Finding That Perfect Time to Quit Your Job

We don’t celebrate quitting. Maybe we should. When should you do it when you don’t have another offer?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Hadas Cassorla, CISO, M1.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Keyavi

Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.

Hadas’ vendor engagement letter

Introduction to this meeting:
We really appreciate your time and understand you would like to work with us. We are considering working with you as well which is why we asked for this meeting. We understand that you have worked hard on developing your product and are proud of what you have built and where you are going. At this point, we would like to make sure that we respect your time as much as we value our own. We have invited this conversation for the purpose of reviewing the capabilities of [SPECIFY PRODUCT] in our environment. If there is specific information you need about our tool set or stack to help you make this presentation, please let us know in advance and we will provide it for you.

Please Do:

  • Send an agenda prior to the meeting to help us hone it down if needed
  • Get right to the demo
  • Be video ready. We want to see who we are potentially working with.
  • Limit the demo to 0:30 (if we need more time we can figure it out)
  • Show us how the product works and would work in our environment
  • Let us ask questions as your technical resource presents the functionality
  • Do your best to demo your software in the context of our business and the size of our team: [type of company, size of company, size of team]
  • Allow your technical person plenty of time to demo the product and take questions (this means they should be leading the conversation, not the sales rep).

Please Don’t:

  • Ask open-ended questions about our security goals or roadmap
  • Spend a lot of time on reintroductions
  • Spend time discrediting your competition or former employer
  • Show us your management, references, product roadmap or other information we can easily find on your website.
  • Tell us about vaporware

Full transcript

[Voiceover] Ten-second security tip. Go!

[Hadas Cassorla] Everyone on your team should do a ride along with the customer service department. This is where most customer data transfers happen. It’s where the business is most focused. And without that understanding on your team of what is important to the business and how the business works on the day to day basis, you will not understand your company or what they do, and therefore you won’t be able to protect it as all.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. Joining me for this very episode is my cohost, Mike Johnson. Many of you know Mike Johnson because his voice sounds somewhat like this…

[Mike Johnson] It sounds like someone who’s just had a fun few weeks, and I am really happy to be here because I can now relax.

[David Spark] I’m getting the sense that that fun few weeks was not so fun. Was it?

[Mike Johnson] No, it was not. It’s been busy the past few weeks, David.

[David Spark] Are you coming to a slow down at this point?

[Mike Johnson] The irony was yesterday I made a comment that, “Hey, things are all better this week. We wrapped up some issues, and we’re all good.” And then there was the Okta breach last night. So, yeah, that happened.

[David Spark] You know you’re supposed to keep your mouth shut in situations like that, right?

[Mike Johnson] I have not learned that lesson. I clearly have not learned that lesson.

[David Spark] Not smart.

[Mike Johnson] Nope.

[David Spark] What it is is that’s one of those situations, “Remember that time Mike said that everything was fine. Then we had the Okta breach.” Because that’s the kind of stuff that’ll come up again, and again, and again.

[Mike Johnson] Yes. Yeah. It’s something that I imagine people will not let me forget any time soon. Until the next time.

[David Spark] Anytime soon. It will be the thing they laugh at you about repeatably on an annually basis.

[Mike Johnson] No, there’s a long list of those. I am not sure that this one even makes it to the top of that list.

[David Spark] You know what? Maybe we should have a show of all the things that we can laugh at you about.

[Mike Johnson] Perfect.

[Crosstalk 00:02:06]

[Mike Johnson] I would love that, and I can just sit back there and be grumpy.

[David Spark] Yeah. Well, what we could do is we could bring your coworkers on, and they could just say, “You should have seen the time Mike did this.” And then we can just mock you all through the episode. I think that would be a fan favorite.

[Mike Johnson] I am sure everyone would love to see me just… And let’s do it on video, so I can sit there just looking uncomfortable.

[David Spark] So we can see the squirm, yes.

[Mike Johnson] The whole time. I love this.

[David Spark] Awesome ideas. This is great, great ideas for the show. By the way, for those of you who don’t know, we’re available at CISOseries.com. And our sponsor for today’s episode… You may have heard of them before because they have been an absolutely spectacular sponsor of the CISO Series. It is Keyavi. You may know their site at keyavidata.com. And it is self-intelligent data – when happens when your data knows what to do, where it is, who’s using it, and can protect itself. Self-protect itself. I think it’s more self-protecting data than even self-intelligent data. But, Mike, I just want to mention one quick thing. We did banter for a second, but we were talking just off mic moments ago about the hacker movie, “Sneakers,” and the movie, “Hackers.” And I recently saw the movie, “Hackers” and saw the movie, “Sneakers” when it was first in the theater. I did not like the movie, “Sneakers” at all, but I adore the movie, “Hackers.” And you’re telling me I’m wrong.

[Mike Johnson] The movie, “Hackers,” is awesome, but you’re also wrong about the movie, “Sneakers.” Also a very awesome movie. Different direction. “Hackers” is just all camp.

[David Spark] That’s what’s great about it.

[Mike Johnson] It is just the height of camp. And “Sneakers” actually walks through the technology. It really does have some smarts behind it. And there’s really good chemistry between the actors. It’s a good movie in a very different way.

[David Spark] You have much lower standards than I do.

[Mike Johnson] I am certain of that.

[David Spark] Our guest was mouth agape when I made that comment.

[Laughter]

[David Spark] I am going to now introduce her. I am thrilled to have her on. I met her during our Friday events, which are the Super Cyber Friday event. She is awesome. And I thought, “Heck, she’s going to be an awesome guest.” She even suggested that she should be on, and I was like, “You know what? You’re right, you should be on.” And so thrilled to have her on. You heard her with the opening tip, and not let me introduce her. It is the CISO of M1, Hadas Cassorla. Hadas, thank you so much for joining us.

[Hadas Cassorla] Thanks for having me. It’s a pleasure.

What’s the motivation to do this?

4:29.808

[David Spark] What happens when a security control is bad for the business? Jerich Beason, CISO of Epiq, points out that a cyber control can add costs that are simply not worth it. He says, “Costs can not only be financial but also loss of efficiencies, loss of time, forced reprioritization.” I’m having a hard time visualizing this, so I’m going to start with you, Mike. Give me some examples of this sort of…a security control that’s bad for the business. Maybe you’ve witnessed it or been part of it. When a cyber security control just was not a good decision from a risk and cost perspective.

[Mike Johnson] A whole class comes to mind for me here. Think security theater.

[David Spark] Yes, coined by the way by Bruce Schneier.

[Mike Johnson] Yes. And he’s absolutely right. Imagine something that provides no risk reduction, no security value to the company, but is imposing a cost. That could be you’re going out and spending 100 grand on a box that just goes beep in the corner and doesn’t do anything. Or you’re adding additional friction to workflows that makes it seem like you’ve got better security but is not bringing any net value. Those are costs.

[David Spark] We see this often in physical security, by the way.

[Mike Johnson] Yeah. It’s, “Hey, you need to jump through these hoops almost literally to get access to this door.” And it’s not really doing anything. But in the cyber security world, it’s all over the place. You’ve got kind of all the charlatans out there who are selling a thing that doesn’t provide value, but it costs you money.

[David Spark] That’s a good point. Hadas, what’s an example of a security control that’s just causing more problems than helping.

[Hadas Cassorla] This might be a hot take, but I think a lot of the box checking that happens with security awareness programs is a waste of time. It makes your internal people really annoyed because you’re wasting their time with these phishing tests that maybe they fail. And really Janice in accounting just wants to do accounting. And I think that this cost is a lot about implementation. I’m not saying you shouldn’t have security awareness, but I think you really need to know how to do it so that it’s engaging as opposed to a test of competency and getting in peoples’ way of doing their job. because what people really want to do is their job and have those efficiencies. You mentioned door badging. I think the no piggy backing rule. People never follow that, but everybody checks the box that they do it. And unless you’re the NSA, do you really need it? I don’t know. Think about whether you need this control actually and whether you’re implementing it in a way that is useful.

[David Spark] Door badging… Can you accept, I guess…? I’ll put it in a word. Can you accept a certain level of leakage in that respect? And say, “Look, if we don’t do this, yes ,we may get a few people piggybacking and not swiping. That could be a compromise here, but we can stop them in other ways.” Or someone is like, “Oh, no, that can never happen. We can never have a case of piggybacking.”

[Hadas Cassorla] Yeah, for sure. What I tell my people is be friendly but be skeptical. If you are going into the office on a regular basis, you know other people. If somebody is definitely piggybacking on you, you can feel that, and you can tell. Also if somebody is carrying a ladder, so not just let them into your office. Ask them for… People can get… If you carry a ladder into a theater… I just saw this on Instagram. If you carry a ladder into a theater, they’ll just let you in. No tickets.

[David Spark] Because people just want to be friendly. That is the number one thing. And they feel good about it, too. That’s one of the great signs of a good social engineer is they make you feel good about compromising security. Not realizing you’re doing.

[Mike Johnson] That’s part of the engineer is that you don’t…

[David Spark] Yeah, exactly.

[Mike Johnson] …realize you’ve been had. And if you’re feeling good about a thing then you don’t realize you’ve been had by it.

[Hadas Cassorla] And this is why “Sneakers” is such a good movie. Because it really focuses on social engineering. He’s on a date with this hot check, and she’s making him feel good about being on that date. You should rewatch it, David. You’ll enjoy it more this time.

How do you go about discover new security solutions?

8:48.148

[David Spark] Hadas has created an engagement letter that she sends out to vendors prior to pitch meetings, and it’s a list of meeting dos and don’ts, and I want to highlight a few of these. Do send the agenda prior to the meeting. Do get right to the demo. Do let your tech person lead the meeting with a demo with plenty of time. Don’t waste time on open ended questions, reintroductions, or showing management and your references. I love this letter, Hadas, and it’s professional. And it shows your expectations. At the same time, you make it clear that you’re seriously considering working with the company. So, how long have you been using this letter, and what has it meant to your process of actually discovering new solutions? I’m interested to know before we did this, and now we do this, and it’s meant this.

[Hadas Cassorla] I’ve been using this letter since I got to M1. And I will say that this podcast actually helped me create this letter because I was getting so annoyed with my time being wasted by vendors, but I recognize that I need them. And being nice to them is useful, and I also know that they’re probably getting frustrated with my frustration at them. And hearing you guys having these discussions has actually helped me a lot. So, before using this letter, I was…the reason that this letter came about specifically is I was in a meeting with a vendor, and it was a 45-minute meeting where they were just showing us slides of how their company had gotten to where they had come. I had three senior engineers in that meeting as well as myself and my boss. So, it was one of the most expensive meetings I’ve ever sat in, and it was so useless. And normally I’m really good at interrupting people and letting them know that they’re not on the right path, but I was new, and I wanted to make a good impression. And after that meeting, at first I counted to ten.

[Laughter]

[Hadas Cassorla] And then I just started writing this letter out about what I didn’t appreciate and what they could have done better. And then I was like, “You know, actually this is probably helpful for this vendor and for future vendors.” And that’s how I started crafting it.

[David Spark] The thing is I think vendors would love this letter. By the way, if we can republish it on our site…

[Hadas Cassorla] Please do.

[David Spark] That’d be great. It’s great for everybody involved, and that’s what I love about it. Mike, you took a look at it, yes?

[Mike Johnson] Oh, yeah. This is awesome. I’m so glad to see this. I was looking at, going, “Boy, how much more efficient would a vendor meeting go if you’re not doing introductions on the fly, if they understand your environment, and you’re not having to explain it. They’re cutting the chase of what it is they do, what problems that they can solve.” And it’s the same thing that goes over and go over again. I like also that you had the pronunciation of your name in there. Which, again, it’s like that’s a great thing for a vendor to come in with that much more confidence. They know they’re not going to immediately step in it by mispronouncing your name.

[David Spark] And it’s not like a shaming vendor letter. It’s like, “This is how you’ll succeed with us, if you do this.”

[Mike Johnson] It’s genuinely helpful, and it’s one of those amazing examples that I so rarely see where it’s useful and helpful for all parties involved. It’s not shade. It’s not casting any aspersions. It’s, “Here’s how to win, and here’s how we both win.” I thought it was great, and I hope to see more people adopting it.

[Hadas Cassorla] I used to do sales way back when, and I know that if you get on the customers’ bad side, it’s really hard to gain that back. And so I know… I want these vendors to succeed, because I want the tool especially if it’s a really good tool in my environment. But I also know that if they annoy me or waste my time I’m less likely to want them to be in my environment. And they don’t know they’re doing it unless I tell them.

[David Spark] I want to mention that I’ve gotten pitches which hit all bunch of your don’ts – like the tell me about the management team, and all their references, and stuff. And, again, more it’s because of my personality, I still stop them flat and go, “Forget all this. Please just get to the demo.” And they’re like, “Okay.” Here’s what’s so funny – when they get to it or get to explaining what you do… Sometimes they’re not doing a demo. They’re just explaining what they do. They have to skip seven slides in, and that’s the part that always amazes me. Why is what you do seven slides in? [Laughs]

[Hadas Cassorla] I think it’s a lot of salespeople, especially younger salespeople, who don’t know the fact that they’ve created the meeting justifies their job. They don’t have to do seven slides to justify.

Sponsor – Keyavi (opens in a new tab)

13:40.277

[Steve Prentice] When people think about ransom ware, two big fears come immediately to mind. The first is whether to pay to unlock your systems and get back to work, and the other is what happens to that data after it has been exfiltrated. It’s well known that the bad guys will simply keep a copy and sell it or otherwise exploit it. Wouldn’t it be great if that data, once it’s out there, could actually self-destruct? Well, it can and more. And Elliot Lewis of Keyavi has the tools that you need.

[Elliot Lewis] What ransom ware does it either does encryption of data that you have and keeps it under hold and control because you no longer have a clean copy of it to use, and/or they exfiltrate your data to someplace else and then try to ransom it back to you. When you use Keyavi, not only can we make your data intelligent where you have it and help you automatically store and contain extra clean copies, if someone does steal your data then that data is self-protecting and self-aware. And if they try to ransom it back to you, the only thing that’s going to happen is the data is going to say, “I don’t know who you are or how I got here, but I’m going to delete myself right now right after sending your physical address to the authorities.” So, Keyavi, because data is self-protecting and self-aware, solves the issues that leave and also happen with ransom ware faces.


[Steve Prentice] For more information on how Keyavi creates self-protecting data, visit keyavi.com.

It’s time to play “What’s Worse?”

15:15.666

[David Spark] Hadas, you have heard the show many times. Let me ask – do you play along on “what’s worse” when you listen?

[Hadas Cassorla] I do. I try to train myself to disagree with Mike.

[Mike Johnson] [Laughs] Great.

[Crosstalk 00:15:35]

[David Spark] You have an opportunity to do it in front of our audience right now. I’m going to have Mike answer first. Here we go. It’s from Nir Rothenberg, one of our most prolific “what’s worse” writers. He’s the CISO over at Rapid. Here’s his situation – you report to the CIO, and you have a small team with no MSSP support. Your stack is Cloud heavy. What’s worse? Your entire stack are only seed or A-round startups that the CIO advises. Okay? That’s situation one. Or your entire stack is a single vendor – the biggest security vendor in the world because he’s best friends…your CIO…with the reseller. Now, no using the Cloud provider’s security tools. That’s cheating, by the way. So, which one is worse – the entire stack is seed or A-round startups he advises or the entire stack from one vendor because best friends with the reseller?

[Mike Johnson] I appreciate that there’s rules associated with this one. It’s almost like Nir could figure out where I was going to try and weasel my way through this particular one. So, you’ve got boiling it down…you’ve got a stable of very early stage startup companies that are now critical to your security because that’s what you’re leaning on and what you’re relying on. Or you’ve got the lumbering, old security company whose tools are probably not really up to date because they’ve never needed to update them because they have a huge presence, and they’re able to…

[Crosstalk 00:17:17]

[David Spark] But they probably have a more complete solution, conceivably.

[Mike Johnson] Oh, so if we’re adding that to it…

[David Spark] Well, no, your entire stack is only one vendor. So, I’m saying it’s like often one vendor sell like, “You just need us,” so it could be a more complete solution conceivably.

[Mike Johnson] So, both of these suck as usually.

[David Spark] Right, exactly.

[Mike Johnson] So, I’m just going to take a stand and defend it, and prepare for…

[David Spark] Hadas to go the other way.

[Mike Johnson] …the assault from Hadas going the other way. So, for me the stately security vendor, the huge security vendor, that’s the one that is lease desirable for me. I’m not going to be able to have a good relationship with them. They’re not going to add any features. They’re not going to add anything that I need along the way. It’s a take it or leave it kind of scenario. And if I’m not happy with it, I’m stuck with it. I can’t influence the roadmap. I can’t make any changes because they don’t care who I am. I’ve got a small team, therefor a small budget. And they’re a big pond. I can’t even make an impact on that.

[David Spark] Good argument here.

[Mike Johnson] So, with the other side, I’ve got agility. I can work with these vendors. I can advise them.

[David Spark] Usually, yes. And we’ve talked about this on the show about how much you enjoy working with startups.

[Mike Johnson] Exactly. And odds are some of them are going to fail, and I’m going to build my environment or my process to be resilient to that – to know who’s next, to know who I’m going to go with. And I think neither of these is ideal. That’s the more preferable for me. The big vendor is the…that’s the worse of these scenarios.

[David Spark] All right, Hadas, are you going to take the other side?

[Hadas Cassorla] I am.

[Mike Johnson] Sweet.

[Hadas Cassorla] But I do have something to say about this, which is the CIO is friends with the reseller. I know we’re not allowed to change the situation, but if he’s friends with the reseller we can talk to the reseller.

[Mike Johnson] Sure, yeah. Go for it.

[Hadas Cassorla] The reseller probably has other types of tools in their arsenal. So, if he’s really that tight with the reseller…

[David Spark] No, no, no. You can’t… You’re still getting everything…

[Crosstalk 00:19:31]

[Hadas Cassorla] Okay. All right.

[Mike Johnson] It was a nice try. It was a nice try.

[Hadas Cassorla] Thank you. I still can stand on the initial… Mike’s choice is the worst, the startups. One is yeah, you’re right, there are going to be ones that are likely to fail. And since you can’t change the situation you’re probably just going to get another less than beautiful solution to replace them. The other thing that I’m really concerned about – friends with a reseller is one thing. But on the actual boards of these companies, that has a taint to me of problematic legal issues with that. I would be concerned about if they were not providing the right type of coverage for me, and my boss is the one that is on their board. There’s just too much swimming in the same pond. I think knowing the big vendor and knowing the tools that they have, you know what you’re dealing with. You know exactly what you’re purchasing, and you can set up, like you said, some aspect of working around that environment and with that particularly large company that is a monolith. But also you don’t have the like stink of potential I’m going to say like… I used to be a lawyer. There’s a legal term of art, and I can’t even think of it because I’m really a recovering attorney.

[Laughter]

[David Spark] The point I want to make is some of these startups won’t make it, so you will have these cavernous holes in your security program if you go with the startups. This is more my concern. And you’ll just have nothing but integration nightmares. So, you’re going to have integration nightmares along with just gigantic gaps in the security program.

[Hadas Cassorla] Even though I’m choosing…you’re on my side on this, I’m going to say that even with monolithic security vendors you have integration issues.

[David Spark] That, too. But the thing is you have a huge hole in your program that’s even worse.

[Hadas Cassorla] Yeah, that’s true.

What annoys a security professional?

21:29.697

[David Spark] “I used to find cyber sec cool, but now I just don’t care. I don’t care if John Doe clicks on a phishing link. I don’t care if our EDR picks up a PUP. I don’t care if someone thought they saw their cursor move on their machine.” This was a ranting of a redditor on the cyber security sub reddit. There was a huge response on reddit, and the overwhelming diagnosis was, say it with me, burnout. Yes. And in general people told him to just get out. In fact many told stories of being burnout, leaving, and feeling a lot better. So, I actually don’t want to discuss how to avoid burnout. I want to discuss the value of quitting when you don’t have an offer on the table. Have you ever done it? Have you seen others do it and thought, “Yeah, that was the right decision.” What’s the argument, Mike, for quitting?

[Mike Johnson] In hindsight I think I did this. I didn’t realize it at the time. But when I left Lyft, I really needed a break. I took I think all told nine months off. I didn’t have an offer in hand when I left. But I needed that time.

[David Spark] But they shifted the environment considerably.

[Mike Johnson] There were changes there as well. But I don’t regret having left because I did need that. I needed the time, and I just didn’t know it. I didn’t know that I wasn’t ready to jump back in in the moment, but I’m glad I took the time, and I’m glad that I…rather than jumping right back in, rather than going and trying to get another job. I’ve certainly seen plenty of other CISOs take the same approach, and not a single one has reflected on it and said, “Yeah, I shouldn’t have done that.” They’ve all said, “I’m glad I did it.”

[David Spark] Honestly everybody… Like for example I used to work for the television network, TechTV. It was also known as ZDTV. When I quit, the funniest thing happened. I stuck around for two weeks after I gave notice. During that time, people were jealous of me. I was like, “Wow.”

[Mike Johnson] [Laughs] “You got out.”

[David Spark] “That’s not good if…” And I quit without anything.

[Hadas Cassorla] That is a bad environment.

[David Spark] Yeah. [Laughs] By the way, that organization from the day I quit… It had grown like 150 people, and then they fired everybody. I think it completely folded like two years later from that. But within one year, they hired like 100 and then fired 100 like that. it was unbelievable. Hadas, have you ever quit with nothing?

[Hadas Cassorla] Yeah, I’m a big fan of quitting once you’re sure you’ve tried. Once you are sure you have tried, I’m a huge fan of quitting. I told you I’m a recovering attorney, and I remember this like this early, like it was yesterday. But on Memorial Day of 2012, I’d just run a 10K with my boyfriend in Boulder, Colorado. It was the Bolder Boulder. I was exhausted. I was exhausted from the run, from the altitude, from the travel. But most of all, I lay there on the couch, and I was just sighing. Out came, “I hate my job.”

[Laughter]

[Hadas Cassorla] And my boyfriend from the other couch looked over at me, and he goes, “Quit.” I sat up, straight as a pin, and I said, “Well, I have school loans.” And he said, “And you’ll pay them.” I looked at him, and I was like, “Of course I’m going to pay them.” The next day we flew back to Portland, and I fired all my clients, found them new attorneys, and never practiced law another day in my life. I didn’t know what I was going to do. I had no idea. I went back to IT. I accidentally fell into a business analyst role where they actually needed somebody to just look at some of these controls we have from the IRS, which was setting up a missed 800-53. I love it. But here’s the deal – your skills wherever you get them are fungible. So, whatever you learned at that thing you’re quitting, you’re going to be able to take with you somewhere else, and you’re not going to know how it’s going to be beneficial, but it’ll be beneficial.

[David Spark] Yes. I had by the way a very similar story to yours. I was actually talking to my mother. I was in my early 20’s. I was the IT guy for an ad agency in Chicago. I was talking to my mother, and I was just saying… By the way, this was a period of time that I was pursuing comedy writing and working in corporate entertainment and stuff like that. I had a little bit of work in that area but not a huge amount. Like enough to cover maybe 30 to 40% of my expenses at the time. And I was just like, “This job, it’s so easy. It’s a warm bath. I’m never going to go anywhere here.” And I remember my mom says “Eh, just so quit.”

[Laughter]

[David Spark] My mother is saying this. My mother is telling me to go quit. And literally I hung up the phone, walked upstairs to my boss’ office, and said, “I quit.” From that moment, it was just… It felt great.

[Hadas Cassorla] I love it.

[David Spark] [Laughs]

[Hadas Cassorla] Yeah, there’s no reason to be miserable. Plus it’s contagious, so you’re making everybody else miserable. And also you might end up becoming that brilliant jerk that…

[Laughter]

[Hadas Cassorla] …[Inaudible 00:26:45] because you’re so miserable.

How have you actually pulled this off?

26:46.771

[David Spark] An anonymous listener asked, “How do you ask for a team building budget for a remote team? There are teams that are local and spend money weekly on team building. It seems obvious, but for virtual teams it’s all been so pat. Like sending a wine tasting kit. I did that, and I couldn’t have been more bored by it.” So, I’ll start with you, Mike, what actually does build virtual team morale, and what could you actually do and have you done that would require some serious budget? And how do you build the argument like, “We need this moment because they need some building, some morale building.”

[Mike Johnson] So, taking the last part first because it’s the easiest one…you start by reminding folks that, “Hey, we don’t have an office. We’re not paying for real estate for these people. We can take some of those dollars that we’re saving and invest in the team building in order to make these folks affective at their jobs. They won’t be affective at their jobs if they’re not working together as a team.” If you have a series of individuals, you’re not getting anywhere. So, there’s value to the company in reinvesting that saved dollars. So, that’s actually the easy side.

[Hadas Cassorla] That’s great.

[Mike Johnson] What we’ve done is we work with event companies that specialize in remote team building. This is especially since COVID. This is a whole industry in setting up virtual events, getting people together without them being in the same room. An example that we did was we had a celebrity chef come in and teach us how to make waffles. That was the event. And in advance we told everyone, “Here’s the ingredients if you want to cook along. Here’s the waffle iron that you can go get.” And we made it very clear that you can just sit and enjoy. There’s a lot of dialogue with the chef. There’s a lot of audience participation. There’s also people who are making waffles. It was just this great event of coming together and having fun. There was nothing else to it. This was not like trust falls in the woods that people used to do. This was just legitimately having a good time together. Folks let their guards down, and they let themselves have a good time. It was just this great moment. This was because we had worked with an event company that knew what they were doing. They were professionals. We let them help us through it.

[David Spark] Hadas, what have you done?

[Hadas Cassorla] Well, first I would like to remind Mike about the famous last words issue, and you know what’s going to happen is the next time you have a get together with your team you’re going to be doing trust falls in the woods.

[Laughter]

[Mike Johnson] I am certain that is not happening. I will go on the record right here. You heard it from me. I’m not doing trust falls.

[Hadas Cassorla] He’s definitely doing trust falls.

[Laughter]

[Hadas Cassorla] It’s funny. I think that there’s several aspects to this, and I also had some of the ideas of doing virtual escape rooms, or trivia, or things like that. But what really builds team morale is true, and what builds trust is candor and vulnerability. The way you do that is you instill it through… The way I do it is I instill it through modeling. I’m not always right. My team knows that not only am I not always right but in fact I’m often wrong. When I go to them with an issue that needs solving, I don’t have a solution for it. I don’t even share my opinions until the way, way end because I want to make sure that they feel comfortable coming up with ideas, and pairing, and as a team brainstorming. I think that the more we do that, the more team building we have. Having said that, we also do a monthly dinner happy hour and hang out where it’s kind of like a demo days and kind of like what we used to call in the army mandatory fun where you sit down, and you talk about new interesting things that you’ve seen in the cyber world or that you’ve just learned at a class. David will tell you, I’ve reached out to him for a few “what’s worse” scenarios. My team loves going through them and arguing about them. And just knowing that you can be in a space with a bunch of people who love geeking out about the same stuff you love geeking out about and that it’s safe to say stupid stuff to each other and bounce ideas off of each other, that is the most important thing you can do to build the morale. Now, the argument on money, I loved your idea, Mike. Yeah, we’re saving money already. Give me more. [Laughs]

[David Spark] Can I by the way say something? I heard about this trend where they were asking employees to take a pay cut for the right to work from home. Wow. That was… My head would explode. I’m like, “So, you’re making money because they’re working from home, and you want to make now more money.” Unbelievable. Drove me crazy.

[Hadas Cassorla] In this environment I just don’t know how a business would be able to even say that out loud to their employees.

[David Spark] It’s happened. I will recommend, by the way, this team building trick if you haven’t bought it. Have you ever played any of the Jackbox games?

[Hadas Cassorla] I love them so much.

[David Spark] They’re a ton of fun. Especially Quiplash is probably the most well known of them all, and you can actually write custom questions for Quiplash ,so you could do things that are specific to whatever you’re working on. I just bought the huge four party pack. I got 20 of their games for 75 bucks. I play them with my kids sometimes, too, but I highly recommend those games. Not all of them work. Quiplash being probably the best one. But yes, which ones have you played, Hadas?

[Hadas Cassorla] I’ve played… I think I have ever single one of those…

[Crosstalk 00:32:43]

[Hadas Cassorla] I’m an improviser for fun, and actually it’s also made me a better person. We can talk about that some other time. But those games are written by improvisers, and it’s basically all of them are improv games. They’re so fun. But I will say… Can I just say one caveat to all of this team building, which is as the leader of those teams you have to remember that not everybody is going to enjoy every way of interacting with each other. And so if somebody is quiet in the room, let them be quiet. If somebody isn’t geeking out in the way that everybody else is, even ask them, “Hey, what’s something you enjoy doing? Because it seemed like maybe you were a little mellow on this other team thing.” So that they can also find a way to be a part of that team but maybe not in the way that you think is the right way for them to find a way to be a part of that team.

Closing

33:30.358

[David Spark] Very good point. I want to wrap it up right here. Excellent. Excellent episode. Thank you so much, Hadas. You know what? It’s awesome to have a guest on who knows the show so darn well, she rolls with it perfectly. Thank you. By the way, Hadas, you know I always ask guests are you hiring, so make sure you have an answer for that. You’re going to have the last word here. I want to thank our sponsor, Keyavi. Keyavidata.com, self-protecting data. Data that just is smart enough to protect itself. It’s pretty fascinating technology. They’ve been with us for quite some time, and they are actually on fire. So, if that intrigues you, and why shouldn’t it, go check them out. We appreciate their support. Mike, any last words?

[Mike Johnson] Hadas, thank you so much for joining us. It was so amazing to sit down and have this conversation. I love the stories that you shared. I loved just your outlook. It was just such a joy to have the conversation with you. I also really liked the fact that you took that negative experience of that sales presentation, and rather than just going and raging out on LinkedIn, which is what a lot of people do, you turned it into a positive. You turned it into something that’s genuinely helpful and then shared it here with our audience, which is also awesome. So, thank you so much for coming on the show. Absolutely delightful to get the opportunity to sit down and talk with you. Thank you for joining us.

[David Spark] All right, Hadas, you get the final word, and I will also ask, are you hiring.

[Hadas Cassorla] Thank you, guys, both so very much. Also I’m no saint. I have raved on LinkedIn.

[Laughter]

[Hadas Cassorla] I am hiring. I’m currently hiring a security engineering manager, and that is the only role I’m hiring for right now. But I am hiring. And you can go to M1 jobs in the Google machine, and you will find the security engineering manager role.

[David Spark] It is just the letter M and the number 1. That’s how it’s spelled.

[Hadas Cassorla] That is correct. I would like to plug taking an improv class. I think that it is amazing. It’s a great way to learn how to communicate.

[David Spark] Where did you study improv yourself?

[Hadas Cassorla] I started at Company Sports in Portland, but I’ve taken improv classes actually around the world. I’ve played improv at a lot of different places. It’s made me a better person because it teaches you how to have empathy, and I think that that is one of the best ways to boost your career and get into the executive suite – be a better person. [Laughs]

[David Spark] The most popular article that I have written in my entire life is entitled “Improv Sucks,” believe it or not. And I wrote about it when… Because I was a writer for Second City in Chicago many years ago. I came in not having taken improv classes. I had a background in standup. I was also doing corporate entertainment. This was actually soon after I quit that job, Mike. Very soon after I quit. And I got responses to that article… By the way, if you search “Improv Sucks,” it’s my most…best Googled article I’ve ever written. I think it’s like the second search result, and it’s over 20-some odd years old. It’s so old, this article. But I got responses all the way from, “You’re a genius,” to, “You’re a complete idiot,” and everything in between. Which I think that’s the perfect article to write. Half the people hate you, half the people love you. There you go.

[Hadas Cassorla] And half the people are like, “Well, I read it.”

[David Spark] Yeah, there you go.

[Laughter]

[David Spark] You can’t have three halves by the way. That’s one of those producers’ scenarios.

[Hadas Cassorla] I’ve heard it both ways.

[Laughter]

[David Spark] Anyways. But that’s when I was young and stupid and thought I knew everything, which often we run into that problem when you’re young. You think you know everything, and now I’m old and know way less than I knew or thought I knew back then.

[Hadas Cassorla] I know that you don’t not love improv now because you use it on Fridays very frequently in the CISO jam.

[David Spark] Yes, I am a big fan of it. I also sort of had a business partner who was very much into improv and actually… He’s extremely, extremely well known internationally for his improv knowledge, so I have great appreciate for it now. The problem is… And I used to do a joke about this when I was on stage. The problem is how bad I am at improv. Actually if you do a search on YouTube, you will see a bit of me talking about how… If you just do David Spark, I suck at improv, you’ll find this bit. Well, one of the core jokes I used to say is that to be good at improv you have to do characters, and my range of characters is I can do everything from Dave all the way to David. That’s about it.

[Laughter]

[Hadas Cassorla] That’s at least two.

[David Spark] That’s at least two. There you go.

[Laughter]

[David Spark] All right. Hadas, thank you so much. You have been a…

[Hadas Cassorla] Thank you.

[David Spark] ..spectacular pleasure. We want you back.

[Hadas Cassorla] Okay.

[David Spark] Thank you very much. Mike, as always, you were, eh, good enough.

[Mike Johnson] I’m here. I’m here.

[David Spark] You were just good enough. You weren’t the sparkle that Hadas was.

[Hadas Cassorla] Do you guys need counseling?

[Laughter]

[David Spark] Like an old married couple, just bickering.

[Laughter]

[Mike Johnson] David, thank you for being here, too.

[David Spark] Oh, thank you. Thank you, Mike. All right. Hadas, thank you. Mike, thank you. Thank to our sponsor, Keyavi, everyone. We’ll see you on the next show. Send in some more “what’s worse” scenarios. We need Mike stumped more. Good job, Nir, this time.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.