“Bad” Security Practices That Really Aren’t All that Bad

“Bad” Security Practices That Really Aren’t All that Bad

If they can find flaws, security professionals are quick to label it as bad security behavior. But often, what is marked as “bad” may have problems, but when looked at from a reducing risk perspective it’s actually a very good security behavior.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Carla Sweeney, vp information security, Red Ventures.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Protegrity

Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business.

Full transcript

[Voiceover] What I love about cyber security, go!

[Carla Sweeney] There is never, ever a dull moment. Even when you might love a dull moment, there is never a dull moment.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. Joining me as my cohost for this very episode is the one and only Mike Johnson. Many of you know Mike Johnson because when he flaps his lips, it sounds like this.

[Mike Johnson] Flaps his lips…


[Mike Johnson] I appreciate the compliment, David.

[David Spark] It wasn’t meant to be a compliment.

[Mike Johnson] Yeah. No, I got that, but I’m taking it as one anyway.

[David Spark] Do what you can with that. We’re available at CISOseries.com. If you don’t know, if you’ve only listened to this show, we have four other shows on our network. Just go to our site, and you’ll see. We drop ten episodes every week. It’s very exciting what we do. I want to mention our sponsor for today’s episode is Protegrity. Data fuels your business. Protegrity protects your data. More about data protection and Protegrity later in the show. But first, Mike, I want to… I read the tagline for Protegrity, and often cyber security practitioners like to poo-poo on how cyber security companies sort of have a sort of a tagline for their business. And often it’s extremely difficult to sum up what you do in a tagline. I don’t see cyber security practitioners offering up any better advice. So, my opinion is if you’re going to slam a vendor for their crappy tagline if you don’t like it, you better deliver a better one. What do you think?

[Mike Johnson] What it really comes from is so many people in our industry are very literal. That’s just the go to. That’s the world that we live in. And marketing is not literal. I think what you would find is if you challenged a lot of folks in the industry who are poo pooing the marketing terms, they actually can’t do a better job.

[David Spark] No, they can’t.

[Mike Johnson] Because that’s not their job. That’s not what they do. That’s not their expertise.

[David Spark] But I will say this…

[Mike Johnson] And that’s fine.

[David Spark] …I was at RSA, and I took a bunch of photos of the taglines on booths and things like that. I would say a good half of them were literal. Because I was taking the photos in an effort to play the game like, “What the heck do they do?” And a good half of them pretty much said what they did. So, I think the industry is realizing we just got to say what we do.

[Mike Johnson] The question that I would have is about the size and diversity of those companies. Diversity of product.

[David Spark] Right.

[Mike Johnson] If you’re a single product company it’s very easy to do it. If you’re a multi-product company, that’s not so easy.

[David Spark] Not so easy. I would go so far as to say impossible.

[Mike Johnson] I would not put anything past our marketing experts. Some people are really good at what they do. So, maybe you can pull it off.

[David Spark] I would like to know if any company that has more than one product has done a good job literally explaining what they do. Because I think that’s tough to impossible.

[Mike Johnson] Give us your feedback at CISOseries.com.

[David Spark] There you go. You can also info@CISOseries.com. That’s our email address, too.

[Mike Johnson] There you go.

[David Spark] Let’s bring on our guest. Very excited. I was in a dialogue with some other CISOs, and this security practitioner spoke up. I was very impressed with what she was saying. I was like, “We have to get her on our show.” So, I asked her, “Would you come on our show sometime?” And lo and behold she was not scared of me. She said yes, so I’m excited about that. It is the VP of information security over at Red Ventures, Carla Sweeney. Carla, thank you so much for joining us.

[Carla Sweeney] Thank you for having me.

Confessions of a CISO


[David Spark] Is a CISO really an architect of choices for themselves and the other business leaders? This was the argument Malcolm Harkins, chief security and trust officer of Epiphany Systems, posited in an opinion piece on US Cyber Security Magazine. He said that CISOs face the external battlefield of threats and the internal battlefield of budgets, bureaucracy, and internal organization behavior. This commentary goes into great detail about knowing the questions to ask, for example, why do we even exist as a company and a security organization, to how controls can impose friction or drag on business velocity. I just want to give a quick tip of the hat to Bob Henderson of Intelligence Services Group for bringing this to my attention. So, Mike, do you agree with Malcolm’s assertion? And if so, how do you go about architecting choices as a CISO for yourself and for other business leaders?

[Mike Johnson] I agree at a high level the points that he’s trying to get across. I don’t like the description or the assertion of an internal battlefield. I think that anything that we’re doing that even subconsciously sets up an adversarial relationship with the business, we don’t want to do that. So, that’s not a way that I think about it.

[David Spark] Okay, if you don’t use the term battlefield, you still have to mine those… You have to deal with those issues because those are all real issues.

[Mike Johnson] It’s navigating the internal business. We’ll talk about it that way. But I do think the article is good. I really recommend that everyone read this because…

[David Spark] We’ll have a link to it.

[Mike Johnson] …Malcolm makes some really good points. I have a ton of respect for Malcolm, by the way. I’ve known him for quite a while. That said, I do think very much about why our team exists. I wrote a slide just this week on that topic, and it’s very important to sit back and not just assume, “Well, it’s obvious why we’re here.” If you are only assuming that everyone else knows why you’re here then you’re going to be wrong. You need to really have that perspective from the rest of the company why the security team exists.

[David Spark] Are you an architect of choices for yourself and others?

[Mike Johnson] I believe so. I try to. And the way that I think about that is where is it that we want to go years down the road. Not what do we want to be tomorrow, what do we want to be a month from now. Where is it that we’re going? What does the business need from us in an ideal state? And then you’re laying out the little building blocks to get there. I believe Malcolm referenced a book called “Nudge.” You’re nudging folks in the direction. Be it your own team members or other business leaders. You continue to plant these seeds, and they eventually bear fruit. Then one day everyone realizes you’re where you wanted to be, but you have to know where you want to go.

[David Spark] Good point. Carla, are you an architect of choices, and how do you go about doing that?

[Carla Sweeney] I totally agree with Mike, by the way, on the internal battlefield. It’s like yes, these are things we have to deal with, but we’re in the same boat with the business dealing with them together in that boat internally. I think yes, we are architects of choices, and I love the way that Malcolm put that. And the way that we can help nudge along that path I think is with data. I really like the point that he made at the end of the article about our responsibility to improve our own data, and analysis, and context so that the business can understand the risks in the context of those shared goals. And that risk acceptance is not a control, it’s a business process. I love that. Because I think it’s easy to say, “Well, either you implement the control, or you accept the risk.” And we write off risk acceptance, wash our hands of it. At the end of the day, it’s the CISO everyone is going to look at and say, “What happened? How did this happen?” So, I really, really strongly believe in using good data and facts to tell that story.

Why are we still struggling with cyber security hiring?


[David Spark] “If it’s in your resume, it’s fair game,” said one redditor after having a frustrating experience with an interviewee, simply unable to answer any question that referenced something directly on the candidate’s resume. The interviewer asked questions like, “Tell me about your last capture the flag or offer some suggestions on how you would remediate after viewing a scan report.” And many of the answers fell to the ilk of, “I haven’t done that in a while.” Now on the flipside, one redditor said, “I get nervous putting things on the resume because I never know how much experience justifies putting it there.” Another said, “I’m hesitant to put anything on my resume unless I feel I have expert knowledge on it.” Is a resume just a tool for asking further questions? What’s too confident and not confident enough to put on the resume? I’m going to start with you, Carla. What are the types of questions you ask when you’re referencing a resume, and what are some examples of really impressive responses? And do you know what’s too much and not enough to put on the resume?

[Carla Sweeney] I read that post, and I think in general it’s a better use of time for both parties to tailor questions in the interview to what you want that person in the role to do on your team rather than auditing their past necessarily. So, if there’s something on the resume that’s super relevant or specific to what we are trying to do on our team and I want to learn more, I might ask them to tell me more about their experience with that technology or that thing and how they used it to make an impact. What is most impressive to me is when they can describe specifically the benefit of that knowledge or experience and how it helped the business to reduce risk, or save money, or influence specific action in that scenario rather than just saying, “I’m deeply knowledgeable with whatever the thing is.” In terms of sussing out their technical capabilities, I think a technical whiteboard scenario or session would help suss out some of that, which is…and can be very important depending on the role. But I wouldn’t necessarily get all of that straight from what someone has listed on their resume. I guess if the risk of, “Oh, this person is putting too much, or they’re not telling the truth. They’re not really straightforward…” Inflated ego and exaggeration generally comes out in our interview process, and you can tell pretty quickly if someone is faking their knowledge in basic conversation.

[David Spark] Excellent point. And by the way, great advice that a mentor gave me a long time ago… Man, this was the defining moment in sort of building the career is you sell stories. If you can sell a story of how you accomplished something, that is critical. And in fact he told me when he was starting his business and I was starting mine I was concerned about not getting the money that I asked for, and he said, “Oh, geez, don’t worry about the money at the beginning. Just get the stories.” He couldn’t have been more right. Just get the stories. Mike?

[Mike Johnson] I totally agree with the stories. It very much is I want to know your experience. I’m not looking for a bolded list. Tell me… Again, very much agreeing with Carla here. Tell me how you did that thing, what was the impact of it, what was the business value, business benefit of that particular set of knowledge. I also very much am looking at what are you going to do in the role, not necessarily what’s on your resume. The fact of the matter is when we’re at interview stage I’m already done with your resume. I’ve read it. You’ve reached a point that your resume was enough for me to have a conversation because I want to ask you questions about how you’re going to perform in the role. I’m not going to be asking you questions about, “Hey, what are the in map flags to scan all of the ports?” That’s not the kind of question that’s going to come up…

[Crosstalk 00:12:17]

[David Spark] That’s the question we ask to be a guest on this show actually.

[Crosstalk 00:12:23]

[Mike Johnson] And did an amazing job. Amazing job.

[David Spark] I have no even idea what that is.


[David Spark] Go on, Mike.

[Mike Johnson] But very much the questions that we’re going to ask in interviews are experiential in nature. It’s, “Tell me about a time.” It is, “How have you…” Related to the responsibilities of the role. And knocking it out of the park is when you tell a compelling story. When you’re able to walk me through what you did, what was your experience, and I’m going to look at it, and I’m going to listen. And if you’ve got specifics, all the more so.

[David Spark] And I would throw this out – people like how you overcome adversity. Yes? Like if you said, “This problem happened. This is how I deal with it.” I’m sure that scores huge points for you, yes?

[Mike Johnson] Yes. And quite often that’s an exact question is, “Tell me about a time where you had a particular type of friction, and how did you navigate through that?” That’s a very common question.

[David Spark] You’ve got to go into any interview in security with that story locked and loaded. You got to have it, right?

[Mike Johnson] Yes. You should show up to these interviews with many stories.

[David Spark] Yes, but that one in particular because that one is coming up.

[Carla Sweeney] It would be unnatural if there was no friction in your job in security.

[David Spark] If you had no friction, either you’re blessed, or you’re clueless. Right? [Laughs]

[Mike Johnson] I thought you were going to say you’re either blessed or cursed, which I absolutely was going to agree with.

[David Spark] No, but clueless because you…

[Mike Johnson] Which I would say would be a curse.

[David Spark] It’s like you’re Mr. Magoo of security. You’re just walking around, and everything is crashing around you. You have no idea what’s going on.

[Mike Johnson] [Laughs] Oh, to live in that world.


[David Spark] I’d love to.

Sponsor – Protegrity


[Nathan Vega]The landscape has really changed. 2020, 10% of the world’s population was under a privacy control. Our partner tells us next year it’ll be 65%. And the year after that, 2024, we’ll have 75% of the world’s population under some sort of privacy law.

[Steve Prentice] This is Nathan Vega, vice president of product marketing and strategy at Protegrity.

[Nathan Vega]When we’ve reached that inflexion point, being able to do data security and data privacy is about competitive advantage. Companies will literally not be able to compete in the markets they want to if they can’t keep customers’ data private. And so we’re seeing a lot of our customers wanting to use our technology to help ensure that they’ve got a path to innovation, a path to accelerate projects to market, and a path to accelerating analytics users in their business. And those three things combined are key tenets for not only driving new innovation but also creating sustained competitiveness for our companies.

[Steve Prentice] Protegrity has developed a specialized service directly aimed at data security privacy, offering two key services.

[Nathan Vega]We have one or more technologies that we deliver for data security at a fine grain level, element level. Then we weave that find grain technology together with a methodology called data deidentification to deliver privacy. So, we’re unique in the space that we can provide data security and data privacy for our customers.

[Steve Prentice] For more information, visit protegrity.com.

It’s time to play, “What’s worse?”


[David Spark] Carla, are you familiar with this game?

[Carla Sweeney] I’ve heard it on a couple of your segments, so yes.

[David Spark] All right, so here’s how it works. It is a risk management exercise. Both options stink. And I always ask Mike to answer first, and I love it when the guests disagree with Mike. Mike, I’m going to tell your right now, you’re going to have a hard time putting yourself in the shoes of this one because you’re going to know right away as I read it. Ready?

[Mike Johnson] [Laughs] Okay.

[David Spark] Einat Segal with Clarion Housing Group said this scenario. You’re a female CISO. Already you’re having problems with this, Mike, but I’m making Mike answer first. You’re a female CISO, and you have a problem that only two vendors can solve. One vendor is well known, highly recommended across the industry, but during all engagements with them they keep addressing your male direct reports as the point of authority in the room. Ugh, we’ve dealt with this one before. Whenever they speak to you, it was in a condescending way. Ugh. The other vendor is brand new, has very few clients. And although engagements with them are outstanding, working with them would be taking a risk on an unknown service. Now, which one is worse? Mike, I know you don’t like the unknown, but this has another wrinkle to it. So, which one is worse?

[Mike Johnson] While I cannot put myself into the shoes of the CISO, I have been the other person in the room. I have been on the other side of that. And to me this is actually easy. When I think about these two, what is the company that I want to give my business to, that I want to build a relationship with. And one of these I feel that I can have a relationship with, and the other one is a bunch of jerks that I don’t want to do business with.

[David Spark] Well, you don’t necessarily know they’re all jerks.

[Mike Johnson] Well, the people that they’re putting in front of me that are representing their company that they are rewarding, that they are supporting, that has been at the company for some period of time, that gives me an insight into their culture. And that’s very important to me. And so for me the first scenario, that’s the worst of these two.

[David Spark] Carla, now, you are a female security leader. Do you agree or disagree with Mike?

[Carla Sweeney] I’m going to have to agree with Mike here. Assuming of course… I can’t go into these without all kinds of assumptions. Assuming we would have done a bake off and assuming…

[Crosstalk 00:18:30]

[David Spark] …take it as is. You can’t change anything. That’s how the game works.

[Carla Sweeney] Assuming that there were no deal breakers in the POC and we could figure out a way to make the tool work, it’s a much easier decision. It’s a relationship. If we’re starting a relationship with someone who won’t even look at me in the room, and I want it to be a successful relationship, it’s going to be very hard to build on that initial sales process when I’m not even being acknowledged.

[David Spark] Good point. I had a similar experience recently. I was vetting a vendor for something, and there was no question this guy was smart. There was no question he knew his stuff. But I was really concerned about some issues of what he was actually going to do for me. I repeatedly asked him, “Why am I paying you this for that? I don’t understand it. Can you explain to me what you actually do?” What he gave me was a lot of metaphors. He didn’t actually give me an explanation of what he does. And I realized the guy is unbelievably smart, but I can’t communicate with him at all. Because he won’t answer direct questions. I’m like, “This is a precursor to our business relationship. It’s going to be a disaster.”

[Carla Sweeney] I think that communication is so critical. If you’ve ever had a brilliant jerk on your team then you know…

[Crosstalk 00:19:44]

[David Spark] You’re speaking Mike’s language here.

[Carla Sweeney] Super smart. But if you can’t communicate with your peers, with your stakeholders, we’re never going to get the job done, and you may as well not be that smart.

Ok, what’s the risk?


[David Spark] “What are some things that get a bad rap but are actually quite secure?” asked a redditor on the cyber security subreddit. I love this question. This was a great question. Some of the answers included passwords that are sentences, PGP, Pretty Good Privacy which is encryption, writing passwords down. Which remember, Mike, you’ve said this on the show. Not that bad. Modern Windows onboard security capabilities, specifically Windows Defender. This I’ve heard multiple times as well. Biometric authentication and Zoom. So, Mike, I’ll start with you. Do you agree with this list, and what would you add?

[Mike Johnson] The list was weird to me. The whole premise. But PGP is a good example of something that gets a bad rap because user experience is horrible. It requires an expert level knowledge of how to use the tool.

[David Spark] And by the way, it’s never changed. It’s always been like that.

[Mike Johnson] No, it’s always been that way.

[David Spark] It was hard when it came out of the box, and nobody thought…

[Crosstalk 00:20:57]

[Mike Johnson] It’s not gotten any better, but it’s really secure. It really is a powerful tool. But it’s just impossible to use. The other thing I’d say that does get a bad rap, you’d mentioned this, the writing down your passwords. One of the redditors summed it up well – is not everyone’s threat model includes someone breaking into their house to steal their passwords. That’s something that we have kind of forgotten. It used to be the joke that the penetration tester found the sticky note by looking under the keyboard at the person’s desk when they had walked away to the bathroom. If there’s a penetration tester in my house, I’ve got a bigger problem.

[David Spark] Right, it’s what is your vector. If you’re in a busy office, yes, that’s a bad idea. If you’re at home, not so big a deal.

[Mike Johnson] Yes. Yes.

[David Spark] Before I go to Carla, what would you add to the list?

[Mike Johnson] The one that I would add to the list is something that I’ve mentioned on the show several times – is the SMS as a second factor. I think it gets a bad rap.

[David Spark] Yeah, it still gets a bad rap.

[Mike Johnson] It’s better than the single factor, and that’s what everyone keeps forgetting is it is an improvement over just a password.

[David Spark] But it’s a pretty leap in improvement. Yes, it can be broken. It takes some major hurdles to do it.

[Mike Johnson] It’s not perfect.

[David Spark] It’s not perfect, but it’s a huge leap. All right, good point. Carla, what do you agree with on this list, and what would you add?

[Carla Sweeney] Everything in my soul hurts to acknowledge that writing down passwords is okay.


[Carla Sweeney] I just feel like it goes against everything you’ve ever been taught.

[David Spark] But I think about my mom.

[Carla Sweeney] Yes.

[David Spark] The vector my mom… She writes down every one of her passwords.

[Carla Sweeney] Yeah, the redditors aren’t wrong. It’s not that big of a risk if you’re in your house or if you’re… Right, for my parents I would totally say write them down, keep it in a notebook, whatever. That’s fine.

[David Spark] By the way, my mom’s password page looks like the chalkboard from Goodwill Hunting. It looks insane.


[Carla Sweeney] Well, that’s good. Then she’s using different passwords for everything. That’s what we want.

[David Spark] Oh, I don’t know about that.


[Carla Sweeney] I love passwords that are sentences with misspellings or other substitutions. Length of complexity any day, and much easier to remember. So, I love that. I think someone said all the Windows stuff. It’s just like almost to what Mike was saying – something is better than nothing sometimes. I think we love to debate the shortcomings of some solutions without necessarily providing a reasonable solution or understanding some of the other factors. If something is expensive or not feasible to implement, and something is better than nothing a lot of the time.

[David Spark] Good, something is better than nothing. Okay. What would you add to this list?

[Carla Sweeney] This will get a bad rap for user experience, but a lot of password managers. Because I can’t recommend writing passwords down. Password managers, even if it’s a little clunky…

[David Spark] We fully support password managers, and I think quite the opposite. I think password managers deliver better user experience because you can log on quicker.

[Carla Sweeney] Yes, I agree. I hear a lot of complaints about password managers. So, not that necessarily it’s like outdated or not secure, but sometimes the user experience is not so great. But I think it’s far and away better than using the same password over, and over, and over, and even better than writing them down.

They’re young, eager, and want in on cyber security.


[David Spark] We have three problems with growing the cyber security community. One, minorities often don’t know cyber is a career option. Jerich Beason, now commercial CISO at Capital One, said on or show, “The only way an African American would even know that cyber was an option professionally was if they were in the military or they had a friend or family member who did it.” Two, very few companies hire true entry level talent. Mike, I’m sorry I’m pointing this out, you mentioned your business model just kind of simply can’t allow it to happen. That’s totally understandable. Three, if companies are going to hire green people they have to train them. Julian Waits of Rapid7 said that at Rapid7 new employees go through weeks of training before they do any real work. What can be done to improve any of these variables? Carla, you mentioned at Red Ventures you have a nonprofit, Road to Hire, which trains underprivileged young people who are not college bound in engineering and security. How are you addressing the issue of awareness, usefulness, and training?

[Carla Sweeney] We have in security such a shortage of highly experienced and skilled practitioners, and so we increasingly have to get very creative when we think about hiring. And I think this is true for so many roles, but the most important thing for someone to have, particularly for those mid and junior level roles, is curiosity and aptitude for learning, and just that passion to keep going because Lord knows they’re going to need it. Even if someone has skills on their resume that they did not embellish and are totally 100% factual they’re going to have to evolve and grow no matter what. So, it is harder to interview for, but luckily it means that our pool of candidates for many positions can get bigger. It is absolutely an investment to train someone to contribute meaningfully on the security team, and teams have to be structured to be able to support that training. And so I totally can relate to leaders that say, “My team isn’t structured for it. I don’t have capacity.” Because often those senior level resources are 120% engaged in solving all the security problems. But like at any level, entry level, mid, senior, principle, I think identifying specific starter tasks and training the individual on those can be beneficial. So, I’ve even seen software engineers or platform engineers transition into security focused roles which has been super beneficial because A, they already know the org and how to navigate which takes forever for anyone to learn. And they have some experience. They can bring a fresh perspective to the team. Like could they respond to a specific alert, can they automate part of a workflow, can they put together metrics. So, no matter the level there are tasks that can be given to someone new to capitalize on their abilities and over time train them. I think half the battle is just getting them reps with that team. So, for those very green people, new hires, no experience, I love Road to Hire. We actually have three Road to Hire graduates over the course of many years on our team now, and they’re doing great. But as you mentioned, it’s a nonprofit that focuses on providing career opportunities in tech for historically underrepresented groups. So, this is through paid apprenticeships, college scholarships sometimes, tech training in high schools or getting earlier in that pipeline to introduce the idea of technology and security, and that yes, you can do this. And then mentorship and job placement. To date Road to Hire has graduated over 200 students from coding and cyber apprenticeships. You talked about diversity. 43% of those graduates are female or nonbinary, and 84% of them are people of color.

[David Spark] Wow.

[Carla Sweeney] That’s just an incredible amount of diversity to add into this pipelines. I volunteer with this organization.

[David Spark] Now, how do people discover Road to Hire? Obviously we’ll provide a link to it, but how are people discovering it?

[Carla Sweeney] A couple of ways. It’s expanding, but so far it’s very much local to the Charlotte area. We work with Charlotte based high schools and then have feeder programs with a couple of partner organizations that…

[David Spark] So, is it possible to participate if you’re not in Charlotte?

[Carla Sweeney] Yes, you can. There’s lots of volunteer opportunities that… Some of it is a mentor over a period of time. Some of it is just a one-day resume review, or maybe you’re a judge for a capstone presentation or something like that. And so many of this is available virtually now, so check out the volunteer opportunities on the website.

[David Spark] All right, Mike, how do we address these three issues of awareness, usefulness, and training?

[Mike Johnson] One of the things that Carla said was that you have to have the teams structured to be able to support the entry level hires. I think that’s really key. That’s actually something that we’ve been doing a lot of soul searching recently ourselves, was, “Well, maybe we’ve actually reached a point where we do have the right structure that we can start to bring on more entry level folks.” And the other lightbulb that went off…again, Carla mentioned it…was there are other people in the organization that may not know security, but boy, do they know the organization. And if you’re going to take three months to train them up on the organization if they’re coming from the outside and they already know security, why not flip that around? Take that three months, train them on security when they already know the organization. And what you have on month three is someone that would have taken you a year or two if you have someone from the outside.

[David Spark] That is a really good point is that you got to train them on the company. Everyone needs to be trained on the company. Whether they’re savvy or not.

[Mike Johnson] And the more complex the company the more difficult that is. That’s always been one of our challenges and frankly my own blind spot was, “This is a complicated company. We need to hire very senior people because they’re going to grasp the concepts more easily.”

[David Spark] Now I get more why this has been a hurdle for you.

[Mike Johnson] But now flipping it around and going, “Hey, this person already understands the company.”

[David Spark] So, it’s mostly hiring from within.

[Mike Johnson] Yes.

[David Spark] And are there people within the company raising their hand like saying, “I’d like to jump over to cyber.”

[Mike Johnson] There are. We are having those conversations. I can’t give details because I don’t want to give anything away.

[David Spark] Okay, but the fact that it exists. That’s all I want to know.

[Mike Johnson] Yes, it exists. We are having active conversations with folks. We are actively priming the pump and having conversations with managers and trying to have more formal programs where people see that as a career path within the company.

[David Spark] All right, Carla, I want you to close this out. Give me one quick story about someone who really excelled who literally started at ground zero.

[Carla Sweeney] Okay. There’s so many of them to choose from, but…

[David Spark] Pick any.

[Carla Sweeney] I’ll just give you a very quick one. So, there is one person on my team. They recently graduated from the cyber apprenticeship program from Road to Hire in November. They started on the team. It’s six, seven months later. This is their first job. Their very first job. So, this isn’t like they had a different career, and now this is what they’re doing. They are on our GRC team and are learning the ropes about third party risk management, and what to look for, and compliance assessments. And in fact they’re now just less than a year later running our entire phishing program. So, choosing the templates, doing all of the reporting, and education, and awareness around that in just such a short period of time. I think it’s important to give them meaningful work and really be able to contribute to the team. But it just amazes me that you give someone something, and they can just run with it with no prior experience.

[David Spark] That is awesome to hear.



[David Spark] And that brings us to the end of our show. Thank you very much, Carla Sweeney, who is the VP of information security over at Red Ventures. I’m going to let you have the very last word here, and you’ll also give us information on how people can find your program. But first I want to mention our sponsor, Protegrity. Thank you so much, Protegrity, for sponsoring us. You can find more about them at protegrity.com. You’ll find more about them as well. Or just go to our website. You can link to their sponsorship right in our post for this episode. By the way, all our guests…Carla, we always ask, are you hiring. So, make sure you’re answering that question, but my guess is that you are since you have a program called Road to Hire. But hold that thought. Mike, any last words?

[Mike Johnson] Carla, thank you for joining us. It was wonderful to sit down, to meet you, have the conversation. I liked how you opened the opening tip with there is never a dull moment in security even if you might want one. I think that’s so true. But I really appreciate you coming on and talking about Road to Hire and your experiences with that organization. We need more folks who are getting involved with those organizations, and we also need more folks who are advertising them and letting the rest of our audience, the rest of the world know that these things are out there. So, thank you for telling the story of that organization and impact with them. And I think there’s some really good tips that people can take away from the entire show but especially in that area to rethink how they’re hiring. So, thank you for joining us. I learned a lot, and I’m sure our audience will as well.

[David Spark] My favorite tip is something is better than nothing.


[Carla Sweeney] Keep that bar high.

[David Spark] All right, Carla, how do people find out about Road to Hire? Secondly, are you hiring? And any other plug you would like to make for Red Ventures or anything else?

[Carla Sweeney] Folks can go to roadtohire.org and check out more about the programs. There are links there for volunteer opportunities. Everyone can register as a volunteer for something big and small. Red Ventures is hiring for security engineers right now, so go check out careers.redventures.com and check out open security roles there. And thank you so much for having me. It is an honor to be here and be counted among your many esteemed guests.

[David Spark] We’ve had a few. We’ve had a few here. Four plus years we’ve been doing this, amazingly. And people are still listening. I’m shocked. I would like to know if anyone listening has actually heard every single episode. I’d be interested to know who these people are and what else they’re doing with their lives.


[David Spark] I appreciate it. Anyways, I always say this – how much I appreciate our audience. I do. I greatly appreciate our audience. I appreciate their support, their listening, their contributions, and telling all their friends about this show. So, thank you very much for participating and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.