2018 Chicago AWS resolutions

I’m finally putting more into writing for my elaborate plans for the Chicago AWS user group. I started off some thoughts at the beginning of December, so I’m adding to that list.

A new AWS Chicago logo

A new logo! Pizza, with clouds as little cheese bubbles


First off, my pride of late 2017: the ChicagoAWS.com website. More than anything I wanted to save myself from typing and anyone asking me the frequently asked questions. A static site is easy enough for me to manage (thanks to these guides on AWS  at least). I also really wanted a place to put the code of conduct. Thankfully, there hasn’t been a conduct-related issue at an AWS event (but ask me about the Pizza Thief some time), but I wanted to be more clear about setting expectations in 2018.


I get a fair amount of people asking me to help them either find a job or find someone to hire. In the past I rolled my eyes and thought “not my job!” but an easy solution is to just put people in touch with each other directly!

Slack for the group is definitely under-utilized, but it is a good option for communicating in realtime during events, a message board of sorts for jobs, and an “ask experts” channel to tap into collective knowledge. I don’t see it being a busy Slack group, but it gets me out of the way of people who’d like more ongoing group interactions.

No more meetup. Eventbrite!

I was considering this at the end of 2017, but the Jan event solidified my decision to dump Meetup. Each host company, their building, and their security team is different. I think it’s really important to keep the venues on rotation, but a big headache is getting attendee lists of full names to building security 24 or even 48 hours early. Plus, there are ALWAYS people who want to walk up the day of.

Meetup has a field in their old UI (that’s a whole other rage-blog about their UI changes) that lets me ask people a question when they RSVP. I’ve always put something along the lines of “what is your full name (for building security only)” but only sometimes get full responses. I had a few folks tell me in Jan that they’d RSVPd with their full name, but neither of us had any record of it! So frustrating for everyone.

Plus, I have no insight into who is RSVP’ing and how to get in touch with people. Meetup only has the options to email groups (a random grouping of members, too) or use Meetup Messages to communicate.  I image few people have the meetup app on their phone, so if someone is stuck outside security at an event it’s pretty close to impossible to get in touch with me.

My answer: eventbrite for all AWS ugorups. Yes, another sign up. It’s not as easy to find as searching meetup groups, but honestly I want to keep folks to come back to the same events rather than all new people. For now my solution is to create 2 events and post the list to RSVP on Meetup, pointing to the real RSVP on Eventbrite. Still far from perfect.

New RSVP policy: 2 weeks or nothing

Comparing notes with other ugroup leaders in Vegas, Chicago has a pretty major drop-off rate. In 2016 members soared, up to 3,500 Meetup member, but only about 40% show up. It’s a shame when venues can only fit 100 people, over 200 people RSVP, but some of people who are in the ‘yes’ group don’t show while waitlist people miss out.

My rememedy, also suggested by the Germany ugroup leader, was to start RSVPs 2 weeks before. That way people don’t just hit ‘yes’ 2 months early and never think of it again. Hopefully between Eventbrite and the 2 week policy more interested members can come to events!

Emphasis on IRL

Another point that came up in Vegas was the emphasis on real life value of the user groups. Some groups are online only – South America has a huge and very active Spanish speaking online group. Other groups in Chicago have well-made videos and livestreams of events. I always get questions from people about slides and presentations after the fact.

But, there is clear value to showing up and talking to people that a video can’t do. AWS has excellent tutorials, FAQs, and videos for getting started. I am emphasizing the value of real, human interactions in 2018.

Topics and feedback

At the end of 2017 I put out a survey for the group. It’s the first time I’ve asked for feedback online. If someone can’t or doesn’t want to talk to me at an event, how will I know what they want to hear? The simple Google survey was mostly to set a baseline.

I did find things I expected: folks prefer mid-week evening events in the Loop. Short talks are better than 1 long talk. People also want more hands-on interaction, bleeding edge topics, and use case topics. feedback



Featured in “Business Data Security Tips: 40+ Experts Reveal Their Best Advice”

See the full article on Phoenix NAP: Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Self-evaluate to keep pace with both risk and compliance

Your business is small, but risks are enterprise-size.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of data security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

The 2016 Ponemon Cost of a Data Breach Study

Source: The 2016 Ponemon Cost of a Data Breach Study

Keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection policies to focus on preventing vulnerabilities and to set goals to improve and maintain security.

Traditional standards and protections all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

NIST Cybersecurity Framework

Read more on how the NIST Cybersecurity Framework can help: Why All Enterprises Should Adopt the NIST Cybersecurity Framework

Don’t become a victim of your own success – growth.

As SMBs grow and add employees and partners, they must share access to vital business data and systems. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the SMB grows and adds employees and offices, a “single point of failure” becomes a risk for the company. Security for data and networks should grow with the business, with precautions built into business goals.

Margaret Valtierra, Senior Marketing Specialist, Cohesive Networks

Margaret Valtierra is Senior Marketing Specialist at Cohesive Networks. She is responsible for growing business through digital and written content, public relations, and community events.

See the full article on Phoenix NAP: Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Tips for monthly user group endurance

In early November, Ross from AWS asked me to do a quick presentation at re:Invent for the meeting for global user group leaders. It would just be a 5 minute, 1 slide lightning talk. It wasn’t that long, so I agreed. No problem.

Then I had to think up what I would say and what would be useful to other user group leaders! The meeting was really amazing – user group leaders from all over the world were there, and I was excited to be with “my people.”

I must say, a great thing about AWS is their hands-off approach to the user groups. I thought we were special in Chicago because no one from Amazon was allowed into the state before 2015. But everywhere, AWS encourages groups to build their own user group brands (Janpan’s AWS user group is JAWS!), formats, and leadership without any influence from AWS.

For me, I wanted to share with other user group leaders how to keep things rolling along smoothly. There’s good content out there about starting a group and AWS is willing to help. But what do you do after the 2nd or 3rd meetup? How do you get multiple sponsors?


My big 4 points: repeat, automate, change it up, and invite.

Repeat: some things stay the same to keep consistency.  For Chicago, most people work downtown and commute out before the last trains leave, around 8pm. That means the best places for events are downtown offices, right after work. Consistent timing means folks can count on being able to get to events.

The other repeatable thing for Chicago (really, for me personally) is the format. We give time for people to filter in from 5 – 6pm, grab pizza and drinks, mingle a bit, and find a seat. By 6pm I kick it off with a welcome, give sponsors / hosts 5 min to pitch, then jump into the talks or panel. People know they’ll get to the meat of the event by 6.15 at the latest, and I like to show that I respect their time. Sponsors and hosts know they get 5 min up top when everyone is paying attention.

I’ve found a predictible format is the best thing for keeping that momentum – for me as an organizer I don’t have to re-create the work each time and members know what to expect for the night.  I wrote up more about sponsors and hosts to manage expectations, and save myself from typing the same thing over and over: http://chicagoaws.com/faqs.html

Automate: save time on the little things. The FAQs I linked to above came from my realization that I was sending the same email to all potential sponsors. Posting it on the website was easier for me to link to, more people could access the information, and I wasn’t blocking group transparency.

For communications, I believe more is better – within reason. I only contact group members when there’s news, and then send out reminders to RSVP. My cadence is to announce the event, then remind folks to RSVP 2 weeks before, then week-of updates about getting to the venue.

Social updates, newsletters, and emails are the not-so-automated but automatic part. I use tools like IFTTT, Zapier, Mailchimp, and Hootsuite to trigger and update news when it happens. I joked that I’m the mechanical turk for the group’s social communications.

The next 2 kind of merge together: change it up and invite. For me, keeping a healthy rotation of venues, sponsors, speakers and topics helps the group group. More people pop in from their offices if their company hosts. New people join the group every time we have new sponsors and topics.

I try to invite new speakers almost each time. I always get those well-meaning members who volunteer to speak each event, but I gently tell them to share the stage. Once I started doing meetings each moth, it was so much easier to get new companies interested in sponsoring and/or hosting. Now I’ve got a steady rotation of companies asking to contribute, and people I know I can contact for venues.

But wait, there’s more!

Other tips I’d give user group leaders that I couldn’t squeeze in to the 5 min talk include:

  • try to plan the next event before 1 month out
  • have something (future events, other groups, AWS news) to announce at the event
  • communicate, communicate, communicate!
  • always be thanking – sponsors, hosts, speakers
  • ask for help from AWS, especially for speakers

Here’s my pre-event checklist:
[ ] print sponsor & direction for the venue
[ ]  print out sponsor logos for drinks and pizza
[ ] email attendees 2 days before – remind them to update RSVPs, venue policies for checking in, how to get there, and social info for speakers
[ ] order drinks at least 2 days before
[ ] order pizza online – schedule!
[ ] confirm with speakers 1 day before
[ ] schedule tweets for sponsors, talks, host

Post-event checklist:
[ ] tweet / post slides from speakers
[ ] upload slides to slideshare
[ ] post link to slides on meetup/ email
[ ] email hopeful sponsors / hosts/ speakers I met at the event
[ ] update schedule & attendee email drafts
[ ] invoice sponsor and send receipts in PDF to sponsors

Doing this talk made me really think through how the group works. I know the Chicago group is unique, both for how the people in the city work and that I’m a 1-woman dictator. I don’t think any other group runs quite how we do, so I’m looking at what works and what could improve.

Next up, deep thoughts about how 2018 will be a great year for the Chicago AWS user group!

from re:Invent to 2018

I am still recovering from a week in Vegas at re:Invent. Seriously, I think all 45,000 of us got a cold at the conference!

It was a busy week in the desert. There is plenty to talk about in 2018! For some refreshers on the product and service announcements, see the highlights from AWS and Day 1 and Day 2 reviews on InfoQ.

Personally, I enjoyed getting to meet fellow user group leaders from around the globe. There are amazing groups all over – Dublin, Munich, JAWS (Japan AWS), and the South American AWS en Español. I’ve got so many great ideas for 2018 user group topics!

2017 lookback

From the puny Meetup.com stats, it looks like the group has grown by over 500% from early 2016! We hit our goal of having regular, monthly events. I’ve been working on getting new speakers, more technical talks, and a diverse lineup of presenters – still a work in progress.

Big things for 2018

Part of my master plan for 2018 is already here. There’s a new ChicagoAWS.com website with info for sponsors, speakers, and hosts. Plus, a written code of conduct. Luckily we’ve never had an issue at a user group event, but this is an effort to be welcoming, transparent, and prepared. Also on our website is an invite form to join the AWS Chicago Slack channel.

Up next in 2018, I’ve got plans for a few all-day, hands-on sessions a year. We’ll hear from more AWS solutions architects, and hopefully more user group members. I’ll also send out a survey to get more feedback and ideas from the community.

Stay tuned for dates and announcements in January.


If you’re interested in learning more, join us on Chicagoaws.com or on the socials:

– Meetup: https://www.meetup.com/AWS-Chicago/
– linkedin group: https://www.linkedin.com/groups/6705840
– twitter: https://twitter.com/AWSChicago
– youtube: https://www.youtube.com/channel/UCXyvg7y0BnqrfNb_k9sgD2A
– slideshare: http://www.slideshare.net/awschicago

Security Hygene – Hosting my First CryptoParty

Turns out I am not alone in wanting to evaluate my online presence and update my security priorities. Partly to update my own security checkup, I wanted to update security knowhow here.

I got involved with an awesome Chicago-based group, the Lucy Parsons Labs this year. One thing that attracted me to the group was their outreach – they not only do work on behalf of others, but they also offer security training for journalists and activists. This week I got a chance to get involved and I led my first digital security training.

Ain’t No Party Like a CryptoParty

Monday was the November CryptoParty, hosted by moi. Like past Chicago CryptoParties, the point is to get all types of people together to talk about digital privacy and what’s important to each person. Some folks wanted to create stronger passwords, others wanted to divest from Google’s tracking tentacles.

I started by doing lots of research. There are great guides to hosting a CryptoParties, trainings, and resources for speakers  and the general public. Once I got a grasp of what range of topics we might cover, I knew I wanted to start with a short presentation on “threat modeling” and then open it up to questions and discussions for everyone.


The EFF has a new and awesome Surveillance Self Defense guides and printouts, plus  “playlists” for different threat models. I built my slides from there, with a quick intro to threat modeling (aka risk assessment since it sounds less militant and terrifying). I like the analogy of cold and flu season – the best thing to do is prevent getting sick and the easiest way to avoid colds is just washing your hands!

So what is security “hand washing” ? My favorite part of the threat model concept is that it depends. It depends on what information you have (assets), who you’re protecting it from (adversaries), and how comfortable you are with losing data (threat). If something happens (risk), how terrible is it?  It depends on who you are and what you’re doing.

Here are my slides.

Part 2 was more tips & tricks, mostly based on Martin Shelton’s post “Securing your Digital Life Like a Normal Person.” Applying the “it depends” model to the tips and tricks was a nice segue into discussions. We covered encryption, VPNs, and 2FA.

Here’s a partial list of topics, tips and tools:

Next Up

I was excited, humbled, and energized to get to participate in this CryptoParty. I was impressed how many folks knew about the “advanced” stuff I mentioned, like VPNs and Tor Browsers. I think next time we should jump into deep-dive topics like encryption, how VPNs work, and more. I’m ready, are you in?

Sound cool? Want to get involved with another CryptoParty or digital training? Have more in depth questions for any of us at Lucy Parsons Labs? Email us infoATlucyparsonslabs.com

September AWS user group Chicago

It’s been a few weeks, but I wanted to write down some thoughts on the latest AWS Chicago user group. An ever popular topic is certification, mainly for AWS’ own professional exams, but also things form CISCO to Microsoft certifications.

This time we opted for an open-ended format of the “unpanel” an idea I borrowed from CloudCamp (RIP Chicago CloudCamp). The goal is to get more people involved than a standard Q&A of “experts” on a panel. By sourcing panel participants from the crowd, people can both ask and answer questions and swap in and out.

In the space, wonderfully sponsored by Discover, the layout was great. Pizza and drinks (sadly no beer allowed) were off to the side, and the audience and panel were squished into the narrow part of the room so everyone was forced to be right in the action.

Running an unpanel in Chicago is always a challenge to me. Compared to the London CloudCamp, us Midwesterners are too nice to jump in and take over someone’s spot on the panel. As the moderator, I tried to be aggressive in both bringing more people up to the panel chairs, rotating questions from the group, and swapping out speakers as needed.

From an AWS side, I was surprised to hear not many Chicago folks are headed to re:Invent this year. It is a strange time, just after Thanksgiving, to go to Vegas as the big projects of the year wrap up. It’s also becoming such a huge event. Last year over 40,000 people jammed into the Venetian/Sands/MGM and this year it’s taking over most of the Strip. Just walking down the hallway is overwhelming, much less the “normal” of Vegas overload.

Another note, was that more and more people are looking to certify. AWS certifications are affordable compared to most others.

Check out the awesome notes, taken by local Chicago tech hero Alison Stanton (@alison985 )


alison stanton's tweet

Featured in Digital Guardian: Cloud Computing Security Benefits – Infosec Pros Reveal the Top Benefits of Cloud


“Cloud computing has obvious cost benefits…”

Especially for startups and businesses looking to move away from owning and running data centers. Cloud providers have more capacity, speed, and locations. Shifting your information security practice to fit cloud is a process, but there are upsides. Cloud providers offer Service Level Agreements (SLAs) for their services, including: specifics on security, privacy, access to data, and data portability. Offloading IaaS-layer requirements onto a provider will ease the burden on your teams as long as the SLAs meet internal security standards.

Margaret Valtierra featured in Digital Guardian

Cloud providers can also help InfoSec teams meet compliance requirements, since most IaaS offerings meet ISO, PCI, and other well-known standards. Before cloud, we had to maintain and secure our own servers and physical security. Now, Amazon, Azure, and Google run word-class data centers for us. 70% of organizations use at least one application in the cloud. Those applications – everything from CRM to mobile apps – put critical business data beyond the reach of traditional security. Security teams can now use cloud technologies to prevent data breaches and vulnerabilities by enforcing strong virtual networks and flexible data policies for each application.

Another big benefit of the cloud is the ability to build security on top of standard offerings. A virtual private network (VPN) allows security teams to create a secure network on top of a cloud provider’s physical network. As teams install and launch applications, security teams can directly control network traffic with point-to-point connectivity. Network security settings like firewall rules, users access, and internet port filters can be sized, scaled, and tailored to each cloud application.

Margaret Valtierra featured in Digital Guardian

Read the full article here.

Margaret Valtierra is the Technical Marketing Specialist at Cohesive Networks, where she creates technical documentation, guides, and video demos. Margaret has a BSM from Tulane University and is an AWS Certified Solutions Architect and Cloud Security Alliance (CSA) CCSK.