Defense in Depth: Why is Security Recruiting So Broken?

What role should HR play in the hiring process of cybersecurity candidates? Many candidates feel they’re being inappropriately filtered out before a knowledgeable security leaders gets a chance to see them.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tony Sager (@sagercyber), svp, and chief evangelist, Center for Internet Security.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Qualys

Full transcript

David Spark

What role should HR play in the hiring process of cybersecurity candidates? Many candidates feel they’re being inappropriately filtered out before a knowledgeable security leaders gets a chance to see them.

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark; I’m the producer of the CISO Series. And joining me for this very episode is Geoff Belknap, who is the CISO over at LinkedIn. Geoff, make some noise with your mouth, please.

Geoff Belknap

[LAUGHS] Hello, David and CISO Series fans.

David Spark

Thank you very much. More from Geoff in just a moment. But first, our sponsor for this episode is Qualys. Huge thanks to Qualys for sponsoring. It’s been a long time sponsor and, in fact, they’ve got a very interesting story on vulnerability management. More about that later in the show. Now, next, I want to set up today’s discussion. And it is on the topic of getting hired, which is a very, very hot topic always. And we’ll see it in particular with this one. Greg van der Gaast, who is the CISO over at scoutbee, penned this post about a security leader telling him he would be perfect for a job at his former employer. By the way, I should mention that this post was a couple of years old, so this was when he was looking for some employment. And Greg submitted his application to the recommended company and in six minutes he received a rejection letter by the company’s HR department. Now, obviously the HR department doesn’t see the same as the security professional or the security department is not properly communicating what they want to HR. Or, possibly, the case is the application tracking system didn’t find the necessary keywords on Greg’s resume. This story obviously hit home with a lot of people as there were more than 2,300 reactions and nearly 600 comments. Geoff, this is an issue: the HR filter and the ATS looking for keywords. It seems to irritate a lot of people.

Geoff Belknap

Aw, this irritates me, I’ll be honest, both as somebody who at different points in my career has looked for a job and has been affected by this kind of thing, but also as somebody who does an incredible amount of hiring. And, spoiler alert, we’re hiring now; come see us.

David Spark

By the way, that’s the spoiler alert for every episode that Geoff’s on.

Geoff Belknap

That should not actually be a spoiler. But what I’m getting at is, it’s really hard. And as much as we’re in a transition time in InfoSec and security in general about how we conduct the business of InfoSec and how we get new people into InfoSec, there’s also a transition in how do we hire for InfoSec. I spend a significant amount of time with my recruiting team, which, for me, is more recruiting than HR, talking about this very same issue, and I’m excited to get into this. I’m excited to have our guests join us in this conversation.

David Spark

I’m very excited as well. And one thing I should mention I talked to actually some of his colleagues is I didn’t realize that first of all this his is going to be dropping on October 21st, the third week of October, which as I understand during the Cybersecurity month is focused specifically on hiring. So, I couldn’t have timed this more perfectly. Total coincidence, by the way. Our guest, who we’ve had on the other podcast–thrilled to have him. And, by the way, I want to tout that he is responsible for the CIS Controls, which were previously known as the CIS Top 20. I’ve been told not to call it that anymore, but it’s the Controls we keep referencing as the most critical things you need to concern yourself with. Our guest is responsible for them. So, if you like them, applaud him. If you have a problem with them, still applaud him. [LAUGHS]

Geoff Belknap

Still applaud him, yeah. Let’s all appreciate his contribution. [LAUGHS]

David Spark

We appreciate him. Anyway, it is Tony Sager, svp, and chief evangelist for the Center for Internet Security. Tony, thank you so much for joining us.

Tony Sager

Well, David, that’s a pleasure to join you and Geoff today, and thanks for the plug on the CIS Controls. If we were a comic book, I would have been part of the origin story for the hero. But all I can claim credit for is version zero, and then the cat herding along the way of lots of great people contributing to it.

David Spark

Were you bit by anything, or did you fall into a vat of anything? No?

Tony Sager

No, I don’t remember any radiation, but maybe that’s why my hair fell out. [LAUGHS]

Geoff Belknap

I feel like we need to secure at least Stan Lee to have cameos in more of these.

Tony Sager

Absolutely.

Why are they behaving this way?

4:34.998

David Spark

Garry W. of Haler Europe said, “Sadly indicative of how nearly every major company seems to recruit anyone these days … Can the candidate tick all the pre-requisite pigeon hole boxes? No? Then let’s send out a polite but impersonal ‘thanks but no thanks’ … The process needs to change and adapt or this cycle will just keep repeating.” That, I would say, is a good theme for this entire discussion here. And Peter Gross of London Stock Exchange Group said, “So often in this (maybe overloaded) market it just comes down to keyword checks.” And Gina Jahn of Power Automedia said, “When companies allow algorithms to screen their candidates, this will happen more often than not.” So, we’re setting ourselves up for this, it seems, Geoff. Yes?

Geoff Belknap

Yeah. All the focus in the last few years, and don’t call me out for saying “all” when it’s not really all, has been on technology and how do we communicate and get investment in technology. And, really, very little of the investment has been on how do we hire better for these people. And most of the companies that are guilty of this are doing their best. They’re high volume organizations that are hiring hundreds if not thousands of people a year, and they built up this technology stack that they thought was a good way to screen and hire the very best people. And, more importantly, there’s a bunch of stuff these recruiting tools do under the hood that collects metrics and helps them understand about what hiring managers are good or bad. Unfortunately, it has the side effect of really excluding a lot of really qualified candidates from consideration. And it’s a problem that security teams and HR or hiring teams need to solve together, and it’s a real problem.

David Spark

Tony, you, I’m sure, have seen this problem. You’ve probably had people come to you and complain about this problem, yes?

Tony Sager

Oh my gosh, Geoff really struck a nerve by starting this conversation. I’m old enough to remember, certainly, hiring in government where I was starting in the mid-’70s, we would have to please apply for our jobs. We would try to cast the net wide and try to be as open to find people. And heaven help you if you get what you wish for, because now we’re drowning in these kinds of things, with the focus on the technology. And Geoff’s right: hiring is more than the list of certifications or the list of languages that you can speak or write or program in. We’ve got to think differently about the job. How do I take a first look at this? David, you hit on a key thing in your introduction, why this is a system problem, not a component problem. It’s how we ask for people, it’s how people ask or seek jobs, and how do we align all these different pieces to do something rational here. I do remember the early days when even my employer at the time, the National Security Agency, started to go with what we called robo screening just to get through the flood. This was the dot com days, and it was crazy.

David Spark

And, Geoff, it feels that we need something to create a filter, because this is too much for a human to handle. But the filter we’ve created is upsetting everyone.

Geoff Belknap

I think it is. We just have to face that fact: nobody is really happy with this. And the only thing worse than this are the systems where they’re, like, “Upload your resume. Now, re-enter into all these fields everything that was in your resume.” I think a lot of the problem here comes from the fact that, and we were talking about not too long ago in our AMA, the conversation often comes around that there’s no common path or common set of credentials that are very standard to get into security. Even when NSA was hiring, and they still are, they’re looking for people that have common sets of academic backgrounds and things like that. And in that case, it’s easy and in fact helpful to have something that auto screens people out that don’t have the qualifications or the credentials you’re looking for. In the security space, there’s no standard way to evaluate those folks. There are a lot of people that want to get into security, and there are a lot of different disciplines of security. So it’s really hard to interview people; it’s really hard to screen them out, and you have to do some amount of screening. The unfortunate thing is it’s got to be done at this point by humans. And most organizations are not staffed up for that, much less ready to compensate people fairly or understand exactly what their value is. So, this is an emerging problem we have in InfoSec. I hesitate even to call it emerging, because this post is two years old. It’s clearly something we need to face that we don’t talk enough about.

What are they doing wrong?

9:21.255

David Spark

Gina Jahn of Power Automedia, again, said, “Unless you alter your resume to include several ‘keywords’ from the job application, you won’t meet the algorithm.” Now, knowing what that algorithm is, and, who knows, but many talked in this discussion about, well, just throw the keywords in so you can bypass that first filter. Christophe Foulon of Capital One said, “Big companies screen more with ATS than for fit.” Lastly, Joshua Maynard of Motorola Solutions says, “It’s asinine to change words on a resume just to make it match an ATS.” So, if you’ve got to fit into the system, maybe you have to do it whether you like it or not. Tony, do you see people just reviewing resumes and go, “Oh, you don’t mention this on your resume. You need to do it because you won’t get past the ATS if you don’t.” By the way, ATS stands for “application tracking system” for those people who don’t know. Go head, Tony.

Tony Sager

In the early days, the ones I was familiar with were very crude: keyword matching at a very simple level. And, of course, the people you’re looking for are very clever. The people applying are clever. [LAUGHS] And so there’s a bit of a game going on here about how are they screening and swapping tips for how to craft your wording or hit the right things in there. Which turns out to be not very helpful at all, because you might be finding a certain amount of cleverness. For the right kind of job, you’re looking for people that like to cheat the system, but it’s not a good general solution here. At one stage in the dot com craziness, again, my experience was government, the head recruiter once told me, “We’re not getting anybody from–” he named a bunch of the top ten schools in engineering or something like that. I said, “You need to quit looking.” What I really needed at that time, what I was seeing was the need for what I called lifelong learners. The old model was hire a smart kid, bring him in, maybe intern program, but they’ll learn from the masters here at the work space. I became one of the masters and I realized these kids coming out of school had more current and relevant skills than most of my workforce. So, you had what I call skill inversion going on. What you were trying to find was the folks that were immersed in the technology and could keep up with it, because the old folks like me weren’t going to teach them. They’re going to have to teach themselves. So, we had a whole different challenge there. But what you were looking for was my older workforce might not have had as current skills, but what they had was professional judgment. They had maturity. They had all these other skills they had honed over the years. So, I needed to look for people who had the capability to move in that direction, that could move beyond the technical but to really run a project and work with others and do all these other things.

David Spark

Geoff, I would assume you’d rather hire somebody for capability that has the ability to grow than necessarily has items listed on their site. I don’t want to put words in your mouth, but how do you find that on a resume?

Geoff Belknap

You don’t. You really don’t.

David Spark

By the way, am I right in thinking that would be an ideal candidate for you?

Geoff Belknap

Oh, yeah, great. Here’s my ideal candidate for entry level or early career engineering roles: you have some basic technical capabilities. You’ve learned, whether self-taught or at school, some basic technical understanding of the environment you’re going to work in, depending on your discipline, and you can demonstrate a basic competence at the role, and that you can show me you’re an engaged learner. You want to learn, you dedicate yourself to learning, you can learn quickly. There’s no “I’m a certified engaged learner certificate” that I can screen for.

David Spark

Although you could say here are courses that I took and when.

Geoff Belknap

I don’t even care. There are so many people, especially in security and in tech in general, that are self-taught, that are building home labs or reading stuff online or whatever it is. People learn in so many different ways. And the easiest way to get past this somewhat fantastical skill shortage gap is to start broadening how you look at people. And I think the reason that this topic hit such a nerve is that it’s all about narrowing the field of people, which used to be really important. There’s so many people coming out of school and there’s probably so many lawyers or doctors graduating that you have to narrow the field so that you’re just looking for “the best.” And in our case, the best for the job doesn’t mean it’s necessarily somebody that graduated from Harvard. That’s all well and good, but these systems are built up to look for people from certain schools or people with certain certificates, and they don’t really acknowledge that a lot of the great engineers and leaders I’ve worked with have been self taught and didn’t necessarily have college degrees. But they had that professional experience, that competency they’ve built up themselves, and the fact that they were just learners. You don’t get that until you get them in the interview. The hardest part is all this screening is done before you get to talk to anybody. And that’s a lot of what I spend time on with my recruiting team: let’s just talk to more people. Let’s do phone screens, let’s do first engagements with them more so we can get a sense of what they’re like beyond just their resume.

Sponsor – Qualys

14:44.060

Steve Prentice

Ask a CISO what they are looking for from a security perspective, and they might say, one, to know everything about the assets that they have in their environment so they can protect them, two, to do everything they can to prevent and mitigate risk in their environment and, three, after doing all of that, to monitor the infrastructure for any sort of threats that may be on going in your environment. Sumedh Thakar is president and CEO of Qualys, a company that offers a unified platform that provides all of these three things for on premises cloud assets, containers, and mobile devices, and he believes this is best achieved by doing it in a consolidated and holistic fashion.

Sumedh Thakar

Every CISO will say that they want consolidation of security tools, because we have too many security tools and each solution comes with its own console, and there has to be a lot of effort put into integrating that with some sort of third party sim or something like that. What we provide is a single solution, a single agent. That one agent can do as an inventory; it can do vulnerability assessment. It can also fix the assets via patching the issues. It can monitor for EBR, it can monitor for file integrating monitoring. Today, these are six or seven different agents, and Qualys, a single agent, can consolidate all of that. And that gives a lot of efficiency in terms of utilization of CPU on the endpoint, but also a lot better integrated intelligence in one solution to get a better picture of what’s going on in the main line.

Steve Prentice

For more information, visit Qualys.com.

How do we make this everyone’s concern?

16:19.202

David Spark

Jane Frankland of KnewStart said, “This is not a talent problem; this is a hiring problem.” And Faiz Shaikh of Digital Software Labs said, “What happens when we take the Human out of HR?” And Duncan Hart of Cyber Risk Quadrant says, “The more that recruitment people want to make

recruitment look fair, methodical and rigorous the more homogeneous it becomes. The problem of applying the same criteria to everybody is that everyone you choose is the same and your diversity goes down and the groupthink goes up.” I think that was a very interesting comment right there. You have the same filters: are you just going to get the same people, Tony?

Tony Sager

There’s certainly the risk of that. The lazy way is to pick your approach of filtering to get the most to fall off the table as quickly as possible. That’s what leads to these bad ideas and bad judgment. And it’s very complicated to think through. And you’re looking for these other attributes; Geoff said it really well. There is a level of competency that all these jobs require. But there’s also this professionalism that is harder to get to. Sometimes you can see indicators of it in the paperwork or in the application. I liked his point of speaking to as many as possible. Getting that first contact is a really important thing because I think there’s a lot to be gained from that sort of first contact.

David Spark

What I want to ask is what if you had in your system a chance for someone to prove themselves? So, “Oh, I’m sorry you’re not appropriate for this,” but there could be a second chance where if you really wanted, could you show us this kind of a thing. Because, like both of you, I’ve hired people because they showed they really, really wanted it and they proved it. And I was, like, oh, I definitely want you if you’re going to work this hard just to try to get this job. Wouldn’t that be a good way to handle this? Tony?

Tony Sager

That’s clever, David. I’ll give an anecdote: one of my best hires ever was what is known back at the NSA as a courtesy hire. [LAUGHS] He’s made it this far into the process and no one quite wants him. And it was a him at the time. His resume comes to me, and a very unimpressive GPA. Not a name school. I happened to flip the page over. Normally, you would never put a second page of your resume on the back, because in our system no one every copied that. But by accident it happened this time, and I flip it over. It turns out he was the first generation of young people applying for jobs who’d grown up in this stuff. He had a side business since he was in his mid teens writing specialty software for a local fish and wildlife whatever. And I looked at that and said, “I want to talk to this kid.” I take him out of the courtesy pile and said let me just talk to him. He had that spark; he really wanted to be in this stuff. And it turned out he was an indifferent student, but his GPA in his department, Double E, was noticeably higher. He had done these side things since he was a kid so he was growing up. So, I’m getting over my old guy generational thing and saying, this is what we need to start looking for: someone who lives and breathes this technology and sees this as their path. Not accidentally like me, but this is core to what they want to do. So, getting to that contact and giving someone the chance to separate themselves and demonstrate the passion and self-drive that would lead to a long, successful career is easier said than done. But I think that’s something that’s stuck with me for decades now.

David Spark

Geoff, have you ever had an experience where you maybe were initially dismissive of someone but they were, like, “Oh no, I want this,” and they pushed really heard and you realized your first thought was wrong and they proved themselves?

Geoff Belknap

Oh, yeah, sure. And I think some of it comes from maybe a chip on my shoulder from being a relatively non-traditional student myself. I went to college at a time when–

David Spark

At a time when there were still wheels. Because the wheel had been invented.

Geoff Belknap

When there were still wheels. They were not all square. But I went to college at a time when telecommunications and the internet was just burgeoning and coming up and I got a job in the industry. And I was, like, I don’t need a college degree. I had a job and it was a great job. And it took me 12 years to come back and finish the degree. And I think along the way I hired a lot of people that were non-traditional as well. And what I’ve taken forward to this role is exactly what Jane says here. This is not a talent problem. We have lots of talent; there’s tons of talent in the marketplace, whether it be in the US or otherwise. This is a hiring problem. And it’s really a misunderstanding of how to hire into an industry like this that is under constant rapid change. And if I go to what Tony is saying and I think about what Duncan is saying about fairness and methodology in terms of hiring, we’re shifting that. Something I’ve done in previous roles and I’m looking to implement in my current role is you can shift the hiring process to demonstrate your competency. Show me that you have this competency. Even if you didn’t go to a great school and get a great GPA, take this practical test or a little bit of homework. There’s a double-edged sword to this because I think there are some startups that have done the take a take home test, but it’s 12 hours of work and you’re writing an actual piece of code and that’s a little exploitative. But I like to give people open-ended things like here’s a pcap or a log file or a piece of code. Take a look at it; spend no more than 30 minutes. Write up your thoughts; tell me what you think about this and what you can find in there or what you know about it. And that’s a great way as an opening salvo before you even come on site to help understand this person’s competency level, to understand how they think. You could see how they write.

David Spark

I will also say that half of the people won’t even do it, and those people really should be weeded out.

Geoff Belknap

Exactly. At that point, I’m being very fair. Everybody gets this. The people that grade it don’t get to see what the profile or the name of the person is that wrote it, and we get a really fair assessment of what their skills are. And I think we’re going to have to find more ways like that to do things to make it fair before we get to something that works algorithmically. Because I think something that works algorithmically is decades away from this industry.

Does anyone have a better solution?

22:38.727

David Spark

So, here are some suggestions on how to deal with this. Mark Buckwell of IBM said, “Open security roles are always here,” saying at IBM. “If you don’t fit exactly a role, apply for the nearest appropriate and we will still look at your resume.” Hassan Peabody said, “I myself have been rejected many a time.

One way to beat those teams is to simplify your responses to only meet what they are after.” And I think that’s actually very clever, because you want to tell a longer story, but you realize you’re just looking for a simple answer to say yes to you to move you on. And sometimes more may give them more reason to say no, sadly. And, lastly, Lee Dalton of Roder said, “Five minutes on the phone to anyone that has potential, is, in my opinion, likely to unearth some gems that you would never see via an average recruitment process.” Trying to keep someone on the phone for just five minutes, I don’t know. But, Geoff, have you done that before?

Geoff Belknap

I have, although I say usually it’s my recruiter that I’ve invested a lot of time in and trained them in what the profile and kind of people we’re looking for will do that. Because you can’t really scale it at my level. But I think if I just zoom out very broadly, I’ll say I’m a CISO. This is hard to say about myself, but I’m relatively successful; I’ve had some good roles. I have been rejected as well. I’ve been a CISO out looking for new roles and have gotten that immediately bounced back: “No, you’re not qualified for this role.” And I go, huh, that’s interesting. It seems like I have a little bit of experience taking companies public as a CISO; you’d think I’d be qualified. So, it’s not like it’s just one role. This is a technology problem. I think it’s very real that you do need to still edit your LinkedIn profile or your resume to reflect the kind of job you’re looking for and to be willing to adapt, especially knowing that one of the easiest and most common ways that recruiters look for candidates is they just do a LinkedIn search. And they’re looking for certain keywords to bring you into the hiring process. That’s not screening you out; that’s screening you in looking for people that have some skillset they’re looking for or have done a job they’re looking for. But at the end of the day, like we talked about earlier in the show, I’m looking for reasons to get somebody on the phone so that somebody I trust can just talk to them, human to human, get a sense for who they are or how they got to where they are, or how they learned, how they’ve grown in their career, to see is this the person we want to move forward in the process? And I think the next step here is looking at this, like, how do we modify hiring for these roles. And how do we acknowledge that hiring for these roles is different than hiring for software engineers or hiring for some other kind of engineer, and get better at doing that instead of going, “Ah, there’s a skill shortage; there’s no one to hire.” There’s plenty of people to hire. We just have to figure out how to find them.

David Spark

All right, Tony, your closing comments on this very discussion as have you changed and would you like to change? And what do you think of the advice that these three people have suggested?

Tony Sager

I think there’s a lot of wisdom there, and I really enjoyed hearing Geoff’s comments on this, too. Because it points out that when we say we have a hiring problem, that doesn’t mean it’s up to the hiring department to fix the entire problem. What you heard from Geoff and some of these other comments were we have to think about what we’re asking for and be much more conscious of what we want. I’m involved with a formal study that’s about to kick off and we’re calling it “The Hunt for Unicorns.” Another theme that aligns with this one is maybe hiring managers that want people with ten years’ experience in a five-year-old field. And there’s lots of this over asking. [LAUGHS] And it may partly be because the person filling the job doesn’t actually understand the job. It may be because it’s it’s the safe thing to ask for something really high, and there are other factors like that that you say, what are you thinking when you ask for this? And the other problem I often see is what I call the back fill problem. You get someone that’s been there for ten years. The job they started with is not the job they finish with. They grew into them and the job grew to them. And if you write the request at that level you’re asking for a unicorn.

David Spark

We’ve heard that growing a unicorn is better than finding a unicorn.

Tony Sager

[LAUGHS] That’s exactly right.

Geoff Belknap

I also find people are looking for purple unicorns. They’re, like, not only do I want a unicorn, I need one in this special custom color.

David Spark

By the way, I want to give credit to Jesse Whaley, CISO of Amtrak, who said that line. Go ahead, I’m sorry. Tony?

Tony Sager

As I said before, it’s a system problem. You don’t want to throw it all on your hiring folks. I’m intrigued by Geoff talking about how many hours he’s invested with his recruiter. That really is what makes a difference is to be clear on what you’re looking for but also train the front end, not with the AI. At least not in the next few years, but with conversation, with understanding about what you’re trying to achieve. I think there’s a lot of wisdom in that.

Closing

27:35.890

David Spark

Thank you, Tony. Once again, Geoff, with Tony’s help, we have solved the problem of security hiring.

Geoff Belknap

That’s it; all done. This is the last episode about hiring.

David Spark

I’m always impressed with what incredible work we do.

Geoff Belknap

[LAUGHS]

David Spark

With that being said, I’m going to throw to you first, Geoff, what was your favorite quote of this episode and why?

Geoff Belknap

My favorite quote is, I’ve got to go back to Jane from KnewStart. “This is not a talent problem; this is a hiring problem.” And I’m going to bolt onto that the thing that Tony just said. That does not mean it is the hiring or the HR team’s problem to solve. We have to be as invested in this problem as we are in whatever technology we’re deploying, whatever risk conversation we’re having with the executive team. We have to be just as engaged in solving this problem as we do any of the other problems. And it takes a lot of effort to invest in to get just a couple of hires. But we have to be willing to do that if we’re going to move the industry forward.

David Spark

Tony, your favorite quote and why?

Tony Sager

It’s close to the one that Geoff mentioned here. Faiz Shaikh at Digital Software Labs: “What happens when we take the Human out of HR.” We talked a lot about the attributes of the whole person that you’re trying to hire, and a broader understanding of the job that you’re trying to fill is bigger than the list of specific technical qualifications. And if we don’t find ways to get to that to really both understand what we need and help find the people that have those attributes or the potential to grow into the job that we need, then we will really fail. And what we have is a friction problem and an entry problem here. In all my wanderings through the industry, you hinted at that before, David, I can’t tell you how many people came up to me and said, “I heard the numbers about all the jobs available. I went back and got another certificate, another degree.” I look at the resume and they look pretty good to me, and they can’t even get a callback on the first job. We have a tremendous friction problem here for entry at the entry level for these kinds of jobs. And I think both that and then the mid-level more experience, demonstrated talent level is really important. Because whatever the magic number is on how many jobs we’re short, it’s big. And it is a problem for the future of the country, the economy, and the security of the way of life that we know. End of commercial. Thank you. [LAUGHS]

Geoff Belknap

I can’t stress enough that that really is what we’re talking about. We have to solve this problem because our economic security, our national security, our corporate investments all depend on doing this well.

David Spark

The key stone is the ATS, I think. If we can just solve how that darn thing works, the entire security industry would fall into place. Don’t you think, Geoff?

Geoff Belknap

I think we should make this a national priority to build a better ATS. There’s nothing government can’t fix by just spending more time on it.

David Spark

We have to ask the attackers to be patient and stop attacking until that’s set up.

Geoff Belknap

I feel like that’s fair. That’s a fair ask.

David Spark

I think it is. Geoff, thank you very much. Tony, let me ask you to make a pitch. By the way, let me also say, Geoff is always hiring at LinkedIn. You usually say this; I’m going to say it for you. And if you don’t want to work for LinkedIn and work for Geoff, why you wouldn’t, I don’t know, but I believe you can use LinkedIn to find jobs in other locations as well, besides at LinkedIn. Tony, would you like to make a plea for the Center for Internet Security or anything else that you’re doing right now?

Tony Sager

If you’d like to work at a small but scruffy and powerful non-profit, the Center for Internet Security is always growing. Not at the scale of the industry giants, but this problem, we’re involved in creating best practices. We work through volunteerism. Our job is to bring together great minds, create content, and support it. And I always say there’s great volunteerism in this industry, but volunteer labor doesn’t come for free. And our job is to organize it professionally and to make sure that it’s put to best use. So, I’m always happy to chat with folks. Reach me through LinkedIn if you’d like to talk about these kinds of issues or about what you can do to help secure all of us so that we all have confidence in the systems and in the world that we live in.

David Spark

All right, thank you, Tony Sager. Thank you, Geoff Belknap. And I want to say thanks to Qualys for sponsoring this episode of the program. Huge thanks to Qualys; we greatly appreciate their sponsorship and continuing support. More about them and their automated vulnerability management at Qualys.com. And to our listeners as well, we always greatly appreciate your contributions and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.