Sitdown with a SOC Star: 11 Questions With Haylee Mills of Charles Schwab

She signs off her emails with “keep it surreal” just above a colorful signature that describes her as a “network security person” but also a “data disciple,” “community cultivator,” “eccentric educator” and (we’ll explain later) “ex-animator.” Oh, and at the very footer of her emails, she offers a small-fonted but not-so-subtle dig at her email carrier of choice: “hey Google, The Man, state-sponsored APT, darknet skulking edgelord, or bewildered bystander caught in corporate feudalism’s capitalism-fueled cockfight for privacy and internet security, I SEE YOU.”

It takes receiving just one email from Haylee Mills to determine she is no buttoned-up, one-dimensional security operations professional. Creative, compassionate and acerbic, the senior security developer (and former analyst and engineer) at investment services firm The Charles Schwab Corp. is as passionate about providing mutual aid and helping the marginalized as she is open about her own struggles. She does a lot, both personally and professionally, and you may walk away wondering when she finds time to sleep.

From theories on epigenetics to the benefits of NIST security best practices to the motivation of money, Mills’ passionate mindset and versatile viewpoints, as well as the unusual path she followed to a career in infosec, are coming your way in our latest edition of “Sitdown with a SOC Star.” Enjoy!

1) Hi Haylee! Tell us about where you work, what you do there, and the role security operations play there. 

Howdy! By title I am a senior security developer at Charles Schwab, but to be more specific, I’m a detection engineering gal on a brilliant SIEM development team. We all have our tool specialties, mine are endpoint detection & response (EDR) and risk framework development. We primarily serve the security operations center (SOC), developing use cases. However, we work with any team that has logs and wants to make something together that’s high fidelity and actionable.

Schwab has high expectations of its security teams. Painted on the wall over the SOC is a principle instilled by Chuck himself, “Trust is everything. Earned over time. Lost in an instant.” In a world of regular breaches on a maturity level from script kiddie SQL injection to coordinated nation-state actors, every company has to balance budget and time with their security teams to triage appropriately. I feel very thankful to have stepped into a company, team and organization with a lot of incredible, passionate people crafting a stellar security program.

2) You received your degree in animation, which sounds really cool but doesn’t sound anything like information security. Are the two connected in some way, and what prompted you to move from the design studio to the SOC?

I’m glad you asked, because I love breaking the mold of “tech person” and making other folks with an interest in cybersecurity feel like it is a domain and skillset they could pick up and pursue a fulfilling career. I’m queer, covered in tattoos, and my hair color rotates on a trimonthly basis, and I’ve felt quite welcome by the cybersecurity community. I think there’s something about the hacking mindset that (most) people don’t really mind if you’re hacking computers, gender or your appearance, as long as you’re curious and willing to learn.


The primary reason I left the animation industry was the grueling and consistent “crunch,” starting a project working 40 hours a week which quickly rose to 80. Part of this is the nature of the entertainment business before you get regular union work, and part of this was my personal lack of boundaries and fear of losing the job (or continued work) if I couldn’t hang with the production schedule. I’m still unsure how real those fears were, but after four years, I had to escape for my mental health. I know this sounds familiar for some people in cybersecurity (just with bigger paychecks), but from that experience I have very strong boundaries around working more than 40 hours a week.

As to your question about connection, there isn’t a direct through-line, but I have found a surprising amount of symbiosis in skillsets and perspectives. People see “tech person” like they do “art person,” as if we all had a natural knack for it and if you didn’t get the gene, then no sense in pursuing it. However, epigenetics is showing the powerful influence of the environment, and all it could take to cripple your inner “art person” who likes creating things or your inner “tech person” who likes solving things is one throwaway comment or reaction from someone you trust, which programs an inner critic that will program you for the rest of your life. I feel like people with that initial knack have enough curiosity to overcome the critic, and are willing to make bad work and do things badly enough times to get good at it. The master has failed more times than the beginner has ever tried, as they say.

3) What’s the most important hard skill(s) and soft skill(s) for an analyst or engineer to possess to move to the next level?

I would say one of my most valuable traits is empathy, which has served as fuel for my communication skills, and I did not expect them to be as valuable as they have been in this career. Even if it seems hard for me to see at the surface, if I stay curious, I am often able to find a deeper reasoning or desire expressing itself in a contrarian viewpoint that is what truly needs an answer. It took me ages to finally get around to reading it, but I would highly recommend “How to Win Friends and Influence People,” which may be about salesfolkship, but really encapsulates staying focused on what other people want so they can see what you want. I have also gotten a lot out of Marshall Rosenberg’s “Nonviolent Communication” and highly recommend practicing those principles in every aspect of life.

This sounds boring to a lot of folks, but one hard skill that is often overlooked is a solid understanding of security controls via NIST 800-53. I don’t necessarily mean just rote memorization of the charts, but really thinking about the day to day of these various groups and their tools in a large enterprise. This can help build perspective about your organization, and as you intentionally build relationships with members of that team with all those soft skills, you can be more certain about the depth of your defense-in-depth strategy at every level. You never know when a last-minute ask or suddenly urgent fire can be quenched by knowing the right people to get the right answer.

4) What is the biggest challenge facing you and the teams you work with on a daily basis, and how do you work to overcome it?

Everyone seems to have a mountain of work to do, and not enough resources to do it. In the short term, I notice that when I’m regularly meditating I am more able to stave off the anxiety about the mountain and continue laying each brick at the pace I can manage, and at 40 hours a week so I have time for myself. In the long term, the solution dovetails into the previous question about organizational awareness and the soft skills that will help you talk to the right people in the right places, so you can figure out what’s realistic for your organization. Along with those external connections, developing a relationship with your immediate lead, your manager, and your director (or however your company is structured) so that you can understand their concerns and what they’re being driven to do or provide to a level upward will also help you temper your perspective and provide valuable insight from down in the trenches.

5) What’s one piece of advice you’d give for someone considering a career in the SOC?

Stay curious, do stuff and get a mentor. Not necessarily in that order. That’s just the advice that worked for me, but I think it’s generally relevant as I was somehow able to teach myself cybersecurity while I was incredibly depressed after leaving the animation career I had worked so hard to reach. I am endlessly grateful to my childhood friend and cybersecurity sensei Jason Azzarella, who suggested to his depressed artist friend that she could totally do cybersecurity. When he mentioned his starting salary, I’m pretty sure my eyes did the cartoon dollar sign slot thing, and I freely admit that initially I was purely motivated to feel comfortable financially. After feeling anxiety about money for most of my adult life, I don’t think it’s a bad thing to have that as an external motivation. Regardless, very quickly I found out that cybersecurity was fascinating.

I would generally pursue something that was interesting to me, and that curiosity is what pulled me along when I didn’t feel motivated to keep doing traditional studying. In my case it was the world of advanced persistent threats, threat intelligence, and the geopolitical cyberwarfare theater thanks to Mandiant’s APT reports and books like Brian Krebs’ “Spam Nation,” which prompted me to begin learning about their techniques, which prompted me to test them out myself, which meant I had to make a home lab, and so on. The best thing about having a regular check-in with Jason was that I would feel bad if I didn’t follow up on anything he mentioned or dig into anything to talk about, so having that accountability to someone who cared about my progress but still left me to progress myself was instrumental. 

6) I love that you describe yourself on your LinkedIn profile as an “incident investigator, noise nullifier and smile supplier.” Tell us more.

Part of it is a bit tongue-in-cheek at the powerful word soup a platform like LinkedIn wants folks to use that field for; the other part is that it describes more of what I do than a fancy title. When I started in the SOC, I prided myself on my thorough investigations and clear analysis. As an engineer, I pride myself on keeping noise to a minimum and empowering my SOC analysts to do their best work. As a person, I pride myself on bringing a personal mix of honesty, empathy, and levity to every interaction, partially because it gets results but also because life is hard enough, and I don’t want to be another straw on the back of every lovely camel I come across.

7) What’s the No. 1 thing SOCs can do to improve their maturity?

This is my personal broken record, but move to a risk-based alerting framework as soon as possible. I was introduced to this by Jim Apger and Stuart McIntosh in a talk called “Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach” at the Splunk .conf conference in 2018, and shortly afterward given a great example by a team at Schwab fingerprinting user logins to prevent fraud. As the title implies (and every SOC analyst knows), the big alert pipeline is a problem plaguing our industry and has a number of negative consequences: more visibility and detections means more alerts, more alerts means overworked analysts, more overworked analysts means situational numbness. We can’t just keep throwing more analysts at the problem.

I hope this gets some folks’ heads spinning about the possibilities, as it has so many advantages that lead into further maturity. Past the immediate advantages of alert volume reduction and fidelity increase, this has obvious synergies with machine learning. Machine learning can be great, but it’s even better when it has a clean dataset to work with. With this risk approach, we now have a catalog of activity by object to baseline and discover anomalies, as well as less signal-to-noise for an algorithm to draw insight out of. I am excited to see this become standard practice for SOCs and SIEMs as the whole industry evolves to develop adaptable behavioral detections over brittle signatures.
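The mechanism Mills describes in the two paragraphs above, in runnable form, as an added example by the editor rather than code from the interview, from Schwab, or from the Splunk talk she cites. Instead of paging an analyst on every detection, each matching rule writes a risk event against an object (here the user), risk is summed over a trailing window, and a single notable fires only when both the total score and the number of distinct ATT&CK techniques cross a threshold. All events, rule names, scores, technique mappings and thresholds are constructed for the illustration; the stale hits on `alice` show why the window matters.

```python
# Risk-based alerting (RBA) toy: detections contribute risk to an object, and
# one notable fires when aggregated risk crosses a threshold. Every event,
# rule, score and threshold below is constructed sample data, not real telemetry.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    score: int                      # risk contribution per match (assumed values)
    technique: str                  # ATT&CK technique id the rule maps to
    match: Callable[[dict], bool]   # predicate over a normalized event dict


# Constructed rule set. `and` short-circuits on the event type, so each lambda
# only reads the keys that event type carries.
RULES = [
    Rule("office_spawns_powershell", 40, "T1059.001",
         lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
         and e["parent"] in {"winword.exe", "excel.exe", "outlook.exe"}),
    Rule("encoded_powershell_cmdline", 30, "T1027",
         lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
         and "-enc" in e["cmdline"].lower()),
    Rule("lsass_handle_opened", 50, "T1003.001",
         lambda e: e["type"] == "process_access" and e["target"] == "lsass.exe"),
    Rule("logon_from_new_country", 20, "T1078",
         lambda e: e["type"] == "auth" and e["country"] != e["baseline_country"]),
]

T0 = datetime(2021, 3, 1, 9, 0)   # "now" for the constructed timeline

# Constructed events. alice has two high-scoring hits ten days ago and one
# low-scoring hit today; bob has a compact chain today; charlie is a noisy admin.
EVENTS = [
    {"ts": T0 - timedelta(days=10), "user": "alice", "type": "process_access", "target": "lsass.exe"},
    {"ts": T0 - timedelta(days=10), "user": "alice", "type": "process", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"ts": T0, "user": "alice", "type": "auth", "country": "BR", "baseline_country": "US"},
    {"ts": T0 - timedelta(minutes=5), "user": "bob", "type": "process", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"},
    {"ts": T0 - timedelta(minutes=2), "user": "bob", "type": "process_access", "target": "lsass.exe"},
    {"ts": T0 - timedelta(hours=1), "user": "charlie", "type": "process", "image": "powershell.exe",
     "parent": "cmd.exe", "cmdline": "powershell.exe -enc RwBlAHQALQBEAGEAdABl"},
    {"ts": T0 - timedelta(hours=1), "user": "charlie", "type": "auth", "country": "US", "baseline_country": "US"},
]


@dataclass(frozen=True)
class RiskEvent:
    ts: datetime
    risk_object: str
    rule: str
    score: int
    technique: str


def score_events(events: List[dict], rules: List[Rule] = RULES) -> List[RiskEvent]:
    """Run every rule over every event. Each match becomes a risk event against
    the user; nothing is sent to an analyst at this stage."""
    out = []
    for e in events:
        for r in rules:
            if r.match(e):
                out.append(RiskEvent(e["ts"], f"user:{e['user']}", r.name, r.score, r.technique))
    return out


def aggregate_risk(risk_events: List[RiskEvent],
                   window: timedelta = timedelta(hours=24)) -> Dict[str, dict]:
    """Sum risk per object over a trailing window anchored at that object's most
    recent risk event, so stale hits age out instead of accumulating forever."""
    by_obj = defaultdict(list)
    for rv in risk_events:
        by_obj[rv.risk_object].append(rv)
    agg = {}
    for obj, hits in by_obj.items():
        latest = max(h.ts for h in hits)
        recent = [h for h in hits if h.ts >= latest - window]
        agg[obj] = {
            "total": sum(h.score for h in recent),
            "techniques": {h.technique for h in recent},
            "rules": sorted({h.rule for h in recent}),
        }
    return agg


def risk_notables(agg: Dict[str, dict], threshold: int = 100, min_techniques: int = 2) -> List[str]:
    """Fire one notable per object when both total risk and technique diversity cross."""
    return sorted(obj for obj, a in agg.items()
                  if a["total"] >= threshold and len(a["techniques"]) >= min_techniques)


if __name__ == "__main__":
    risk = score_events(EVENTS)
    agg = aggregate_risk(risk)
    print(f"per-detection alerts an analyst would otherwise see: {len(risk)}")
    for obj, a in sorted(agg.items()):
        print(f"{obj}: total={a['total']} techniques={sorted(a['techniques'])} rules={a['rules']}")
    print("risk notables:", risk_notables(agg))
```

Seven rule matches become one notable, for `bob`, whose three distinct techniques in a few minutes add up to 120. Widening the window to 30 days also promotes `alice`, whose old `lsass.exe` and Office-to-PowerShell hits would otherwise have aged out; in practice the window, the per-rule scores and the technique-diversity requirement are the tuning knobs that trade alert volume against dwell time.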

8) What security industry luminary would you most want to have dinner with and why?

Oh gosh, I am a huge fangirl of Tarah Wheeler, who wrote/collected stories for an inspiring and insightful anthology called “Women In Tech.” That book helped me reorient myself into feeling confident about my future career when I wasn’t feeling confident about pretty much anything. Bonus: If we could have her lovely husband Deviant Ollam join us for drinks afterward, whose work deconstructing physical security I also deeply admire. I’m not sure we would talk much about cybersecurity anyway, as they are lovely, passionate humans in spheres beyond tech.

9) What is the most interesting thing you’ve learned (or learned about yourself) since the coronavirus pandemic began? It doesn’t have to be related to security.

I feel like I’ve become more in tune with the sort of self-care I need to function. What felt generally “helpful” before feels far more “necessary” now. I jump on and off the horse, but tracking my mood day to day, as well as how much I exercise, stretch, use weights, meditate, draw, and play music as “stats” separate from my to-do lists gives me a holistic perspective on what makes a fulfilled, happy Haylee. I also started with a new therapist who uses somatic experiencing. After 10 years of regular talk therapy and understanding my left-brain narrative, this seems to work with the symbolic nature of the right brain, or something, and has been incredibly helpful. Additionally, reading books by and following people on Twitter dealing with ADHD and autism spectrum disorder (ASD) helps me feel heard and understood.


10) What’s your proudest professional accomplishment? 

This isn’t directly related to my day job, but after the tutelage under my friend I wanted to pay it forward and began hosting a weekly cybersecurity chat/class for anyone interested. I did this a few months after I started my first cybersecurity job at Schwab. I kept this going for about two years, and probably had about 30 people float in for a class or two, but six of those people went on to start jobs in cybersecurity, and I couldn’t be more proud. The financial stability of a cybersecurity career has done wonders for my mental and emotional health, and I want to reach as many people as possible to offer the same – particularly queer, femme, or black/indigenous/people of color (BIPOC) folks who have not been reached by or well represented in the traditional pipelines into tech. My current cohort has around ten people who I feel confident will be in the industry sometime next year!

11) When you’re not staffing the SOC, what is your favorite thing to be doing and what do you like about it?

I have a deep passion for video games, board games and tabletop games, along with their design. I feel like play is such an essential part of being alive, and games are such a beautiful medium for that. I do a mixture of playing the game and being fully present in its experience, as well as reviewing its various elements and systems to determine why and how it makes the experience fun. I’m working with some friends to practice and develop some games, as well as writing a text-based adventure game to teach cybersecurity skills set in a fractal library. I feel like gamers have a natural knack for cybersecurity, as they’re used to being thrown into an environment with limited data and trying to figure out how to win.

Additionally, I am very passionate about community building. When I look at the United States as a whole – especially in recent years – I feel like things have become more divided and that some sort of social glue provided by communities has broken down. To sail against the current, I bought a house in suburbia, have roommates on board with the vision and have built a community space. Things have slowed down on that front since the pandemic, but we offer space as a drop site for a local mutual aid group, delivering supplies – no questions asked, no forms to fill out – to struggling community members. To witness the incredible amount of support from our community has been a huge blessing during this time, and I look forward to when things feel more normal so that I can build further relationships with my neighbors and my city.

You can connect with Haylee on LinkedIn here.

Are you or someone you know a SOC star with lots of insights to share and who is deserving of recognition? We’re always looking for new candidates. Email Siemplify Content Director Dan Kaplan.

The post Sitdown with a SOC Star: 11 Questions With Haylee Mills of Charles Schwab appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Dan Kaplan.