Rising Tides: Alyssa Miller on ‘Do Better, be Better’ and ‘See Past the Technology’ to Advance Cybersecurity


I remember the first time I stumbled across Alyssa Miller on X. I felt like I had seen sunlight for the first time. Here was this incredibly eloquent, outspoken powerhouse using her voice to shine a spotlight on inequities created by a well-meaning yet ill-advised event that put the members of its community in potential harm’s way. She wasn’t raising noise for her brand, and she wasn’t being volatile and chaotic; she was a one-person movement and I would’ve gotten behind almost anything she said.

And, to this day, I do.

It’s for that reason that I chose Miller for the first installment of my Rising Tides profile series for SecurityWeek, where I highlight people who have made change in our industry and community through technical skills, soft skills, or both. “Equity and justice for all human beings,” Miller said, when I asked what she stands for. “It sounds abstract and cliché, but I assure you it’s not.”

Miller has been in cybersecurity for roughly 20 years and is now the CISO of Epiq Global and a board member for Epiphany Solutions Group (ESG). She started like many did: as a kid, saving up her money to buy a computer and teaching herself to hack. She’s also a pilot. Her story is unique, and I am grateful she shared it with me here.

Q: Tell me a little bit about your cybersecurity journey and how you got from your start to where you are now?

A: I’ve been a hacker my whole life. From my very earliest memories I was one of those kids who loved to (and wasn’t afraid to) take things apart to try to see how they worked and oftentimes to try to modify how they worked. I bought myself my first computer when I was 12, learned BASIC programming and then assembly. In college, after three semesters of pre-med, I decided that wasn’t the right path for me and discovered the Computer Science program. This was during the dot-com era, so shortly after switching majors I found a job working as a programmer for a national financial services provider. The first 9 years of my career were spent writing and maintaining software before I fell into a cybersecurity job when one of the Information Security managers asked me to join her Security Testing Team. I did another 6 years of penetration testing (mostly app pen tests) and management of the team at that org before deciding I wanted to see life outside of that one company.

I got into consulting and ultimately ended up leading an application security practice for one of the firms. I then spent a few years working for a major reseller, then a year at a security startup (Snyk) before being connected to an opportunity through a friend to be the Business Information Security Officer (BISO) for S&P Global Ratings. I knew that was the final step before achieving my career goal of being a CISO, and sure enough, 18 months later, through other colleagues, I got connected to the executive search and joined Epiq Global as their CISO.

Q: What do you think sets you apart from others? What do you have to teach up-and-comers in our industry?

A: I feel like I’ve always had a very strong mind for both the technical and the business side of things and excel at communicating across those audiences. I once had a manager who called me the “great translator” because I could always see when technical and non-technical people were not speaking the same language and could resolve misunderstandings by speaking in a way that both could understand. That eye for the business side while also having the technical chops to effectively make strategic decisions about our security program I think is a much needed skillset.

If there was one thing I would love to, and in fact do try to, teach newcomers to this industry, it’s how to see past the technology. How to see the big picture not just in terms of security but how security fits into the organization or even the world at large. Being able to understand the motivations of non-security and/or non-technical people and influence them in meaningful ways is the key to a successful long term career. Even if your goals are to stay in technical roles, you’ll still be regularly put in positions where you need to influence people to make effective decisions to enhance defensive capabilities.


Q: What do you think is our industry’s, or community’s, greatest challenge in regard to fighting against adversaries right now?

A: I think it’s our propensity to over-focus on technology and lose sight of how important the human aspects of our roles are. We have so many tools, so many products, and we expect that those technologies will protect our other technologies. But we are not good at taking the time to understand motivations, to see how our own actions, while making sense to us and maybe being well-intended, are actually counter-productive to achieving the outcomes we seek. For example, a three-strikes-and-you’re-out approach to phishing simulations. Punitive responses to those who fall for phishing simulations actually drive more insecure behaviors, but we often don’t see that. We like to accuse others of not understanding or not caring when in reality we as security professionals cultivate those behaviors unintentionally because we don’t understand and we don’t care.

Q: Somewhat similarly, what do you think is our best opportunity for solving some of the short- and long-term challenges of fighting against adversaries?

A: I believe we need to truly embrace the reality that we can’t defend against a broadly diverse set of attackers and threats if we ourselves do not have similar diversity in our ranks. Teams of monochromatic humans all from similar IT backgrounds, who come from similar socio-economic situations are going to look at problems in similar ways. We need to truly focus our efforts and broaden the mindsets of our teams by intentionally seeking voices that do not match our own. We need to stop recruiting for cybersecurity roles based solely or even primarily on a laundry list of tools and skills we expect our candidates to have. Instead, hiring managers need to focus on finding those individuals who have novel perspectives and challenge us to look at what we thought was common knowledge in a new way.

Q: One of the reasons you’re the first person I picked for this “Rising Tide” profile series is because of how outspoken you are about your thoughts on the industry and community dynamics. Some people don’t speak up. What makes you brave?

A: Probably naivete to some degree. Throughout my career, I never really considered the risks of making what I can only look back on now as bold choices. I just acted. Sure, that has gotten, and still does get, me in trouble sometimes. But I truly believe most people can learn and change and that most want to be better humans. While maybe it seems dramatic, I think speaking up is a form of education. When I call out bad behaviors, I always seek to share what would be better behaviors.

Now add to that the privilege that I have. I’ve got a successful career, a large audience on social media, and a recognizable name in the industry. I haven’t been given those gifts for my own enjoyment. They come with responsibility: to use that platform, that recognizability, that high-level career position to advocate on behalf of others. If those of us in positions like mine don’t speak up, who will? And who has the opportunity to be more effective than those that have prominence in our industry?

Q: What do you think of the dynamics of our overall cybersecurity community and / or industry at large? Do you see it growing or shrinking in exclusivity? Do you see more or less gatekeeping, for any reason?

A: I see the gatekeeping becoming less and less. I do see things improving. Part of the evidence I see for this is that those who still want to hold onto the toxic behaviors have become louder and more desperate. They see the erosion of the false kingdoms they thought they had built and they lash out. As I see it, we have stronger voices from the traditionally under-represented demographics than we’ve ever had in the past. I think those voices feel more secure in speaking up and standing up for themselves in the face of toxicity, and that is key.

Q: You talk a lot about flying. And you don’t simply fly, you are a “pilot’s pilot.” Please tell us how you got started in aviation and what you love most about it?

A: I’ve always had an interest in aviation. I grew up in Milwaukee within a mile of a small municipal airport. I saw planes flying overhead all the time. Watched them land merely feet over my head as I drove down the street. I was fascinated by it all. When I started traveling on commercial airlines that fascination grew. So recently I found myself in a life situation where I could make that dream happen. The thing I love most about aviation at this point is just the freedom of it all. To be able to see the world from a new perspective, one that very few people get to see. To have the ability to travel longer distances on a regular basis and explore parts of our nation that I’d never get to see otherwise. It’s a peaceful release for me that takes me away from the stresses of my regular everyday life.

Q: Given your high-pressure job, is flying a way for you to take the “controls” elsewhere and control a more beautiful experience, or is it something else?

A: I think it’s less about control and more about an escape. When I am up in the skies I can focus on one thing and only that thing. There are no cell phone alerts, no emails, no Teams messages. Just me and my plane, floating through the sky with all the stresses and frustrations left below on the ground.

Q: Your bravery in speaking up against inequities in our industry has resulted in some great awareness and change. Of which are you most proud? Which do you wish more people paid attention to?

A: It’s hard for me to say I am proud of any. I’ve been happy to see a number of organizations own up to their errors and make meaningful changes. However, I don’t take personal pride in that, because it’s not about me. In those cases I feel like I am just a mouthpiece, amplifying the voices of so many in our industry. Those moments have afforded me the opportunity to speak with many executives and organizational leaders. Some had true interest in being better, others simply were kowtowing in an attempt to quell the backlash. When all is said and done, if the community gets the opportunity to see which way these orgs decide to go in such situations, that’s a success in my book.

Q: What advice would you give yourself of 10 years ago, now? What would you warn yourself about, or what would you better encourage yourself about?

A: I think I would encourage myself to embrace authenticity. It wasn’t until I accepted myself, my whole self, and brought that to the industry, that I began to really see success personally and in my career. When your mind is filled with the pressures of trying to fit someone else’s mold of who you should be, you can’t focus on the things that matter. When I stopped trying to fit others’ image of me and instead embraced who I was whether anyone else liked it or not, that freed me up to focus my energy on simply doing all I can to make our world a little safer for all of us.

Q: What is the most important takeaway that you hope people in cybersecurity learn from you?

A: Do better, be better. I’ve been saying that for years, but here’s what it means to me. You can’t be better if you don’t do better on a daily basis. None of us are perfect, so admit your mistakes to yourself, and if they impacted others, admit it to them too. But then seek to learn from it. Every single one of us has the ability to impact other people in a positive way. Don’t underestimate just how impactful to someone’s life even the smallest gestures of kindness can be. There’s a saying about rising tides raising all ships, and I believe in that. The more kindness and positivity we put into the world, the more of it we will all experience.

Related: CISO Conversations: Alyssa Miller at Epiq and Mark Walmsley at Freshfields
