Prague Travel Plans Discussion
Quick recap. The meeting began with casual conversation about travel plans and experiences, including discussions about upcoming trips to Prague and European destinations. The Cloud Security Office Hours meeting welcomed new participants and addressed concerns about low attendance at cybersecurity conferences, particularly AWS re:Invent, while exploring the relevance of traditional events like RSA and the importance of vulnerability management approaches. The group concluded with a career transition discussion focused on Kimberly's challenges in finding new opportunities, with recommendations about networking and exploring different role types in the cloud security field.
Prague Travel Plans Discussion
The meeting began with casual conversation about recent vacations and travel plans, with Jay returning from a European trip and Kimberly discussing an upcoming three-week stay in Prague with her family. The group discussed Kimberly's innovative travel plan involving a home exchange that would allow her to work remotely while spending time in Prague, with her manager even offering to set up meetings there. Shawn shared some travel advice about Prague's ribs, noting the city's reputation for pork dishes.
Cloud Security Office Hours Discussion
The Cloud Security Office Hours meeting welcomed new participants, including Nigel from Ireland and Wintana, a recruiter at Wiz based in Sacramento. The group discussed the low attendance at the recent AWS re:Invent conference, with only a few attendees, including Juninho, and noted that re:Inforce will be merged into re:Invent next year. Jay expressed frustration with the relevance of traditional cybersecurity conferences, preferring events like Forward Cloud Tech and KubeCon for more meaningful conversations.
Cybersecurity Conference Trends and Vulnerabilities
The group discussed the changing nature of cybersecurity conferences, particularly RSA, noting a shift where both vendors and buyers are increasingly skipping the event, leading to concerns about its relevance. They also discussed a recent React vulnerability, with Neil explaining that while it had a high CVSS score, the actual risk was limited as few organizations had adopted the affected server components. The conversation concluded with a discussion about CVSS version 4 and the challenges of vulnerability management, with Oscar raising questions about reachability assessment between vendors and customers.
Understanding Static and Dynamic Reachability
The group discussed the concepts of static and dynamic reachability in vulnerability management, with Neil explaining that static reachability involves analyzing the code on disk, while dynamic reachability focuses on whether the vulnerable code is actually executed at runtime. Jay emphasized the importance of considering environmental and temporal factors when interpreting CVSS scores, noting that organizations should focus on their specific context rather than relying solely on base scores. The discussion concluded with Neil highlighting the subjective nature of CVSS scoring and the low adoption of CVSS v4, suggesting that while CVSS is useful, organizations should prioritize their own risk assessment programs over relying on standardized scores.
Career Transition and Networking Strategies
Kimberly discussed her career transition challenges, particularly around being overlooked for roles despite having significant technical and leadership experience. The group advised her to focus on networking and getting referrals rather than applying directly to jobs, with Tyler noting they receive 20,000 resumes monthly for 2,700 positions. Jay suggested Kimberly might be underselling herself and recommended looking at higher-level roles like technical advisor or CISO positions, while Neil and others emphasized that Customer Success Engineer (CSE) roles can be valuable for gaining deep product knowledge and operational experience. The discussion concluded with suggestions about Cisco as a potential employer and Kimberly expressing interest in cloud security and hyperscaler technologies.