The Security Champions Podcast
Automation, Generative AI, Shift Left - the world of application security is evolving fast, and so are the conversations that shape it.
Welcome to The Security Champions Podcast, the go-to resource for insights from the front lines of application security. The podcast is cohosted by Michael Burch, Director of Application Security for Security Journey, and Dustin Lehr, the Director of AppSec Advocacy. Each month, one of them shares a candid conversation with security leaders, engineering voices, and software experts.
From championing secure development practices to navigating real-world challenges in modern SDLCs, this show explores how teams are scaling appsec, strategy and culture.
New Episodes drop monthly, with even more security content at https://www.securityjourney.com/
Always remember: Security is a Journey, not a Destination.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This podcast is sponsored by Security Journey.
FOLLOW US to stay up-to-date with new content!
X (https://x.com/SecurityJourney)
LinkedIn (https://www.linkedin.com/company/7574213)
Instagram (https://www.instagram.com/securityjourney/?hl=en)
YouTube (https://www.youtube.com/@UCBVPnBCNcZqx_WAuCsV6BuA)
Online (securityjourney.com)
CONTACT: hello@securityjourney.com
Brandon Troche - Engaging the Next Generation of Security Champions
Brandon Troche is an OWASP chapter leader in Las Vegas with a unique path into the AppSec community. Before stepping into cybersecurity, Brandon built his career in sales and marketing within the health and fitness industry, bringing a people-first perspective to community building, relationship development, and security education.
In this episode of The Security Champions Podcast, Brandon joins Michael Burch to discuss the role of OWASP chapters in creating stronger, more connected AppSec communities. They explore the importance of member feedback, in-person meetups, accessible events, and support networks that help security professionals learn, collaborate, and grow, regardless of their technical background.
The Security Champions Podcast is brought to you by Security Journey. We help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. Learn more at securityjourney.com.

Welcome back to another episode of the Security Champion Podcast. I am your host, Michael Burch, Director of AppSec here at Security Journey. I'm here joined with Brandon Troche, who is also an employee here at Security Journey. However, he's not in an AppSec role, um, not traditional AppSec. And um rather than me telling you about what he does and his security journey, um I'm gonna give him the opportunity to tell you that story.

Yeah, appreciate you, Mike. Appreciate you having me on this podcast. It's it's been a pleasure. Obviously, been uh following it for some time now and and working together uh to this point has been has been great. Um so you know, where do I start? You know, it's been about uh almost a year and a half or a little over a year and a half ride with Security Journey, and that's been my transition into cybersecurity, AppSec, and just uh, you know, more of a technical uh technical industry. And so um, you know, the journey was rough. And in fact, you know, it was my first time working remote. And uh again, yeah, I I come from more of a sales and marketing background, so obviously very uh not not your typical uh person that you might have on this podcast, but I'm here to share kind of the journey that I've had and how great it's been with the the transitions in the AppSec, particularly, uh, that I've been able to um enjoy through the community aspect that uh I've been able to plug into via OWASP and uh you know locally here in OWASP Las Vegas, where I now have the privilege to co-lead a chapter um alongside uh one of more of our experienced leaders here. So um it's all been driven by curiosity and and just um being able to connect in re in with with others on how this landscape is changing so so fast.
And uh yeah, so I mean a journey is the best way to describe uh my past year and a half in the industry. Curious. So and uh would you what was like the last kind of role more adjacent to before you joined Security Journey? What type of stuff were you in that more start marketing and sales before you jumped into this app sec world? Oh man, totally different. I mean, I was in the health and fitness industry, uh, so you know, a little bit of fintech, you know, if it was basically just I mean, selling online personal training, selling um, you know, programs uh for for people looking to obviously get in get in shape, putting together uh meal plans, exercise plans, and uh but yeah, then before that was at Lifetime Fitness, which is a big health and fitness club chain. Um so yeah, completely different industry. And uh, you know, the love to work remote, and where my you know, my wife and I, she's she's Argentine. So being able that was the main driver. It's like the health and fitness industry, I could see it was getting very louded, very crow, very crowded with with some of the things that were happening. And I was looking for a change and um just very curious person in general, and and some of my buddies that went into remote work uh were able to just enjoy more leisure and and time to explore on on activities that they liked. So uh that was the main driver just to get me out of the industry and uh which which allowed me to to be where I'm at now and with security journey, uh working remote and in in app sec. Yeah, and then so going from fitness to app sec, that's a that's a hard shift if I ever would kind of say one is, um, especially coming in as that you're not coming in, even as you're now in that that role where you have to talk to people about it. So learning curve, let's talk about that for a second. 
Like like getting up to speed on this type of an industry, and especially at this time, because I'm gonna tell you one thing, the day you joined to where we are now, it ain't the same. Yeah. Learning curve is, yeah. I mean, it's from what I understand now, it's it's more that's more has happened within the app sec industry in particular over the last two years than the last you know, several, maybe maybe decade or several decades prior. So it's very very uh cool window of opportunity to get into the space with so much evolution that and so much uh change and and AI adoption that's happening uh within. But uh in terms of learning curve, you know, to to start to start where I came in, I was brand new to the industry. I didn't know you know anybody to really connect with. And the main thing that I knew that I needed to do was get involved in communities. Uh you know, being able for worse for working remote is tough, especially when you're in a new industry, because I come from a background where you know, let's say, let's just say in a gym environment, you're able to communicate toe-to-toe with person, you're able to build rapport, you're able to have daily interactions. And so the the transition and the learning curve for me first started going from you know in-person to remote and also a new industry. And so being able to first just be like, how do I become one, you know, become become into integrated with with this with this new industry? And uh the first thought you know that came to mind was like, okay, well, what what types of communities or things that are around, whether it's like Discord channels or you know, webinars or things that I can plug into, or maybe I can start um meeting some like-minded folks and maybe having getting some mentors um that I can learn from. That was that was the first step. That was the first challenge. Yeah, so what you just described to me is you became a security champion, like like the the the core method of it, right? 
You you're like, I need community, I need community to help upskill me in this industry that I'm working in. And uh, I guess that leads to what what brought you to OWASP? Like, like like where where did you get your foot in there to be like, oh wow, this is cool, this is where I want to be. And all of a sudden it went from that to now you're a leader there. Like, like, tell me about that transition. How did that happen?

Yeah, so it happened very progressively, uh, not definitely not over a you know span of a couple months or it the when I first rejoined your Security Journey, the the old um sales manager who left, he had kind of brought the idea upon me that, hey, you know, are you interested in doing like field events, going out and and doing those types of things? And I was like, Yeah, that's that's what I'm all about. I'd love to do that type of stuff. He's like, well, and then just planted the seed of like, well, OWASP would be a great opportunity for you know you to start meeting some like-minded folks, start maybe engaging opposed to just watching, you know, videos and things like that. Um, and from a Security Journey aspect, it was like very uh, you know, our product for for me was a lot to wrap my head around. And those OWASP chapters were a great way to uh not only kind of plug into the domain of here, you know, we're we're focusing on this topic for the next two hours. You know, you have a community around you that come from different backgrounds where you can ask questions, you can shape, you know, shape perspective, shape knowledge, and then um and then and then practice it, you know, maybe have some type of way that you can apply, you know, what you're talking about into you know, a f a full learning curve for me. Because that that was the biggest thing is like I don't I I the only way I'm gonna learn is if uh and in fact um Dustin Lehr uh who is part of our team told me when we first met in Black Hat, he's like, what have you built?
You know, like you need to enter in order to enter the realm of of like development and this AppSec community, go in and build something, you know, and and so um going on a little bit of a tangent here, but you know, with with the capability for some like someone like myself without a uh technical background to enable me to now you know talk to uh coding agents that allows me to at least you know get a get a kind of my catapults uh into a developer, allowed me to really become very, very curious as to wow, like this is this is awesome. Like I want to get as involved in as many communities like this as I can. Um kind of went off a little tangent there, but that's basically how I got into OWASP, and it's been you know, it's that that was the start of the journey.

Yeah. And the interesting part there, to drive this home for our listeners, you were running one of those initiatives where you'd go run tournaments at these different events, right? And I think that's something to be clear is you'd go in and we'd give this opportunity for people to be able to compete against each other on secure secure coding tournaments. So, what a platform and area to start meeting a lot of different OWASP chapters, right? Yeah, um, thinking through that then. So, so what what drove you? So now you're you're meeting with all these different OWASP leaders, you're helping them run these events. What drove you to well, I'm here in Vegas, I have my OWASP chapter, and then all of a sudden I want to be a leader in that. Like, how did that transpire?

Yeah, yeah. So you you uh you missed the key piece that I forgot to mention was the fact that you know we have this great platform at Security Journey, which enables what I just mentioned, which is the the last part of the learning, which is engagement. You know, a lot of OWASP chapters, from what I found, are doing presentations and things like that.
So when I began to start networking with some of the other OWASP leaders from a from a security journey aspect, again, this point I was just an OWASP member. So I would attend uh you know some of the hybrid events online and whatnot. But once I began to message some of the other OWASP chapters, like, hey, have you heard about Security Journey? We actually have a platform where we can provide a tournament uh for your for for you know your OWASP uh uh users and they can you know interact and we can we can do a learning experience. Here's what it's about, you know, and and having a discussion with some of the OWASP leaders of uh would this be interesting for you? And surprisingly enough, it was very engaging, and they were you know we're like, yes, we've you know maybe we've done a CTF in the past like a year ago, and here's how it went. It was actually you know a really good opportunity, but we'd like to do it a little bit differently, and working with those leaders to figure out how to make the best experience for their unique chapter, because most of from from what I found, they're they're very unique, they operate differently, um, is was was really fun and enjoying. So I began to start working with the leaders to put together a CTF for their uh their community, their their developers, their users, and uh hosting it, whether it was all together in a in a classroom type setting or in a remote type setting where they can all plug into the security journey platform and and do some lab exercises. Uh that's that's how it initially started. And then come to fast forward to after a couple chapters that went successfully, we were where we put together a nice uh tournament for them. I uh I finally brought it to attention to the OWASP leader here in locally where I live in Las Vegas, um, and say, hey, you know, let's are we or it was kind of a flat chapter here, so there wasn't much much track uh traction going on. And so I just presented him with the idea and he loved it. 
He's like, Yeah, let's do this. Um bottom line is we we we we did it. We had uh a decent turnout, not as much as some of the other turnouts of some of the other chapters that I worked with prior, but he was so thrilled to have me bring an experience like that locally to Vegas that afterwards he was just like, what do you what are your thoughts about getting involved? Is more from a leadership aspect. And uh at first, I gotta be honest, I was like, uh, I I don't know, uh I don't know about this thought, you know. So I kind of sat on it, I kind of slept on it. But my but my wife was, you know, like, you're you're you're the community's in your DNA. You know, you know, you need to do something with this. Otherwise, you know, you want to bridge the gap, help people, just like people like yourself who maybe getting into the industry, plug into these communities and you're with your marketing and sales background, you know, it doesn't need to be about uh you don't have to be technical. You you're you can just be somebody to bridge the gap for uh someone who's working remote and getting them involved with with a wider body of community locally. And so she's the one that really convinced me to to take the leap and and uh and now it's been about six months. So that's that's amazing. Um, and we're about to dig into that. But this is where we're gonna take the break because that takes us up to where we're now, and the topic of today is what's that look like being that non-traditional leader in OWASP and building that program and how that's kind of played out in your local chapter. But before we do that, we're gonna take a quick break, get a word from our sponsor, then come back and talk about OWASP and chapter lead. Are you struggling to measure the effectiveness of your secure code training? You're not alone. That's why we're proud to share that on average, Security Journey learners increase their knowledge an average of 33 and as much as 85%. 
Our diverse training content satisfies a variety of adult learning styles. Conversational training videos and hands-on secure coding activities ensure that learners are engaged no matter their learning style. Visit securityjourney.com to try our training.

Welcome back to your Security Champion podcast. I'm your host, Michael Burch. I'm here with Brandon, and Brandon is actually a Vegas chapter lead at OWASP, and he also works here at Security Journey in this kind of sales and engagement role where he actually works with a lot of OWASP chapters and he builds community and once again also helps us promote our product. But that's not what we're here to talk about. We're here to talk about how that experience has been for you being an OWASP chapter lead, what it's been like being a non-technical role, helping guide and grow community in this space. So let's talk about that. What was it like starting out as an OWASP chapter lead?

Uh starting out was very overwhelming because it is a nonprofit and it is all volunteer-based. So the the lack of resources, um, I don't want to get in trouble for per se, but just through my experience, you know, just being able to get involved uh was was uh you had you know very much like a bootstrap entrepreneurial type, you know, startup. You know, you have to put in the work because no one else is gonna put it in. And and then it's different in the aspect that a community, you can't build it overnight. You know, it's gonna, it's like a plant, you know, you have to water it and continue to nourish it. Um, so the first experience I had was working with a bunch of the different OWASP chapters prior to me becoming a leader was very, you know, allowing me to see from a bird's eye view. Some of them are strictly doing like lectures and formats, which was great.
It's very technical, very educational, uh, but then other ones were more engaged in just relational community, you know, meeting up at a bar and something like that, and and kind of uh um having that more relational feel to it and less like lectures and PowerPoints. And then others were, you know, just a bunch of hackers getting together and kind of like putting, you know, getting on their computers, bringing their desktops and looking over each other and getting involved. And so seeing those different unique approaches, um, I wanted to kind of combine or or at least kind of cadence a difference in our chapter with, you know, like maybe one month we do something like this, and next month we meet up somewhere and just keep it more casual and relationship building, and then you know, so kind of have that uh routine cadence. That was kind of the vision that I had for for OWASP Las Vegas, and um and so we the very first one that I was involved with was uh the tournament, uh, which went well, and but it just wasn't we didn't get as many people involved as some of the other chapters. And then the next one I thought to myself, well, why don't we just get people here in the in the Vegas community out to uh at a at a venue where we can just at least socialize and and you know see who's who, you know, see and and and have a good conversation. That one went a lot better. Uh in fact, oddly enough, it was uh right when I came in, it was the F1 was in town. And so obviously, like the CrowdStrikes, the password ones, there's a lot of vendors out here sponsoring and in town. And so they actually reached out to me like within the first month and a half of being an OWASP chapter leader and said, Hey, you know, would you guys be interested in doing it something socially or just plugging into what we have already? And it was at the F1 uh facility arcade at um on the strip. And so I was like, this is awesome, this is perfect, perfect timing.
So uh from my perspective, my goal was just to build out our communication channels. So let's spin up a Discord, let's you know, promote this on meetup, let's let's get people to understand where we're meeting, what we're doing, what we're about on LinkedIn, and uh was very impressed with the how many people showed up. And uh that was that that was kind of the big momentum builder for us here. Uh, what was was that you know you know, where people actually began to ask, like, what is OWASP? You know, and obviously it was it was a lot different than what the traditional OWASP like meetup was, but I really feel like it was important for us locally here in Vegas because we have so much to offer when it comes to hospitality and like meetup space and things like that, that we did it maybe a little bit more non-conventional uh way than some other chapters. No, that's amazing. That's that's uh that's so cool. Once again, it's in the part I love about it is you didn't run, you didn't start with the sprint. Like I love that you do it was this step back. I'm like, man, I just need to get people talking. I just need to meet these people. That's that's that's the step one. And and I I think about that organizationally uh organizationally, right? I'm always gonna pull back into like cool, what do we pull out this for the org? It's not just about the chapter, but that's such a big part of it when we're thinking about building community. Is sometimes we try to be like in organization. If I build a like a security champion program, I got people now, go do work. Hold on, like build a culture for a moment, get people to like meet each other and do like like that's the way you start a champion program. Have a bunch of people that want to learn app second your organization and go do a dinner and a meet and greet and like build community first and then start thinking about the work, right? Because if you build that core community, that's something you can grow, right? 
Without it, it's you're fighting up an uphill battle. So you're building community, big F1 event. What's your next step? Um, from then it was like, okay, how do I take this momentum and continue to build upon it? And so then it was like no longer, you know, just putting together, you know, uh a marketing like, hey, here's this event, come join us. It's like, yeah, like you said, like how do I continue to build this from a month from a monthly standpoint? And um at this point, still trying to get other people involved, but the main thing that I realized is uh I think we talked about this a little bit last time, was understanding that, hey, you know, a lot of people they work in these these technical environments, but they're not really engaging uh, you know, from a community level with maybe in even inside their organization, they're really seeking these other opportunities to plug into like OWASP. Or let's say if somebody just, you know, is go unfortunately, there's been a few uh of our members that have lost their their job or they're looking for a new opportunity. So these communities kind of transcend uh just your organizational, you know, communal, communal practice. And uh so from from that kind of thought process, I really wanted to be like, well, this is bigger than just you know, just getting together a relationship. This is something that can maybe people in the Vegas, even beyond, let's say, when I when I move, you know, hand a torch to someone else in OWASP, that this community can be like a fire that's building, and people are continuing to have good conversations and meet up as they go throughout their career. Um, so I basically what happened was I started to get a lot a lot of thoughts happening all at once, but then I needed to instead just focus on the month-to-month aspect of building the chapter. 
So at this time, um, it's been about trying to partner with other local uh people in in the in the industry in the space out here to try and see how they can sponsor um working at the co working event, finding venue spaces that we can meet up regularly. Um and uh and but but then working within how OWASP likes to structure things. So there there are certain guardrails, there are certain things you can you have to be mindful of, you know, for instance, to give you an example, uh, you know, Vegas is a very, you know, a very uh loud city where you can get into a lot of trouble or, you know, have a lot of bars and things you can do, but you want to make it uh impactful to let's say the UNLV students, you know, that are that maybe can't enter those environments. So you need to make it kind of wide ranging and not just uh meeting up at the F1 arcade on the strip. You know, let's let's find the the balance of both worlds. So it's been a challenge uh lately trying to trying to see who all our members are, what what their backgrounds are, what you know what what types of things they're doing. So um at this point what I'm doing is trying to send out some forms to find out where we should have our monthly meetups, uh what part of town, uh what people and getting their feedback, like what, what they experienced thus far, what types of events they would like to do, uh, which I felt like was a good, what is a good aspect to it, finding out from the actual community itself, what what is it that you want for the next meetup? You know, let's continue to have other people shape the community and not just myself. You know, kind of give back some of that control uh as as that we continue to build this.

No, I love, I love the accessibility thing that you really like brought into that, right? Like a simple uh anecdote of that like we have college students, maybe we can't meet at a bar every time, right?
Like, like like like like that like uh some people might have an internal bias like, oh well just do the bar meetup but then like who have I cut out from that and when we think organizationally a decision like that may not be about age limits it may be about maybe people just don't drink right so are you closing out that whole part of the community that would normally want to be involved but you're not creating that environment for them to be involved and being very cognizant of that as you're building these things out. I think some of us can get like these biases that like we like to do this, but what does our community want? And getting that feedback is so important. I do want to pull on something you said earlier. You said it lightly and kind of moved on but I I do remember a time that maybe me and you were in a bar having quite a few drinks talking about all this that it it stuck with me though. And and it's the idea that these communities we build they can transcend the day-to-day job in ways that are extremely powerful um because you're like you talk about OWASP chapters and all these others like you have coworkers but work changes people lose jobs you get hired there's layoffs and one day that person that's in the cubicle next to you that you talk to day to day to day or that you're on that same Zoom call, the next day it's gone and you're in kind of a culture shock having these communities like OWASP that that no matter what happens to you you can fall back into and you go meet that same person that was there last time and their support structure like that's so important. It's so important especially in this world and culture we're moving so fast and to be honest the way tech's changing the amount of layoffs the the the fear of job insecurity I think it almost makes these external communities even more important right because it's giving you that space to like to continue that community when your your traditional community might fall away. 
Yeah no you said it best uh I mean and that's what I began to realize you know the more you're because after events I'd like to connect with people online and LinkedIn and you know you see some of the people that you know they they lost their job or they're they're posting but once you build that community everybody's trying to uplift each other as well and trying to um um just share other opportunities share knowledge bases and that's really kind of been the upskilling for a lot of our folks is you know kind of going back to what you what you're saying that for for me in particular working remote and working you know for maybe with colleagues around the the the nation that's not very new I mean that's that's still very new for our our uh like our primatal brains you know like that's this this workspace has only been 10 years old I would say uh for me you know I'm still entry level so I think there's still a a need and a desire to meet up locally with people you know toe to toe uh regularly enough um because the zoom calls and things like that you could you can only gauge and and um just build a community and relationship so much virtually you know I and I really feel that way I feel that uh you know when we were able to meet up for the first time in in in RSA you know like that's why those big conventions have such a draw is because at the end of the day there's still a desire there's still a need to meet up in person uh from from I feel like just like a a biological level and so that's why I really want to make it a cadence of of where people can look forward every month to getting out of the house, unplugging and uh you know and just meeting up. And so um that's kind of been the that's been a huge driver and what the way I'm trying to think about building this out and and just communities in general is having that routine, you know, look forward to uh you know just like the same way people do a vacation you know they they're looking forward to an experience. 
And so um I don't know about for for any most of the listeners but for myself moving into a fully remote it that was a big transition for me. In fact a lot of the time when I was working inside uh you know the gym or just I've had other jobs where there's a lot of people you know at the office every day you're like man I I cannot wait to be out of this place and I don't want to be around anybody. But then when you're put in the opposite perspective you're put in the you know where you're sitting in the in a cubicle at your house all day and just taking Zoom calls it's weird because then you want to you desire that that opposite which you said you didn't like otherwise so um it's it's a it's a strange it's a strange dynamic of the desire that we want to just be you know together in in a in a community yeah no that's that's so spot on and it's interesting because even so I'm gonna like I I 100% agree with you the human connection part like there's a benefit to remote work right especially you get a large audience of diversity and there's some people can enjoy the fact I don't have to drive to the office. I can make my lunch in my kitchen stuff like that. It helps you with the family for sure but but even I my journey here at Security Journey has transitioned through those phases. And when we first started when I like when I was here I was employee number four making literally building desks with Chris Romeo and his wife Deb Romeo who's the CFO and we had one sales guy one engineer and one other uh security engineer which was Hannah actually by the way me and Hannah joined together like she actually joined right before me. A little side note she's the longest standing employee at Security Journey if you didn't know that. But that that culture we had as we were in the office when everyone else wasn't we were coming to the office every day. 
And I remember I'd walk in the office door and I had my routine before I ever even got to my computer I'd make my right I'd sit down with our lead marketing person and we'd have a chat. She was one of my best friends at the time where we'd talk through our day right and talk about what's coming up next, see how the family was doing. And then I'd move over to the next office I'd go talk to Deb, the the CFO and we'd talk about everything about family and everything else going and we had that culture and that was part of my just getting ready and then I'd go make my coffee and then I'd go sit at my desk and I start working right but but I'd go do the rounds and I talk to everybody first. And and we don't really get that the same way when we're doing this remote work. And it's so impactful even the lunches right we'd all get together at lunch and we'd all eat lunch together and we'd have that half an hour an hour where we'd we'd hang out and we'd talk or sometimes I remember they'd throw old school TV shows on like Star Trek or things just completely ridiculous right um but it was fun it was community and that was the biggest part of it it was community that was built into the way we operated and it built culture it built the an understanding and relationship with us right um which I do think we lose in remote work. And a lot of us in these industries cybersecurity tech software developers a lot of people that go to OWASP chapters we have that disconnect right quite often we do. And to have something as powerful and so community driven as OWASP like I I and it's funny as a security practitioner all the time I think of like security culture well what are we trying to do?
We're trying to build culture to embed more security OWASP chapter we're trying to give people more places talk about security security is the the the byproduct almost to this it's a place to build domain yeah yeah it's it's the domain but the reason people are there they're not they're not usually there because I just want to learn security they're there to connect they're there to make a friend right to to find like minded people and and the on the way if I learn some security and upskill and like get my next best job that's amazing. But I think at the core that's not why people are there they're there because they want that community and want to connect.
Yeah 100% agree on that. And uh I look forward to it you know I like I I personally you know I like getting out and meeting new people and it's been cool to see the transition between having hybrid events where some of the folks that I see you know that are on the call and maybe they've shown up to three hybrid events finally show up in person. You know, because it's like it they might have not felt comfortable you know and I I can totally understand that I've shoot when I went to my first OWASP meeting I drove there and I was about to get out of the car and I was like I don't really want to do this. You know I don't I I know I know it's I know it's out of my car like I don't want to do this but I'm already here with and I came back it's just kind of like what for me I guess the best way I can relate it is like going to the gym. You know you you go to the gym you don't like I don't want to be here I don't want to do this.
How many times when you leave do you feel better than when you came in and so that's that was really a a turning point for experience for me because I was getting too comfortable just being at home doing my work doing my tasks and you know I'm at the point now where I don't know about most people but I'm walking around the house talking to AI and like you know doing stuff like that that was like where's the human element you know so getting back in into those uh those engagements was was obviously a step outside of the comfort zone and I can understand the feeling for a lot of those people that maybe have never plugged into that but I do feel like there's a deep desire and you just need to get beyond that initial discomfort and it becomes uh a very rewarding and um and great experience.
Yeah I love that gym analogy that's that's such a great relatable thing right it's it's it's always that like oh I mean the get getting there getting there and starting that's that's the hardest part once you're in it especially when you're done oh it's great right type of thing with this is it makes total sense is getting getting to the event that can be hard that can be really hard I love the hybrid thing right so so the hybrid thing it goes back to that access right you're and I I try to talk about this all the time when I can um security culture effectiveness you have to meet people where they're at right you can't force them into the box that you want them right you can't be you have to be here to participate well that's not gonna work or we're only doing virtual events is that really why I want to be here that's kind of cool that you're like look show up how you want we're gonna cater we're gonna allow meet you in your comfort zone when we think about like I think about developers it's the same thing as security people and I people who listen to podcasts have heard me some long enough as security people we end up being like the house of this is the rule and this is what you do. Or if you're gonna be a champion I'm building a champion program and this is what they do. Here's the here's the definition go do it well great you're gonna find the one person that's gonna do that and anyone who doesn't want to do that one thing isn't going to be part of your community right so when you think about champion programs it's like okay what if I have a list of different stuff some's more in depth lens some's less and you help and choose where you want to participate that's building a program just like you're doing an OWASP that's accessible. You're meeting people where they're at and you're giving them the flexibility to participate in a program in the way that best fits their needs as well as it helps your needs you're gonna get such a bigger net that way.
Yeah yeah 100% I mean then I I I realized that when working with some of the other chapter leaders when building out OWASP tournaments is they said exactly how you said like well traditionally we do it this way you know and we don't really we never really tried that and you know uh I was like just trying to have the conversation is like well you know like obviously let's say gas prices are going up you know like what may you you might want to be able to incorporate this event in case if somebody wants to join you know via via uh a remote sesh or you know that the timing doesn't work for them to get there might be in the car when they're trying to get back to home or something like that. You know maybe somebody just had a newborn and you know they can't make it out of the house but they really still want to plug into that community.
So 100% what you're talking about, you know, giving giving access uh to to all different walks of life that's that's been a priority for for trying to do that in OWASP and Vegas and as much as I want to lean into hey we have this you know the strip and the social and the relationship of element that we can tap into we have to make sure that hey this is this is going to build out uh the right way and making the most people allowed into these types of community events and these learning opportunities. So that's how we're we're trying to shape it even though we have a lot in our in our backdoor and on the strips let's say yeah.
All right Brandon I'm gonna put you in the hot seat on this one right so I I I this has been a great conversation but but I want I want you to I want you to drive home something here and okay the thing I want you to drive home is you took a new you took it you took a chance you did something new you built community you took a prior knowledge and applied it some way that was really useful.
If you have somebody that's out there that's that's either part of an OWASP chapter or like just getting started like what's your what's your biggest advice for that person to get how to how to best approach getting tied into this community?
Into this community I mean it's like uh I've I've always I've always overanalyzed overthought and that's been kind of my biggest uh challenge just as it relates to starting a new venture or or uh building something um from from my perspective like OWASP has been a great opportunity for me to kind of just learn and pivot and grow uh without overthinking things too much just learn through each experience how to adapt and evolve and with with the environment and with appsec the way it is right now everybody's trying to do the same and so just plugging into that ecosystem that energy you know everybody can sit at home and and try and figure things out on themselves but the uh the best way for for me is to you know collaborate with others and then as a you know as a leader um if you have that mentality how do I shape this experience you know to make it most impactful uh and build build momentum um so for for me for for me you know driving at home for anybody who's maybe similar to myself very analytical and you know overthinking things um uh one of the one of the best things for me to that that I learned through this experience is just to plug in you know create a little bit of vulnerability and you know have kind of have that feel that hey I don't know how this is gonna go but you know I need to I need to step outside my comfort zone try something new and uh you know and and go from there you know and and pivot and and learn learn along the learn along journey.
Yeah no that that's amazing advice and and that's that that's one of those things right like it's it's one of these things that's the most um most impactful I think right like like just just go do it right um especially right now like and and that's kind of the part I want to drive home here right everything's changing so fast I think there's a large part of the world that has this almost like constant nagging feel of panic right because and it's just reality if you're not feeling it like I feel like I'm on the front end of this stuff and I'm feeling it right if you're not feeling a little bit nagging of panic of where everything's kind of going and like what the future's gonna look like where we're gonna land um then then kudos to you like like I I need some of whatever you got but I think everybody's starting to have this and where better than something like an OWASP chapter to meet up with other people that are learning new things that are trying to stay relevant as the world's changing right like I and that's the part that I think I want to drive home for everybody here. These communities exist to help you right and it's not just to upskill you in app sec, the the definition of app sec is changing right if you want to ride that tide if you want to help yourself stay relevant and find other people that are trying to do the same go to these chapters go share knowledge go ask questions see what everybody else is doing because once again if your job market changes if your world changes you'll still have that community there and that can help you pivot right it can help you stay relevant and help you grow and if you maybe you don't have that in your organization where they're not training you up. They don't have a great platform like Security Journey to upskill you I'll plug that in a couple more times. But the the the idea there is if you don't have that these are the chapters that can help you do that right um these are the areas where you can help yourself grow and help yourself stay relevant as the world's changing so quickly. So that's my kind of my drive home from what you said there is kind of like this is the perfect place to do that.
Yeah yeah and OWASP community has been great here locally and some of the communities that I've had the experience of working with uh have been awesome. They've helped shape my knowledge and my you know my my passion for for just relationship building and and engaging on uh similar topics I really feel like the best organizations you look back in history they've had some type of great internal community and if yeah like if you like you said if you have if you if if you maybe stuck in a position where it doesn't have that you know you don't have to sit there and dwell and and uh you know try and figure things out on your own and and learn everything because I know I I'm the type of person to that has been guilty of that in the past where it's like oh I can just take it upon myself to to try and self-learn everything but really the best way to do that the most efficient way is to get around other like minded people um step outside the comfort zone plug into those communities you know share your knowledge learn some knowledge you know share perspectives you know because that's how you be take knowledge and really turn it into wisdom and you know when you're able to communicate stuff you know out just from from from your head and communicate it with others understand their perception and and have those in those dialogues that's transcending kind of the basic you know knowledge of text you know text reading and things like that. So yeah I mean it's it's been a great experience and anybody who's interested in getting involved uh again oh you know OWASP is is a is a nonprofit global organization where you can don't even have to be a member to join uh one of the one of the meetups. So um if it's if it's something that you're interested in and and and wanting to learn more uh it's it's there.
Yeah. Brandon this has been a great conversation.
I want to thank you so much for giving your time and thank you for being such an amazing leader in this community um and helping grow that community and give back um in such a powerful way. So thank you so much for jumping on and joining us. And also thank you to the audience for jumping in, listening to an episode and I hope you learned a lot go be part of these communities. Go check out your OWASP chapters. They're there for you right so go check it out. Go be part of the community and if you have something to give back go teach something go give a lap go go give back to that community also um join us for our next episode I have no idea what it'll be about who I'll be meeting but I know we'll be having another one um and having such a passionate conversation. So and like I said any last words Brandon to to the audience as we go?
No thank you Michael I appreciate the opportunity and again you know this has been another stepping out of the comfort zone for me and and I appreciate the the the ability to kind of share what I've my journey thus far with you know with those and uh be able to communicate it it's it's been a it's been a great experience for me. Thank you.
The Security Champions podcast is brought to you by Security Journey. Security Journey is an enterprise class secure coding training platform with lessons that are built on learning science principles to deliver long term measurable results. Learn more at securityjourney.com