About Jessy Irwin

Jessy is Founder at Amulet. She enjoys the challenge of translating complex cybersecurity problems into relatable terms, and is responsible for developing, maintaining and delivering comprehensive ecosystem security strategy that supports and enables the needs of the people who depend on Tendermint and the CosmosSDK.

Links Referenced: 

• https://twitter.com/jessysaurusrex


• 
  https://jessysaurusrex.com 

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Cloud Economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Jessy Irwin, who today—doesn't matter at all what she does today because she used to have the best job title in the universe: security Empress at 1Password. I just want to let that sink in for a minute. Jessy, welcome to the show.

Jessy: Hello. Thank you so much for having me.

Corey: So, it's got to be challenging to know that when it comes to job titles, you have peaked, not just as a person but for the entire industry a couple years back, and it's all sort of downhill from there. But what are you up to these days?

Jessy: Yeah, I'm sad that I'm no longer the Empress in my previous place, but I actually have decided that I wanted to set up my own organization to work on security problems. So, these days, I'm not sure if I'm technically Supreme Ruler of the Amulet Universe, but I'm working on my own project where hopefully I can help make security stick better for people. That's my catchphrase: “Help make security stick better.”

Corey: I like that. You’ve become famous in small circles which is, I guess, probably the best way to put people who are big deals on Twitter. But what's always been interesting to me about your approach to security has been the human-centric piece of it, where it's not about trying to talk about the far-future advanced persistent threats, although you certainly can do that, but more along the lines of how you effectively raise the security bar for day-to-day, folks. What got you to focus on that?

Jessy: So, this is the part where I get to tell you that majoring in art history in college was basically the best life decision I've ever made. And I'll tell you why. Art history is interesting because you have to study objects and images, you have to be able to do analysis, especially technical analysis. But when you step back, you are looking at objects that represent societies, and cultures, and lives. And what I remember most about my art history classes and my time as an archaeologist in college is really that people have been engaging in security behaviors pretty much ever since human settlements started. 

We've had to protect ourselves from each other, and from external threats in so many different ways, and risk management is something we've done long before computers ever happened. Unfortunately, computers make everything easier to do, especially remotely. So, the same problems we had a very long time ago—keeping our coin hoards safe, for example, we still have those, and it's easier than ever for somebody who wants to separate you from your identity, your data, something that is valuable or important to you that, online, to do that. And I just really think that a lot of times the focus is too heavy on the technical side. 

If we're talking about PGP and ZTRP, and we're throwing the alphabet soup together, we're really forgetting the part where somebody just wants to pay their online power bill, or somebody wants to log into their bank account, and know that they're not giving another person all of their money, or all of their personal information in a way that will harm them. And I think that's way more important, and really the core of what we should be doing, instead of engineering these perfect invisible systems that nobody understands, and everyone has to become an engineer to use.

Corey: And that's always been, sort of, the weak spot of security. It's not the advanced super deep-dive breaking into things. It's the fact that someone isn't trained and falls for a spear phishing attempt, and emails the company payroll to someone. It's the human side of people entering their credentials into the wrong website, and it's always seems like it's never the big stuff. In the world of cloud, we see this all the time, whereas you have the S3 bucket negligence story of people failing to secure their S3 buckets, and instead exposing company database backups, people's social security numbers, etcetera. 

Then you also do see the more advanced attacks like the one that Capital One was subject to, where there was effectively four or five different misconfigurations that were then chained together in order to result in something kind of neat. But to the outside world, those two things look the same, but they're very much not. It comes down to fixing usability. I've spent an awful lot of time trying and failing to find a legal way to patch humans, and I've never been able to do that. Is this problem ever fixable? Is this something that we're going to continue to see iteration on, on the human side, without getting anywhere? Or is there light at the end of that tunnel somewhere?

Jessy: I'm a little optimistic about this. I hope that after realizing that we can only create so many protocols and so many new whiz-bang code things, that the code is not the answer is now really starting to hit people in the face, or in the feels, or wherever they need to be hit to change their point of view. But ultimately, we have two problems to solve. All security is actually behavioral economics and policy that you have to stick together and align towards a specific outcome. And I think right now, every company is essentially its own little nation-state with its own little national security stance, whether they've got a thousand security engineers keeping one of those many-numbered threats out of everyone's email in the morning, or whether they're a small business down the street. 

And it's our job to make security into something that is part of your launch checklist, or your productivity tool, or so normal and so mundane that it's like the cyber equivalent of vacuuming the house. A lot of people refer to what we should be doing as setting up cyber-hygiene programs. That's cool, but we also need to make sure we are thinking about what the people abiding by those programs, or following them, would actually you need to do. You're going to get, realistically, 30 seconds of attention from someone. Even on YouTube, someone bounces from a video after 12 seconds, if it looks sort of boring, so when you think about this problem overall, and this war for attention that we've created with technology, plus all of the new products that come out and all of these sneaky side menus and configurations you have to know, there's always something more to do. And there's always another way to spend more hours of your life trying to secure something that you should. It would be nice to just have 10 commandments that we focus on. And for those of us who are in a position to build products, and to work with product teams or product managers, to just take the core security stuff, put it at the top of the list, and get it done with as early as we can so that we're not all having to freak out and become firefighters and incident responders, with or without tons of resources.

Corey: The challenging part that I found across the board with infosec as a whole, is part of the reason that I've always found you to be such a refreshing voice in the space, is that by all perceptions, from everything you say online, you have an incredibly rare skill in the infosec space, by which I mean, you are not a massive jerk to everyone. There's definitely an asshole problem in the world of infosec. And it's something that you have never exhibited that I've ever seen. How is it that it is, first, so difficult to find people who aren't being obnoxious in the world of security, and, two, how have you avoided it?

Jessy: I think that everyone has an opportunity and a choice about whether they want to be an asshole or not. I tried really hard not to be a giant one but, more than anything, an attitude that has been exhibited to me over the past 10 years I've been playing in security, and the past seven years where I've had direct jobs in security, there's a lot of gatekeeping going on. I mean, I come from a background with lots of humanities, and creativity, and writers, and I love that, but ultimately, the world is a better place when we have more people thinking about these problems, not less. And the attitude that I've seen come from the community around security, and a lot of the industry around security has been to use some of the stupidest things you could ever come up with as a way to intimidate someone from taking a first step into learning more or getting interested because if you have more people who aren't like you join the industry, people who've been around the longest, or people who feel like they get power from their roles, lose that. 

And I get it. That's scary. But this is a specific problem where we need to be making friends. Like, we should be in a land grab to make eve