If you’re struggling to get your first job in security or you’re trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. We welcome our guest, Shahar Maor, CISO for DarioHealth.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Egress
Full transcript
[David Spark] If you’re struggling to get your first job in security or you’re trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you know him very well, his name is Steve Zalewski. Steve, say hello to the audience.
[Steve Zalewski] Hello, audience.
[David Spark] We’re available at cisoseries.com. This is not the only show that’s on cisoseries.com. We’ve got plenty of shows. We drop nine episodes every week. If you haven’t spent time over there, I suggest going over there and checking out our other programming and maybe even subscribe to it. Our sponsor for today’s episode is Egress, integrated Cloud email security that prevents human activated risk.
This is really interesting, what they’re doing. I’m going to explain more of it later in the show. Stay tuned. Let’s talk about today’s topic. This is kind of a soft topic, if you will, Steve. In a very confessional post on LinkedIn, CISO and friend of the show, Olivia Rose, wrote about the struggles she was having landing her next position, and as a result, found herself leaning on her security hive or security community and what value it brought to her as she questioned her own ability as a security professional.
I know we all go through this of like when you’re out, you’re like, “Does anyone want me? Am I worth anything?” What should you look for, Steve, when you’re building a security hive or community? It’s the same thing. And what should you expect to put into it, and what should you expect to get back? That’s what we’re going to discuss.
What are your thoughts about this?
[Steve Zalewski] I would say very timely given the market and what we’ve seen in the last year. There are a whole lot of people wanting to have this conversation.
[David Spark] Yeah. So, I think this is a timeless conversation. I can’t believe anyone doesn’t want to discuss about this. We all like to help others, and we all like to be helped. I think this is kind of a win/win all the way around here. And the person who’s going to join us for this very discussion is the CISO for Dario Health.
It is Shahar Maor. Shahar, thank you so much for joining us today.
[Shahar Maor] Great to be here. Thank you very much for having me.
This isn’t just a security issue.
2:24.301
[David Spark] John Delacruz of Lowe’s Companies said, “We’re all still human and have our own journeys that lead us to the mud sometimes.” That is very true. And Anthony or better known as Tony Chryseliou of Sony said, “For all those struggling, I guarantee there is not a single successful person, however you want to define success, that has had a career trajectory that went straight up.
People have had to pivot, change direction, change tactics, take steps back, and even sometimes step out and recuperate and reevaluate before getting back into the game. Being flexible and open to all of life’s possibilities is key.” I love that quote. I think that’s on the money. Yes, Steve?
[Steve Zalewski] So, easily said. That’s be flexible. But what you’re doing is it’s not just a security issue, but I also say it’s also kind of a personality issue. Because having a set of people, having a community around you… In the security field, IT field, many of us are introverts, not extroverts.
And so what you find is it’s not just a security issue. And often times, you don’t invest in it because you’re busy in your job, or you’re just naturally not inclined to reach out to people unless you need something or are trying to do something.
[David Spark] And yet then there gets into this moment of desperation. I think when we get into that moment of desperation, that’s when we start to question ourselves? Shahar?
[Shahar Maor] Yeah, definitely. I think that having a good community can help you better understand what you need and how to focus on what you do. I think that creating a community if you have a good community of mentors makes everything more affective in your work and definitely helps you achieve your goals in a much better way.
[David Spark] Let’s get into details of that. So, first of all, do you have some kind of a hive or community that you rely on, Shahar?
[Shahar Maor] Yeah, definitely. In Israel, we love to collaborate. It’s a very small community by design. It’s a community by design. It’s a small place with short distances, so we meet a lot. And we have a few very good communities, mostly on WhatsApp. At least for me. And we really like to collaborate.
I think that from my perspective when I join a community and I want to challenge or ask a question, I think it’s very important to come prepared. It’s not enough to broadcast and ask a very generic question and hope to get something in return. You need to come prepared and mostly validate what you already suspect or assume.
I think that’s very important in having a community.
[David Spark] I can’t agree more with that. You’ve seen this behavior, Steve, where someone has had a job…and I’ve had this…where they just sort of hand you their resume, and goes, “Hey, if you hear anything, let me know.” There’s literally nothing you can do at that point, is there? There’s nothing.
[Steve Zalewski] Yeah, you can get lucky.
[David Spark] Lucky is the only thing that happens. But if someone says, “Hey, Steve, I’m really interested in job/company XYZ. I see that you’re connected to person A. Would you make an introduction?” That’s something you can do, right?
[Steve Zalewski] It’s possible.
[David Spark] Possible. Let me not say… Yeah, there’s a lot of variables involved here.
[Steve Zalewski] And that’s what we’re talking about here, which was a lot of people, if they find themselves out of work or wanting to get back in, the first thing that they’re often surprised about is many of their people in their community were at their job. And then you find out who your friends are versus who your acquaintances are.
Because many of them won’t do anything. It’s like, “Okay, well, Steve is gone from Levis. He’s dead to me.” You know what I mean? And so therefore he was just a work associate. That’s when you find out where your true friendships are and your community and folks that reach out and be able to help you.
And so often times people that haven’t built a community or just have this expectations, that’s just it. They kind of do a cold reach out. And if I don’t know you well or if there hasn’t been some way for me to be able to validate you, a lot of folks have to realize I’m putting my own reputation on the line when I’m making an introduction, especially cold.
[David Spark] This is the variables, yes.
[Steve Zalewski] And these are the variables we’re talking about where you have to understand that you kind of weren’t aware of the greater world, and now you just want to be able to touch parts of the world and expect good things to happen.
[David Spark] Let me put a quick button on that, too, in that it’s very, very important… I’ll just say people say to me, “Oh, David, you got this audience. Would you mind promoting this?” Well, no. First of all, that’s our product. But the way our audience respects us is that we are critical about what information we put out.
We don’t just because someone asked for it, we do it kind of a thing. And similarly… I have a friend who I lean on for recommending camera people. Unfortunately one day he recommended a camera man that I worked with who was not good. And I said to him this, and he was aghast to find out. He felt horrible, and he wanted to see sample of the material, and he agreed, yes, he was not good.
And so you don’t want to get in a situation where you’re recommending something bad because it reflects poorly on him. And so he doesn’t want to recommend that person anymore given the situation that had just happened.
How do I start?
8:11.183
[David Spark] Richard Greenberg of Security Advisors said, “Networking is a huge key to success, both professionally and personally.” And Ken Brothers of Federal Home Loan Bank of New York said, “Finding local peer groups of all careers going through the search process is also very helpful and encouraging just when you need it.” So, I’m going to start with you, Shahar, on this one.
You said that your communities are on WhatsApp. Can you give me some ideas on how it operates? And have you been in a situation where you’ve been looking that you’ve been leaning on or I’m assuming vice versa? You’ve seen others that have been looking for help?
[Shahar Maor] Yeah, definitely. We’ve seen it all. I use my community on a daily basis, and I think that for me I ask questions, and I ask them every once in a while. And I try not to [Inaudible 00:09:08] the group with questions. It’s important to balance between your eagerness to get answers to whatever you’re working on at work and versus helping others.
I’ve seen cases where people are asking generic questions that you can actually search on ChatGPT or Google it. And it’s very annoying. It’s not professional, and it’s something that people should avoid. On the other hand, you can come up with a short list of vendors that you’re looking for, and it can easily be filtered out to the right vendor that you need to work with.
So, it can be very affective and very, very beneficial for both sides.
[David Spark] Steve, what have you asked the community you realized, “I couldn’t have done this if I haven’t asked them.” And for example, we have a small community of the CISO Series. We have a Slack group of past guests who have been on our podcast. And I’ve seen some value through there. Whether that group or any other group, where have you gotten some value?
[Steve Zalewski] The first thing is think of this as business development. Many people are terrible at business development.
[David Spark] Yes.
[Steve Zalewski] What you realize is the relationships themselves are the business. And if you don’t invest in the business consistently then it’s not there for you when you need it. And so to your point, David, like for us is there’s a set of CISOs that have been on there. And often times they may reach out with a question, or I may have a question where we’ve got some relationship.
And so when you pose an ask, you will get a response. As opposed to just dead air. That gets back to bus dev, which was most people want that human connection and some level of trust so that they will spend the time to be able to pay back that relationship that you’ve built. That’s the underpinnings for all of this – to be able to simply realize no matter what problem you have, if I’m buying a washing machine, if I’m looking for a job, you have to have that community of people that you built trust in and that you put time into so that you can ask those open questions to be able to get to a situation where you may get the new job, or you get the job lead.
And so I can’t overstress enough this is business development, and you got to learn how to do this. It doesn’t come natural to many people. And the earlier you start, the better the network is going to be there for you when you need it.
Sponsor – Egress
11:46.941
[David Spark] Before I go on any further, I do want to mention our sponsor, Egress. Now, look, I talk to a lot of CISOs, as you know. And I’ve yet to meet one who feels fully at east with their email security. Nobody does. But at Egress, they believe the only way to stop email security risk to address both inbound and outbound threats together and put people at the front and center of the solution.
As advanced and persistent cyber security threats continue to evolve, Egress recognizes that people get hacked. They make mistakes, and they break the rules. Egress is intelligent Cloud email security suite. They use patented self-learning technology to detect sophisticated inbound and outbound threats and protect against data loss.
In particular, inbound email threats have evolved. It’s constantly chasing. It’s cat and mouse. You know how this works.
Account compromise and advanced phishing techniques mean that increasing numbers of attacks get through signature based detection. That’s not enough. Egress takes a zero trust approach to inbound threat detection, inspecting every email into your organization using AI models and natural language processing to detect anomalies, to protect your organization from the attacks that matter most including business email compromise, supply chain compromise, invoice and payment fraud, and ransomware.
Those are the big ones. Egress is dealing with it. So, go to their website. Check it out now. In fact while you’re listening if you’re not driving, please, visit egress.com to learn more about Egress’ intelligent Cloud email security suite and start detecting email threats your existing solution is missing today.
What aspects haven’t been considered?
13:36.445
[David Spark] Mary Midwinter of Women in Tech said, “The idea of building a community, or joining one or a few helped me switch my focus from rejections while job hunting to understanding my value and strengths.” This was also something that Olivia Rose commented on. And Lisa Shaw of Cyber Risk Opportunities said, “Job hunting is so, so hard.
I remember feeling very empowered when I changed my mindset to, “I am the one doing the interviewing to see if they’re right for me.” And so this is also switching the angle of the emotional support that is needed from the hive and the community of when you just get rejections, you start to build a lot of stories in your head and question your value when there is so many other variables that are involved that may have absolutely nothing to do with you.
Have you provided that support, Shahar, and/or seeked it out yourself?
[Shahar Maor] Definitely. By the way, it’s not only community. It’s about the market situation now with the slow down, and it’s very difficult to search for new jobs. I find myself mentoring and helping colleagues to find their next challenge. You need support. Even if you think that you have a huge amount of experience and you just came up from your dream job, when you take the next leap, you need someone you can trust to actually provide you good feedback.
And sometimes the feedback are not that easy to here, but it’s super important to find the people that can provide an honest and straight feedback. Otherwise you will find yourself still working and answering or interviewing in not an optimal way. That’s one thing. Another thing that I need to add is the difference between a community and what I call broadcasting.
If you post it on LinkedIn, for example, I assume you’re searching for attention more than you actually seek for advice. If you really need advice, you need to know or make sure that you actually know the people that you seek advice from. I think that you should really target the right audience if you want to seek real advice and real feedback.
[David Spark] That’s a really, really good point. And I really like the point you talked about giving real feedback that sometimes people don’t want to hear it. Just briefly, I was writing something. Actually it was a book a while ago, and a friend of mine… I asked him to look at it, and he gave me feedback I didn’t want to hear, and I didn’t agree with him at the point.
I don’t think I had the vision at the moment. And it was about three or four months later, I looked at it, and I go, “He was 100% right.” I let him know he was 100% right after the fact because sometimes you’re just not ready for it. Steve, you’re nodding your head.
[Steve Zalewski] Well, I was looking at the what aspects haven’t been considered here, and I’m realizing the first thing is you have to understand that when you don’t have a job, if you’ve been laid off or whatever the circumstance is…there’s a grieving process. You have to understand that you’ve put a lot of time and effort in.
Often times you’re surprised, or you’re just so unhappy that you quit. But you’re going through a grieving process. You’ve been working. Now you’re not. You had friends there. And so I will often times be there for folks, always happy to. And I say, “Look, you’re going through a grieving process. Step back.
Give it a chance. You may not realize it. But having been through it, work through the grieving process. Give it a couple of weeks. You’ll start to see that you change in your behavior as you start to decompress and everything.” But this is where the community helps you because it’s not something you do all the time, and so therefore you’re not aware of the process.
Whereas the community, you’ll see other people. You’ll be participating. So, you’re a little more aware of what’s going on.
Then the second thing I say to that what hasn’t been considered is once you go through that and you want to engage, most people aren’t hiring all the time. They do once in a while, or they’re not a manager. So, they don’t really see what the current kind of hiring process looks like – the ghosting, the extra time it takes.
Or now that you’re trying to get a job and days are important, in a corporate environment weeks can go by just trying to get people ready for a meeting because there’s no the same urgency. So, again, having some perspective as you’re engaging and realizing what it’s really like either to remind yourself because you’ve done it but just you’ve been on the other side, or you don’t know this is a reasonable expectation, and ghosting hurts.
And you feel like, “Why don’t they talk with me?” But it commonly happens, and you just kind of have to accept it and move on.
What’s everyone obsessed about?
18:37.783
[David Spark] Suzanne Nill of Norwegian Refugee Council said, “I think we all have been in this situation before and/or will be again at some point during our career regardless of our experiences, skills, etc. It is never an easy experience, but it helps to know we are not alone with the struggle. We should stop doubting ourselves.” And I’ll just sort of add to Suzanne, she’s right but easier said than done.
Our emotions get ahead of us. We also had Jackson M. or CISO over at the University of California Merced, “In sharing, we get encouraged. This happens to all of us. We hit walls, and we turn around. We fall down and get up. There’s an opportunity that is just right for you, and it’s coming. Keep going.” And we hear that as well.
It’s like keep plugging. I will say that I’ve seen this on LinkedIn. I’ve seen this more on Reddit. You see a lot of this on Reddit. Jus people so beaten down, and everyone’s response is, “Just keep going.” What more can we do than just that? Steve, you’re nodding your head like that’s not the advice.
[Steve Zalewski] For the senior folks out there like myself… For the folks from World War II, we only knew how to work. We were working when we were 15 years old. We worked our entire life. It’s what we knew.
[David Spark] By the time, ageism starts sadly at 40 these days.
[Steve Zalewski] Okay.
[David Spark] Yeah, we don’t have to go to senior moments. [Laughs]
[Shahar Maor] Definitely.
[Steve Zalewski] It’s just if you look at the classes… And I have this conversation probably at least once or twice a month with folks that are out. It’s like, “Steve, all I’ve ever done is work, and now I’m not working. I don’t actually have other things to do because work was kind of my personality.
It was just what I always did.”
[David Spark] Good point.
[Steve Zalewski] “And I wasn’t ready to retire, or I’m not ready to not work, so I don’t have hobbies. I haven’t emotionally and intellectually come to grips with what do I want to do with my time, and so therefore I don’t know what to do. And so I just sit around the house because I don’t have the hobbies.” That’s part of what we say is, “Okay, understand.” Whereas if you’re a millennial or you’re different circumstances where you may have other hobbies or you’ve been in other things is, guys, it’s okay.
Rest. Walk away. Take a walk. So, again, the community is coaching you to be able to understand kind of your career journey where your head is at and offer some of that perspective where you just realize I’ve got gaps. And so to your point, Dave, where you’re like, “Oh, ah-ha.” No, it feels weird to be able to say, ‘Well, go take a golfing lesson because I have to save my money because I got laid off.’” No, no, no, no, no.
The $10 or $15 in going out for a couple hours and meeting some people and hitting some golf balls has got huge positive mental energy for you to come back and feel good about yourself and then go ahead and tackle the job problem again.
[David Spark] Shahar, you’re ready to jump in.
[Shahar Maor] Yeah. Everyone wants to be part of a pack. It’s very important for us as human beings. And we really need this feedback, and we really need these communities to help us to our next step. I think that especially if you’re looking for a job or you’re in the process of interviewing, I interview a lot these days.
And I make sure that I provide feedback to the interviewee and provide them tools for the next interview about what they did wrong and what they can learn for the next interview. Even I can sometimes know after 15 minutes that it’s not the right person for this job. Then I will provide the feedbacks that can help him through this next interview.
This is super important because one day we are all going to be on the other side, so we need to make sur that we take care of each other whenever we can.
[David Spark] I want to throw out one other thing that we haven’t talked about yet but I think is an extremely powerful element of community, and that is being the connector. I mean the connector. You know how you’ll go to an event, and you’ll say, “How do you know so and so?” “Oh, so and so introduced me,” or, “I went to so and so’s event.” Or something like that.
And everyone is talk… And there’s usually a handful of people who were responsible for everyone in the room. You know what I mean? Because everyone knows that one person. And when you stop for a moment and you think about those people who are the connectors, we all have extremely warm feelings about them because they are so responsible for us having a community.
And think about that for a moment. If you were to take on that role as a connector, the power it brings you and that others start coming to you rather than you always having to go out to them. A, I’ll ask both of you, do you feel like a connector sometimes? And B, do you know who these people are and what’s valued?
And I’ll ask both of you. Shahar, you’ll speak last. Steve, what’s your thoughts on this?
[Steve Zalewski] What I say to that is as awareness, look up and out. Get out of your comfort zone. Because many people in the room, they know two people, and they stay with the two people. They’re not actually getting situational awareness and seeing what’s happening around them to understand what the connectors do, to see the role that they play.
So, the first thing I say is make sure you’re looking up and have that situational awareness. Again, the community can help you. “Hey, look, here’s good connectors.” In my case recently, I spend a lot of time connection in what I’m doing now as an advisor.
And I realized that was part of the role, and so I have to put time and effort in to be available to people or to make the connections because they don’t see it. And so that may be a responsibility you have in your career at certain times to be able to pay it forward for others. So, you’re absolutely right, David.
There is some that do it naturally. There is others that don’t, but they realize it’s a role to play depending upon what you’re doing. But I think everybody has a role in the connector community. Do something. You can even say, look, once a month, if you haven’t made a connection for somebody, just done something…and it doesn’t have to be for work…that should almost be a red flag that you’re not thinking about community and you’re not preparing for the unknown.
You’re setting yourself up to be a victim of the unknown.
[David Spark] Shahar, I’ll let you have the closing thought on this.
[Shahar Maor] Yeah, I have a great story for that actually, and it’s a great follow up on what Steve just said. I was approached by many young startups during their ideation process, and I realized that maybe I’m not the only person that is having these talks. So, I reached out to my community on WhatsApp.
It’s a group called Cloud CISOS. Israeli group. Then we started a discussion about the fact that we mentor all the time. We mentor new startups, help them, and guide them. And then we…the spinoff was to create a new group of CISOS, and later on we established a venture capital…a CISO based venture capital called [Inaudible 00:26:12] that was the result of this discussion.
And it all started with a series of discussions and ideation processes as mentors with young startups, and it was a great closure for having a very affective community that turned out to be a venture capital only because we meet a lot of startups and help them. That was still a great way to create an effect and create an impact on the market.
Closing
26:42.483
[David Spark] Excellent. Well, we have now come to our portion of the show where I ask both of you which quote was your favorite, and why. I always start with our guest. So, Shahar, which of all these quotes that I read was your favorite, and why?
[Shahar Maor] I really liked the John Delacruz one about us being human and the journey that leads us to the mud sometimes. I think it’s really representative of a community.
[David Spark] All right, Steve, your favorite quote, and why?
[Steve Zalewski] I like that quote, too. But I’m going to go with Jackson M., the CISO at University of California, Merced. And it’s the beginning that says, “In sharing we get encouraged. This happens to all of us.” I think the whole point here with the community is you have to be able to share. You have to be able to be comfortable talking about how you feel and reaching out to people.
And that if you don’t, that’s the death spiral that you really got to be aware of. So, even if you don’t, build your community. You’re in the situation and you have to build. You have to share to stay encouraged to realize it might take a lot longer than you want, than you realized you didn’t do some things.
But it’s the sharing, and the learning, and the journey that’s going to get you to the next job.
[David Spark] And I think Olivia, who posted this, proved that exactly. Because she did a very sort of confessional post that was a lot of exposing of herself that a lot of people would be very uncomfortable, but it was very inspiring as well. So, thank you very much, Olivia, for doing just that and allowing us to have this very discussion.
Thank you to our guest, Shahar Maor, who is the CISO over at Dario Health. Shahar, I ask all our guests, are you hiring right now?
[Shahar Maor] Yes, I am. I’m hiring for dev ops actually. Dev ops position, yeah.
[David Spark] Oh, really? Okay. Good. Cool. So, we’ll have a link to Shahar’s LinkedIn. So, if you’re interested, please follow up. Huge thanks to our sponsor, Egress. Thank you, Egress, for sponsoring us. Remember, they’re egress.com. Integrated Cloud email security that prevents human activated risk.
Steve Zalewski, I always think you as bringing the wisdom and challenging our audience as always. I greatly appreciate that. Thank you very much. And to our audience, greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.