Should you look for the ideal candidate that has all the security talent you want, or should you find the right person and train them with the security talent you want. And if the latter, what is the right person to work in security who doesn’t have security experience?

Check out this post and this Twitter discussion for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Dev Akhawe (@frgx), CISO, Figma.

Got feedback? Join the conversation on LinkedIn.

Thanks to our episode sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

Full transcript

David Spark

Should you look for the ideal candidate that has all the security talent you want, or should you find the right person and train them with the security talent you want? And if the latter, what is the right person to work in security who doesn’t have security experience?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me on a regular basis is Geoff Belknap, who is the CISO of LinkedIn. Geoff, grace us with the sound of your voice.

Geoff Belknap

Hello, friends. And David, I’m always with you in here.

David Spark

He’s pointing to his heart, people. Our sponsor for today’s episode is Sonatype. Thank you, Sonatype, for sponsoring this episode. If you are in the world of DevOps and you’re looking to improve your security hygiene in DevOps, you’ll want to listen to what Sonatype has to say later in the show. All right, let me set up our discussion today. On LinkedIn, Matt Trevors of AWS argued against the commonly held belief that we have a shortage of cyber talent. The issue comes from the hiring managers either not knowing what they want, or not willing to pay for what they want, as evidenced in many job postings that are either too broad or too narrow. He argued that in the time it would take you to find the right talent, you could train a well-suited person to do the job. As a companion to this discussion, on Twitter I asked, “If you had to hire someone with no past cybersecurity experience, what experience would you like them to have?” While we all want the right person with all the appropriate talent to walk through the door, it doesn’t happen that easily. Geoff, how often do you struggle with the “find or build what you want” issue?

Geoff Belknap

Well I think I struggle with it every day on balance. The reality is, it is a very competitive talent space, and it has always been that way. I’ve observed that during the pandemic, somehow it has gotten more competitive, and I think that a lot of that has to do with the fact that people who are very skilled in the security space have a lot of flexibility to live where they want to live and work remote, and now that everybody’s remote it’s a very attractive thing. So talent has gotten very desirable, and the competition has heated up. Which brings it to a perfect time to have this discussion of, should you be buying or building this talent? And I think the reality is it’s not an easy answer.

David Spark

No, it is not. And we’re gonna walk through this discussion today with our guest today, who is Dev Akhawe, the CISO over at Figma. Dev, thank you so much for joining us.

Dev Akhawe

Thanks for having me.

What is everyone complaining about?

00:02:58:15

David Spark

Jeremy W. at Klaviyo said quote, “There is not a shortage. More like a lack of understanding and willingness to develop or build an employee if needed.” So this is pretty much setting the premise for our discussion. And Matt Trevors, who is the author of this post, he’s from AWS, “We do have a problem, but it’s not a shortage of talent, it’s communicating and understanding the problem.” I want to focus on that very last thing. How well do the security people and the hiring managers understand the problem and are communicating it?

Geoff Belknap

Yeah, I think the points that Jeremy and Matt make here are really important. InfoSec is inherently a multidisciplinary space. So it’s really challenging for recruiting teams and HR teams to understand that we’re not out there looking for an InfoSec engineer or a security engineer. There are probably at least ten distinct specialties that you might have, or a combination of skills, as somebody who works in the information security space. Well that makes it really challenging to figure out which people to go look for, and the reality is the people that are out there right now don’t necessarily have the skills that you’re looking for in any one given job. So if you are in the unfortunate position of being an information security manager or leader that is hiring people, you are gonna have to A, compete with everybody including Dev and myself for that talent. But you’re also going to have to spend an inordinate amount of time defining what the talent and the skill set is that you need. And let’s just be frank: you’re gonna have to get comfortable with the fact that the people that are out there are not gonna have all those skills. You’re gonna have to invest in them and build some of those skills up. And I think that is part of the problem that people are seeing when they say, “There’s a big talent gap”. No, there’s definitely a skill shortage, but there’s not an impossible problem to solve here. We just have to be willing to invest in people.

David Spark

Good point. All right, I’m taking this one to you, Dev. What do you add to that? I mean this just seems like the reality, yes?

Dev Akhawe

Absolutely. I agree completely with Geoff. Also, I would maybe add a bit more color. I think the good thing about security being interdisciplinary is we as leaders have to work a lot with stakeholders across the company, communicate the nuances and all the complexity of security, and make a switch in your mental model that recruiting is probably one of the most key partners you have in the organization. If you get them to understand and communicate your needs well, you’ll be so effective as a security leader.

David Spark

Can you give me an example of that? That’s a good point to make. So what’s a good way that you have communicated to your recruiting team about your needs so that they understand?

Dev Akhawe

That’s a long conversation. I think the big one is actually spending time. It’s people, relationships, and trust. I think spending a lot of time with your recruiting team, helping see their point of view because it’s a hard job for us, but it’s also a hard job for them. I don’t know why a recruiter would want to be recruiting for security, especially if you have results and quarterly performance reviews based on how many people you hired. So creating empathy and trust, helping them see that we are in this together, and then saying, “Okay, these are our needs, let’s work together, spend a lot of time”. I don’t have one message that clicked into place, but just lots of trust building, communication. I feel like that’s been really effective for me, but if someone has ideas I would love to hear them.

How would you handle this situation?

00:06:40:22

David Spark

Matt Trevors of AWS said quote, “In the time it’ll take you to find the exact talent you’d actually find and train a cyber professional without that specific application experience to learn the application.” And Justin Jones of Jacobs said, “Having a role unfilled for three plus months is, in itself, a major security concern.” And Lois Weiss of Nutanix said, “A lengthy process can make it even more difficult to hire.” So Matt was doubling down on finding the good talent and then training them, but then Justin and Lois throw in a couple of wrinkles that I thought was interesting. I want to start with you, Dev. Doing a long hiring process and waiting three months can be dangerous, and a long process can make it even more difficult for you. Do you agree with these statements? And before you answer, let me throw one thing out: I’ve heard hiring people say, “We take a long time to hire and short time to fire”. What say you to all those last statements?

Dev Akhawe

While I agree with the statement that delaying a hire is in itself a security risk, the thing I would say to all the statements is one of my core values is humility, and so having a value of humility means being humble that you might not be able to find that perfect hire, that it is hard, and acknowledging that will let you see that there is a risk of keeping that role unfulfilled. Having the humility to know that you might not know what is that perfect hire, because you are often not the individual contributor right next to the problem. So having the humility to say, “Maybe having someone who’s willing to learn and will come in and teach me,” is also something that has worked. Rather than assuming you know that perfect hire, look for people who are willing to learn. Maybe they’re not perfectly there. Those have been, in my experience, some of the best hires I’ve ever made. And then humility to learn from the rest of the organization. I think some of the things we mentioned, leaving a role unfulfilled is a risk. You can train people. The people who have taught me all these things really well are in the rest of the company, other engineering leaders. And so learning from them has also been really effective for me.

David Spark

So humility and learning from your counterparts, and hiring, Geoff, do you do the same?

Geoff Belknap

Yeah, I don’t know if I’ve called it humility directly, but I definitely look for that ability to learn – that curiosity, the ability to dig in and learn more about the space that you’re in, because I think Matt Trevors is right here when he says you’ve got to stop looking for somebody that has the perfect experience with the exact application or infrastructure that you’re looking for, and you have to look for people that have the basic building blocks that you can build upon. Now sure, you probably need to hire somebody that has computer networking and operating system experience, but you don’t have to have somebody who’s necessarily a wizard in each of those areas. You need to have somebody that’s curious and will learn more. Really, that’s what InfoSec is all about. You’re going to dig into this topic, learn what there is to learn about it, and be able to make risk decisions related to that, or at least help guide those. So I think those core personality traits, like Dev said, humility is really important, understanding that you are not there to be judge, jury and executioner for all these things, but you’re there to learn more about it and add value to it. It becomes the real focus of what you’re doing when you’re looking for these jobs that are open for a long time.

Sponsor – Sonatype

00:10:17:16

Steve Prentice

The vectors of attack are changing and worming their way into open source software development life cycles. This is a threat that could easily go unnoticed, but it’s something that Sonatype knows very well. Here’s Brian Fox, co-founder and CTO.

Brian Fox

The new trend that I have been observing is that a lot of these attacks are focused on the developers and development infrastructure specifically, which is a notable change from the historical behavior, which was to try and leverage vulnerabilities that existed in code that was easy to deploy to production, or shipped to end user customers. Many applications have designed their application security practices around that belief. And the new attacks are actually focused upstream of that, coming in through the open source supply chain, but often attempting to exploit the developer machine or development infrastructure like the CI Server, and use that to expand into the rest of the organization. That’s a new dynamic that traditional apps that defend the release practices will completely miss.

Steve Prentice

And here’s Derek Weeks, vice president at Sonatype, with some shocking stats.

Derek Weeks

Back in 2017 we saw a couple of these style of next generation attacks on open source projects. In 2019 we saw a couple of hundred. In 2020 we saw nearly 1,000. And within Q1 we saw about 5,000, 6,000 attacks.

Steve Prentice

For more information, visit Sonatype.com.

This is not just a security issue.

00:11:58:22

David Spark

We talked about recruiters, and here are some quotes talking about recruiters and this very issue. Karl Sharman of Stott and May said, “Recruiters are limited by what internal managers and executives want to do.” Matthew Thomas over at Walmart said, “Most recruiters/hiring managers simply focus on checklists versus candidate potential.” This may get into the conversation issues like you were discussing, Dev. And Priyanka Yadav, a recruiter at Facebook, notes one of the biggest problems for companies like hers is, “There are not enough security engineers who have solved security problems on scale.” So let me actually start with this very last one, because you come from a very large organization yourself, Geoff. Having people who deal with problems on scale, is that a core concern that you have?

Geoff Belknap

No, not really. I think you can teach the skill bits. The really important thing is that those people have the right mindset, the right basic knowledge of the technology and of the problem space, but doing it at scale, while this is a very unique thing and something that is very desirable, I have stopped looking specifically for you have to have done it at scale. We can teach you that. That part is something that we can bring to you, if you bring the raw skills. Of course, if I find that perfect candidate and they’re coming from another large high skill organization, they’re very attractive, who are very competitive for that role. But we have to stop kidding ourselves. We have to stop looking for the perfect person who’s done it at a giant scale, because let’s be honest, there’s very few companies that are at the LinkedIn or Facebook scale. So if you’re not hiring somebody from Google or Microsoft they’re not going to have that scale experience. But also if you only hire people that have that scale experience, where are the people going to get that experience? It’s like the chicken and the egg. You’ve got to be willing to take that risk, and most importantly, you’ve got to be willing to invest in your people. And if you’re not, what kind of message are you sending the rest of your organization in terms of is this a place they really want to work if we’re not willing to invest the basics in teaching somebody how this works at scale, or how this newer technology works? And I think holistically you’ve got to be thinking about that. You not only want to recruit people, but you want to retain people. And part of that is investing in them.

David Spark

So Dev, two of the comments are about recruiters are limited about the information. You brought up the great point about communicating with them. What is a thing that you do to communicate about how to find candidate potential over a checklist?

Dev Akhawe

In my experience, I have been lucky enough to work with exceptional recruiting individuals, recruiters, managers, and so saying what you just said, that we are hiring for potential.

David Spark

But they don’t know what that necessarily is. And also it’s hard for you to define what it is, and we’re going to get into that in the next segment. But where do you begin that conversation about what potential is? Because how do they know what’s potential? And it’s hard for even security people to know that. It’s confusing, it’s tough.

Dev Akhawe

I think by potential, at least what I think of as ability to learn, analytical abilities, and that willingness to approach new problems and be mentored. In my experience, this is a skill that applies across all roles. Sometimes the recruiters I work with are much better than me at detecting that, because they have seen so many more candidates go through the pipeline and succeed or fail at the organization. I’ve been lucky to have exceptional recruiters who have honestly taught me how to look for potential and talent. I can be good at looking for security knowledge, but some of the recruiting managers and leaders I’ve worked with, they’ve taught me so much on looking for these soft skills. I mean they’re really hard skills, so the word soft skill is wrong, but these skills are something I’ve learned a lot from them.

David Spark

It turns out to be really important to invest in that relationship with your recruiters. I think you brought this up earlier, Dev. If you aren’t teaching your recruiters how you think about the talent, you’re missing out. You really should be bringing them into the loop about how they should be thinking about talent, just like you are.

Dev Akhawe

Yeah, I would add that spending a lot of time explaining what the security ecosystem is like – when you see a security resume what to look for, what that means. That was a lot of time building that trust and relationship and explanation. That worked a lot. And at the same time, the recruiters I’ve worked with, there’s other stuff like potential, analytical capabilities, excitement about the company and vision and mission. These are all things that some of the recruiters can often be much better than you on looking for, and rely on that. They’re experienced; they’ve been doing this for years. It’s great.

David Spark

Trust your experts.

Dev Akhawe

Which is funnily what we tell everyone else when it comes to security but don’t want to do. [LAUGHS]

David Spark

We never listen to our own advice.

Does anyone have a better solution?

00:17:15:12

David Spark

I said we would get to this last segment, and I put out a tweet asking, “If the person doesn’t have cyber security experience, what experience would you like them to have?” Let me list what a bunch of people did say. A couple of these were from LinkedIn as well. Lois Weiss from Nutanix said, “The best and brightest are always the most challenging to attract and retain,” and I think Geoff, you kind of set the stage at the beginning of discussing that. Per what we’ve been discussing so far about what is potential and what does it look like, here are some of the things that people said. David Peach, over at The Economist said, “Network administration or software engineering.” The user @Bearfaced said, “Someone who has the ability to communicate complex concepts to lay people.” David Lagace over at Lowes Canada said, “Early childhood supervisor or elementary teacher” – I think that goes hand in hand with what Bearfaced said. And Eoin Keary over at Edgescan said, “Software development experience.” And Chad Voller of Bober Markey Fedorovich said, “Customer service.” So, I will throw to you, Geoff. What do you think of these suggestions of people who don’t have traditional cybersecurity experience? Would this speak to you of “they’ve got potential,” and what would you add to the list?

Geoff Belknap

Yeah, I think this is a great list. I especially like, and I have to laugh a little bit about, the early childhood development experience. And while I’d like to think that that’s because I’ve managed so many InfoSec engineers over the years that sometimes it can feel like herding children. But the reality is it’s less about dealing with children. It’s not babysitting, but what it is is understanding how people develop and learn. Both, you want to understand how to bring your engineers up, but you want to understand how to communicate to people about risk and how they learn about risk. This is also why I really like the Customer Service example and Bearfaced’s suggestion. If you are naturally somebody that can break down very complicated subjects and explain them to people that don’t have the experience that you do, A) that’s a fantastic skill just in life in general, but B) you can go far in InfoSec, because everything feels overly complicated, and being able to break it down in real terms, and being able to see yourself as somebody that is there in a service role or a customer service role to the people you’re explaining it to, that can take you really far. It also helps sort of diminish this stigma that we’ve got of security people are just here to tell you “no” and to yell at you, and to make you feel small about your lack of knowledge about security. So I think all of these suggestions are really good and great examples of, if you’re thinking about people that have those fundamental skills, you can build them into better security people. What do you think, Dev?

Dev Akhawe

I love the examples, I love the diversity of ideas people had. People ask me why I work in security, and it’s stuff like this. All the different backgrounds and the skills that come in, it’s exciting. So I love it. I would add on that a little bit that be honest to yourself on what you can teach. This is a list of things that people already have, and that might make them successful in security. But be honest to yourself that if someone comes in with that background, will you be able to teach them the rest of the skills? Do you have the mentorship bandwidth? Do you have that bench in your team that will teach someone AppSec? Because as much as we all agree that the ability to communicate risk and have that mindset is critical, you will not set someone up for success if you’re not able to mentor them on all the other stuff that’s needed. So being honest to yourself is really hard, but do that because it’s unfair to bring someone in when you can’t mentor them. So I would say these are good ideas for things to look for, but also be honest; what are the things that we can teach and give feedback on? How can we make sure people are set up for success?

David Spark

Do both of you clearly go, “Alright, I have to do this much education. I need to set aside this much time for this number of people to get them trained”? I mean is that all sufficiently baked in so they can do both their job and get the percentage of training they need? Are you consciously doing it, or are you more like, “Oh crap, I got to slap this on now?” I know there’s an honest answer and the answer you want everyone to hear. [LAUGHS] So what do you think you can do?

Geoff Belknap

I think the honest answer is it takes work. You have to bake it in, you have to build a training budget. You have to build some understanding that you need to invest in people’s education and career development. But I’ve been in small and large organizations; it’s easier to do with a small organization because you have a small handful of people and you can really bake it in, but you also have to, at a smaller organization like at a larger organization, pitch for that budget ahead of time. You have to make sure that finance and the executive team understand why these roles are different, why you need to cultivate them maybe differently than everybody else. But it does take time, and the reality is you will almost always get this wrong. Not everybody needs the right amount of training or the same amount. Not everybody needs to go to the same thing. And like Dev said, you have to have enough senior people that can do the mentoring and on the job training to make that work. Otherwise, if you’re just hiring like 15 people directly out of college, they can’t mentor themselves. You have to bring something to the table to offer that.

David Spark

Good point. Dev?

Dev Akhawe

I would add on to that one more trick, since this is a CISO podcast. Being honest that I will not maybe have the time as much as I would love to, to directly mentor people. I think it’s about if we believe that teaching and mentoring is the road to success, celebrating that, rewarding that. You get what you reward and celebrate. So for your existing team when someone joins, celebrate the people who are great mentors. Celebrate the people, tell them it’s okay to make time in your quarterly OKRs to mentor, and celebrate and reward that. If you don’t reward during performance review and celebrate the work around mentorship – and let’s be honest, it is work, it is time – then what are you doing? You’re not setting up the people who are joining for success, and sooner or later I think there’s some things that people will do just out of their sheer energy, but it won’t work out long term.

Close

00:23:50:15

David Spark

Excellent point, and an excellent point to close on right here. And in fact, we have another episode on mentoring that Geoff did with the person who took your old job over at Slack.

Geoff Belknap

Sean, yeah. Sean Catlett.

David Spark

Alright, we are at the point of the show where we pick our favorite quote. So I want to know from you Geoff, what was your favorite quote from all of this and why?

Geoff Belknap

I really liked Jeremy’s quote at the very beginning here. “There’s not a shortage but maybe a lack of understanding and willingness to develop or build an employee if needed”. And this really resonates for me because I’m at the stage where I’m ready to build an academy, or maybe a training class to just take people with the raw skills and build them into performance security engineers, because honestly that’s really what we need to do these days.

David Spark

Alright. And Dev, your favorite quote.

Dev Akhawe

I really liked Chad’s example of “customer service” as the background to come from. Some of the best, most empathetic, best at communication people I work with came from a customer service background. I know a few people from a customer service background who are exceptional security engineers today, and I think it really underlines to me that security should be an internal customer-focused role. We are in this together and let’s make the organization secure.

David Spark

All right, well let’s wrap up this show. I want to thank our guest Dev Akhawe, who is the CISO over at Figma – and I should mention my wife uses your product every single day at work; she is a big Figma user. Our sponsor for today is Sonatype. Thank you very much Sonatype for sponsoring us. They’re available at Sonatype.com for all your DevOps security hygiene needs. And… we close it up. Geoff, any last thoughts on the topic?

Geoff Belknap

I think this is something we should all be talking more about. You know, how are we going to build people up? What are the core skill sets we’re gonna train them on, and making this part of how we bring new people into the space.

David Spark

Excellent. And Dev?

Dev Akhawe

Same. I’m super-excited about this topic, super-passionate about this topic. Please talk to me on Twitter and email. I just love to learn more and help others get in and succeed in this field.

Geoff Belknap

And Dev, are you hiring?

David Spark

Oh yeah, are you hiring? Yes.

Dev Akhawe

And Figma is hiring. Please reach out to me or just apply online on Figma.com.

Geoff Belknap

And so is LinkedIn.

David Spark

LinkedIn is hiring. And if you don’t get a job at LinkedIn, I know they have a lot of services to help you find a job, right? There you go.

Dev Akhawe

Yeah, and the Figma job is online on LinkedIn too.

David Spark

There you go.

Geoff Belknap

There you go.

David Spark

It’s all so incestuous. All right. Thank you everybody for participating and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.