Voices of the Vigilant EP13 | Muted to Unmuted: Finding Your Voice in Cybersecurity
In This Episode
This episode features Akira Brand—a cybersecurity leader, educator, and technologist. Read more at their Substack: @psilocyber.
You can learn more about the conversation and the guest below.
About the Guest
Akira Brand wants to live in a world where digital privacy is sacred, the internet has no ads, and cable management comes easy.
Honored by numerous organizations for her teaching, leadership, and technical acumen, she travels all over the United States speaking on tech and cyber, often drawing inspiration from a nature-based lens. She has spoken at RSA, BSides Denver, The Elephant in AppSec conference, and many others. She also has appeared on podcasts such as The Secure Developer Podcast with Snyk, Application Security Weekly with SC Media, and the Application Security Podcast with Chris Romeo.
A budding technology leader, she recently led the Application Security department at PRAGroup, where she honed her craft in both the technical and political aspects of bootstrapping an AppSec program from greenfield.
When they are not working on their home lab, writing talks, or navigating the politics of cyber at an executive level, they enjoy tinkering with their hi-fi system and spending time in the wilderness.
To read their writings and learn more about them, check out their Substack at substack.com/@psilocyber
Full Episode Transcript
Jess Vachon: 01:01
Welcome back to Voices of the Vigilant, where we explore the human side of security — the stories, scars, instincts, and imagination driving the people who protect the digital world.
Today we have someone whose story weaves music, wilderness, early-internet creativity, bullying and survival, engineering discipline, and deep love of privacy into one of the most distinctive voices in cybersecurity.
My guest is Akira Brand, educator, speaker, AppSec leader, musician, and champion for the “weirdos” who don’t always fit but absolutely belong.
Akira, welcome. I’ve been looking forward to this one.
Akira Brand: 01:09
Thank you for having me, Jess. I love the champion for the weirdos. I always knew when I was a young child I'd want to grow up and have that be my title.
Jess Vachon: 01:20
Well, you know, and so weirdos in their own right are rebels. And so that completely fits into the theme of the podcast. So again, so happy to have you with us. You have one of the most powerful origin stories I've read. And I want to begin right at the roots. Tell us something unique about yourself that most people don't know, especially something from your early life that shaped who you are now.
Akira Brand: 01:45
Sure. So, I was actually reflecting on this question. Like, you know, a lot of times when people come into tech, especially from a not traditional background like myself, our origin story can sometimes feel a little bit like, oh, maybe I don't really belong here because I didn't get a CS degree and, you know, I don't have 25 years’ experience yet, things like that. But I think my origin story with computers is actually decently interesting, even though it's not necessarily traditional. When I was really young, probably I want to say eight years old, I transferred from being a homeschooler to being in my first ever quote unquote real school, right? And the school that I started going to was very moneyed. There was it was a private school. My mother was able to actually get a job there, which is why I was able to go. She taught mathematics, and I was able to go for relatively cheap as part of as part of her compensation package. But coming from a homeschool background, especially when we didn't have a lot of money, and then transferring to a very wealthy environment was really challenging for me because I didn't look right. I didn't have the right clothes; I didn't have the right way of expressing myself. I talked really strangely. We didn't have the means or the finances to do a lot of the extracurricular activities that really brought the students together outside of the classroom. And I was also painfully shy. I barely spoke. And when I did, I didn't know what to say or how to say it, right? And as a result, I was bullied a lot, like a lot. I had things happen, like I would have other eight and nine-year-olds give me death threats, which was like really terrible. Um, and was always like made to be like the laughingstock of the class very often. Like whenever I would say something like to the teacher, kids would be like, ah, like Akira, you're so weird. Why did you say it that way? Or whatever, right? So, I was very much othered from a very, very young age. 
I stuck out, and not because I wanted to, but because I really truly was an other. So, I found solace in two places. I found solace in the choir room, and I found solace in the computer lab. And in the choir room, of course, it kind of came to be that I auditioned, not auditioned, I joined choir in sixth grade because one of my only friends was in choir. And I was like, well, I don't want to like not be around the one person who's my friend. So, I'm going to join the class that my friend is in. And also, I thought in choir you could kind of disappear, right? Because like you don't have to, you don't have to do anything solo. You don't have to do anything where you stand up and say, “Oh, this is like my idea, and this is why I think it's this way.” You can kind of just disappear in a sea of voices. But during the vocal testing, which is when they find out if you're like a high singer or a low singer or anything in between, right? My teacher actually found out that I have a really strong and powerful voice. And I was really surprised by that because I'd I not only had I never really sung, but I also never really talked, right? Because I I'd been sort of trained internally that when I spoke, people were going to laugh at me. So having this experience of singing in a place where people actually supported and liked what I was doing was very revolutionary for me. So more on that later but then let's talk about the computer lab. Excuse me. So, in sixth grade, we went to our first ever like computer class in in school. And it was to me one of the coolest things I'd ever done. Because suddenly, in this virtual environment, right, in this virtual world, whether it was with early programming, with like, you know, programs like Scratch that like teaches like little kids like how to write rudimentary programs, more even in the world of gaming, all of a sudden I had this experience of having power for the first time. I could modify the worlds around me. 
I could put in cheat codes into like different games, and like suddenly the environment of the game itself would change and like match what I wanted it to do, and not what I think the other people around me wanted me to be. So, I had a lot of freedom there to just be who I was. And after I discovered computers again in sixth grade, it was it was kind of off to the races for me. So, either when I would be on lunches, I would either be hiding in the choir room, or I would be hiding in the computer lab playing with computers. And the rest is sort of history there. I ended up going to college for music, and then of course, by one thing leading to another, I ended up following my second passion, which was technology. And now I think it's a wonderful outlet. I think anyone that feels othered should have access to a virtual world where they can be themselves, where it's safe. And I it was a great gift. So, I'm really, really fortunate that I found refuge and a sense of autonomy and power through music and through computers. Not to say I didn't stop getting bullied, but the bullies usually don't go hang out in the choir room, right? Like that's not where like machismo like kids hang out, you know. So, it was it was a place of sanctuary for me for sure.
Jess Vachon: 07:27
So, you've touched a little bit upon the theme of I think empowerment and discovering those two spaces. When you discovered you could sing beyond the empowerment, what did that what did you realize about yourself?
Akira Brand: 07:45
What did I realize when I found out I could sing? I realized I have a lot to say, and I had the knowledge that I had emotional depth to me when I was younger, right? I knew that I had a lot inside of me that I wanted to express. I had a very rough early life, obviously. And so, I had a lot of like anger, I had a lot of drama, I had a lot of rage, anything like that. But singing gave me a place to express those experiences in a healthy and constructive way, as opposed to just like, you know, just acting out or causing fights or anything like that. I was very lucky that I found singing because it let me almost self-therapize in a way, right? Like I was able to express these things that I knew I had within me in a way where I didn't have to do it as me. I could do it as a character. And then as I grew up and I got older and like I learned more about my craft and I got more into the art of acting and things of this nature, I realized that the reason I was able to do so many different characters and do so many different forms of expression was not because I was faking it, but because it was drawing on so many different aspects of myself. And it's interesting too because with computers, too, like when I learned how to program, I'd always loved logic. I'd loved math. I wasn't always very good at it, but I loved it. And doing things with programming and learning about computer systems, all kinds of different things in the world of computation, I was able to be like, you know what? I actually might be somewhat intelligent. Like maybe I'm not like really dumb. Because I never did well in school, right? Like I'm a terrible student. I'm a horrible student. I love learning, I love classes, but I'm like, I'm a C student, right? Like I'm not, I'm not like very good at the art of school, but I'm really good at figuring things out. And computers were a place where I didn't necessarily have to follow a curriculum, I could just figure it out. And that felt really good. 
So I guess at the end of the day, to answer your question, what I found out about myself is I have incredible emotional depth and ability to express those emotions, express those experiences, as well as like I have confidence now in myself that I actually might know a thing or two about a thing or two.
Jess Vachon: 10:27
Yeah, most definitely. We're going to fast forward. You studied opera and then you became a cybersecurity leader. That's not a common career arc, although I think in what you've described to us so far, that we're starting to see how you reach that point in your in your life. What did the idea when did the idea shift from music is my life to technology might actually be part of my path?
Akira Brand: 10:58
Sure. So, the shift happened for me on April the 28th of 2011. That was the day my mom died. And my mom, as I mentioned earlier, taught mathematics. Mom was brilliant. She had a master's in math from Creighton University. She taught math her entire life. My whole family is very full of math and science and engineering nerds, right? Like we're super nerdy. I'm kind of the anomaly being the musician in the group. But when mom died, I had this moment of like, you know what? I want to rediscover in myself the parts of myself that my mother gave me. And I want to expand upon them in my adult life. And one of those things was through mathematics. I was like, well, mom had a mathematical mind. Dad has a mathematical mind. The whole family has a mathematical mind. I'm not really like exploring this to its fullest potential. Let me see how I can, how far I can take this, right? And I also missed her. I love her. I still miss her. It's been over 10 years, but I wanted to feel closer to her. I wanted to feel as though I could understand parts of her that I wouldn't have been able to understand without, without pursuing technology, without pursuing science, without pursuing mathematics. So, after sort of wandering around for a few years in my early 20s, like very lost. Well, mom died when I was 22. I had just graduated college. It was very young, very impressionable. And I sort of stumbled for a little while. I just trying to find my place in the world. And then at the time, when I was about 24, an ex-boyfriend was like, hey, you should try programming. And I'd been working in music for several years at that point. I was like, there's no way. Like, I don't, I don't do that programming stuff. Like, I'm not smart like that. And it wasn't because I didn't like computers, because like I said, I hung out in the computer lab all the time. And but I never thought I was that smart. But then I realized, you know what? 
Maybe if mom could do this math stuff, maybe I can do this computer stuff. So, I went to like a I went to a weekend course at a local code school. My expectations were very low. I was like, this is another school. I don't want to do more school. I really suck at school. We already talked about that. But let me see if there's something here. And when we had a two, it was a two-day course, right? So, the first day was front-end development. And this is like back in the day. Like not that that back in the day. It was like six years ago, right? This is like before a lot of our modern tooling. Like we didn't have AI, right?
Jess Vachon: 13:36
I like that six years ago is back in the day.
Akira Brand: 13:39
Well, I mean, but how fast the technology changes?
Jess Vachon: 13:43
Back in the day for me is decades ago, but okay, we'll go with six years back.
Akira Brand: 13:46
We'll go with we'll go with six years ago back in the day. I think it was more like seven or eight. We'll be generous and call it like seven. Anyway. But I'm working on front-end development the first day, and we were working with um, I think it was CodePen. Yeah, CodePen. And we had like, you know, our little CSS window and our little JavaScript window and our little HTML window. And I looked at all that and I was like, oh, forget that. Like, that's that there's no, I'm not, there's too many doodads going on. I can't handle that. And then I so I came home the first day pretty dejected, like, because I didn't understand what the hell anyone was talking about. The second day though, we did back-end web development. We did a little teaser course on like how to do some things with API calls. And this is back when the Twitter API was exposed. So, you could actually like from your terminal, you know, take an API key and from Twitter and use it in your terminal and like post something on a on a Twitter feed. And I saw that happen in real time, and I did it, and I was like, whoa, this is incredible. I just made something happen on the internet through like a black blinky box on my computer, and that blew my mind, and I understood how it worked. Like I front end, I still don't really understand, man. That that stuff is that's for real smart people. But yeah, the understanding, like just the logic of it and understanding that, like, hey, there's ways to again communicate, right? Through different methods, through different means with the world in a way that is automated, that is sort of secret, that not everybody knows, that is a very logical sort of way to approach things. I don't know, it's really hard to put into words, but I think what it really was is it was an aha light bulb moment where I was like, you know what? This mind, this mathematical mind that my mother gave me, maybe there is something to this. 
So, I ended up enrolling in the code school and I went, and the rest is history. Now I work in tech. Go figure.
Jess Vachon: 15:57
Now you work in tech. So, boot camp, web dev, devrel, and then app sec engineering. What made you move into appsec specifically?
Akira Brand: 16:08
Yo, that's such a good question. So, I worked in DevRel for a few years. DevRel, for those of you who don't know, stands for Developer Relations. It is a job within the tech industry where you functionally act as a liaison between the end users of your product who are developers and then your product team, right? I mean, it's different at every single company. But the first company I worked at was called FusionAuth. And it was an identity and access management company. And this is where I really got my start. And it was all about, of course, it's about IAM. And when I went into this job, I didn't know a lot about cyber at all. I knew I liked it. I'd done like a couple of like I've read a couple of books on it, right? But I wasn't like a wizard at it by any means. But when I was there, I discovered that there was something called application security, which was like a mixture from my understanding of it, of programming and cybersecurity. I was like, whoa, that's really cool. Like, tell me more. So, I worked at FusionAuth for a little while. And then I went to my next DevRel job, which was also for another security vendor, Bright Security, and their product was not IAM, it was actually DAST scanners. So, the people that I interacted with most of the time were AppSec engineers, or they were software engineers that had a deep interest in security. And they just it just felt right, you know. Like I was like, okay, these are my people. Like these are these are the people I want to hang out with. These are the kinds of problems that I want to solve. These are the sorts of questions that I want to answer through my work. And yeah, I think that after I worked at Bright for a while, I realized I didn't want to do DevRel anymore. I wanted to actually do the engineering side of it. So, I applied for a role at a company called Resilia, working as an AppSec engineer. And I'm shocked I got this role, but I got it. 
And I did that for a few years and went into leadership later on. And I think for me, AppSec is a really good fit. Like it combines programming, which I love, it combines cybersecurity, which I love, and it combines expression, which I love. You know, it's like a trifecta.
Jess Vachon: 18:30
Yeah. So, I want to ask, when you say these are my people, what does that mean to you? What's the context that you come to that statement from?
Akira Brand: 18:44
These are my people. I'll fast forward until DEF CON 33. That's when that's when that phrase really got solidified for me. For a long time, as I've talked about in my origin story, I felt very othered in my life. Like just the weird kid that didn't have the resources or breeding or pedigree or whatever to survive. When I found the hacker community, right? The people that really like to break stuff and get in the weeds and bust into systems and all that. There's this undercurrent of like, I do what I want. And I love that. I love that. I've never been a conformist, whether by choice or by not. But I think that it's so cool to find a group of people that have found a medium through which to express themselves in an offbeat way. And that medium just happens to be computers. When I worked in music, I did a lot of avant-garde, like real weird shit.
Like really when I was at DEF CON 33, this is my first DEF CON this this past August. I know we throw around the term imposter syndrome a lot in this industry. I don't know necessarily that I was dealing with imposter syndrome, so much so like in terms of like, do I belong here technically? But mostly like, do I belong here as like a person? Right? Like, am I is my persona like am I hacker enough? Am I cool enough to be here? Like, am I like, do I have the right mindset? Am I smart enough? Like, I don't know everything. Like, maybe I like don't belong here because I don't understand how like a lot of things work. And I remember I was outside at DEF CON 33 outside the convention center the last night. I was crying, Jess. I was like literally like crying, like, oh my God, I don't know if I belong anywhere. Like the world has no place for me. And I had seen a few dudes a few times throughout the conference, and they found me outside. They were like, “hey, girl, like what's going on”? I was like, guys, I'm having an existential crisis here. Like, I don't know if I belong here. And they were like, “Why do you say that”? And I was like, because I don't understand so many technical things here. Like, I have yet to learn so many things, and everyone is so much smarter than me. And like everyone knows so much more than I do. And like, I feel like I'm a fraud, like I feel like I'm a joke. Like, you know, like I just I don't know if I can do this properly. And they were like, Akira, no one knows everything. No one can know everything. I don't know what the fuck I'm talking about. I'm just learning all the time. Like, you're great. You totally belong here. We like you. We love you. We want you to stay. Don't go. And I was like, okay, thank you. And I just like that really changed a lot for me. Like to have someone like from the community, several people from the community, like really invite me in and bring me in and like tell me literally verbatim, like, you belong here. 
That actually set off a huge chain of reaction to a lot of the changes I made in my life later on. I actually I went home from DEF CON. The first thing I did was buy a bunch of books. I'm looking at them right now and I'm working through all of them. And my favorite one I'm working on right now is calling, excuse me, it's called Cybersecurity for Small Networks. I'm securing my entire home network because like I can do this. I can do this. I can read the fucking manual, pardon my French, and I can figure this out, right? Like, and that was really that was really moving for me. And since then, I felt like I haven't really felt any sort of quote unquote imposter syndrome since, which is really cool.
Jess Vachon: 22:39
That's great. So, let's talk shop for a bit.
Akira Brand: 22:42
Yeah, sure.
Jess Vachon: 22:43
You previous have previous experience leading an app section at a global financial services firm, and you have your public speaking, which both really show command of the technical and political sides of the job. When you were bootstrapping an app sec program from scratch, what did you discover that were the biggest surprises? And what did you learn about people, politics, or culture that you didn't expect?
Akira Brand: 23:09
Oh, yeah, I learned I really don't like politics. Like I do not like politics. That was the biggest surprise, actually, because I like working with people. I don't necessarily like people, but I like working with people. Working with people at a senior leadership level is extremely different than working with them as an engineer. The priorities are different, um, the concerns are different, the problem sets are different, and the pressure is very, very high. You are seen as the app sec person, whether you like it or not, or whether people admit it or not, you're seen as the blocker. You're a pain in the ass. And guess what? You are because you slow things down, you slow down velocity. And like I was very naive when I had my first ever tech leadership position in that I thought it would be a lot more collaborative and like teamworkish. I guess the teamwork isn't the right way to say it. I thought it was going to be a lot more input from more people, but what I quickly learned is that again, at a senior level, other people at that senior level don't have time to collaborate, they just don't. They're too busy with all their stuff below them, and then they're getting a ton of pressure from you know the CIO or the CTO or whatever it is, right? So, you have to be much more concise, you have to be clearer. You can't make it by Herculean effort, it has to be much more consistent, small results over time. And I didn't know that because again, when you're an appsec engineer, a lot of your results are to be honest, produced oftentimes by Herculean efforts, right? Like, okay, we had a DAST scan, and now we have 200 new vulnerabilities, and we need to patch 150 of them in the next, you know, however long. And guess who's going to do it? The AppSec engineer is going to have to do it eventually because the software devs are just too busy. 
So, I got into this kind of habit when I was in engineering of doing like huge lifts and then nothing, and then huge lifts and then nothing, and then huge lifts and then nothing. But in leadership, you can't do it that way. It has to be small, consistent, over time results that are smaller and more often. That was a huge surprise for me because it was a complete paradigm shift, right? The other thing that was God, the other thing that was a surprise for me, I had a lot of hubris going into my first leadership role in that I thought, oh, we're a Microsoft shop. No problem. I'm like great at Microsoft, I game all the time, you know. Like I've done some stuff with PowerShell, like it's great, I'll figure this out. Jess, it kicked my ass because I had come from a Mac background, right? I was on Unix systems, I was working with Linux like that, and like the Microsoft ecosystem just whoa, it was brutal. So, what I'll tell you is that if you're going to a big corporation after working in startup land for a very long time, you need to like kick your own butt and learn the Microsoft ecosystem or it will eat you alive. Like it was so funny. My first three, four months on my new job, I was like, how the freak do you work Teams? Like, what the hell is this Outlook stuff? Like, ah so, yeah, it was it was a trip. It was definitely a trip. I could go on for months about this one, but I'll let you ask another question.
Jess Vachon: 27:27
Yeah, and that's an important part, right? When we go from being individual contributors or part of a team of individual contributors to being leaders in the environment, it is a shift because you're moving from producing, like you said, hey, I produce, produce, produce, produce, to oh no, what I produce isn't what I bring to the table. It's the whole program. It's contributing to the overall success of the organization. So that's a great insight. It's interesting, or I think sounds rewarding for you that you learn that, even though it was seems like it was a bit of a challenge that you now you've got that under your belt, and you're like, okay, now if depending on the role I fill, I may be able to have better communications with the dev teams because now I understand both sides of the fence. And so that's going to lead into my next question. You said AppSec is basically customer service, but your customers are developers. Yeah, what does AppSec as customer service look like?
Akira Brand: 28:35
Well, when I was an engineer, it looked a lot different than when I was a leader, right? AppSec as customer service. When you're an engineer, your customers are other engineers, they're other software engineers, right? Like those are who you're collaborating with. When I'm a leader in the AppSec space, I would say AppSec is no longer a customer service role. Um at least as a leader, you can't see it that way anymore. I would say it's more of an enablement role and a role where you are almost like a tailor more than anything else. Like maybe you have this system development lifecycle, right? The SDLC, and it's being done in one particular way. Well, what's really important for you to do if you're coming in and you're building an appsec program, especially from greenfield, is you need to understand how the SDLC works at your company really, really, really well. And then not try to overhaul it. You need to act like you're a tailor that is like making the garment fit the organization with embellishments, which would be, you know, like, hey, let's put our DAST scanner here, let's do a secure code review over here. But don't try to like, you know, don't try to strip the entire program and rebuild it from scratch with how you think it should be. You really have to come in and, what's the word I'm looking for? Insert yourself gracefully, right? Into different points of the process without overhauling the whole thing, or else you're going to make a lot of enemies. Like, don't be like me and make a lot of enemies.
Jess Vachon: 30:21
Yeah. Well, that's very insightful. And I'm sure those folks that are going to listen to the podcast are going to take that to heart. And it's an important point that you make. One size does not fit all. And so, tailoring to use your vernacular for it is a very good way to look at it. Threat modeling is a topic you love, and you've talked about making it genuinely useful, not just for compliance checkbox, but beyond that. How does threat modeling actually help a business when it's done right, in your opinion?
Akira Brand: 30:52
Oh, how does threat modeling actually help a business when it's done right? Can you please expound on what you mean by help a business? Like what would the metrics for success look like there?
Jess Vachon: 31:07
Well, you tell me. That's your question. It's your passion is threat modeling. How do you see that that is a plus for the business or enhances the security of a business? And you can explain that either in terms of AppSec or just overall in terms of your opinion on.
Akira Brand: 31:24
Yeah, sure. So, I think that the okay, so to so for our listeners, when I say metrics for success, I think that's the first thing you actually need to keep in mind when you threat model is not, hey, how many risks did I mitigate? How many problems did I solve? How many, you know, how many, how many mitigations did I or compensating controls did I put in place? That's not what it's about, right? It's about figuring out how do I know this was successful? What were the metrics for success for the business, such that the threat model can support that? So, for example, say you have a gosh, let me try to think of this on the fly. Okay, say you're threat modeling a new feature, right? That you're going to roll out. Maybe there's like some kind of I don't know, we're not going to try to name the feature right now. It's a little too early in the morning for that. But say you have a new feature out and you need to threat model it before you start designing it, before you start coding it, before you start deploying it. Most of the time, what I would do when I was an engineer is I would think, hey, okay, like let's go through the Adam Shostack four-question framework. Let's do STRIDE, let's figure out where our compensating controls need to be. But as a leader, you have to look at it differently and say, okay, if we do this threat model and we don't add these four compensating controls in this area, what will the cost to the business be? How expensive will this be down the road? Right. It's almost like an if-then problem statement, right? So, like, if I add this compensating control here, then the business will mitigate risk by X percentage, and we will not have to pay XYZ down the road if we get breached. However, what I learned as a leader is that you cannot mitigate every risk. I didn't realize that when I was an engineer. I thought you could mitigate everything. You can't. You just can't. There's too much. 
So, you have to start asking yourself the question as early as you can, aka in the threat model, right? Where do the compensating controls absolutely have to be in place because it's going to pose a significant business risk? Where do the compensating controls can be maybe a little deprioritized in other areas? And where is it like, you know what? We have five other compensating controls. We have five different layers of security over this other section. We don't need to worry about this like little area right now because it's just going to be too damn expensive to fix it, right? So, I guess that's kind of my answer to your question. I don't know if that's exactly what you're looking for. But again, coming through from that IC mindset of, oh, I can fix everything and I should fix everything, then going to that leadership mindset of you can't fix everything. So, you need to prioritize is really what I would come down to it.
Jess Vachon: 34:19
Yeah, I love that answer. And again, another point of insight from your experience as to we can't do everything. Yeah. And for leaders in cybersecurity in particular, I think that's an important lesson to learn. That's what marks someone from being just a manager to actually becoming a leader because they're starting to understand the business aspect of their career choice. Right. So, a lot of times people ask me, “Well, what do I need to do to be a CISO?” And the first thing I say is, “Well, you have to understand the business, and you have to be able to, in your head, accept that you can't fix everything. Either financially it doesn't make sense, or you just don't have the time to fix everything because the business moves too fast.”
Yeah. I want to zoom out or zoom in to the future, have a re-look at that. You've spoken about AI's role in AppSec, both the opportunity and the risks. What excites you most about AI transforming secure development and what concerns you?
Akira Brand: 35:23
What excites me most about AI transforming development and what concerns me? I'll start with what concerns me. What concerns me is that I think AI is extremely powerful if you already know what you're doing as far as software development goes. Like I think it can augment your abilities 10, 20, 30, 40-fold, right? If you already understand coding principles, if you already understand good engineering mindset, if you already understand how to break problems down into little, tiny pieces and work on them from the ground up, as you do in many, in many coding environments. Where I get a little concerned is when I see people that are relatively new to programming or new to cybersecurity, just like, I don't want to call it vibe coding because that's not what they're doing. They're not like, oh yeah, just make an app, haha. Like they're doing their best. But they don't have anyone that's like, hey, you know what? That's not actually a good step to take, insofar as like it actually being a sound engineering principle that you're following. And until you learn those principles, your AI-assisted coding is not going to be as good as it could otherwise be. Does that make sense?
Jess Vachon: 36:47
It does, because if the AI is trained on certain models and influenced by certain models, and you have someone who or a base of developers that might not have had tight coding principles, like you've talked about, then yeah, if you're trying to vibe code and stuff, you're getting everyone's, for lack of a better phrase, junk, right? Yeah. Whereas if you know that you're using a vibe, let's just use vibe coding again, a vibe code AI model that was developed and trained by the best developers, you know, those that are establishing the standards and the best practices, then it's different. So, I hear what you're saying, and I think it comes across to our listeners in that it goes back to that age-old adage, garbage in, garbage out. So, you don't know what's if you don't know what's in the model, what it's been trained on, yeah, then how can you be reliant on what it's giving you? So certainly, I understand what you're talking about as far as the apprehension about relying on it without checking it. So, from what I'm hearing, you're saying, hey, it's a good tool if you've already developed the skills and you understand the principles, but it's still at a point that it needs human review. And I think a lot of companies, in my experience, anyways, are still doing that human review. They may use it as an aid, but then they go and check it.
Akira Brand: 38:16
And of course, the other concern about it is I'm not going to say one way or another, I'm not an investor, right? I'm not on Wall Street. I don't understand a lot of that, a lot of that world, but I understand enough of it to look at it and be like, is this a bubble? Like, is this going to pop, right? That's concerning, right? Because if we're building all kinds of infrastructure for this technology that is a bubble, that's going to cause a lot of problems too. So, I get concerned about that. But those are minor concerns in the world in the face of how cool I think AI is. I've actually been working with a mentor for about a year and a half now on using agentic AI to build software programs, to use in software development. I've taken a couple classes from Jason Haddix on attacking AI, red teaming AI, and it's a lot of fun. Like the amount of things you can produce in a very short period of time once you do have that baseline knowledge of how to program is incredible, right? I'm actually playing around right now with the Agent Development Kit for Python that has been produced by Google. I actually might put that in. Do we have if we have show notes? I'll put it in our show notes. But I'm creating AI agents to build functionally a tool that helps salespeople prospect their leads in a more like intelligent and targeted manner. And I can build this tool in a matter of maybe like two, three months as opposed to a matter of like two, three years. It's incredible. Like I it's just it's so exciting. I think this is really going to open up a lot of opportunity for a lot of people, especially if you are able to do AI-assisted development in a way that is still in line with sound software development principles.
Jess Vachon: 40:13
Yeah, I think a key point here is you've got to learn AI. You've got to learn the prompting. Whether you're using it for development or AppSec or what have you, you've got to understand it as a tool that can make you more productive and open opportunities for you, like you've talked about, right? So, you're working, you can do independent work, and that opens up a lot of avenues for a lot of people because we're in a world right now where being employed at one company for a long period of time is not necessarily a given anymore. No, so having the ability to learn new skills and have those on the side and have a side gig is pretty important for continuity, let's say, of income or just your career without having those career gaps.
Akira Brand: 40:57
So very important too for people to understand, like you just said, Jess, like you can't in this day and age really rely on working in a company right now to like to pay all your bills, right? Like things are crazy, things are changing all the time. People are getting laid off, like left and right, all over the place. And like, especially if you're first getting started, that can be really depressing. And I would say for anyone that's first getting started, that is like, well, like, look at all these layoffs. Like, is tech right for me? Like, I don't know if I should do this. AI is going to take my job. First off, it's not going to take your job, but it will take your job if you don't learn how to use it for sure. Um, I would say, do something like I've done in the past or that my colleagues are doing now. Find a small business, ask them what their pain points are, and build a product using AI to solve for those pain points. And you will have a lot of success in that. Like I said, um I'm working with the Agent Development Kit with uh Python right now to build some AI agents to solve that salesperson problem that I was talking about earlier. Well, I'm doing that for a friend of mine, right? Like that's just his that's his company's pain points. It's going to be his Christmas present. I think it's a pretty sweet Christmas present, in my opinion. But like you can, you can the world is full of problems. You can solve some of them, and AI can help you.
Jess Vachon: 42:20
I love it. One of my favorite things that you've ever written ends with: if you're the freak in the room, hang in there. Find the thing that speaks to you, take the road less traveled, here's to the weirdos. For listeners who feel like outsiders, especially young people, what do you want them to hear from you today?
Akira Brand: 42:39
Oh wow, so many things. If you feel like an outsider, I think that you have to remember that society is transient. The way our social systems work is not permanent. You're just born in this particular era. Just because you feel like you're on the outside doesn't mean you are, doesn't mean you're a weirdo, doesn't mean you're never going to find your place, right? Maybe you carve out your own place, and you change society toward the direction you want it to go. If you feel called toward that, I highly encourage you to go that direction. If you feel like an outsider and you don't necessarily feel like a large drive to like really to expound upon that, that's also fine. Like the only thing that really matters at the end of the day is if you can look in the mirror and say, you know what, I'm okay with myself. I'm going to sleep well tonight because I did what I need to do today. And just don't compromise on who you are, have integrity, don't do things that make you like lesser than in your own eyes, because that's all that matters. Well, only person's opinion that matters of you is yours. That's what I'd say about that, and that's beautiful.
Jess Vachon: 44:06
Thank you for this conversation. Where can people find you? Where can they read your Substack? And where will you be for your next talks?
Akira Brand: 44:13
Yeah, sure. So, uh I have a Substack called AppSec and Other Fodder. You can look for my tag; you can see it down here at the bottom is psilocyber. That's uh that's like my Mastodon tag, and that's my Substack tag. And you'll see that around the internet on Discords and whatnot too. I actually am not going to be speaking anymore this year. I have some potential things coming up next year, but those are all very much in the works, and I don't have final dates. But look at my Substack, look at my LinkedIn, you'll find plenty of stuff.
Jess Vachon: 44:46
Akira, thank you again for this conversation, for your vulnerability, for sharing your craft, your philosophy, and your courage. You're exactly the kind of voice we want to amplify on Voices of the Vigilant. So, thank you again for joining me today. Listeners, thank you for joining us today. Until next time, everyone. Bye.
Akira Brand: 45:06
Bye.