Kristina Balaam on Breaking in to Security


Introduce yourself! Who are you? Where do you work?

Hi! I'm Kristina Balaam. I'm an Application Security Engineer at Shopify, based out of our Toronto office.


Who or what got you into programming and tech?

I was interested in computers from a really young age. Video games were sort of my "gateway drug". My parents were, thankfully, very encouraging of my love for video games. They started me on a Sega Master System when I was 2, and introduced me to computer games shortly after. As an introverted kid who danced something like 30 hours a week, computers were the cure to my "introvert hangovers". I loved this game in the late 90's called Neopets. It was kind of like Tamagotchi meets some sort of social network for kids. You could customize your pet's "homepage", so I started learning HTML and CSS in order to do that. I quickly lost interest in Neopets, fell in love with writing code, and started teaching myself PHP and Javascript. I had some really wonderful mentors online. One woman in particular, Claire, had her own hosted site for a couple of years. I was inspired by her work and found a few other women who offered hosting space to anyone interested in building their own websites.


How did you transition into security? What excites you about that space?

I had been interested in security for a long time, probably dating back to high school. I had a self-hosted blog that someone was leaving really inappropriate comments on. I managed to trace their IP address to a computer from my school. A bit of social engineering helped me figure out who was responsible, and I was able to talk to him and stop the behaviour. Unfortunately, my CompSci program didn't really offer a true computer security course; a lot of fundamentals were baked into other classes. I always figured I'd need to enrol in a Master's program in order to focus on security. That became my ultimate goal: pursue a master's part-time and eventually transition. However, I learned that there were actually a number of computer security programs offered by colleges and universities, and some were even available online. I enrolled in a couple of post-grad certificate programs: one through Stanford University, Advanced Computer Security, and another with Ryerson University, Digital Forensics and Cryptography. While completing these, I was thankfully able to transfer to a role in the Application Security team so that my day-to-day work aligned more with my overall career goals.

There are a number of things that excite me about the space, but I think my interest lies mostly in the protection of individuals. We're living in an increasingly connected world, and we hear stories about baby monitors being hacked and strangers saying inappropriate things to toddlers. That power and access to individuals' lives is just unacceptable, and I'd like to be a part of the solution.   


How would you suggest someone "break in" to the computer security industry?

Don't get hung up on not having some kind of designation or degree. Start learning as much as you can, hacking on apps (legally), getting involved in a bug bounty program, and make sure you're able to demonstrate that you understand the things you're learning! Most security teams are wildly understaffed, so if you can demonstrate passion, perseverance and competency, you should be able to find a position that will also help you to continue to grow!


How has a notable(~10k) instagram following helped your career?

My Instagram following has only really developed in the past 6 months, but it has been wonderful for networking and facilitating introductions with others in the field!


What has been your toughest lesson to learn in your software career so far?

It has absolutely been to prevent insecurity and self-doubt from holding you back. I've struggled a lot with "imposter syndrome", and have come very close to turning down opportunities because I didn't think I had a hope in hell of being successful (Shopify was almost one of those!). I still struggle with it, but have found it's an almost universal struggle and discussing it with others has been really cathartic.


What would be your number one piece of advice for a successful software career?

Never stop learning. Our industry changes so quickly, and although it's impossible to be an expert in every field, staying in tune with pertinent issues and technologies is super important. I really don't believe everyone needs to go back to school or continue to learn in some sort of structured, institutionalized way; it just happens to be how I learn best. We have so many incredible resources available -- free classes online, blog posts by experts in the field, meet-ups, hackathons, conferences, etc. If your company doesn't support your professional development, they're working against their best interests. If they do provide support for professional development, make sure that you (responsibly haha) take advantage of it to avoid stunting your growth!

When you mime programming to somebody, do you use T-rex arms, or wiggly fingers?

Always T-Rex arms, but preferably as a typing cat gif.


Have you got any hobbies outside of your job? Do you think they help your tech career in any way?

I played the piano for 17 years, and although I'm rusty as hell right now, I do still try to practice. I ended my dance career in university, but have replaced that with running and cycling and yoga. I'm also involved with the vegetarian/vegan community here in Toronto. I'm currently learning Mandarin, which I think is likely the most beneficial hobby for my career.


What books/resources would you recommend?

I'm going to shamelessly plug my coworker Peter Yaworski's book, Web Hacking 101. It's a truly fantastic resource, and the forward was written by the founders of the bug bounty site, Hacker0x01. I'd also recommend the CyberSecurity Humble Bundles. They're only available occasionally, but are a great deal. The books presented as PDFs, incredibly inexpensive, and a portion of the proceeds go to charity.  I also think hands-on practice is really important. There are CTFs (Capture the Flag competitions) offered in most major cities, and there are also a number online as well. Having a chance to actually try hacking into a vulnerable web, mobile or desktop application is a great challenge (and won't result in an arrest!). A quick google search for "Online CTF" or "CTFs in <your city>" will return a number of great options!


Finally, make your shoutout! What would you like the readers to go have a look at?

I'm really passionate about mentorship, so if you have any interest in getting into the security industry, please don't hesitate to reach out to me on Twitter (@chmodxx_) or Instagram (@chmodxx)! I'm still pretty new myself, but I'm happy to share what I've learned thus far :)