I hate the cliché ‘this person needs no introduction’ because it’s over-used and says, well, nothing. Yet with Rachel Tobac, I was tempted to put aside my dislike of the saying because, frankly, she needs no introduction. At least in the tech world. In fact, during the course of this conversation, Rachel receives so many pings from The Wall Street Journal and other national media for comment on a breaking story that it’s a stark reminder of just how well-regarded she is.
So if you’re a techie, you can skip the next paragraph. For those that aren’t, let me introduce Miss Tobac.
Rachel is CEO of SocialProof Security, she’s chair of the board of directors at WISP (Women in Security and Privacy), and she has lived her version of ‘always the bridesmaid, never the bride’ by picking up second prize at DEF CON’s famous Capture the Flag contest three times. If you’re unfamiliar with DEF CON or its wild spectator hacking contest, then know this: It is an incredible demonstration of Rachel’s talents.
When I ask Rachel if she considers herself a hacker, she doesn’t skip a beat. “Absolutely, I resonate with that label very well.” Her response is so definitive that I question whether I should have asked. She has won silver at DEF CON capture the flag for three years; of course she considers herself a hacker!
I like to think I’m way too seasoned and open-minded to have asked the question because Rachel doesn’t look like what the average person would imagine a hacker to look like. So why did I? I guess external connotations of what that label means to some fed into my subconscious, and I wanted her permission to stick that label on her. I’ve made a mental note not to make that same mistake again.
Rachel’s career journey to date has been a surprising recipe made up of ingredients that include serendipity, determination and a big helping of hobbies and passion. So, in the words of Coldplay, let’s take it back to the start…
Rachel earned a neuroscience and behavioural psychology degree at Allegheny College, “a tiny little arts college in the mountains of Pennsylvania.” She worked in a rat lab, studying rat and human subjects within her degree, but didn’t know what she wanted to do upon leaving college, other than harbouring childhood dreams of making it as a poet or being on SNL. “But I wanted to teach, so I went into teaching children with disabilities for six years.” Multiple teaching jobs across numerous age groups and schools landed her in California, teaching at a small private school in the San Francisco bay area.
Interested in trying something new, a local friend said she should look into Silicon Valley. “I had no idea what it even was,” she laughs. It’s almost incomprehensible to think that someone as technically competent (an understatement) as Rachel was unaware of the global centre of tech and innovation. After submitting 100 different tech job applications, she landed a role straddling her past and future professions in an ed tech start-up, which she describes as fitting. “I worked in ed tech for many years, starting in community management and then moving into UX (user experience) research because of my background in statistics and psychology.”
During this period of her life, Rachel’s husband made her an offer she didn’t refuse: to accompany him to DEF CON, an infamous hacking conference held annually in Las Vegas. “He was already in the hacker space; that’s what he went to school for. He told me about a competition where people hacked in a glass booth in front of an audience and thought I’d be good at it because I always succeed at calling the cable company and getting the bill lowered every month.”
She looks back fondly on popping her DEF CON cherry, which would have been DEF CON 22, and remembers watching that glass booth competition and deciding to apply as a contestant the following year. In those 365 days, Rachel studied, “read a whole bunch of books,” and listened to hacking podcasts. She landed back in the desert with zero expectations, but returned a few days later, having competed in her first-ever hacking competition, silver place proudly tucked under her arm. “I’d never hacked anyone before, and suddenly, I was doing it in front of 500 people. It was so fun, wild!”
The second prize was not the only thing that Rachel left the desert with. She also landed an invite to be on the board for Women in Security and Privacy (WISP). “Immediately, I said yes, that would be awesome!” Rachel joined WISP as creative director and has remained with the organisation ever since, now serving as board chair. She estimates that she currently spends around 30 hours weekly on WISP work. For many, this would constitute a full-time role. “Yeah, true,” she admits, “it’s basically a full-time job, except it’s not. But there’s a long way to go to achieve parity within cybersecurity, but there are some clear indicators that we’re at least moving towards parity.” And what are those indicators, I ask? “I stood in line for 15 minutes to use the bathroom at DEF CON,” she laughs as we land back at that age-old methodology for measuring gender balance.
With the bug for hacking well and truly caught, Rachel returned twice to compete in the DEF CON competition. “I got second place every single time, which is funny,” she laughs. Rather than bemoan her unsuccessful quest for gold, she instead focusses on the doors that were opened. “After I competed, people started to invite me into their company to talk about how to hack. They were very organic conversations” that ultimately led to the birth of SocialProof Security, the business she co-founded with her husband Evan Tobac in 2017.
In essence, SocialProof Security helps organisations with social engineering prevention through training, workshops and security protocols.
I ask how she engages boards, who don’t live and breathe security as we do. “It requires role-based customisation. The board has a very different threat model, and if the advice feels high-level, the board may say, ‘yeah, I’ve heard that before, next’. It helps to talk through how we’ve hacked board members in the past, give a demo of how I would hack them, and then tell them what to look for and how to report it before going into all the cybersecurity initiatives you may want to prioritise.” Ultimately, she’s advising to make it personal, “and then even folks who’ve heard and seen it all before will care.”
She credits DEF CON with changing the course of her career, predicting that had she not gone to ‘hacker camp’ in Vegas, “I’d be leading a UX team somewhere.” She reflects that revolution is not as evolutionary as it seems. “All the same skills are required in teaching, UX research, hacking and human-based studies. I haven’t even had to change how my brain works,” she smiles. “I can oscillate between those roles happily.”
Roles are something that Rachel has much practice in. She has a history of performing improv, a skill she says has supported her in hacking, teaching and research. “Storytelling is essential in teaching, and it’s essential in cybersecurity.” Although her path has been far from direct, she’s surprisingly grateful for the decoy. “I wouldn’t change the path I took for anything. If I’d gone straight into cybersecurity, I would never have had the time to do improv on the side. I’ve used my musical theatre and improv background for our latest work at SocialProof Security.”
She’s talking about the security awareness training they now deliver in the form of musical song and spoken training, featuring schoolhouse rock-style songs about phishing, malware, and how to recognise social engineering scams.
She judges her dance talent to max out at “holding my own on a dance floor at a wedding” but rates her singing higher: “I can hold a tune, hence the sea shanty.” If you’re an avid follower of all things cybersecurity, you’ll know exactly what she’s referring to right now. If not, Rachel wrote an infosec shanty which received input from the hacker community and was widely celebrated. You can check it out for yourself if it’s your jam.
She may have no regrets about her unorthodox route into the industry, but she admits that had she known cybersecurity was an option in high school, she would have undoubtedly changed her career path sooner. “I’d have been able to apply my neuroscience and psychology interest to something that felt like a harder science. I can handle the fluffy stuff, like psychology, but I like hard sciences where there’s right and wrong.”
We’ve talked a lot about the journey, but now to the destination: SocialProof Security. I ask Rachel what it’s like to be married to your co-founder. Her answer: “I love it, which is a testament to how good a person he is. He is just so easy to be around.”
Her answer is a relief, given that she also confesses to working a lot. And I mean a lot. “I work from the second I wake up until I go to bed. That would upset many people, but my brain is not wired that way.” She describes this as a “season of her life” that won’t last forever. “It’s my choice, I work for myself, no-one else is asking me to do that, and that’s what is important.”
Rachel is lucky enough to consider her job as both her “hobby and passion.” When I push her to list alternative hobbies, she adds that she likes to watch comedies and time travel movies, play Overwatch, and hang out with her husband and dog, whom she refers to as their ‘chief barketing officer’. The dog, not Evan.
You’d think that SocialProof Security would keep her busy enough. Still, we’ve already discovered the time she dedicates to WISP. Additionally, she sits on the CISO tech advisory council supporting some of the recommendations that go to Jen Easterly, director of CISA (Cybersecurity and Infrastructure Security Agency) in the Biden administration. “It’s a cool and fulfilling volunteering opportunity,” she says. She also spends up to a fifth of her working week talking to the press, “making sure people understand solutions to security issues. I’m all about staying grounded and offering rational recommendations.” Oh, and sometimes it means hacking journalists…with their permission, of course.
Donie O’Sullivan is a CNN journalist. Rachel received a DM from his team asking her to hack him. “I looked him up and said, ‘absolutely, I’ll hack him,’ and our friendship grew from there.” Rachel hacked Donie first in 2019 and again this year. It’s well worth watching the videos; you can do so here.
There’s no question about it, Rachel is an inspiration to many. Representation matters, and if I was ten (fine, fifteen) years younger, with an aptitude for hacking, and I knew of Rachel, I’d be fully invested in pursuing a career in cybersecurity. But even the inspirers are inspired, so who gives Rachel stars in her eyes in the cybersecurity industry?
She jumps instantly to Jen Easterly. “She’s cool, smart, brilliant and an amazing communicator,” she gushes. “Another person I truly admire is @_sn0ww. She started the DEF CON social engineering community this year. She’s a pioneer, a powerhouse, and it has been so cool to work with her as a judge at DEF CON.” That’s right, the hacking competition that launched her career as a competitor has now welcomed her as a judge, which she describes as “such a cool, full circle moment.”
Each year, Rachel and Evan Tobac hop on a plane to Sin City and DEF CON, a nod to the very beginning and her cybersecurity roots. Although Rachel believes the foundation of her career was woven long before that fateful trip to Vegas, as she acquired the teaching, improv and psychology skills that she leans upon so heavily today. “My proudest achievement is pivoting my career through various industries, picking up useful skills along the way.” Rachel, you’re a powerhouse, and I take my hat off to you.