5 Years Required to Write a Better Job Description

We’re seeing increasing recognition that cybersecurity jobs should focus on competency rather than years of experience. But how do you create job posts to encourage that? And how do applicants even show that on a resume?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for the episode is our special guest TC Niedzialkowski, CISO, Nextdoor.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence.

Full transcript

Intro

0:00.000

[Voiceover] What I love about cybersecurity. Go!

[TC Niedzialkowski] I love that you get to be skeptical, humble, and creative, and think from an attacker’s perspective and then implement the best defensive strategy that you can with the resources available. Going into it, there’s a lot of really smart people that have worked really hard on impressive systems, and you almost have to have this illusion that there’s something wrong with it, there’s something that’s going to be exploited, and you need to find out what it is, and you need to find out how to protect it.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. My co-host, Mike Johnson, he’s the CISO of Rivian of which I’m seeing these cars everywhere, Mike.

[Mike Johnson] [Laughter]

[David Spark] As I told you, my neighbor across the street has one of them. We’re available at CISOseries.com. Our sponsor for today’s episode is Reqfast – get the most out of your intelligence team and tools by mapping stakeholder requirements, workflows, and feedback. More about Reqfast later in the show, brand-new sponsor, we love having them onboard.

Mike, I am going on vacation next week.

[Mike Johnson] Okay!

[David Spark] I’m excited about it, but here’s my question. I’m trying desperately not to do work on vacation, and I’m going to have to touch it at a [Inaudible 00:01:29] mostly because I own my own business, that has a lot to do with it.

[Mike Johnson] Yep.

[David Spark] I ask you, Mike, when you go on vacation, do you truly do no work? Do you look at no emails, do you do no work?

[Mike Johnson] It depends. Some vacations, I have no choice but to be disconnected. Recently was on a trip in the middle of the Mojave Desert and there’s not a whole lot of cellphone coverage out there, turns out.

[David Spark] There you go.

[Mike Johnson] So, I did not actually have to do any work while I was out there camping.

[David Spark] So, I’m talking about the times when your phone and computer can connect to the internet.

[Mike Johnson] In those cases, I do try to disconnect, and the reason why I do that is I want to serve as a good example for my team because I want them to feel like they can disconnect. That’s really the important thing there. The reality is yeah, I do some work.

[David Spark] I, in fact, heard a CISO on a panel at an event say, “Do as I say, not as I do,” and he works his tail off on vacations, and I called BS on that. I go, “No, you can’t do that. They want to be you. And if they see you doing this, that’s what they’re going to do.”

[Mike Johnson] Yeah.

[David Spark] It’s complete BS.

[Mike Johnson] You can’t just say, “Do as I say, not as I do.” I try and do keep it very mild. It’s really just checking in. Is there an emergency that’s going to require me to do something? And if not, I leave it alone and it waits.

[David Spark] And yeah, and I mechanically have to get on to hit a Publish button here and there…

[Mike Johnson] Yeah.

[David Spark] …but otherwise, I do little to nothing. And again, only if it’s an emergency. I try to avoid, truly, doing any work whatsoever.

[Mike Johnson] Yeah. I think that’s a good way of thinking about it is only in the case of an emergency.

[David Spark] Mm-hmm, all right. Well, we have no emergency right now, but I’m excited about our guest who I met during RSA, an event at their offices, and I’m a huge fan of their product which I was mentioning just before we got on air, that Nextdoor. Nextdoor’s responsible for finding my plumber, electrician, and dentist, and all were excellent, so I have to thank Nextdoor for that.

Actually, I don’t think I have to thank Nextdoor, I have to thank the people who posted on Nextdoor for that.

[Mike Johnson] You can thank everyone, just give out the thanks all around.

[David Spark] I’m giving thanks. You know what? I’m not blaming anybody.

[Mike Johnson] [Laughter] That’s a good place to start.

[David Spark] Nobody’s getting blamed. All right. It is the CISO for Nextdoor, TC Niedzialkowski, thank you for joining us, TC.

[TC Niedzialkowski] Oh, thank you for having me.

What’s broken about cybersecurity hiring?

3:57.198

[David Spark] Lose the “X years required” in your job description and replace it with “demonstrates competency in…” suggested Dutch Schwartz of AWS in a post on LinkedIn. But how do you show competencies and soft skills on a resume? A competency, as Dutch defined it, is a problem-solving capability you’ve used in the past and can apply in the future.

While it is hard to show these in a resume, I definitely think you can show competency in a cover letter or an introductory video.

So, I’m going to start with you, Mike. Have you crafted job descriptions that eliminate the years requirements and request demonstrations of competencies? Which are most important to you? Now Dutch suggested, and I agree, that dealing with ambiguity is a good competency to demonstrate. All it takes is to tell a story of how you’ve dealt with an ambiguity.

Have you challenged candidates with these types of questions? Not just in the interview but in the introductory, if you want, application process. And what have been the best answers too?

[Mike Johnson] Well, I think it’s first of all important to recognize that a JD and an interview are two very distinct things.

[David Spark] Yes, yes, yes. But I’m interested in the first barrier thing. Can you make that request in a job description is what I’m saying.

[Mike Johnson] I think in the job description, you can have the “demonstrates competency in.” You can actually have that, and I think it makes a whole lot of sense. The X years thing, I think that’s a bygone era.

[David Spark] Well, you still see it on pretty much every job description.

[Mike Johnson] Absolutely. But someone who’s done a thing for 10 years isn’t necessarily better at it than someone who’s done it for 1, and I think that’s one of the negatives of just looking at years of experience. But what I have seen, and for me, if someone is submitting a resume, they’re like, “Yeah, I actually hit all of these,” and one of the things I do try very hard is to make it very clear what are the actual requirements for the job so that someone can look at it and go, “Yeah, I actually hit all these, I’m going to apply.” And then if someone doesn’t hit them all, I can actually feel confident of moving on to the next person.

These are the requirements, full stop. It’s not a list of nice to haves. These are the requirements.

So, that helps get it to a point where what I then start looking for is what are the other things that they do, what are some of the outside contributions. I’m really big on contributions to the community, so I’m looking for that. I’m looking for presentations, I’m looking for participation in community events or in nonprofits or something like that.

One of the best things that I’ve seen is I’ve got a particular competency or expectation and someone is like listing me all of their YouTube presentations for where they’ve given to a conference. And one of them was they had presented on exactly the thing that I was looking for. And that’s really the best that I’ve seen is there’s a video of them out there presenting on the thing that I’m trying to hire for, “Let’s have a conversation.”

[David Spark] That’s amazing if you got that, yes. All right. TC, I’m going to throw it to you. Because this is a really tough thing to do in just that initial job description, to sort of veer away from the years requirements. How do you do it and have you done it?

[TC Niedzialkowski] Yes. I think there’s good advice out there but judgment is knowing whether that advice applies to you where you are right now. So, there’s a push within the industry to kind of open up job descriptions, make it more accessible, make clear that skills are more transferable. But sometimes that’s really not an option, so like if you’re at a startup, you’re putting together a team, you might be hiring your one and only security engineer or your one and only cloud security engineer.

And you really need them to be a senior engineer because you could be going through hyper growth, you could have a scrappy startup, you need them to be able to confidently go out, make changes in your production infrastructure and not mess anything up.

And so when it comes to the job title, the difference between a cloud security engineer, senior cloud security engineer, principal cloud security engineer, within the tech industry, you can just go to levels.fyi and these companies, they’re talking about the same things, they’re using the same IC levels.

And so really years of experience is almost the same way of saying level of expertise, level of experience within the industry. I think when it comes to this idea of competencies and years of experience, things like, depending on the role, things like DevOps, software engineering, infrastructure engineering, security engineering, those skills are transferable, but you need to be crystal clear, like Mike was saying.

What is it that you’re hiring for in this role? For me, I really got to narrow it down to one or two things, and those are the things that need to be crystal clear in the job description, I need to see it in the resume.

And I know you said you weren’t as interested in this part, but for me, what’s important is during the interview process, I need to put a lot of time upfront to provide the opportunity for the candidate to demonstrate their competency. So, if it’s a cloud security engineering role, we’re going to have a take-home coding assignment where the ask is for them to write infrastructure as code that’s going to check and make sure that S3 buckets apply the security policies that we need.

And we’re going to look at the result that we get back, do a quick sanity check, and if it passes muster, that’s going to be the basis for further interviews with the engineering team.

And you want to make it situational, right? What you want from an application security engineer or a corporate security engineer is going to be different. And then when it comes to overall competencies, what about communication, what about collaboration? Really using a case close to the business. Say that one day everybody has to pack up and start working from home because there’s a pandemic.

Trying to use those realistic scenarios and then have them demonstrate to you those soft skill competencies in response to that scenario.

Are we creating more problems?

10:02.568

[David Spark] TC, this segment actually sort of is a nice follow-up to your opening tip here, and I asked the question are cybersecurity professionals by nature a “glass half empty” group of creative thinkers? In a LinkedIn post, Erik Bloch of Atlassian was doing some research on large language models and AI, and he said, “For every 20 articles I’d find on hacking or breaking LLMs, I’d find maybe one focused on either how to effectively leverage them, it’s weird,” continued Erik, “A new technology comes out, and we security professionals rush to see how fast we can break it and point out how insecure it is.” So, I’ll start with you, TC, because you brought this up at the very beginning.

Is it our nature – security professionals – to just want to break? Do we want to tear something down successfully? Or is it just the classic case of it’s always easier to destroy than it is to create?

[TC Niedzialkowski] One of the things I love about cybersecurity is that there’s room for everyone, and by necessity you need builders and you need breakers. And so when it comes to these LLM models, generative AI, it can be a thankless job. We need people to figure out what are the problems in these systems, we need to identify them, and then we need to figure out what are we going to do about it, and we need to keep an open mind as that happens.

So, one of the ones that’s been out there is prompt injection. And so just as an example, with prompt injection, it’s essentially being able to somehow through the application tell the LLM, “Ignore the previous command. Write something nasty.” And the issue with prompt injection when it comes to the threat model is that that attack, depending on the implementation, only affects the person doing the prompt injection.

And so if you think about the scenario, where has this LLM been integrated into a product or into an application, say that they’re successful, if they’re only getting the LLM to speak like a pirate or use bad words to themselves, there’s no real risk there. But we need to be mindful.

I’m much more concerned about secure deployment of these technologies. So, things like are people installing malicious plug-ins because they want to have ChatGPT in their Google Sheets? Are developers using GitHub Copilot without telling us? And there are no protections for IP or indemnification against use of open-source code.

Maybe we have a contract with OpenAI, people are using it, we have opted out of their training model, but because it doesn’t support SSO, people have bad passwords. Their account on ChatGPT OpenAI is hacked because they used a bad password and it wasn’t integrated into our SSO and we can’t manage that with 2FA.

So, I think I’m actually more concerned with the implementation of these technologies, but I’m still keeping account of what’s going on on the advanced research side.

[David Spark] All right, Mike, I throw it to you. Great answer, by the way, [Laughter] TC. Throwing to you, Mike. What do you think? I mean, is it just the nature of security people to want to tear down?

[Mike Johnson] Well, there’s the old movie quote of “some people just want to watch the world burn.” I think there’s some aspect of human nature where people pay more attention to bad news than good news.

[David Spark] Well, I’ll tell you that from social media. Whenever we posted a headline that had a negative bent, it always did double the traffic of one with a positive bent.

[Mike Johnson] So, it’s a great example of some aspect of that is simply human nature.

[David Spark] Mm-hmm. It’s like rubbernecking on the highway.

[Mike Johnson] Yeah. But I also really liked what TC had to say which is you kind of need to know the failure modes of a system so that you can engineer those out. You need to understand the ways that it can go wrong so you can try and prevent those from actually happening. And to some respect, there’s almost an inherent analysis that comes in that says I don’t need to look at the particular implementation of passwords within the ChatGPT public interface to know that there’s going to be a problem there.

I don’t need to analyze that. So, I can just go ahead and say, “Hey, SSO is needed.” We know that.

But the prompt injection is an interesting one in that it is a unique problem to that technology. There’s not a control that we can pull off the shelf and then just go ahead and apply that. And that’s where there’s value in looking into what are all the ways the thing can break. That said, I would love for us to be more optimistic as a profession, I would love for us to, rather than immediately jump to, “Well, here’s all the ways that this thing is going to destroy society,” and actually go, “You know what?

There’s actually some good things that this thing can do,” and approach it from that perspective as well. What are the ways that we as a security organization can empower the use of this technology within our companies in a safe way? I’d love to see more of that.

[David Spark] But I come back to what TC said at the very beginning of this show and actually I’m going to throw it to you, TC, in just a second, is someone makes this incredibly cool technology, super-smart people make it, and we look for a way to find what’s wrong with it. TC?

[TC Niedzialkowski] Yes. When it comes to prompt injection, I feel like I’ve been here before with cross-site scripting, SQL injection, the other kind of breaking the data code barrier. But yeah, I mean, SSO, right, there’s a reason it’s on the top of the list, and OpenAI is coming out with a ChatGPT for business product in a couple months, and I think that’s going to be really something we want to make sure that businesses adopt rather than almost like a consumer-grade version with how it’s managed right now.

Sponsor – Reqfast

15:57.086

[David Spark] Before I go on any further, I want to tell you about Reqfast. Remember Reqfast I told you about at the very beginning of this show? The get the most out of your intelligence team and tools by mapping stakeholder requirements, workflows, and feedback. Well, let me tell you a little bit about that.

First, raise your hand – I know you’re alone but just listen to me – raise your hand if you’ve ever heard of or understand the need for intelligence requirements. Now, raise your other hand if your intelligence team is actively using your requirements to guide their operations. Now, who is there embarrassed to have both their hands raised while listening to a podcast?

You may be jogging or driving your car. Get your hands back on the wheel! No worries, folks!

But if your intelligence team is not tracking its work against identified stakeholder requirements, like yours, now that is embarrassing, my friends. Why? Because if intelligence is all about decision support and it is customer service, how can they possibly provide value if they don’t know what their stakeholders are making decisions about?

Our sponsor today – Reqfast. Reqfast ties the stakeholder’s requirements to their intelligence team’s day-to-day operations and provides them with the metrics that demonstrate their value to the stakeholder. If you, the CISO, are the primary decision-maker, then your intel team needs to make sure you are getting the most accurate information, in the format you need it in, in the most timely manner possible.

Pretty much everything you want, right? So, Reqfast ensures that happens. That’s Reqfast, that’s reqfast.com. They build confidence, clarity, and trust in your intelligence team. Please join them at, what did I say? Reqfast.com.

It’s time to play “What’s Worse?”

17:48.074

[David Spark] TC, you know how this game is played, correct? It’s a risk management exercise. We give you two horrible scenarios and you have to decide which one’s worse. This comes from one of our favorite contributors, and it is actually a pseudonym. We have hidden this person’s identity; they need to have their identity hidden.

I honestly don’t know why. I know who it is, but I can’t tell anybody else. Now, Mike, you know this because I put the name in there, that this person works at Setec Astronomy, which is the name of the company from the movie Sneakers.

[Mike Johnson] Hmm.

[David Spark] Osman Young is who. Osman Young, and also that means something too, I forget what it meant, Osman Young. But Osman Young from Setec Astronomy provides this “What’s Worse?” scenario. TC, I make Mike answer first. This is long, so hang tight with me. Okay?

[TC Niedzialkowski] And I’m supposed to disagree with Mike, right? That’s my job is to disagree?

[David Spark] It’s ideal, it’s ideal if you disagree with Mike.

[Laughter]

[David Spark] I will say that. All right, scenario number one. You have spent the last years raising alarm bells about the unacceptable state of the charity security program – and that’s the one you work for – but the founder just isn’t convinced it needs to be a priority. Seeing no way forward, you begin looking for a new job, but then catastrophe strikes.

Attackers break in and steal the entire database of donor payment card data and dump it for sale on the Dark Web. Both donors and your payment card processor have lots of uncomfortable questions about how this happened. In a press release, the founder carefully scapegoats all blame to you for your horrible security advice and announces that you have been fired.

Baseless rumors begin circulating that tie you to hate groups, and this was all an inside job to hurt the charity. You launch a lawsuit but in the meantime you now have to begin looking for a new job. With the albatross of a breach and unjustified community anger hanging around your neck, callbacks are few and far between.

All right, this stinks, right?

[Mike Johnson] Yeah.

[David Spark] Okay, scenario number two.

[Mike Johnson] Okay.

[Laughter]

[Mike Johnson] So, we’re going to somehow go downhill from there. All right.

[David Spark] Well, hold on. We’ll see, we’ll see. Because of your hard work and coordination with the organization, it now has a rock-solid security program that you are very proud of. The founder often brags to his supporters about how great a job you’ve done and how much you have helped out the charity.

Then it all goes sideways. The founder’s personal cellphone gets hacked and instead of extorting him for money, the attackers just dump the data on the Dark Web as a public service. The founder ends up being a profoundly horrible human who stands for the exact opposite he became famous for and has harmed many people in horrible ways over the years.

We’ll let your imagination run wild as to what that is. So, he tries to deny it but the incontrovertible evidence begins stacking up and his former fans just aren’t having it. Baseless rumors begin circulating that because of your close association, you were in on the whole thing. Overnight, any association with his name and organization becomes super-toxic and now, you are out having to look for a job with this specter hanging around your neck.

All right. Mike, which one’s worse? They both stink.

[Mike Johnson] So, the first one, there’s a breach and…

[David Spark] The data is dumped.

[Mike Johnson] Data is dumped and your CEO blames you for it and fires you.

[David Spark] Correct. Second scenario, just his phone is hacked, a lot of data comes out of that, and you realize what a horrible human he is.

[Mike Johnson] He’s a bad human being and people are trying to tie you to that.

[David Spark] Yeah, you’re tied to it and you’re seen like as brother-in-arms with this horrible human being.

[Mike Johnson] Hmm. So both suck.

[David Spark] Yes. You are correct. So far, you got a correct answer.

[Mike Johnson] Way to go, Osman!

[David Spark] I tell you, he always comes up with good ones.

[Mike Johnson] Yeah. I’m just going to have to pick one and run with it.

[David Spark] Exactly. [Laughter] Let me just say – you don’t want either of these, right?

[Mike Johnson] No, no, no. These both are terrible.

[David Spark] They’re awful. [Laughter]

[Mike Johnson] This is not one of those ones that I go, “Oh, that’s easy.” Like, “Neh.”

[David Spark] No, no. Well, that makes a great “What’s Worse?” scenario.

[Mike Johnson] Yeah, good job on this one. I really think what you’ve got in the first scenario, it is your professional competency that is under trial in the public eye. The second one is your personal ethics and your “are you a decent human being” is on trial.

[David Spark] Right. So, it’s competency first, it’s ethics, yes.

[Mike Johnson] Yeah.

[David Spark] Actually, good job on isolating it down to that.

[Mike Johnson] With that in mind, what is always most important to me is character and ethics.

[David Spark] So, you’re leaning on the second one already.

[Mike Johnson] I really think the second one is the worst between these two.

[David Spark] Because you got no problem if everyone thinks you’re a buffoon. [Laughter]

[Mike Johnson] Well, the reality is one of those you can actually address. The reality of, yeah, maybe some things actually didn’t go well with this security program, and yeah, maybe I did make some bad decisions. But people make mistakes. I’m learning from them and I can do better next time. Versus, “I’m actually not a bad human being.

All of that stuff that you’re reading about me is all fake.” That’s really difficult to deal with. They’re both problematic.

[David Spark] If the public makes up their mind, they make up their mind and it’s hard to shake that, yeah.

[Mike Johnson] Pretty much. That’s why I land on the second one…

[David Spark] I hear you.

[Mike Johnson] …the ethics and character being the worse of the two.

[David Spark] All right. TC, I throw this to you. Do you agree or disagree with Mike on this one?

[TC Niedzialkowski] I’m supposed to disagree, right?

[David Spark] Well, you know what? You can do whatever you want here.

[TC Niedzialkowski] I hope I heard it right, but in the first scenario there’s a data breach, and so everybody that had donated to that charity was impacted.

[David Spark] Right, yeah. So, the exposure is worse in the first scenario, yeah.

[TC Niedzialkowski] Yeah, so I mean, from a harm mitigation principle, right, I think more people are hurt. Many, many more people are hurt in the first scenario than the second.

[David Spark] So, TC cares more about others than you do, Mike.

[Mike Johnson] I mean, thank you for going ahead and putting my character on trial here.

[Laughter]

[Mike Johnson] I appreciate that.

How scared should we be?

24:18.989

[David Spark] You remember the good old days when the worst fear you had as a CISO was just getting fired after a breach? Oh, that would have been wonderful if we could just go back to those good old days. Well, the SEC has turned up the heat with the threat of a Wells Notice on the CISO of SolarWinds, Tim Brown.

In a very concerning post on LinkedIn, Jamil Farshchi, CISO of Equifax, noted that a Wells Notice is usually reserved for CEOs and CFOs who engage in Ponzi schemes, financial fraud, and market manipulation. But there is one area where a CISO is susceptible and that’s “failure to disclose material information.” What is material?

Oftentimes as a CISO, you’re telling the board and other C-level executives as much as you can and it’s up to them to do the disclosures. How can this be the CISO’s fault? And if so, how do you go about protecting yourself? And heck, has this changed your fear of being a CISO? I’m going to start with you, Mike.

I’ve got to assume when things happen, you’re telling your board and C-suite everything that’s happening. You’re not the one that communicates to the greater world unless they approve it, yes, no, what happens?

[Mike Johnson] No. I’m certainly not the one making the communications. All of that is in partnership. I might actually write it but…

[David Spark] But internally you do the communications, correct?

[Mike Johnson] Internally it’s either myself or a deputy, yes.

[David Spark] But you are trying to reveal as much as what you know at any given time I got to assume, yes?

[Mike Johnson] No, certainly not going to hide anything internally, no.

[David Spark] Right.

[Mike Johnson] No. And a lot of some of those conversations of what does and doesn’t get disclosed comes back to are people going to jump to the wrong conclusions. And when you have all of the facts, when you have everything in front of you and you’re not assuming, you’re not making incorrect or jumping to conclusions, then you can have a situation where you are being open with what all is going on.

So, yes, internally, absolutely. We’re being very, very clear on what we know and what we don’t know. And also I think it’s important to talk about confidence levels. We are highly confident, we are somewhat confident, so that you can also communicate things that you’re not completely sure of and again have folks not jump to a conclusion because you’re making clear what you do and don’t know precisely.

[David Spark] Now let me ask you just very quickly, does any of this news about the Wells Notice and Tim Brown at SolarWinds, the fact that he could be on the hot seat for this, and actually have to pay a serious fine, does any of that kind of scare you as a CISO?

[Mike Johnson] No. I think the reality is this is one particular situation, and we’ve had a few cases of one particular situation. There’s so much involved here that we just don’t know. And who knows where this is going to go? But the flip side is if we as CISOs want to be executives of companies, if we want to be making decisions that impact the shareholders of the company, we have to recognize that responsibility comes with that and potentially being held accountable for those decisions is part of that.

So, if you really want to absolutely avoid this exact thing, don’t become a CISO of a public company. But if you actually want to be the CISO of a public company, you’ve got to recognize that this is a risk that comes with it.

[David Spark] Well, get D&O insurance too while you’re at it.

[Mike Johnson] Yes, but what I’ll say is I know a lot of people say, “Hey, just get D&O insurance.” D&O doesn’t cover things like criminal acts. There’s a lot that D&O does not cover and you can’t just assume that, “Oh, I’ll get D&O and I’m fine.”

[David Spark] Good point. Thank you for making that clarification. All right. TC, [Inaudible 00:28:26] experience this and does this sort of rankle you a little bit? As a brand-new CISO because you’re a brand-new CISO with Nextdoor, right?

[TC Niedzialkowski] Yeah, yeah. What I would say is wisdom is to learn from other people’s experiences and so there’s a clear demand to hold CISOs accountable. We don’t know the details yet on this case, the allegations aren’t public, and so I agree with Mike there. And there’s definitely lessons learned like in the Joe Sullivan case with Uber.

So, best practices like having a documented incident response, data breach policy, having a procedure that you follow, having it be counsel that decides if something’s a data breach or not, and what the required legal obligation as far as communication is. And so I think that’s the lessons learned. I guess the part that would concern me about this is that having gone through the interview process a couple years back, there was a certain cloud security company where their head of security reported to an infrastructure manager that reported to a director that reported to a VP that reported to the CTO.

[David Spark] That’s pretty far down the chain of command.

[TC Niedzialkowski] Yeah. And it’s even larger companies within the kind of technology/security space, you might be two or three or four steps removed from the CEO and not have the opportunity to present to the board. So, the question is if you’re in that role, are you really going to have the opportunity to get the guidance that you need from legal?

Are you going to feel empowered if you’re put into a situation where you felt like you’re being asked to do something illegal or something that’s not in line with your ethics? And so I think where I see more of a challenge is where really the security leadership isn’t empowered within the organization and they’re not getting the support and alignment that they need from the organization with the responsibility, the accountability that someone outside the organization would want to bring.

[David Spark] Let me ask both of you – what are the questions to ask in an interview as a CISO? Like, “Hey, I’m not planning on doing anything illegal, but we have seen this kind of stuff happening and I’m fearful that…” Maybe not say the word “fearful” but how do you kind of couch this like, “Are we all on the same page?” before you take a job.

Mike?

[Mike Johnson] A lot of that just comes back to understanding the culture of the company.

[David Spark] Mm-hmm.

[Mike Johnson] Is it a culture of driving buses over people? Is it a culture of support? And you should try and understand that regardless so that you know what you might be getting yourself into.

[David Spark] Did you ask, I mean, when you interviewed, have you asked any sort of like, “Well, how do you deal with hot legal issues?”

[Mike Johnson] It’s really more… It’s even less direct than that. Usually if you ask in an interview of how do you deal with hot legal issues, they’re going to give you a very direct answer, and that’s not what you’re after. You’re really trying to understand is this a place where leadership is supportive of each other?

Is this a place where mistakes are recognized that they happen and that we’re going to try and help each other to work through them? And if that is what the culture’s going to be like, then a situation where fingers start getting pointed is less likely to happen. Nonzero, but less likely.

[David Spark] TC, I’ll let you have the last word on this. Any experience when you jumped in?

[TC Niedzialkowski] Yeah, I guess to what Mike said in terms of are they going to give you a direct answer, can you believe that direct answer, what’s the culture of the organization, I think it takes a while actually working there to really learn the culture of the organization. I think that’s why you’re always taking a risk when you step into a new role and join a new team, and that’s why you really want to have confidence in the leadership.

And so I think that’s, yeah, I mean, that’s the part of this that’s scary to me would be the internal dynamics versus what the external parties want, and then your decision taking on that responsibility. And really, your own brand, your own ethics, your own liability, that’s something you carry with you no matter where you work.

Here’s some surprising research.

32:30.470

[David Spark] A major tip of the hat to Richard Stiennon, he’s the author of the Security Yearbook 2023, he actually publishes one every year it seems. So, guess what? Next year, guess what it’s going to be called, Mike?

[Mike Johnson] Uh.

[David Spark] Okay, too long.

[Mike Johnson] Okay.

[David Spark] It’s going to be 2024.

[Mike Johnson] Thank you, thank you. It was right on the tip of my tongue.

[David Spark] I know. He’s been spending countless hours categorizing security vendors, and he currently has a list of 3,400. He’s still counting. He suspects he’s going to hit about 4,000 by the end of this year. Now what I found fascinating is how many competitors are in each space. Now the biggest being GRC, 507 vendors, and within that, risk management is the [Inaudible 00:33:20], now second to that is compliance management.

I was surprised to only see 80 vendors in email security and only 30 in training.

So, if you look through the thread, he reveals more subcategories of all these numbers. So, two questions. I’ll start with you, TC, on this. What jumped out at you with these vendor numbers and do you feel paralysis of choice? I mean, if you’re trying to choose a vendor who’s in a category of 50+ vendors, do you feel you’re missing possible opportunities?

I mean, there’s no way to look at 50 different vendors or more, hundreds for that matter. So, are you good at discovering any five, analyze them, possibly doing a PC, and then you just choose? Because I’ll just tell you – the vendors that come to us with sponsorship, the most common line that I hear, and it’s not from one of these big companies, is, “We have this awesome product, nobody knows we exist,” and that is the fear of looking at this list.

What say you, TC?

[TC Niedzialkowski] Yeah, this is an explore versus exploit tradeoff. Right? So, should you spend more time potentially discovering a new vendor that does that much better at solving the problem that you have? Or should you look at the information that you already have and make the best choice given the information that you have?

And I guess the challenge, I definitely feel this, it’s very painful, and the thing is that I don’t get paid to look at vendors, I get paid to reduce risk, [Laughter] right? So, I have to at some point make that decision.

[David Spark] By the way, some vendors would argue, “You have to look at us to be able to reduce risk,” but go on, TC.

[TC Niedzialkowski] Yeah. I think if you can be very specific and intentional with what your requirements are. So, for me, I have a large public cloud infrastructure, it’s highly ephemeral, it’s Kubernetes, everything’s infrastructure as code. I’ve already reduced the number of vendors in the space that are going to be able to be a fit for my organization.

And then what I want to do is I want to talk with my peers. I want to talk with similar companies with a similar tech footprint, I want to talk with experts in the space, I want to find out what’s working for other people. You can also make like a risk-based decision. Is it a scenario where I can partner with someone where I’m more of a design partner and I’m going to help them build it out so that it’s really enterprise ready for me?

Or is this something where given the resources and the team, I need it to be ready yesterday because I don’t have enough resources to really make it fit my use case, it needs to hit my top use cases right away.

[David Spark] Yeah, sometimes you don’t have the time to look at all these companies. Like you said, you don’t have time, like I got to solve a problem now.

[TC Niedzialkowski] Yeah, yeah. Or even when it comes to selecting a vendor, maybe they’re close but it’s not perfect, and you don’t have the resources to make it perfect for your environment. So, I think I really feel for we need these startups, we need these new vendors, we need competitors in the space, but it’s a very crowded market.

And I think that’s why word of mouth, what’s actually working for my peers, what’s working for people in a situation like me, that’s the first place I go rather than a booth at RSA.

[David Spark] And we hear that all the time but I’m going to throw the other argument that Allan Alford, who used to be a co-host of our other show, Defense in Depth, he said if you do that, the model you’re saying, [Inaudible 00:36:22], you get this echo chamber. They’re all bouncing the same vendors around.

You need someone to go outside to learn about other ones, not necessarily pay for them and get them, but to learn about them to bring other ideas in. Let me throw this to you, Mike. First of all, let’s just ask you what you thought of the list in general. I mean, I found it fascinating. It’s just numbers and categories but I found it completely fascinating.

[Mike Johnson] So, first I want to argue with Allan, and I’d love to have that conversation of…

[David Spark] Oh, he’s written about this a lot and I’ve written about him [Inaudible 00:36:52] about this a lot.

[Mike Johnson] But if you’re in that echo chamber already, you’re already getting an echo chamber due to the vendors, you should actually… You’ve got other reasons to expand who it is that you’re talking with. That’s actually one of the awesome things about doing this show is really getting to talk to CISOs from all walks of life, and frankly…

[David Spark] And we talk to vendors too.

[Mike Johnson] Right, right. So, listeners – recognize that where the variety of voices that are on the show really does give a different perspective and different set of security programs. So, I’ll table that further argument with Allan in the future. But the list was kind of fascinating. I was really surprised 507 vendors of GRC.

Like, wow.

[David Spark] That was a wow to me too as well.

[Mike Johnson] But the real wow to me was just risk management, that there’s more risk management vendors than email security vendors.

[David Spark] That, yeah, well, I was actually shocked because I keep seeing email security vendors, and I thought there were a lot more than that.

[Mike Johnson] Yeah, I mean, I’m… Frankly I think the 80 for email security vendors, that feels about right. I think that’s probably accurate.

[David Spark] Well, that seems accurate but if there’s 507 GRC vendors, I would assume there’d be more email security vendors. I was only putting relationship to that.

[Mike Johnson] Yeah, the proportion is very off.

[David Spark] Right.

[Mike Johnson] And it makes me wonder if it’s a case of GRC tools have a broader usage.

[David Spark] Right. And if you saw the subcategory list, there’s a lot of subcategories of GRC, a lot.

[Mike Johnson] Yeah.

[David Spark] TC, what were you about to say?

[TC Niedzialkowski] Yeah. So, I think this is a case of the guy that loses his keys in the parking lot at night, and he’s only searching around the lamppost, and clearly the keys aren’t under the lamppost, “Why aren’t you looking elsewhere in the parking lot?” “Well, because I can only see under the lamppost.” So, I think when it comes to metrics, things you can measure, things you can put on a dashboard, things you think you can sell, I think that’s what’s attractive about GRC.

Let me go take all these other things that you have from these other tools and put it in a dashboard and repackage it and sell it to you. Versus things that are maybe harder to measure, like what is actual effective email security that increases business velocity. So, I think that’s my suspicion as far as the skew in just the sheer number of vendors.

[David Spark] Right. I’m sorry, Mike, I cut you off but I threw it to TC. What were you about to say, Mike?

[Mike Johnson] Really, the proportion numbers are interesting. The overall number, it feels very overwhelming that there’s just so many security vendors in the space, and it feels like there’s a new one every day, right?

[David Spark] Yeah, and he’s still counting.

[Mike Johnson] And the reality is he’ll never finish because a new one just started, and there will be another one next week.

[David Spark] Worse is the number of AI companies that are coming out. I subscribe to a bunch of newsletter threads and they list three to five new AI companies in every daily email. It’s unbelievable.

[Mike Johnson] Yes. And I don’t know where all this funding comes from. All of the VC money, all of the statistics about the VC money that’s out there has shown that there’s a lot less. I don’t know where these people are getting the funding to start all of these companies, and I really would have thought that the rate of new security vendors would have actually slowed, but it doesn’t feel like it.

I think there’s an opportunity for collapsing the number of vendors. Like we do see acquisitions on a pretty regular basis. There are traditional players in the space who are acquiring a security startup once a month and bringing them under their umbrella. I think we’ll continue to see that and especially right now with valuations decreased.

I think there’s a lot of opportunities for acquisition right now. We’ll see. The number will probably flatline because some of them are being taken off the market at the same rate of new ones coming up.

[David Spark] Good point.

Closing

41:04.613

[David Spark] That brings us to the very end of the show. I want to thank our guest, TC Niedzialkowski. We worked a lot on pronouncing that name. It’s up to you, the audience, to figure out how that’s spelled. I’ll let you take it from there. TC, by the way, as I pointed out before we went on air, does not have any vowels in his first name because they used up their budget in the last name.

He has quite an extensive number of vowels in the last name. TC, I’m going to let you have the very last word here, but I do want to mention our sponsor again, Reqfast. Remember – reqfast.com – Reqfast, get the most out of your intelligence team and tools by mapping stakeholder requirements, workflows, and feedback.

Reqfast.com, please check them out. We love it when you support our sponsors. Just take a look at them, knowing they exist. Mike, any last words?

[Mike Johnson] TC, thank you for joining us. We’ve known each other for a few years now. I’ve had the opportunity to pick your brain on multiple occasions and so I really appreciate you coming on, sharing your insights with our audience. A couple things I really wanted to highlight. It was like your opener, talking about the mentality of security, and I really liked what you said about needing to find problems so that we can fix them.

I think that’s a great perspective, then I think people should take that away of it’s not just finding the problems, it’s finding the problems so that we can fix them, and those are so tightly related and I hope people will keep that in mind. So, thank you for that specific insight, but overall thank you for sharing your thoughts, your perspectives, your experience with our audience.

I appreciate it.

[David Spark] All right. I am going to throw this to you, TC. I’m going to mention something to our audience that you told me when I first met you that I thought was interesting. When you became a new CISO, you took advantage of the Donut service on Slack to have meetups with CISOs on Slack channels you’re at, and you just peppered – you had a meeting each, like, I don’t know how often, once a week or whatever – and you just peppered each CISO with questions because you wanted to learn how to be a better CISO, and I said, “This is a great model to do it.” Add to that story, which I found fascinating.

[TC Niedzialkowski] Yeah. I mean, I guess that’s what I love about this community, right? So, when we’re encountering a problem, we’re probably not the first person to encounter that problem. And that’s something, David, that I love about your show. Thank you for this opportunity, having that diversity of voices and perspectives, being able to share our experiences with others so that they can solve that problem cheaper, faster, better based on our experiences.

And I think that’s just something that really stitches the whole security community together and I just find that really fulfilling.

[David Spark] Awesome. [Inaudible 00:43:42] by the way, are you hiring at Nextdoor? We always ask this question.

[TC Niedzialkowski] So, we’re not hiring for the security team but we are definitely hiring on the product side, on the software engineering side, on the sales account executive side. So, we have a ton of openings but our security team’s doing pretty great, so we’re good where we’re at.

[David Spark] Then kudos to you for filling all those roles up. All right. Well, thank you very much, TC. Thank you very much, Mike. And thank you to our sponsor, Reqfast, as well, we appreciate that as well. And thank you to our audience in general, we love your contributions, keep them coming in, “What’s Worse?” scenarios, we love them, and also we appreciate you listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.