I really appreciate that, and I appreciate you for doing this today.
[47:21] Maril Vernon: Thank you so much. This has been one of my favorite podcast interviews today. I was really excited and I was like, "She asked me to be on — this sounds like a great idea, phenomenal idea." So, thank you so much for creating this project and for having these conversations, and for just giving everybody that reminder that things are okay and we're constant works in progress. That's what we do in security; we continuously improve. No one's project is perfect when they shove it out the door. Look at how many bugs there were with Apple iOS. Sometimes things get out the door that are not perfect and we just gotta do what we can to pivot and save it. You're the same. By the way, tacos fall apart all the time, and we still love tacos, don't we?
[47:58] Andra Zaharia: Yes, we do.
[48:00] Maril Vernon: Yes, we do. We just pick those pieces up, put them right back in the shell, and keep going. It's okay to fall apart. It's okay to be who we are. It's also okay if that journey takes time. No one's saying you have to go stare yourself in the mirror tomorrow and tell yourself the 10 ways that you suck. But I think that that's the biggest gift you will give yourself and the people around you. You can tell the people are very selfish or people who are comfortable with their flaws. I chose to get comfortable with mine so that they couldn't be used against me because if people know that "Oh, she's headstrong," or, "She makes rash decisions," or, "This is her trigger; we can trigger her." I'm like, "I want control over how I get triggered." Someone's like, "Well, you're just gonna blah, blah, blah." I'm like, "I know, probably. I'm gonna go add some things to my heart. That's my toxic trait." But I know that about myself and I accept it.
[48:42] Andra Zaharia: So, radical acceptance, one of the key lessons of this conversation. To you, who's listening: Go listen to the Cyber Queens podcast. Get your strong dose of motivation, inspiration, acceptance, and everything else that's good. And I can't wait to see what you do next. It's so good to have you in this community; it's fantastic.
[49:05] Maril Vernon: Thank you. I try to be a force of good. Please come join the Cyber Queens podcast. If you don't know what you need, but you know you need something, we're here for anyone and everyone. Not "join the podcast," join the Discord. We're not a highly technical Discord. We're not going to talk about bugs and things like that. We're just literally here to be here for each other in the world of cyber. Just know that we, the Queens, love you and wish you all the success. And if you need advice, our DMs are always open. You can find us on LinkedIn, Instagram, and TikTok; I respond to every DM myself. I've had many coffee chats with people, so I'm always willing to give you an hour of my time to help you out.