You want to bring on entry level personnel, but green employees, who are not well versed in security, IT, or your data, introduce risk once they have access to it. What are ways to bring these people on while also managing risk?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rich Lindberg, CISO, JAMS.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor SolCyber
[David Spark] You want to bring on entry level personnel, but green employees who are not well versed in security, IT, or your data introduce risk once they have access to it. What are ways to bring these people on while also managing your risk?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap. You will also know him as the CISO of LinkedIn. He’s also the cohost of this very podcast. Geoff, thank you so much for joining us.
[Geoff Belknap] David, a pleasure as always.
[David Spark] Thank you. And I want to thank our sponsor, SolCyber. They are the MSSP to bring simplicity and affordability to your cyber security. More about them later in the show. Our topic for today came from Scott Barnabo of General Dynamics Information Technology, and he asked this question on LinkedIn. “Since an organization’s cyber security program is meant to mitigate risk, what are some effective methods to mitigate the risk of onboarding entry level cyber security personnel who do not have prior job experience?” And he says…and we’re going to get into this, “Education can only get an individual so far.” What’s your initial take on this? And I’m sure you’ve brought on plenty of entry level people.
[Geoff Belknap] Yeah, I think the more we talk about the talent gap or the talent shortage, however your favorite way to talk about it is, the more I like to talk about you have to bring on entry level people, and you have to train them perhaps sometimes entry level to full performance but also from no experience to entry level. And I think the great part about this, as Scott is pointing out a problem, that as people tackle this, as they’re training new people and bringing new people into the career, you have to deal with this problem as well. It’s going to be a great time to talk about this. The one thing I will say is education can only get you so far, but it’s also our job to educate people to get them as far as we need them to be. So, I’m excited to talk to our guest about this and get some perspective.
[David Spark] And our guest, very excited to have him on board, it is the CISO of JAMS, Rich Lindberg. Rich, thank you so much for joining us for this conversation.
[Rich Lindberg] Well, thanks for having me, David. I love joining your Super Cyber Fridays, and I really appreciate what you do for the community. It’s great [Inaudible 00:02:57] with a colleague, Geoff. Thanks for having me.
What would a successful engagement look like?
[David Spark] Daniel Rocha of AAA Network Solutions obviously wanted to be the top of the Yellow Pages. Remember when that was a thing?
[Geoff Belknap] Does that matter anymore?
[David Spark] That company has to be at least 25, 30 years old. It’s got to be with a name like AAA Network Solutions. Anyway, let’s jump into Daniel’s quote here. He said, “Education can only take you so far as you mentioned. I have come to realize that what you study does not really happen in real life situations. The only way to get that experience is by being at the job.” And Joshua Copeland of AT&T said, “As for mitigation of risk, it’s about having the tiered approach and a rock solid training program.” Tip of the hat to what you said up front, Geoff. He goes on to say, “Your risk issue should be no different. Have those truly entry level folks doing the well documented repeatable processes and tasks. Crawl, watch, walk over the shoulder, run, do it by themselves. As they gain experience, add more tasks using the same approach.” So, Geoff, Joshua’s comment here seems like the model to do it. Simpler said than done. But is that really the model?
[Geoff Belknap] It’s basically the model. Look, anytime you’re starting with entry level talent and it’s a great time to start with entry level talent, whether you’re getting people out of boot camp, or some sort of program like Year Up that’s helping people transition careers, great. You’ve made it through the first step and a really important step of focusing on not just senior talent but entry level talent. Now you have to adapt your program to figure out how are you going to onboard them. And I think Joshua has the perfect remedy for that or the perfect way to start that, which is a crawl, walk, run approach. Start slow, embrace the tenets of security you should already be following, which is least privilege. And maybe don’t grant the person that just walked off the street and is learning this career for the first time access to do any damage from the beginning. And I think that’s a pretty reasonable approach to take.
[David Spark] All right, Rich, I’m going to throw this to you. Josh gives a basic explanation of how to do it. It seems like that’s the formula right there. But where does education fall off? Where does experience take on, or is it literally it’s the training it’s one and the same?
[Rich Lindberg] Well, I think that it’s interesting the very first question at the top of the segment really relates to this, too, and that is we all know we need help. How do we get there? Because all of the organizations seem to be behind in their security talent acquisition, and so they’re panicked. And they’re saying, “No, I need to have these experienced people. I can’t possibly spend cycles bringing people up.” We know that that just doesn’t work long-term. So, having a planned approach is… I think Josh was spot on. I think I would give advice to the earlier questions of don’t fear embracing new talent. Once upon a time, I started a brand new line of business for a major telecom in security from nothingness. They had no such business. I interviewed 30 people, brought them on. Some of them had some talent or prior experience. Some of them had none.
But they had lots of raw talent that I could mold. And so when Joshua commented about a programmatic approach to get there, that’s what I would recommend. But the trick is that so many companies have documentation debt. Having documentation debt means you don’t have your processes. Everybody is not on the same page. They don’t know their roles, where they begin, where they end. If we think about incident response, to have successful incident response we’ve got to have very clear scope of duties and when there’s a hand off in a communication, etc.… And I think the training is no different. The other thing I would say about training is… You know that old joke that the CEO talks to the CFO and says, “Hey, do we really need to train these people? Because what if they leave.” And the other one responds, “Well, what if we don’t train them, and they stay? And we don’t have that competency.”
[Geoff Belknap] Yeah, exactly.
[Rich Lindberg] So, I would say that having a deliberate approach to have people have clear understanding of their roles, which is really the result of what Joshua is suggesting, makes sure that everybody can get the help they need and support they need from mentors above. It’s just better for everybody.
How would you handle this situation?
[David Spark] Michael Muñiz of InfoSight said, “Invest in a robust curriculum for entry level employees as part of their probationary period. This training curriculum can serve as a bootcamp of sorts. It also allows the company some leeway to turn away those who are not fit/lack the skills the organization requires.” And Heather C. of Optiv said, “Training in the following areas with oversight is needed.” And Heather mentioned phishing. New hires are ripe for the picking and access levels. They need to know what having admin rights in the long run means. So, both Michael and Heather are getting into some specifics here. And I’ll start with you, Rich, on this about how to handle the training. Heather mentioned a few other things, but I just picked out phishing and also access levels of there’s some key things that you really need to worry about that have sort of the highest sort of risk concerns. Because this discussion is mostly about how do you sort of thwart risk. Not just how do I bring on talented people and make them better, but how do I deal with the risk issue of bringing on green people. So, I thought Heather has pulled out a couple of good ones here. Any more that you would add, and do you agree with Heather?
[Rich Lindberg] I would say that I am empathizing with Heather because that’s exactly what I’m doing right now at my shop, which is I have some amazing, smart people that are really talented in their disciplines. But in order to create a more comprehensive security culture I’ve been partnering with IT who are really good at what they do, but this is not their area of focus. So, for them it’s rather like bringing on a new cyber security resource because it’s new training to them. Right? And my challenge is to empower them. They already have amazing rights because they are the IT team. They’ve got administrative rights. So, I have to be careful I’m programmatic in making sure that they can understand the implications of events that they see and how they can navigate properly. But that’s my job – to educate them.
It’s their job to pay attention and invest, but it kind of speaks to this probationary period which in my experience seems to be about 90 days. I would say that, first of all, as an organization you have to invest in employee empowerment or talent development, that kind of thing, and have those training programs in place. You can’t just say, “Here’s a book. See if you can get through it and pass the cert in 90 days.” There’s got to be…the organization has to take more ownership than that and provide structure. I think in that kind of probationary period that HR sets up, you’re not going to see anybody master a skill to varying levels. What you will see is do they have good habits, and will they show good promise to get to where you expect them to go. And so that, again, requires us to take our job as leaders seriously.
[David Spark] Let me throw this to Geoff. And I like the idea of looking for good habits. That’s kind of a nice indicator to see if you’re heading in the right path. Let’s talk about this probationary period. I don’t know if you actually call it that, or you may just sort of think about it. Like do they have the good habits. Even though they don’t know everything, are they developing the right habits? Geoff?
[Geoff Belknap] I don’t have a formal probationary period, but I think any job you start at any level, there’s that first honeymoon period where people are making sure that are you a reasonable adult showing up and doing the basic things on the job, and are you demonstrating that you can learn and engage with people in your career path. Great, you’ve made it onto the next stage which is now we’re going to invest in you, as Rich said, and make sure that you can learn the way that we do the job here. And really where the rubber meets the road because the stuff you learn in the classroom… Look, if you’re a surgeon, you’re going to learn stuff in medical school.
But when you graduate and you become an actual resident or an attending physician, they’re not just like, “All right, here’s some surgery tools. Go do that open heart surgery.” There is a lot of learning that happens as part of that process, and there’s a lot of continuous learning. I think one of the most important lessons that the info sec industry is just learning now is we as employers and we as a community have to be part of that continuous learning exercise and that it is 100% okay to not know everything when you’re beginning. It’s also 100% okay to not have access to do all kinds of damage in the beginning. Honestly if you’re starting somebody new and they have the ability to make a mistake that’s incredibly damaging to your organization then you should ask yourself some questions about how good your program is.
[David Spark] Right. And in those cases… Because we hear all these stories of the intern changed a password, or this happened, and then all the blame on the intern. I’m like, “Why was an environment set up that an intern could do that?”
[Geoff Belknap] Exactly, from your lips to God’s ears. I was going to say the other people that don’t have that access or shouldn’t have that access. Or like me and Rich. I shouldn’t be able to change a password and destroy the entire environment. That’s not my job. I shouldn’t have that access. And if I do, I think you really have to ask yourself some questions about how you’re granting access and governing access in your environment. That’s why I think people like Rich and I always cringe really hard when we hear it being blamed on the intern. Not only is it a terrible thing to do in the public, but it really highlights a problem. You’re kind of telling on yourself.
Sponsor – SolCyber
[Steve Prentice] Companies that are not the size of Amazon or Google often face significant challenges, being large enough to serve and grow their customer base but not always large enough to fully overcome and benefit from the logistics of being a player in the global marketplace. That’s where SolCyber comes in, as CEO Scott McCrady explains.
[Scott McCrady] The main thing we’re trying to do is really help midmarket customers solve their security and risk problem. And we do it in a very practical manner. So, in today’s world security can get very complicated. There’s a lot of products. There’s a lot of services. And so if you’re in this midmarket space and you are dealing with the risk of…pick your risk…ransomware, or breach, or business email compromise. And then you’re also trying to say, “Well, how do I get my cyber insurance so I can offload some financial risk?” The whole process is very challenging. So, what we’ve tried to do is take Fortune 100 level security and put it into a super easy compelling package so that the midmarket can just sort of walk into a no brainer type situation where they’ll have an amazing security posture, best of breed technologies, the ability to respond when something bad is happening. And then we can pivot that into supporting different types of offloading of risk like cyber insurance. So, if you’re using what we do, it’s so successful that a lot of the insurance underwriters are willing to give a significant discount on your cyber insurance policy if you’re using SolCyber.
[Steve Prentice] For more information, visit solcyber.com.
There must be a better solution.
[David Spark] Mic Merritt of McByte…love that alliteration…said, “I don’t advocate for reducing experience requirements to allow entry level people to get hired. But to actually create realistic entry level positions, companies must actually create entry level roles. Entry level roles have minimal responsibilities and limited access, so risk is negligible.” And Aaron Zook of OneStream Software said, “I would like to see an entry level hiring model implemented in info sec that scopes in training, mentoring, and measurable growth path. This could easily replace the flood of unrealistic job posts we all loathe so much.” So, I’ll start with you, Rich, on this one. This is more from the hiring end on this. And this is a complaint we’ve heard endless times. Endless. I don’t know if you’ve ever done this, but a job listing will say entry level position with these skills and when you’re hired, this is going to happen kind of a thing. That would sort of make it clear to everyone what’s going on. Yes?
[Rich Lindberg] Well, sure. But I think the pain that we all suffer is the actual content of those job listings, those positions that are listed. Look, when we have compressed IT teams and even more compressed security teams where we all have to wear a bunch of hats, that leads to the problem of scope creep, and it makes it harder to create those discrete roles. So, again, it’s up to the company to decide how much investment they want to make. Of course you want to be responsible to the business, but you have to be able to speak truth to what are the capabilities, roles, functions, etc. that need to happen in order to get to a B in security, an A in security, however you may want to rate it and to manage risk. And if the business doesn’t want to invest in it, they’re willing to accept risk, so be it. And then you have fewer people with more hats. But if you want to get more realistic hiring definitions in the job descriptions, I think we need to have a better look at our discrete duties within security operations, within policy and guidance, audit, all the different… There’s so many.
So many different roles. When we get to this one-man band phenomenon you end up with these unattainable roles, and they don’t want to pay anything for it. And it’s just awful. The thing that I am personally working with and I love that my CIO is on board with this that we believe in apprenticeship systems where we will assist colleges and/or people who are looking to change careers, whatever. They have less experience, but they’ve got the passion. And they want to do something different. We will bring them along with a deliberate responsible mentor. It is now that master’s role. It’s their responsibility for their padawan learner to be successful. It’s part of their success criteria. So, I think that there’s a hybrid of professional training, some university, and some responsibility at the organizational level to measure success and translate that to performance reviews and promotions, and we’re just too busy, or lazy, or I don’t know what…not formal enough. But those are the things that the organization, again… I keep coming back to it’s our job as leaders to empower success. And otherwise it’s an excuse.
[David Spark] All right, let’s take this to Geoff. I couldn’t agree more. What have you done? What have you seen, Geoff, in this respect of at the entry level making this a more understandable experience of what we’re expecting and what we’re going to deliver?
[Geoff Belknap] I think the first thing is first, and Rich kind of hinted at this, is entry level has to really mean entry level. Entry level at McDonald’s or something like that means you have basic skills needed to learn the job. And I think entry level in info sec should mean the same thing. We have to stop saying entry level info sec job, you just need six to ten years’ experience of incident response, or product security, or something like that. That’s not entry level. That is mid-career for a great many people.
[David Spark] No, but entry level could require a certain level of education.
[Geoff Belknap] Right, but what it shouldn’t require if it’s really entry level is years of experience in some security discipline.
[David Spark] Right.
[Geoff Belknap] If you have three years of network experience, or operating systems, or programming, or something like that, great. So, I think Rich implied this. I’m going to be direct about it. There are definitely companies out there that are framing things as entry level to try to hire people for dramatically below market, and I think that’s just wrong. We get into a problem when that happens. Then what I’m doing, which it sounds like what Rich is doing as well, is I’m leaning into apprenticeship programs and training programs. I think if you’re a larger organization you have the ability to hire an instructional designer – hire somebody that could build a continuous learning program for your engineers. Even people with lots of experience who might be senior people can benefit from learning more about their career path.
[David Spark] Do you for your own staff…? And quickly answer both of them, talking about mid to senior level people. Is there a certain percentage of their time that is set aside to training others?
[Geoff Belknap] We’re working on this right now on making this a thing for people.
[David Spark] Okay. So, it’s in development. And, Rich, yourself?
[Rich Lindberg] Right, so since I joined seven months ago this is also in development, but it’s something that’s accepted, and we’re working on the parameters to.
What needs to be considered?
[David Spark] Robert Tremont of BC FIPA said, “Actually the risk increases if you hire only experienced people because someone else will hire them away from you. Part of mitigating all those risks is proper succession planning and staff development.” I thought that was a very interesting comment there. And Natalie Baker of Appalachia Technologies said, “Leadership is not the same as management, so learning how to be an effective leader and constantly reevaluating your leadership style is also just as important. People are your greatest asset and your greatest risk. So, if you treat them right, they will move mountains and earth to prove you made the correct choice.” So, both of these brought up really interesting points about risk of hiring experienced talent. You could lose them. And if this hugely experienced person goes and you don’t have someone to move up and replace them, that is an enormous sort of risk hole that you’ve generated. And then similarly Natalie was saying yes, the risk… But if you train them right, they’re going to be the complete opposite of a risk. Geoff?
[Geoff Belknap] Absolutely. You’ve got to start somewhere. Your team should have a whole spectrum of different levels of experience. If you’re super lucky and you can only hire the most experienced people ever, great. But to I think Robert and Natalie’s point, you’re leaving yourself holes. If you have a developmental path of talent that’s coming through here, you’re building a stronger, more resilient security program that is resilient to disruption of the program itself, and that is only good for your organization.
[David Spark] Rich, your thoughts?
[Rich Lindberg] Yeah, I think that this speaks to three things for me. One is the servant/leader mindset, organizational documentation debt, which I kind of spoke to earlier, and then lifelong learning. So, the servant/leader bit is that it is our job to continue to enrich and evolve our teams. And if we are not doing that then we are just letting them stagnate. Then at some point we should just buy automation tools and replace them with a very small shell script.
[Rich Lindberg] So, I think that we need to trust our people.
[David Spark] Which by the way, can I pause you there for a second? If you could do that, you know you would do that, right?
[Rich Lindberg] I automate the heck out of everything I can so that I can have my people do interesting things and avoid repetitive work, so I value both because efficiency.
[Geoff Belknap] I think the answer is yes. If that was possible, there’d be a company doing it right now, and it would be a trillion dollar company.
[David Spark] Exactly.
[Geoff Belknap] It’s not possible. You can’t get rid of humans.
[David Spark] Yes.
[Rich Lindberg] Right. But if you are not doing something to advance your people then you should rethink your security program a little bit. Succession is important. But the point of liability in case people leave… Well, if you’re enriching your team then they’re going to want to stay anyway. However, if you have good process, if you’ve matured your process so that there is no single point of failure, it’s institutional knowledge, not tribal knowledge, your teammates can be cross trained. They can take over for each other. And if you lose a single person you’re not going to be crippled. If you lose your whole team then you should reevaluate your management team, I suppose. But at the end of it is something that Geoff said, is cultivate a culture of lifelong learning. And like what we’ve done is actually provide whole learning management system access to people at our organization. We have technical training available through third parties. We have language training just in case people want to, not because they need to. We’ve got all kinds of esoteric enrichment for humans that don’t always seem to correlate to their job, but we invest in our people. And if you look at our retention rate in this great resignation, I don’t think we’ve lost a single person. Not even one to the great resignation.
[David Spark] And that’s a good place to button this all up.
[David Spark] Thank you very much, Rich. And thank you very much, Geoff. Now we have come to the portion of our show where I ask you, what was your favorite quote, and why. Rich, I’ll begin with you. Do you have a favorite quote, and why?
[Rich Lindberg] Well, I’ll say that I appreciate Joshua.
[David Spark] He’s at the beginning. He kind of set the outline of how to do this.
[Rich Lindberg] Yes, but because I think that his approach is one that is really understandable that you can get buyoff from the top to the bottom of your organization when you need support if you’re going to [Inaudible 00:24:18] programs. So, I think he wins my vote for favorite quote because he’s coming to the table with a solution that we agree works.
[David Spark] Good. All right, Geoff, your favorite quote, and why?
[Geoff Belknap] This is a tough one. We had a lot of good quotes here.
[David Spark] Yes.
[Geoff Belknap] Really appreciated Natalie, and Joshua, and Michael’s approaches, but I’m going to go with Robert Tremonti from BC FIPA. Actually the risk increases if all you hire is experienced people because someone is going to hire them away eventually, especially if you don’t treat them right. Part of mitigating risk from a key person loss is proper succession planning and staff development. Train people, invest in them. Whether they’re senior, or junior, or early career. You have to invest in them, and investing in them is not just giving them additional work.
[David Spark] And I’m going to sort of add an addendum to Robert’s comment. I’ve mentioned this on the show before, and we’ve all worked for companies like this. I have gone through interviews galore where they say, “Oh, we hire from within.” And then you work at the company, and you watch them hire from outside. Like they don’t promote from within. You want a quick way to give the finger to your entire staff… If you do that on a perpetual basis… Yes, sometimes you need to hire from outside for senior positions. Sure, of course. But if all the positions you’re doing go in that direction, you’re going to start to lose your staff.
[Geoff Belknap] Yeah, absolutely.
[David Spark] So, make it clear that that’s what’s happening. Agreed?
[Geoff Belknap] Agreed. I think also you can’t only hire from within. You need diversity of perspective.
[David Spark] Right.
[Geoff Belknap] You need some different people. You got to spread it around.
[David Spark] Right. All right, we’re going to wrap this up. And, Rich, I’m going to let you have the last comment. The question…I always ask if you’re hiring, so we’ve been talking a lot about this. So, hopefully you will be right now. I want to thank our sponsor, again, SolCyber.com. How else would you spell cyber? Don’t answer that. I know there’s going to be two C’s, and Q, and an E in there somewhere. But not them. Spelled the way you think it is. Anyway, there’s an MSSP that brings simplicity and affordability to your cyber security. If you need that, who doesn’t, check them out at solcyber.com. Thank you for sponsoring the show, and thank you very much, Geoff. Geoff is always hiring. He’s perpetually hiring. And if for some demented reason you would not want to work with Geoff…
[Geoff Belknap] Then work with Rich.
[David Spark] …work with Rich. Those are the only two people we want our listeners to work for.
[Geoff Belknap] That’s it.
[David Spark] Other than that… Or you could go look on LinkedIn, and they do have a job listing there. Rich, any final thoughts, and are you hiring?
[Rich Lindberg] I think people resource is one of our huge vulnerabilities as an industry and organizationally. So, this kind of topic gets brought up at every C-level event that I attend, and I think that until we put action behind it and until we do something about this… And this conversation was a great framework for starting that at a place…things are never going to change. And so my final thought is be part of the solution and help out. Get involved somehow. We are hiring actually. We decided to… Because I partnered with my CIO counterpart. We’re hiring and investing in the IT team because we want them to be hand in hand with security operations. So, we are giving them additional responsibilities commensurate with our expanded programs. We’re empowering them and empowering our partnership.
[David Spark] Excellent. Well, thank you very much, Rich. That’s Rich Lindberg, who’s the CISO over at JAMS. And my cohost, Geoff Belknap, who’s the CISO over at LinkedIn. And you all have the title that you currently have. For how long, I don’t know.
[Geoff Belknap] We’ll see.
[David Spark] We’ll see. Thank you very much for your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn, or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.