The Router

Life in Security with Jodie Vlassis and Tanvir Ahmed

UQ Computing Society Season 2 Episode 1

Welcome to the first episode of season 2 of The Router! In this episode, we have Jodie Vlassis and Tanvir Ahmed to tell us all about their journey to, and their life in, Atlassian's Security team.

Jodie Vlassis is a cyber security professional with 5 years’ experience in Cloud Security, governance/risk and compliance, government strategy and policy. Jodie is a Senior Trust & Security Analyst on Atlassian’s Security team in Sydney, Australia. Her primary focus is to remove barriers and security issues with customers so they can become a customer, continue being a customer or be a bigger customer of Atlassian. Prior to joining Atlassian, Jodie came from big four professional services (Deloitte), where she successfully delivered and uplifted cyber security needs for ASX100 clients.

Tanvir Ahmed is a Product Security Engineer at Atlassian. Prior to Atlassian, Tanvir worked in the consulting, banking and financial services industries, primarily in the application security space. Tanvir works in the Product Security team at Atlassian, which encompasses end-to-end security responsibility for all Atlassian cloud products. He assists numerous teams across the organisation and helps teams find, fix, prevent, and disclose security vulnerabilities.

Links:
Jodie's LinkedIn: https://www.linkedin.com/in/jodie-vlassis-285074104/
Tanvir's LinkedIn: https://www.linkedin.com/in/tanvirahmed11/
Atlassian Student Careers: https://www.atlassian.com/company/careers/students
Atlassian Student Talent Community: https://pages.beamery.com/atlassian/form/talent-community-students/sign-up

Matt:

Hi, everyone. Welcome to The Router, season two. We hope you've had a great summer break and we're delighted to bring you all new episodes of our UQCS student podcast. Today, we have Jodie and Tanvir from Atlassian to tell us all about their journey to, and their life in Atlassian's Security team. Hello, Tanvir and Jodie. How are you both?

Jodie:

Great. Thank you. How are you Matthew?

Tanvir:

Doing well.

Matt:

That's good. I just thought it'd be good to start, um, to let you to, uh, introduce yourselves, um, and what you do.

Jodie:

Uh, cool. I'll go first. Hi everyone. My name is Jodie Vlassis and I am a senior trust analyst on the Atlassian security team. So I currently work in the Trust & Security team based here in Sydney, Australia.

Tanvir:

Hi everyone. My name is Tanvir Ahmed, I also work in Atlassian in the product security team. I'm here, senior product security engineer. I'm pretty new to Atlassian, over eight or nine months now. Yeah, and then working on ProdSec team, excited to be here.

Matt:

Um, so I guess I'll start by asking, um, what's a typical day at work. Like both of you, um, like a lot of students are interested in entering cyber security, but they kind of don't know what's involved, you know, what's the day-to-day so, um, I guess Jodie, if you want to elaborate on what your day at work is like.

Jodie:

Yeah, for sure. Um, so here at Atlassian and we have a small function that sits within the wider security team and we're called, uh, the Trust & Security team. So the easiest way to explain what we do is very, essentially a small team that, uh, sits, uh, sits within the security team we're essentially cybersecurity SMEs. That's, uh, pretty much, uh, the bridge between the customers and the security team and what we do. Uh, we do, we do quite a lot of things, but I guess in the day of what we do is, um, we work quite closely with, um, customers around, um, around if customers have specific security related questions, um, in regards to our products or to our solutions, we generally provide that support to a number of our support teams. Um, we also, uh, provide a lot of support to other teams within the organization. So we work quite closely with the risk and compliance team to obtain certain certifications for our products. Um, we also work closely with our privacy and our reliability teams as well. Um, there's also a little bit of marketing that's involved with what we do. We like to showcase and highlight a lot of the really cool things that we do with the Atlassian security team. And we want to showcase to our customers, um, and through that we build, uh, I guess, we build transparency, through security, um, within our products.

Matt:

Tanvir, did you want to, I guess, talk about yours, you're coming from a product security background, so a bit different?

Tanvir:

Yeah, so yeah, our, so we, uh, I mean I'm in a product security team, which is a bit different than what, uh, Jodie is, and we are in the same, uh, cybersecurity or information security umbrella, uh, but our roles is a bit different. So we are in product security which encompassed end to end security responsibilities for Atlassian, uh, products. Uh, as most of you are aware that we are a software company. Uh, so, uh, our day-to-day, you know, it's like selling software basically, right? So we help development teams find, fix, prevent or disclose security vulnerabilities. Um, our typical day would include like checking on our public bug bounty, uh, to ensure that, you know, there is no sort of security report from the public bug bounty sites we are on background and then doing some internal product security reviews for our products, um, working on security automation projects, each one of our product security engineers are assigned to certain Atlassian products. So basically we are kind of a subject matter expert on some, uh, like, uh, in, on our assigned, uh, products. So for example, uh, each, uh, product security engineers will be a subject matter expert for one or two. Uh, for example, Atlassian products. So we are closely work with those teams to make sure they are securities, uh, you know, um, is, is, is security posture for that product is good for example.

Matt:

Interesting. Um, so it seems both of you are really into security. Um, I guess, uh, the next question I wanted to ask is, uh, what was your journey to the field of cybersecurity as a whole? Like how did you get to Atlassian as well?

Jodie:

Yeah. Um, yeah, it's a lot, it's a long, my journey is probably a little bit unique, I guess it's not your traditional journey into the cyber security world. So I guess I was quite exposed, um, I guess, to creating and programming at a super young age. Um, I used to watch my brother, um, do a lot of programming way back in the day. I think I was about 12 years old, try not to give my age away too much. Um, um, and I used to watch him and I used to say, Oh my God, you know, I'd love to do, you know, I'd love to learn how to do that. Um, I guess, uh, choosing a different career path in life, I somehow managed to come back into cybersecurity. So, um, uh, my journey, I guess, was, I eventually went back to uni as a mature age student and I ended up studying for about eight and a half years. Now, my background is not technically cybersecurity. I didn't do a traditional computer science degree. However I'd like to think I'm a pretty good product of, um, and a pretty good example that you don't need to do a science degree to get into cyber security. So, um, not to say that you don't need a computer science degree, you definitely do. If you do work in and more technical, um, programming background prior to joining Atlassian. And I actually came from big four professional services. I actually came from Deloitte, uh, where I was delivering & uplifting cyber security products and cybersecurity needs for clients. Um, a lot of my work, uh, is a pretty big intersection of IT business and risk, and I was able to assist a number of clients to develop and implement strategies, roadmaps, um, operating models, assess current states and develop, uh, governance and policies, uh, within a client's organizations. How I came to Atlassian?
Uh, and I say this with such high importance that, you know, it's really important that you need to network within this industry because by the reason why I got this job was because of networking actually went to, um, uh, cyber security women's related event. And, um, you know, just, just went and introduced myself. And I wasn't really looking for a job at the time, but it just, you know, it doesn't hurt to say hello and introduce yourself. And then three months later I was offered a job. So that's sort of how I came to Atlassian.

Matt:

Sounds amazing. Um, and I guess Tanvir, did you want to talk about your journey as well?

Tanvir:

Uh, yeah, sure. Um, so I started my career in sort of cyber security, even though I wasn't like really keen, I mean, you know, planning on doing it. So I started like very briefly as a developer, but then I quickly move into security sort of after graduation. Um, uh, I'm not even also from a computer science background, I'm more of an engineering background, even though I did a lot of programming and stuff in my, um, university. Uh, so anyway, so cybersecurity back then, like it was a while ago, like probably nine years ago I started my career. It was not as popular as it is today, for example, but once I started doing, uh, you know, I started in this career path, it seems to be a quite interesting and I thought very good career prospect as well. So that's why I started pursuing the path. And over the years I had like, you know, many different roles within information security as we used to call it. And even though some organization call it, uh, within various different industry sectors as well. So for example, from banking, financial industries, uh, consulting, um, and now for example, over here in software company, so it's actually a very good, um, it gives a very good idea around how, uh, the cybersecurity functions work within organizations since I was working in very different industry sectors and varied, um, few different functions as well, not for example, just product security, uh, that I'm currently working on in few other, uh, related, uh, domains that I was working. So it gave me a very good holistic approach around how security works in an organization regarding our journey to Atlassian. So, as I mentioned, I'm pretty, still new learning. Uh, it's only been nine months now, uh, but, uh, I applied through that Atlassian job site, um, through LinkedIn basically, uh, because I'm still new to Australia as well in Sydney. Um, had been only here for less than two years now. 
So I am not, I don't have that much of, uh, for example, uh, you know, um, networking opportunities, for example, like that's Jodie mentioned. So it's still pretty new here as I applied through the, through the, uh, through the portal, uh, and then had a very good, uh, you know, experience seamless experience. We now started with a seamless or remote onboarding because since I joined Atlassian, I never got to see, got to work in the office. So it was all remote, an onboarding experience, which is really fantastic. And then you're in a very seamless journey and, uh, I'm really, really, uh, you know, pleased with my, uh, with, uh, how chatting is going so far. It's very, I mean, I'm quite impressed with the team cultures and you know, how we collaborate with different teams within the organization. It's, it's really good so far.

Matt:

That sounds great. I think Atlassian is known for their kind of team culture all around the company. Um, I guess another thing I wanted to ask is, I guess this is a really good question as well now, cause I know, um, both, uh, both of you are not from strictly computer science, uh, backgrounds. Um, but a lot of our listeners are currently, um, university students or might not even be university, they might just be graduates, but, um, if they're interested in entering, um, cybersecurity, are there any topics or like different things that you think that they should focus on learning about?

Jodie:

Uh, good question. Um, when I think Tanvir, and I might have different responses to this, which is really going right. Um, we want a bit of diversity and variety in, in, in different approaches to these. So I guess I can only really talk from experience from what I've gone through. So, um, as I previously mentioned, I don't, I actually don't hold a technical degree. i.e. Like a computer science degree. Um, I guess if, if the listeners want to know what topics they think they should focus on. I think ideally what worked for me was, um, was doing a couple of units that were cyber security, um, specific, but were very like broad learnings, right? So what I mean by that is, is they're not specific or technical, they're not too specific or too technical enough. It was more, um, somewhat of a beginner/ intermediate introductory to cybersecurity, because cybersecurity is just such a huge industry, right? Like you can really just go down a rabbit hole, and then all of a sudden you're sort of, you know, neck deep into application security or vulnerability management, or, you know, coding or whatever. Right. Um, I think the one thing that I want to stress to people is that you don't need to have a technical background or technical degree to get into cybersecurity. I think, um, as an individual, you should sort of start with knowing what your strengths and weaknesses are and sort of do your research and see what really interests you, you know, a lot of people sort of freak out or quite surprised when I say I've been, I, you know, I studied for like eight and a half, nine years. And the reason for that is because I was really passionate. And when you're really passionate about something, the learning comes quite easy to you. So, you know, do your research and see what really interests you. 
Um, a lot of, I, I get asked a lot of questions about, um, you know, should, should individuals, um, consider taking on, uh post-graduate so it's degrees like master's or post-graduate, or, um, PhDs. Um, I guess it's just each to their own, I guess it's up to a situation or circumstances up to where you sort of are at, in life. Um, I think, uh, for me as a mature age student, are, I felt like in my own personal situation for me, in order to stand out, I chose to do a master's degree, um, because I did want to stand out. I knew that I was going to be going up, um, a lot of individuals that were probably a little bit younger than me, and probably a little bit smarter than me, but I sort of wanted to stand out from the rest and go, you know, what, I'm going to do a master's degree. Um, also study the market and the industry that you'd like to prefer to work in as well. Um, you know, my background was I went into Deloitte as a graduate, and I, I say this to a lot of my mentees. I say, you know, the best way to gain as much experience as possible is starting in a graduate or an internship role, because it gives you the opportunity to learn so much and to ask so many questions and really be a sponge, and really experience all the different areas of security. Um, and the last thing that I want to sort of suggest and mention as well is, um, you know, you might be, you might be starting a, uh, an engineering degree, like Tanvir, for example, um, with security, I think the unique thing about working in the cybersecurity role is your, your attributes and your skills that you have are so easily transferable into the cyber security world, you know, identify and look at what, what your uniqueness is to the industry and see how you can transfer that into the cyber security world, because I can guarantee you, there is always a spot for anyone, um, in the security world. 
It's such a, it's such a unique industry that we work in, that you can pretty much bring any type of skillset into our world and really apply it.

Matt:

It certainly sounds cybersecurity has so many different, um, opportunities. And I know, I know a lot of, uh, um, listeners and students and things like that all want to explore their own different, you know, um, paths. So it's good to know that cyber security allows for all those different, um, things to be applied to something, um, yeah. Uh, Tanvir. Do you have any thoughts on like, topics to focus on or just like things to learn about? Um, yeah.

Tanvir:

Yeah. Yeah. I think I agree with Jodie in that sense that, you know, find out what area of cybersecurity or in any careers. So to say in IT or in any other field, for example, you are interested in and then pursuing it, uh, because I mean, you don't want to be like, just going around until, okay. I just want to work in cyber security finding out that interest, what interests you, and then they know, and then go forward for it and then try to learn knowledge or gain knowledge in that area where you are interested in, uh, I think that will help you progress a much more focused way of going. Um, but I mean, having said that, you know, like a lot of the knowledge, for example, when you started working, you are not definitely not going to get it from the textbooks or, or in the, you know, our, we learn in the classroom. Right. Uh, so a lot of the knowledge that you'll be getting is through what Jodie mentioned while you were doing an internship, or when you are doing the, for example, um, you know, when you're actually working. So just, uh, you know, I mean, be at that in mind, for example. Um, but, uh, anyways, I mean, uh, having said that like in our cyber security as most of a university students or anyone in that sense, I know, always think about, you know, cybersecurity is mostly about hacking a company. You know, when we see on the movies, a hacker in a hoodie who tried to hack into a computer, but that's not always, that's not the case. Right. I mean, as you know,

Jodie:

If you work at Atlassian, you will definitely be wearing a hoodie. I mean, that's pretty much all there. So that bit's right!

Tanvir:

Yeah, yeah, exactly. Um, but yeah, I mean, having said that, so, I mean, that's not only what cybersecurity is, right. I mean, as we all know that, you know, there are various different domains within, on cybersecurity. That's only one section or one part of it, which is like, where do you do a hacking our way we do work in red team already work in penetration testing, for example, but there are other domains within cyber security, for example, the security risk and governance incident, response, infrastructure, uh, product security dev cycles, and so on and so forth. There are so many areas. So, yeah. So just try to find out what interests you and then probably, you know, um, learn and try to develop knowledge in that area that might help, um, uh, to, for beginners outside.

Matt:

Sounds good. Um, I think going into that question a little bit more, uh, specifically, uh, with regards to like what you need to know, um, and work, um, I know there's a lot of talk about, um, things like the OSCP or like, uh, security certificates and things like that. Um, I've either of you, I guess, had experienced with obtaining like cyber security certificates, and have they, have they been useful in, uh, at work or obtaining the job at Atlassian, or anything like that?

Jodie:

Tanvir, do you want to answer this?

Tanvir:

Uh, yeah, sure. So, yeah, I mean, I have taken quite a few certifications a few years ago actually. Um, so things like OSCP that you mentioned and, um, and some SANS certifications and so on, so forth, AWS, those are really good. Um, I highly recommend that, uh, but I think for university graduates or at least for people who are studying in the universities, um, my advice is like, yeah, it's good to have those certifications, but had to make sure that, you know, you have those technical, um, technical fundamental skills that you really need. Like, you know, things like as if you really want to go into the technical stream. So to say like things like programming, networking, uh, I think like I didn't work in, uh, yeah, not that the networking is all important, but like things such as sys admin courses, like, you know, like Linux or drag to understand how Linux or Windows environment work and so on. So for like very technical skills will definitely be very, very fundamental. And then you add on to your security certifications or security. Um, you know, of course if you desire things like OSCP, which is a bit more advanced, I need a bit tricky for, but first of all, you need to know about technology, right? I mean, that's, that's important and fundamental. If you don't know how technology works, you won't know how to hack it, for example. Right. So for example, first it's actually knowing the basics, trying to learn security fundamentals and then move on properly. Um, doing security certifications, if you, if you, if you're willing to. Yeah.

Jodie:

Just to add to that, um, to what Tanvir has said as well. Um, I think, you know, as a university students, I think probably what's more important is to study, get his teeth sunk into like work. Um, don't focus too much on security certifications. Um, what's more important is experience. And I think a lot of our listeners will find that, um, you know, when you're applying for jobs and roles, you know, yeah. So skills is one thing, but like experience is way more valuable than skills themselves. You can, you can obtain skills and you can get certifications whenever. But like, if you, and like Tanvir said, you know, if you don't understand the technology and you don't have that experience, a certification is not going to mean anything. So, you know, as a graduate or as someone who is trying to, um, you know, get their foot into the door, really just focus, trying to get that job first and get that experience. And, you know, the certifications will come and follow after that. Um, I know that I'm currently working on, um, Susan at the moment. Um, and a lot of, some of the, I guess not suiting, I guess, some of the non-technical, um, certifications out there, like your CISSPs, your CISM, um, CSSAs and whatnot, um, actually require, um, an individual to have, um, X amount of experiences before X amount of years of experience. Sorry. Um, before you can even, um, apply to do those certifications. So, you know, don't, don't focus too much on certifications. Yeah. They're great. Go find certifications that are free. Like, you know, there's an abundance of free, um, free websites out there that will offer free, um, free certifications and, you know, go and do those ones, you know, to me that shows, um, that shows dedication that shows enthusiasm, you know, and, you know, someone's behavior and someone's attitude is way more valuable and experience is way more valuable than, than a certification in my eyes.

Matt:

Yeah, fair enough. And I think, yeah, as, as uni students, they're just getting started I guess, to, to build up those fundamentals. Um, and certainly I guess a CS degree might help with those fundamental things as well. Um, you learned those after as well, but, um, they've building up this fundamentals and then focusing on certificates afterwards, I guess, or even like when you're at work, maybe. Yeah. Yeah. Um, I just have one final question. Uh, I wanted to ask it's a bit more specific to what Atlassian does. Um, so, uh, that's, I think some people will have heard Atlassian, uh, started this big shift towards, uh, software as a service and like cloud based offerings. Um, and this, I guess might affect, um, you know, the security concerns is involved with having data in the cloud and things like that. Um, how has working in the last year and how, how has that, um, move towards this cloud-based offering impacted, um, the different security concerns Atlassian faces?

Jodie:

For sure. Um, I'm happy to talk to this. Um, just because, you know, I, myself and our team, the Trust & Security team does work very closely with, um, our customers globally. Um, and we do hear a lot of these concerns. So, um, you know, Atlassian is helping more enterprises move critical workflows to the cloud every day, and we field a wide variety of questions to help them make that process, um, you know, as easy, but as well as secure as possible. Um, the most common among them are worthy of consideration by any business with cloud aspirations. So for example, we see a continuous pattern of customers becoming more, I guess, woke or more inept about data residency, for example, um, compliance, uh, encryption of data, uh, and so forth. So, you know, it's our job working in security, um, is to build trust and transparency, through security. So, um, as most business challenges, large and small, they're usually solved not by individuals, but by teams. And it's been Atlassian's mission to unleash the full potential of every team across all organizations and all, um, all sorts throughout the world. Um, and I guess in recent years, we've witnessed the growth in one of the most significant tools for team collaboration, which is the cloud. And, um, you know, Atlassian's embraced it wholeheartedly. And our cloud products enable teams to collaborate and innovate more effectively and scale quickly and focus more time and energy on their core mission. Uh, the cornerstone of our cloud applications and services is security. And our mission Atlassians depends on those. So we are pretty committed to ensuring, uh, the unfaltering safety and security of a customer's data and to providing all our customers with the information that they need to understand and evaluate, um, you know, our security practices as security posture, our policies, uh, for themselves that they have the right information and to make that salt, that sound decision, um, when migrating to the cloud.

Matt:

Sounds fantastic. Um, I guess, uh, Tanvir, do you want to say anything or?

Tanvir:

No, I think Jodie is the expert over a year in advising the company moving to SaaS and cloud based. So I think she covered most of the points that we wanted to cover. So yeah,

Matt:

I think that was a great summary. Um, and yeah, so I think that's all from me. Uh, I just want to say thanks so much for, uh, you know, uh, giving some time to chat about, uh, security with all with us. Um, and I think a lot of, uh, university students or anyone listening to the podcast will find this really helpful, um, for, I guess the planning, the, their careers moving forward of thinking if they want to go into cyber security, maybe this will help sway them. Um, but yeah, uh, any, any last things?

Jodie:

Yeah, for sure. So, um, just for all our listeners who are university students, um, that are wanting to step into, uh, you know, a full-time role, whether that's in, um, professional services or whether that's in the tech space or whether that's in private or public sector. Um, so Atlassian, uh, we obviously have our internship program as well as our graduate, um, graduate ship program as well. Um, I'd highly recommend all of you to go and visit that which is, uh, www.atlassian.com/students. Uh, you'll find all updated information about upcoming, uh, applications for our internship program, as well as our graduate ship program. Um, also as well, um, our human resources and talent community, um, have created a new group called the student talent community. And this is actually a really good opportunity for any individual that wants to get direct contact and response, uh, from our campus recruitment recruiters or our human resources recruiters. Um, what I'll do is I'll post the link down below so that you can join that student talent community, because if you have any questions, uh, that you would like to ask about the hiring process, or maybe getting some tips on, um, interviewing and things like that, our team is more than happy to support you and your journey, whether that's with Atlassian, um, or to provide any, um, advice or tips or tricks are for interviewing for other job roles as well. So I'll provide that information as well.

Matt:

Fantastic.

Jodie:

And that's it, thank you for having us Matthew, appreciate it!

Tanvir:

Thanks for having us, Matthew.

Matt:

Yeah, it was a pleasure. And, um, we hope that, uh, all of our listeners are now inspired to, uh, consider cybersecurity as a career.

Jodie:

For sure. And if you'd like to reach out to Tanvir and I, we're both on LinkedIn, so just feel free to, um, to follow us or hit us up and we'll be happy to answer any questions.

Tanvir:

Yep.

Matt:

Fantastic. All right. Thanks so much. Our next episode will be in two weeks' time, we'll be following the fortnightly schedule as we did last season and, uh, until then make sure to join us on our Slack community at slack.uqcs.org. My name is Matthew Low and this podcast was created by the UQ Computing Society with gracious support from our industry sponsors.