Fast Track Burnout for Your Cyber Team with Layoffs

What happens to your team after the layoffs? Your overextended team now realizes they’re going to have to pick up the slack for those who left. How do you shift responsibilities in such a situation? Does anything fall away? Because you can’t still operate at the same level. How do you adjust while maintaining morale and not burning out those who are there?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Dan Walsh, CISO, VillageMD. Our guest is Nick Vigier, CISO, Talend.

Huge thanks to our sponsor, Sentra

Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured.

Full transcript

[Voiceover] What I love about cybersecurity. Go!

[Nick Vigier] I love that I get to understand the entire business. I have to understand how every team does their job in the way in which they do their job. So, while you have an HR team that might work across the entire company doing HR things, we have to understand how a development team works, how a product team thinks about product, how the HR team does performance management, finance team does budgeting and the tools they use, and all of those things that put that context together into the bigger story, and then talk about risk.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Sparks] Welcome to the CISO Series Podcast. My name is David Spark, producer of the CISO Series. And joining me as my guest co-host who has been a guest multiple times on the show, and I think you’ve come on as a guest co-host before. Yes, Dan?

[Dan Walsh] I have. That’s right.

[David Sparks] You have. It is Dan Walsh. He’s the CISO for VillageMD. Dan, make the sound of your voice. We heard a little of it. How does your voice sound?

[Dan Walsh] It sounds kind of like this. On a Friday anyways, or whatever day of the week it is.

[David Sparks] It does. So, on a Thursday, it sounds much higher pitched, would you say?

[Dan Walsh] Sometimes, it depends. It also fluctuates with my blood pressure.

[David Sparks] There you go. Good thing you work for a health organization, and you can monitor that.

[Dan Walsh] That’s right.

[David Sparks] We’re available at CISOseries.com. You can check out this show and all of our wonderful shows over there. Hey! Our sponsor for today’s episode is Sentra. Sentra – data travels. Now security does too. And they got a really cool offer, something coming up at RSA, and we’ll talk about it later in the show. But first, Dan, we were mentioning just before we turned on the microphones that your organization is actually blocking ChatGPT, and I believe you said you are having doctors that are saying, “Hey, can you unblock it?” Let me ask you – why are you blocking it and why did the doctors want access to it? Do they want to do it to fill prescriptions?

[Dan Walsh] So, the DNS filtering tool that we use blocks it because it categorizes it as chat and instant messaging, which is blocked categorically at our organization. Digging into it more, I was kind of surprised that we had employees asking to use it. Obviously, there’s a lot of excitement, a lot of benefits around it. I think from our perspective, we’re trying to wrestle through the legal privacy compliance security issues of it to make sure that we’re evaluating it properly. Because obviously, whenever something is number one, free, you are usually the product.

[David Sparks] Yes.

[Dan Walsh] And number two, when it’s new, there’s usually this lagging indicator of governance that has to come up behind it which is what security professionals look for.

[David Sparks] Excellent, excellent point there. And so, yeah, there’s a lot that’s unknown. I think the security implications haven’t exploded in our face yet, but I think there’s a lot of sort of overarching concern. Yes, Dan?

[Dan Walsh] Yes. I don’t think your average security leader understands how that platform works yet. If you want to have an interesting time, go read open.ai’s privacy policy which I think creates more questions than it answers them. And so really trying to understand how the data’s being used and all the different security considerations that we would think about using a security framework.

[David Sparks] Excellent point. Well, we are not going to be talking about that on today’s episode but we got that through. I do want to introduce our guest today, very excited to have him on. I know you know this person very well. It is the CISO for Talend, Nick Vigier. Nick, thank you so much for joining us.

[Nick Vigier] Thank you for having me.

How have you actually pulled this off?

3:40.641

[David Sparks] Do you know your signs of burnout, and can you take action on them before you do actually burn out? Joseph Lewis, who just became the CISO at the CDC here in the US, wrote a confessional post about realizing he was taking on too much. He took on the CISO role and he was going for his PhD. He realized he was taking on too much and he put the PhD program on hold. I think everyone could see trying to do both of these is going to be a major red flag. So, Dan, I’m sure you or your colleagues want to believe you’re superhuman and can do everything. We all want to believe that. But what are the signs you’re about to hit the wall or at least moving towards the edge, and do you communicate that to your team, and do they come to you? How do you adjust so the work gets done and you don’t get a burnt-out team member?

[Dan Walsh] So, what I would say is security’s a relay race meaning you can’t always have the baton, sometimes you got to hand it off. And I think you need to have self-awareness for yourself to understand personally how you react to stress. I think a good way to determine that if you’re unsure is to ask your loved ones and your friends and your colleagues. Like, how do I look like when I’m stressed? If you’re married, ask your spouse as an example.

[David Sparks] Have you done that with your own spouse?

[Dan Walsh] I have, and she will tell me.

[Laughter]

[Dan Walsh] She will gladly tell me. I think it’s important to have a little self-awareness and then create permission for those around you to tell you that because sometimes it’s not quite evident.

[David Sparks] So, excellent point and I’m just going to call out Andy Ellis who’s the other co-host of this show. He implemented when he was at Akamai that any employee can tell another employee to go home. If they see them not performing well and that they’re very visibly stressed, each employee has the power to tell that person to go home, which is exactly what you just said. Nick, you are nodding your head heartily here. Where do you stand on this?

[Nick Vigier] I think Dan hit the nail on the head. It’s self-awareness, right? It’s trying to look at yourself and understand and being able to have a language of safety around you so that people can bring that to your attention. I think that’s super important to have with your team, it’s super important to have with the people around you, and being able to recognize what are those signals. We all handle stress in different ways. Some people become hyper introverted, some become manic, you never know. I know that I just pile it on and pile it on and pile it on, and then it breaks, and being able to short-circuit that becomes really important. And I think the other thing that people need to be okay with is that psychological safety to say, “I need to pull back.” It’s not a failure to pull back. It’s actually a success.

[David Sparks] I will tell a personal story here, not in cybersecurity, I was working at an ad agency actually. I went through a divorce myself and I honest to God did not know how I was going to react. And literally it happened the day before I walk into work the next day, and I walk into my boss’s office, I go, “My wife just left me. I honestly don’t know how I’m going to react. I’m just letting you know right now.” And they were so cool about it. And actually, at the time, my boss, he had also gone through a divorce too and he commiserated with me, so he was very cool about it. So, have you ever had, like that, had an employee give you like, “Something very dramatic happened to me. I don’t know how I’m going to react,” and just give you a warning about it?

[Nick Vigier] Absolutely. I mean, I’ve had folks who’ve had a family member pass away or a parent pass away or a sibling, and like, “Just FYI this is happening,” at which point we have a human conversation, right? This is not about performance. This is about empathy and making sure we provide the psychological safety to people to be able to express that. We’re not robots in general, and as we talk about being people leaders and motivators, we have to understand how all those pieces fit together.

[David Sparks] Dan, you get the closing comment on this.

[Dan Walsh] So, I mean, this has hit very close to home for me. March of 2020, my brother-in-law passed away of a drug overdose, and at the time I was a CISO, in my first CISO job. I was also teaching; I was an adjunct faculty at a university. And of course, we were just shutting everything down because of COVID and there was a lot of fear and uncertainty around that. So, I had to kind of go through the paces of being able to do some self-reflection and have some self-awareness at a very emotional time. I had to really lean on my team and just let them know like, “Hey, I’m not in a good place right now, and I’m going to need you to run with the ball on some things.” So, it’s very important. If you don’t do that, you won’t make it.

What do you think of this vendor marketing tactic?

8:30.211

[David Sparks] On the cybersecurity subreddit, a redditor asked, “How could cybersecurity companies market better?” The two most popular responses were, “If you make me talk to a sales rep to get basic pricing information, I hate you.” Now, that’s a little harsh. The next one was, “Quickest way to lose me as a potential customer, if talking to a sales rep is absolutely required to get any real information, I’m moving on before reaching out.” So, we’ve heard this a lot. We stress the need to have a product demo on the site for them to view rather than a “Request a demo” button to your site. I mean, I hear this again and again from CISOs. They do not want to be required to be in your marketing funnel. So, I’ll start with you, Nick, here. Do you agree? And provide some examples of information you saw on a company’s site, a demo that you really liked, that allowed you to do the investigation yourself.

[Nick Vigier] I’ll tell you – I like the frictionless trial. Let me just give it a shot, and there are a lot of companies that actually offer that. “Hey, you can use a lightweight implementation of this and give it a shot.” I think Tines is a great example for me where you get three workflows for three, go ahead and try it. The other introduction for me is usually through peers, right? Who’s using this? Tell me about it. Versus talking to salespeople.

[David Sparks] We hear that very commonly. Yeah. If you can try it, and also CISOs talk to CISOs. But one of the complaints that I’ve heard is that if you only get your information from the CISO bubble, then it’s very hard for new entrants to come in. I know Allan Alford was a strong supporter of trying to bring new entrants into the bubble. Do you think there’s too much of a bubble among CISOs just trading around what they know?

[Nick Vigier] I think one of the things that some vendors aren’t realizing, and I actually have had several of these conversations recently is that they don’t realize that getting an advocate within the sphere is actually really useful. Not only for getting feedback as an advisor but getting introductions and figuring out how do I frame this in the right way. Maybe there’s a value prop that hasn’t been identified yet, for example. That being said, hey, I’ll go do the floors at a booth at a conference and try to see what’s going on. That’s my second favorite way of doing things, and that gives me a very quick sense of the organization’s culture, right? That’s another thing for me for a vendor. What’s the culture of the vendor and the organization that I’m buying into because I don’t want to necessarily find a vendor, I want to find a partner.

[David Sparks] Mm-hmm. All right, Dan. I’m throwing this to you. Can you give me examples of company sites that you were able to do the investigating yourself or they had a great trial? What was it about the experience that made you much happier to actually buy them? And maybe you ended up buying, maybe you didn’t, but you still liked the experience.

[Dan Walsh] Yeah. So, without naming specific vendors because I know that can get a little sensitive. I would say the ones that I like are ones that will offer something for free, like, “Hey, here’s a very basic,” – to Nick’s point – “Here’s a very basic feature set that you can try it out,” or “Here’s some free information because we really want to contribute to the security space, so we’re going to give this free information away for CISOs that can help them run their program.” I know there was a vendor a few years back that had like, “Here’s 100 things that you can do to improve your application security posture,” and it was very tactical things, like, “Oh, yeah. That’s a great checklist. I can hand that to my application security leader.”

[David Sparks] You know what’s also similar to that? We had one vendor was a lot about questionnaires, and they said how you should react to certain answers on questionnaires, which I thought was very interesting. It was like, “If they say yes to this or no to that, this is what that means.”

[Dan Walsh] It’s a flag or something, right, exactly. I think those are really huge. And the other thing too is if I’m talking to a vendor about a product and I ask you, “Hey, ballpark, give me how you price this,” and you don’t give me a clear answer, that’s a huge turnoff. Because if a CISO’s asking you to ballpark, they’re already doing the math in their head to see if they can find a way to find it in their budget potentially.

[David Sparks] Yeah. And if as a salesperson, you’re looking to squeeze that person, that ain’t good.

[Dan Walsh] Right, exactly.

Sponsor – Sentra

12:49.111

[David Sparks] Hey! You remember I mentioned at the beginning of the show that our sponsor’s got something very cool about RSA? Well, here it is. So, are you going to RSA this year? I’m speaking to you. But even if you’re not, you’re going to want to hear this because it’s pretty darn cool. Our sponsor Sentra knows that what security leaders actually look forward to at RSA is meeting up with their peers and learning from each other. I mean, that is it. I mean, sometimes you never go to a single session. Many don’t. Many don’t even get a pass to the darn thing and just enjoy being around there. Well, RSA is a huge event, and it can be difficult to get some one-on-one time with the security leaders you’re most excited to meet. So, here’s what Sentra is offering.

Right now you can sign up on Sentra.io for a free 15-minute private meeting between you and three of the leading CISOs and security experts for you to talk cyber strategy or technology. This is a chance to get in a room with three experienced CISOs to discuss questions you have about anything – from management and career advice to security best practices. It’s your time away from the chaos of the conference to soak up as much cyber wisdom as possible.

Now, who are these “cyber sages” that are giving their time to help CISO Series listeners? Sage number 1 is Jason Chan, the former VP of Information Security at Netflix, who by the way listed one of our shows. Cyber Security Headlines is one of his top podcasts that he listens to, so he’s a fan of this show. And next is Swathi Joshi who’s the VP of SaaS Cloud Security at Oracle. And the final sage is Talha Tariq, the Chief Security Officer at HashiCorp. Now of course, with an offer this good, you’ll want to register as soon as possible. Because of the one-on-one nature of this offer, spots are truly actually limited. So, visit Sentra.io/RSA to register before all the spots fill up. Remember, that’s Sentra.io/RSA to register.

It’s time to play “What’s Worse?”

14:56.839

[David Sparks] Dan, I know you know how to play. Nick, you know how to play “What’s Worse?” Yes?

[Nick Vigier] I do.

[David Sparks] All right. So, this I was telling you before we went on air. This is submitted by, I am giving him the title of Best “What’s Worse?” Submitter Ever, but we do not know who this person is. They go by the pseudonym Osman Young. He does not want to use his real name and I feel awful that I can’t say his real name because his “What’s Worse?” scenarios truly are great, and this is a pretty darn good one. All right? So, here we go. I always make the co-host answer first. Dan, you’re up first. There are two quite detailed scenarios, so hear me out here. You are a security architect for a large healthcare organization. You can relate to this.

[Dan Walsh] I have no idea what they’re talking about. [Laughter]

[David Sparks] Just somewhat. All right. You have been asked to evaluate two software solutions for the same exact need. For a set of complicated business reasons, you require an on-premise web-accessible repository for patients to retrieve their medical records. All right, solution number one. It has a very intuitive interface. Your 80-year-old grandmother can navigate with ease. Patients love it, providers love it, the C-Suite love it, and it’s a bargain price. However, when you dig into the supporting architecture, it’s a greatest hits of worst coding practices, it’s full of major vulnerabilities, and you would need a long list of policy exceptions to implement it. Even worse, the vendor contract carefully externalizes all risk to their customers.

All right, solution number two. This solution is good as it gets from a security architecture perspective. It requires zero policy exceptions to implement, and the vulnerability scanner found two information-only issues. The contract language is much friendlier to the customer as well. However, the user interface is confusing, completely unintuitive, providers hate it, patients hate it, and the C Suite hates it too. To boot, it costs triple what the first solution costs. Which one’s worse? By the way, have you ever faced this situation?

[Dan Walsh] I have not, I have not. I mean, ultimately, it’s a business decision, right? You lay out the total cost of ownership, but you would be inclusive of the security tax, I would call it, in solution number one. And then the user experience test in solution number two…

[David Sparks] Yeah. Solution number one’s definitely [Inaudible 00:17:26]. But solution number two has less of a tax, but it does cost triple what the first solution is.

[Dan Walsh] I would say I’d probably go with solution number two just because the OCR fines for a security breach of health records is millions. IBM stated the breach report said the average healthcare breach is $10 million. So, even if it costs triple, that’s a lot less than $10 million.

[David Sparks] That’s good. So, you’re saying it’s just purely you need the security even though… Now, the thing is this thing is so horrible, the interface, you may not even be able to run the business.

[Dan Walsh] Well, this is why it’s a business decision, right? What’s the total cost of ownership? That has to be the focus…

[Crosstalk 00:18:09]

[David Sparks] So, I’m sorry. Remind me again which one you’re choosing is the worse one, one or two?

[Dan Walsh] Two because I’m guessing that the total cost of ownership is higher because the cost of an OCR and other penalties and fines from a breach.

[David Sparks] All right, so solution two. Now, Nick, do you agree or disagree? These both stink.

[Nick Vigier] They do, they do both stink. When I look at this type of situation, I kind of go with Dan’s similar response, which is these are business decisions.

[David Sparks] The business loves the first version.

[Nick Vigier] I know. And I think it’s a matter of bringing everything to the front, right? So, maybe the business is okay with, “Hey, we’ve got to find other compensating controls that we can put into place or something in order to manage this risk.” Maybe it’s just putting more money into the fines bucket for the OCR issues. Who knows? So, for me, while I would really want to be able to select the second one as the one to implement, I think that that one might actually end up being, the second option might end up being the worse one because you’re literally telling the business, “I’m going to hobble you. I don’t care what you think and we’re going to go this way just from a security perspective,” and that may not align to the business’s risk appetite.

There’s got to be a better way to handle this.

19:22.425

[David Sparks] Now, we’re recording this episode during a week where there have been massive layoff announcements. A lot of the focus on these announcements has been on the people who’ve been laid off. You, Dan, have even posted about this, and my question is what happens to your team after a massive layoff? Now your team becomes overextended, and they realize they’re going to have to pick up the slack for those who are left, so here are my two questions. First, how do you shift responsibilities in such a situation? Does anything fall away? Because you can’t still operate at the same level. How do you adjust while maintaining morale and not burning out those who are still there? It seems pretty tough. This is where leadership skills really, really come into play, so I’m really looking for some guidance here, Dan.

[Dan Walsh] So, when there’s a layoff, there’s an assumption or the reasoning of that should be, “We are tightening our belt, so we are going to do less as a business.” Which means that priorities have changed, right? The line, the cutoff line for a prioritization has been moved up. We’re going to do fewer things because we have fewer resources. We’re going to try to maximize our business and some of the less strategic things that may have been revenue generating, we’re not going to do those things anymore.

And so I think it’s important as a security leader to really hone in and be sensitive to what priorities are the current priorities of the business. It might just be keep the lights on. So, maybe as a security team, you’re not going to be able to mature the program at the rate that you wanted to or address those risks and your security depth [Phonetic 00:21:07] the way that you want to. So, I think it’s really important to have that prioritization with the business. And I think it’s also important to communicate that to your team and set some rules so people don’t get burned out. There’s always going to be this initial knee-jerk reaction of, “I got to go find another job because this company is going down the tubes, and if my colleague got laid off, maybe I’m next,” type of thing.

[David Sparks] Yeah, yeah. So, how do you… First of all, have you dealt with this before at a previous organization where you had layoffs and you had to reassure the staff?

[Dan Walsh] Yes. I have.

[David Sparks] And what did you say to them? How’d you communicate this? Because I’ve dealt with this myself and heard it, and they always say, “Everything’s great. It’s just something that they…” And all the employees are like, “I don’t buy this crap.” That’s how everyone reacts. I’m sorry, go ahead.

[Dan Walsh] No, that’s fine. I don’t tell them everything’s great. I tell them this is the job we have to do; this is how I as your manager am going to continue to support you. But there are business realities. I mean, at some point, if the business isn’t doing well enough, they may eliminate my job. I mean, we’re in a business here so this notion that everyone’s job is safe, they’re only as safe as the businesses that are employing those folks.

And so I really don’t focus on that but I focus on like, “Look. Here’s the things that we can control. Here’s the good work we have to do. Here’s the good experience you’re going to gain on your resume while you work here. And so when you look back on this chapter of your career, you can look back and say, ‘Hey, these are the accomplishments that we had and the things that I learned to make you a better security professional down the road.'” The last thing people want to hear is to be placated with, “Oh, everything’s going to be fine. Don’t worry about it.” It’s disingenuous and I wouldn’t recommend it.

[David Sparks] Nick, question number one, have you had to deal with this problem before?

[Nick Vigier] I have had to deal with this problem before in a few different situations. The biggest thing for me is it’s leaning in with that empathy, right? The first thing that they’re looking for is to know that, hey, you understand them as a human. And then come back to the burnout issue too, right? The stress of going through this can lead to burnout for a person not able to handle that stress of the layoff. Nothing to do with the workload at hand but more of just the psychological stress. So, it’s really around reestablishing those trust boundaries that are now being strained by that action and providing the psychological safety to be able to have a conversation about it and trying to be as transparent as you can be in a position of leadership with those folks, right? So, it’s not a matter of saying, “Don’t worry, your job’s safe, I’m going to reassure you no matter what.” But to Dan’s point, let’s find those beacons of light that we can point to and figure out where we can focus some of that heart and some of that effort.

[David Sparks] What do you do about shifting responsibilities? When someone goes, how do you have them pick up the slack yet not… Because everyone’s already stretched to the max, and now you’re adding things to people’s plates. I’m interested in just quick responses, like how are you dealing with that? Because first of all, as a manager, that must pain you to do this. Yes?

[Nick Vigier] It’s that moving away from your vision, right? Moving away from your plan that you had in place and you were driving towards. It’s that conversation with the leadership team, first off, to say, “Just FYI, this isn’t… Here are the things that are not happening. Here’s how this affects risk and our operations and things like that.” I think being very clear to the people that we’re going to readjust and figure out how we’re going to handle this and yeah, there are some things that we’re not going to do anymore. That, we can be hyper transparent about. And where you’re driving. Maybe a reset vision, maybe a reset mission based on the new realities to help drive forward.

[David Sparks] And Dan, your last thoughts on this?

[Dan Walsh] Well, your metrics have to change. So, what you’re reporting to the business, the old adage of measure what you need to know and report on what you want to change or communicate. And so hey, business as a result of this action, here’s the new definition of success that you’re telling me that I have to hit, and here’s how we’re doing against the definition. And so I think that that’s also very important as a communication mechanism with your business.

What’s your security advice?

25:29.688

[David Sparks] On Twitter, @hakluke asked, “For those who have been in the cybersecurity game for a while now, what advice would you give to your younger self?” and here are a few of my favorite responses. “Consider the business aspect of what you’re doing,” said Rick Deacon of Interlock, and this is a tip of the hat to what you said at the beginning of the show, Nick. “Don’t be afraid to ask for more,” said Rob Fuller of United Airlines. “Understanding and explaining business risk is more important than pwning any application,” said Ashish Rajan of the Cloud Security Podcast. And another quote was, “Security is all risk based. Don’t get too frustrated when management doesn’t listen to your advice.” So, lots of advice about getting a non-tech hobby as well, and don’t let yourself burn out, I saw a ton of that in there. So, I’ll start with you, Nick, which one was your favorite, and do you have some advice you would give to your younger self as well?

[Nick Vigier] That security is all risk based and don’t get too frustrated when management doesn’t listen to your advice. I’ve learned to become more dispassionate about the outcomes of a business decision because it’s a business decision. We obviously have what we think is the right and best way to approach a problem or what we think is the best and right way and when the business doesn’t agree, I mean, my younger self used to get very emotional about things and passionate about it. And frankly, that’s when you start losing credibility and you get left out of the room. So, I think understanding that decisions get made, they may not be the ones that you would make, but it’s not right, it’s not wrong, it’s just different.

[David Sparks] All right. Dan, which quotes are favorite of yours and do you have one that you would give your younger self as well?

[Dan Walsh] I mean, I think to Nick’s point, it always goes to the business, so consider the business aspect of what you’re doing. I think that’s important. I think if I were going to go back and give my younger self some advice, it would be you have in your mind how you would want to architect a security solution or a security program and you can’t be a purist to the point that it doesn’t take your business needs into consideration. Because when you do that, what you’re going to end up with and what you will continuously try to improve is something less than optimal. And if you’re a perfectionist, you will burn out, you will not make it. And so you really have to consider what your business wants in a very empathetic way and ultimately remember two things. One, who your ultimate customer is, and then two, that security risk is not the only risk facing an organization. And when you understand those two things and kind of internalize that, that makes that realization much easier to live with and to manage your program with.

[David Sparks] Yeah. We hear that a lot, that we’re just one, or security is just one risk of many different risks, and when you’re running a business, you’ve got to deal with a lot of different risks. And I’ve seen this a lot. We talk about this, about the importance of understanding the business. And Nick, you said it in your opening today about you love the fact that you get to learn all parts of the business. But I have seen this many times where security professionals stay in their kind of closed world, and they only think about that. Do you do things with your employees to sort of force them, like, “Hey, there’s a world outside of this and you better know it and respect it and recognize it.” Have you had those kind of people, Nick?

[Nick Vigier] Yeah. So, what I encourage my team members to always do is to ask why, right? Don’t assume that you know why something needs to get done or why something’s being asked. Always try to understand the underlying reason. And I think that starts to peel away a little bit of the echo chamber and the what you’re comfortable with and expand your horizons a little bit more, and maybe you find better solutions to problems that way. It’s a great way to understand the world at large.

[David Sparks] Dan, you get the closing comment on this. How do you deal with your team members who are maybe a little too isolated in the security world?

[Dan Walsh] Well, one of the things I do tactically is when I have a team meeting. So, I have a team meeting monthly with the broader security team at Village, and then weekly I have a leadership team meeting for some folks that report directly to me. I always start off with a 10-minute monologue of, “Hey, here’s what’s going on across the business. Here’s what’s going on in our industry.” And when you provide that information and then you give them an opportunity to ask questions or you pivot into, “And here’s what it means for us and the implication it means for us,” it really gives them a broader perspective. So, that’s one thing that I’ve found that’s been helpful.

And the other thing is you will identify very quickly the folks on your team who are like the security purists. Like, you’ve hired them because – not to sound mean – but they’re like almost a savant at what they do, they’re excellent, they’re like the best security operations person in the world, or the best DevSecOps leader in the world. And that’s where you need to come alongside of them and help them to understand like, “Yes. That is a superior solution, but in the context of our business that will fail, and we will end up handicapped in the long run because of that.” And I think just recognizing the individual talents and kind of where on that what I would call the purist scale your folks fall is really vital for you to be successful. Excellent.

Closing

30:55.016

[David Sparks] Well, thank you very much, Dan. Thank you very much, Nick. That brings us to the very end of our show. I will just say that the both of you can be found on LinkedIn, correct?

[Nick Vigier] Absolutely.

[Dan Walsh] Correct.

[David Sparks] All right. I’m going to ask you both your last thoughts about today’s conversation, but I do also want to mention our sponsor again, Sentra. They are offering a pretty cool deal about having one-on-one time with some pretty thoughtful CISOs and to sign up for this, which will literally run out, Sentra.io/RSA. So, please check that out and please sign up as quickly as possible. Dan, your last thoughts about today’s conversation, anything spark your interest?

[Dan Walsh] I guess what I would say is I would speak to the people who are out there who are looking for a job who got laid off or who feel discouraged about their job, and think about this, there are still more security openings than there are people to fill them. I think a lot of companies right now might have some jobs that they’ve held back a bit because they’re trying to get some clarification. But even this week, I’ve seen a lot more jobs start to be posted. It’s almost like they held them for the first three weeks, four weeks of the year. Now, all of a sudden, I’m seeing the job boards light up. So, hang in there and be confident in your ability as a security professional.

[David Sparks] Okay. Very, very wise advice. Nick, your thoughts?

[Nick Vigier] Going along with that too is don’t be afraid to express that stress you might be feeling, right? Whether you’re left at a company and dealing with people who are gone now and having to pick up the work and stuff like that, your leadership wants to know how you’re feeling and how you’re doing and if you need some help. And likewise for the folks that are looking now, we’re all here to help you so don’t be afraid to reach out, don’t be afraid to ask for help, and we’re all going to be offering anyway. So, I think this is where we all band together.

[David Sparks] Targeted requests though. This is the thing. The messages say, “Hey, here’s my resume if you can help me find a job.” That is not the way to make a request. If you can say, “Hey, can you introduce me to this person specifically?” That’s something people can help with. Open-ended requests, I don’t know what to do with them at all.

[Nick Vigier] Very true. And I think especially if you… I think that there’s a… People are afraid to reach out sometimes, like if they hear something on a podcast for example, and they’re like, “Wow. That really resonated with me, but you know what? I’m not going to reach out to that person because X.” But do. If there’s something that you heard from someone and you’re like, “Wow. That really struck a chord with me,” being able to make that connection beyond just, “Hey, can you connect me with blah-blah-blah because I see you’re connected on LinkedIn?” That will be much more valuable for making that connection and for getting some help.

[David Sparks] Thank you very much, Dan. Thank you very much, Nick. And thank you to our audience as well. We always greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.