HomePodcastDefense in DepthDefense in Depth: Ageism in Cybersecurity

Defense in Depth: Ageism in Cybersecurity

Is it too much experience? Is it that they’re difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated in hiring practices?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ben Sapiro, head of technology risk and CISO at Canada Life.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Qualys

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

Full transcript

David Spark

Is it too much experience? Is it they’re difficult to work with? Do they want too much money? Will they not be motivated? Are cyber professionals over the age of 40 being discriminated in hiring practices?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode is none other than Steve Zalweski coming out of permanent retirement to semi-retirement. Steve, let’s hear the sound of your voice.

Steve Zalweski

Hello, David. Hello, listeners.

David Spark

He doesn’t sound any different, I must say from coming out of permanent to semi-retirement. Sounds exactly the same. Our sponsor for today’s episode is Qualys and Qualys has been a phenomenal sponsor of the CISO Series. More about Qualys later in the show. But first, we’re gonna talk about an issue. We wanted to do this episode for quite some time, Steve, and we found a very interesting post of which got close to 200 comments on it from E.J. Hilbert. Now he is a cyber professional, age 51, who was told by a recruiter that he was rejected for a series of jobs because of his age. Now, he didn’t know whether to believe or not believe this recruiter but, he was on the side of believing this recruiter sadly. From the story that he says, which has some elements of it, what do you take from it, Steve?

Steve Zalweski

So, when you talk about this. I was really looking forward and have prepped for this call today because almost any statement you make can be taken the wrong way. The way I’m going to say this is, I think this episode really is talking about diversity and inclusion being used as a big hammer that is maybe being used too often to rationalize other problems that are not unique to the cyber workforce as a way to be able to couch the problem that what we’re about to go through is really looking at these kind of forces and how the conversations are being leveraged under those two perspectives.

David Spark

Good point and I’m going to throw this in as well. This is a subject that drives me nuts mostly because this is the one group that, God willing, we’re all going to become members of. God willing, we’re all going to become older than age 40 and still be in the workforce. So, if you keep that in the back of your head if you’re on either side of this issue, maybe you’ll address it in a very different way. To help us get through this discussion is one of my favorite guests on the CISO Series. I’m thrilled that he could join us for this conversation. It is the Head of Technology Risk and CISO for Canada Life, Ben Sapiro. Ben, thank you so much for joining us.

Ben Sapiro

Well, thank you for having me.

Does anyone understand what’s going on?

00:03:01:11

David Spark

Steve Wilkins of Synoptek said in referring to E.J. the subject of this post, quote, “You were rejected by a live human being and my guess is that you appeared grossly overqualified to them for the roles you applied to and or you looked very expensive.” This is a good point. Now, Larry Hughes of LJH Cybersecurity said quote, “There is an entire workforce out there sitting idle while there are more unfilled positions that any one person can possibly apply for.” But Larry admits a friend who is 60 plus was rejected for a job offer that was at a rate 20 years ago that she received and she never got another offer past then. So, the offers are coming in really low. Both Steve and Larry are arguing that this issue has to do with money and these people with a lot of experience want a helluva lot more. What say you to that, Steve?

Steve Zalweski

I want to make two comments here and I’m going to speak to each of those two quotes. With regards to Steve Wilkins, what I’m going to say is, this maybe an example of diversity and inclusion being used when the problem may in fact be an actual mismatch of expectations. And so, we got to understand expectations before we just simply say, we’re not hiring you because of age. And that’s to offer that dual perspective. When I look at Larry, there’s a part of me that says, and I’m in that over 40, I will acknowledge it, so, I basically can speak from both sides of the equation here and I’ve got kids in their twenties.

David Spark

I am as well.

David Spark

Correct me if I’m wrong, you at one time were under the age of 40?

Steve Zalweski

Yes. I was. At least that was the hypothesis that somebody had said at one point I was there but it was so long ago.

David Spark

I believe our guest has been at younger ages as well. I’m not clear on it but I believe he was in his teens and his twenties at one time. I’m not sure though. He’ll tell us. But go on.

Steve Zalweski

And so, now, with regards to Larry Hughes’s comment about the workforce sitting idle and potentially 60 plus and the money wasn’t right. I’m going to say, hey, let’s face it, career growth is not a ladder it is rather a pyramid that you have to climb and there are no guarantees that past results and achievements automatically get you equivalent pay or an equivalent point in that pyramid. There’s still the fact of competition for high level roles is fierce.

David Spark

And I would say that I have a friend who was applying for a design job, a promotion, a senior position. They were not in a senior position but that senior position at the other company paid half what her current position paid, which was below that, just a different company. Ben, what do you think about this?

Ben Sapiro

I don’t think that everybody understands what’s going on here. You asked a question earlier of the premise of do we believe the recruiters or should Mr. Hilbert believe the recruiters and at least in my experience with recruiters on both sides of the tables is as much as they want to sell the head count one way or the other, they’re generally going to be pretty straight shooters with the people they’re working with because that’s their bread and butter. So, if they’re saying it’s about ageism, my inclination is to say that there’s probably some truth there. But, Steve, I think you make an excellent point, as does Steve Wilkins, he raises the concern that this maybe about compensation and that’s a conversation that I think would be better served if we could actually see something like pay transparency. Within the organizations I’ve worked in historically, we’ve always been happy to answer the question to a candidate of what is the compensation. So, you go into these conversations saying, well, I need somebody with the following characteristics, the following capabilities, they match the role profile, great I’ll have an interview with them and in that interview disclosing the compensation might then level set the conversation because they might, to the other individual which Larry Hughes talks about, say, “Hey, in the first interview I heard the money was this and this is what they’re willing to pay for the role. I can opt out.” I would like to see organizations being more transparent around the pay scales that they’re offering so that then employees or candidates who are interested in a role can then self select rather than being left in the dark about was I excluded.

David Spark

OK. I’m going to throw this argument at you, Ben, and that is, sometimes they know that someone who is older is getting desperate and they’ll start taking a lower paid position but they may not be as enthused about doing it because it’s such a lower paid position. My feeling is a lot of times they’re knocking those people down because they’re still too over qualified, I know they applied for this.

Ben Sapiro

That’s absolutely unfair.

David Spark

Well, that’s what ageism is, it’s unfair.

Ben Sapiro

At least in Canada, and I can’t speak about the US, it’s also illegal because it is a protected ground, you cannot discriminate on it.

David Spark

It’s illegal too here but it’s extremely hard to prove too at the same time.

Ben Sapiro

Oh, absolutely and that’s not this conversation, Mr. Hilbert’s not going to get the proof that he wants and even if he could, would he honestly want to work for an organization who had behaved in that way?

David Spark

No, but what I’m saying could be an unspoken thing too at that point.

Ben Sapiro

Right. So, this is where, if I’m talking to our fellow CISOs out there and security practitioners and saying, if that thought is going to cross your head around, this individual we could hire them, they’re qualified, maybe over qualified but I’m worried about the idea of they might not be fully motivated, this is performance management. If you hire an employee, you give them the benefit of the doubt but you coach them through the situations and you set your expectations clearly. Don’t worry about this as a foregone conclusion before hiring. You’re doing yourself a disservice and you’re doing them a disservice.

How would you handle the situation?

00:08:49:07

David Spark

Michael James of NTT Data Services said quote, “Main reason is lots of younger managers. While preconceived of lack of compatible skills is a large determinant, they don’t want someone working for them that will outshine them.” The other is that, quote, “Older experience” is outweighed by quote, “Someone who will fit in.” It’s an interesting one. And Frantisek Sedlacek of BRNO Municipality Office had a bad experience with a 50 plus year old person that they hired. Quote, “He saw his age as a leverage to ignore rules and disobey processes set in the company and team.” And then later, quote, he said, “We came across a younger fellow with start up career, hired him immediately. He was asking, talking, generally working with the team rather than against us.” So, I’m going to throw this to you, Steve. There is this notion that older isn’t willing to bend because when you get older you get set in your ways and when you’re younger you’re a little bit more malleable. Could that be a reason?

Steve Zalweski

That is definitely a possibility. There is no doubt that that exists but that’s not unique to cyber security. That is a problem that we all have across any industry where people think that experience entitles them to be able to either ignore the rules or make the rules and that gets back to as an individual, and you take a job, you can negotiate for yourself. But good teamwork, good management skills, good leadership skills, if you have those you will succeed. What you’re seeing here are people that don’t necessarily have them and are using their age as a way to be able to accommodate themselves at the expense of the company.

David Spark

What do you think of this feeling that older people are not as malleable as younger people? I’ve got to assume in general that most people think, if I’m going to hire somebody right out of college I can just make them do whatever the hell I want versus someone who’s 50 plus. I got to assume that that’s a general assumption.

Ben Sapiro

Clearly whoever thinks that hasn’t had children or younger people in their lives. And also as an aside–

David Spark

Are you paying your children?

Ben Sapiro

Yes in candy. So, I’ll take the alternate perspective on this. What this talks to is that, again, somebody who has made an assumption. If they are behaving in this way, somebody has made an assumption about how a person could fit into the team and what team dynamic might result. Sure, maybe you can take somebody who’s early in their career and really get them to go 150 percent and maybe they are at a point in their life that they don’t have much else going on, they don’t have family commitments and therefore they’re happy to do this and that’s kind of cheating the system because you’re getting more than what you’re paid for. But that does happen. But the other side of that is that you look at somebody who’s an experienced practitioner who has a balance, a cadence, an ability to deal with complex situations, navigate politics in a way that a younger hire might not be. And so, sure, you might be trading off, sure I can work till 3AM in the morning because I can stay up late versus, when I’m encountering a situation where I’m doing with a leader or a manager that is difficult and unwilling to bend to our needs, I’ve got this person with more experience that can navigate that situation for the team with the team. So, I think you’re being very presumptuous if you say, this person can’t integrate with my team and you’re also ignoring the benefits that come with experience and you manage it.

Steve Zalweski

And I want to jump on this too because I want to get back to diversity and inclusion and the foundational understanding of what that definition is. Which is for many people, diversity and inclusion is having one of everything so that I can check the box to be able to understand that there’s no ethnicity or there’s no gender that isn’t represented because I’m worried about people not being given an opportunity. Diversity and inclusion is not that in my mind. Diversity and inclusion is an appreciation that I have to have different sets of thinking so that when I’m tackling a problem, I don’t have any blindsides to the problem. Not that I have somebody uniquely capable or uniquely represented. That, in my mind, is the big difference between what diversity and inclusion is in its truest sense for why we fight for this versus where some people have used it for particular reasons where now I have a fact versus fiction, perception versus reality and unreasonable expectation versus true market value being used to take diversity and inclusion in a different direction.

Ben Sapiro

So, I don’t know that in this situation somebody chose to do check box things one way or the other but certainly they didn’t act in a way that said, I want to hire somebody who’s good for the job and I’m going to consider something that is innate about them, that is, in least in Canadian terms, is protected. When we hire people as leaders, as managers, generally what we should be saying is, do they have the right talent? Can they deliver? And if the answers to those questions is yes, minus of course the affordability conversation, maybe they’ve got stellar expectations which don’t line up with what the company is willing to pay, that we should be then hiring them in that inclusive fashion. Whereas what in this situation appears to be is somebody made an assumption about this individual’s age, at least that’s what’s alleged to have happened, and then chose to ignore their capabilities and that’s quite problematic. So, it’s not the check box, it’s also about the hiring decision I have to make, which is I should not be colored by weird views on what a human being is or isn’t because of some innate characteristic of them.

Sponsor – Qualys

00:15:02:12

Steve Prentice

Sumedh Thakar is President and CEO of Qualys, a company dedicated to delivering a single IT security and compliance solution. He says, there is an increasing level of urgency in security today.

Sumedh Thakar

I think what’s changing now is the scale at which the attackers are leveraging automation to attack systems, acceleration of the speed and the scale at which they are able to go out and pop all exchange servers, [INAUDIBLE]. So, I think there is definitely a sense of urgency to make sure that we have tools in place that are able to ensure that security measures like patching can be immediately deployed as soon as the patches are available and not have to wait for days and weeks to go through the normal process many times to have to do that and that’s one of the ideas that we focused on, especially with our recent zero touch patch capability, which allows customers to ensure that their critical applications are always up to date and auto updated with patches. They don’t have to wait for discovering the vulnerability and I think there is just an in general urgency, I believe, of leveraging scale, automation and speed of response and being able to fix and reduce your risk and then being able to monitor the environment [INAUDIBLE]. So, the speed and scale, I think, are becoming really urgent now.

Steve Prentice

To learn more or to sign up for the free patch management trial, visit Qualys.com

Why are they behaving this way?

00:16:37:24

David Spark

Dianne McGaunn of Silicon Valley Project Management said, “Welcome to the reality of much of the professional world including all those who talk a good game about diversity and inclusion”. Ah, Steve, like you said. And Pete Strouse of InfoSec Connect said, quote, “I think it has a lot to do with the company’s leadership and their views on age, motivators and how hard they want to work people and burn them out.” Something else we brought up. And lastly, Martin Oresnik of Avanade said, quote, “It’s because they can’t hire you for bleep money and run you into the ground like they can for young people who don’t know any better.” And that goes to a point that I made. So, they’re addressing all the negative aspects of this happening because of tainted culture. Ben, what do you think?

Ben Sapiro

I think that leadership can do a lot to set clear views and policy around how one hires and what one needs to consider or should not consider in this particular case. But I also think it comes down to the individual. So, sure, there are probably companies out there that have culture issues and we read about them in various places, but I think a lot of more of this has to do with the hiring manager, the individual that is looking to bring on talent into their team and their preconceptions. It’s quite possible that this individual is actually the hiring manager for the many roles that Mr. Hilbert applied for, was in a company that espoused these good values, encouraged these things and they acted individually in themselves and they found other reasons to pass on the resume. They may have even chosen not to look at the resume. They got a 100 resumes and they just walked by this one because they perceived something for it. So, I’d be cautious about blaming entire leadership, I would say let’s actually look at the individual manager and the decisions that they’re making around this.

Steve Zalweski

I would say these three individuals and their perspectives are really highlighting the fact that this is a subjective not an objective conversation and that it only takes one bad experience and somebody standing up and making generalizations about one bad experience that taints everybody. This is exactly, I think, to what we were talking about here and what Ben said, is if you can talk the talk and walk the walk, you’re responsibility as a hiring manager to be truthful to yourself and to your company. You as a perspective employee are responsible to be truthful to yourself, to understand what you really bring to the table and don’t play the DNI card for the sake of you putting your perspective out there, realizing it’s one subjective opinion against another. It doesn’t help either side.

David Spark

I want to get to the point you made. First of all, we’ve all made bad hires at one time. We’ve all done it and in some cases one of the bad hires we made was a person of considerable age and in that case, they may have fallen into some of the common stereotypes that we have listed and that people know about and when you have a bad experience like that with a person of age, all of a sudden that now taints everyone of age. As you’re nodding your head, Steve. Yes?

Steve Zalweski

Right and that’s where I get back to, I don’t think that this is a cyber security issue. I think, if anything, this has much more to do with our cultures and everything else and again, if you’re a good manager and you leverage your HR teams and you leverage your performance plans, there are tools there to be able to course correct individuals where they may be blind to what they’re doing and you owe them a responsibility to have that brutal conversation with them, to talk about truth either in the beginning to set expectations or subsequently. That is what good managers do and that is the problem is that’s hard to do. And again, then that allows people to put subjective statements out there that create this type of conversation and that’s why I said, we’ve got to walk away from he said she said and to the degree that we can, like you David and Ben said, is we have to talk about objective truths not subjective bias.

Ben Sapiro

I agree with you, Steve, that I don’t think that this is particular to cyber security. My father got downsized at the age of 65 and he struggled to find a new role and finally he landed and it was hard for him and he’s not in security. This is perhaps an indictment on managers who want to hire people that they think they have more affinity to, be it age, culture, race, gender, whatever it might be and really not willing, as you said, to have those hard conversations. Hey, you’re skirting the rules because you think your experience allows you to. I’m here as your leader, your manager to tell you no you can’t. To actually be a manager as opposed to trying to find the easy path. Let’s go hire a bunch of people who look exactly like us etcetera which is a terrible thing to do from a diversity and inclusion perspective. That, I think, is what this is telling us. That being said, while you said this was not unique to cyber security and I agree with you, I think one of the things that’s unique in cyber security is we’re desperately short of talent. So, why are we cutting off our own noses to spite our faces in these cases?

Well, I guess that’s one way to solve it.

00:22:14:14

David Spark

So, E.J. Hilbert of KC Cyber who wrote this post said, “I should say that when I could not find a role, I just started my own practice and have been able to win clients. I just hate selling.” That, by the way, is a story we’ve heard again and again of people that couldn’t find jobs and started consulting but I’m not a salesman and that’s core if you’re going to be a consultant. So, it became a tough challenge for them and Dan Bruns of Lincoln Tech got laid off and couldn’t find another position and quote, “So, I looked around and thought, maybe I can teach? Turns out, teachers are needed and they don’t care about age. So, I have been teaching and have my own consulting business on the side. It has worked out very well.” So, these are people who feel that they were faced with ageism issues and yet found a solution to still stay in the industry although, I might guess, not optimal to what they wanted but who knows. Is the answer, yes we can keep railing and telling people to look differently but that may take time before we get over the ageism issue. Is the solution well you’ve got to go on your own at this point? What do you think, Ben?

Ben Sapiro

If Mr. Hilbert’s listening, I get the I hate selling thing and I would say, don’t think of yourself as a sales professional, think about yourself as a professional that sells. That’s something I learned very early on in the consulting career I had before becoming a CISO. But what I think this really talks to is we all should have within our career path exit plans. You talked, Steve, about the pyramid and you’re not guaranteed to sit at the top of that pyramid. That has to be earned and there will be competition for it. So, you might have a scenario in your head that says, I’m fine with where I am in my life and I’m going to continue operating and if everything goes according to plan, you can stay there. But the world might change around you that says, the company you work for stops being a going concern and everybody is out of a job at the organization. You don’t know. And so, I think that this is a really important lesson for all of us to say, what is my long term career plan if this role that I’m in doesn’t pan out and if I’m assuming that I’m just going to keep on doing the same thing year after year after year until I hit that age where I might decide not to work anymore, then what are my alternatives, what assumptions am I making, how might they fall down and might I get myself ready for some alternate plans as well? It kind of sucks that we have to do that but the reality is is that we need to keep on earning and so we should have those plan A, plan B’s in our head. I’m glad that both of them found that path, although not happy that they found it forced on them.

David Spark

Good point. Steve?

Steve Zalweski

Life is not fair.

David Spark

I’ve heard that since I was a kid.

Steve Zalweski

I have four kids in their twenties and that’s what I tell them. I say life is not fair. It isn’t and if you put yourself in a situation where you become an expert at doing one thing very, very well in a company that values you, that doesn’t mean that you’re necessarily going to be valued at any other company at that level or for that capability. And again, that’s a hard problem to many as they approach 40 or older, are thinking there’s a certain amount of entitlement based on their age and their experience. But life is not fair. So, to your point, you have to think about how you want to reinvent yourself. If you’re not willing to reinvent yourself then you have to be prepared for an outcome of you may obsolete yourself. And again, that’s not cyber security specific but I would say in cyber security, you’ve got to reinvent yourself a lot more than in many other industries to be able to stay relevant, but it’s a true message everywhere and if not, then I think you owe it to yourself to use your career counselors and everything else to again, be truthful about understand their may be a diversity and inclusion issue there. There may be an age issue there. But, equally know yourself and be prepared to have to go through that transition and figure out what you’re going to do with the rest of your life or you can just sit on your couch and complain that everybody else is unfair.

David Spark

And a good way to stop this conversation because we just don’t want to just complain that everyone else is unfair. I want to hear from both of you, what was your favorite quote and why. I’m going to start with you, Ben, which quote was your favorite and why did you like it most?

Ben Sapiro

I think it was E.J. Hilbert’s own quote that he said, “I couldn’t find that role and so I moved on.” And it’s unfair that had to happen and you’re right, Steve, life is not fair and we will tell our children that. So, that’s not the good part of the quote but the fact that he then recognized that he wasn’t where he needed to do and then recast his role in life and moved forward with that successfully is the good news outcome here. So, that’s why it’s my favorite quote.

David Spark

I should say, and I don’t know if it’s happened to you, but I have always had hiccups and bumps in the road professionally myself every time at the point I thought, oh my God this is a downturn but the downturns always turned into an upturn. Most notably, how this CISO Series started. There actually was a significant downturn that was a result of what I was doing but it turned into a monstrous upturn as a result. So, there’s always two sides to this as well.

Ben Sapiro

But you embraced it, right? That’s the key thing.

David Spark

Oh I was able to embrace it. But I didn’t know it was happening at the time. I didn’t know. It was one of those things, it evolved over time. Trust me, I didn’t have the foresight to see that it was going to happen that way. Steve, your favorite quote and why?

Steve Zalweski

I am going to choose the quote by Dianne McGaunn of Silicon Valley Project Management. “Welcome to the reality of much of the professional world.” I think that is perception versus reality and there’s a perception of how we want to see it and the reality of you having to manage your career and understanding the pitfalls that happen. I’ve been through four careers and it’s traumatic the first time when what you’re doing is not getting you where you need to be or when somebody says, “Thank you very much for your career, we no longer need you.” That is devastating for many people that have careers for 20, 30, 40 years and you can see that. In the Valley it’s a little better because we move a little more often so we get better at grieving and moving on and reinventing. But I think, that’s welcome to reality, is why I like her quote.

David Spark

Well, that brings us to the very end of this episode of Defense in Depth. I have to thank both my hosts, Steve Zalweski and Ben Sapiro of Canada Life and I will let both of you have final comments. Ben, you get the last comment and the question I always ask my guests, are you hiring? So, make sure that you answer that and let me ask you, would you hire anyone of any age?

Ben Sapiro

Yes.

David Spark

Are you hiring by the way, Ben?

Ben Sapiro

Absolutely we are hiring. Penetration testers. We’re also hiring professionals around risk management, information security analysts, data loss professionals, cyber security engineers, operations people in our cyber security team. We’re going the full gamete as well as in our technology risk team. We’re also looking for risk analysts. So, check me out on Linked In or go look at Canada Life dot com.

David Spark

By the way, I just want to make a comment that when the pandemic hit, let’s say around April of 2020 to March of 2021, I asked the question, are you hiring, I would say it was about a 50 50, people said yes we’re hiring, no we’re not hiring. After that though, starting now, I’ve yet to have someone say we’re not hiring. Everyone’s hiring right now. Now it’s an up slope. Steve Zalweski, any final words?

Steve Zalweski

Yes. I say, this is why we do Defense in Depth. This is exactly taking very complex and very hard problems and trying to break them down to look at perception and reality. So, I appreciate the audience and my co-hosts here to tackle a very difficult problem and do what I think was a pretty fair analysis of giving people some perspectives to allow us all to get better.

Closing

00:30:31:00

David Spark

Hopefully so. Well, I want to thank both of you. Thank you very much and our sponsor, Qualys. By the way, if you don’t know how to spell them, it’s Q U A L Y S dot com. That’s where you can find their information. We had them talking about [INAUDIBLE] on this show and vulnerability management too. Anyway, check them out at Qualys dot com. Thank you very much for sponsoring the show. Thank you to the two of you and thank you to our audience as well for all of their contributions and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

RELATED ARTICLES

Most Popular