How Can We Improve Recruiting of CISOs and Security Leaders?

Interviewing for leadership positions in cybersecurity is difficult for everyone involved. There are far too many egos and many gatekeepers. What can be done to improve recruiting of CISOs?

Check out this post and this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn with our guest Ty Sbano (@tysbano), CISO, Vercel.

Full transcript

[David Spark] Interviewing for leadership positions in cyber security is difficult for everyone involved. There are far too many egos and many gatekeepers. What can be done to improve CISO recruiting?

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of CISO Series. And joining me for this episode, a man whose voice you’ve heard time and time again – it’s Geoff Belknap. He’s the CISO of LinkedIn. Geoff, what do you sound like?

[Geoff Belknap] This is not what I sound like. This is what I sound like. I wanted to clear that up.

[David Spark] People will like to have that comparison.

[Geoff Belknap] Yeah.

[David Spark] Our sponsor, by the way, for today’s episode is Thinkst. You know what? They were I think our second sponsor ever on the CISO Series. They’ve been a phenomenal sponsor of the CISO Series, and we adore Thinkst. In fact I ran into the founder of Thinkst, Haroon Meer, who we’ve had on the show before, over at RSA. And he was being talked up heavily. For those of you who are not aware of their deception devices, the Canary deception devices, we’ll talk more about that later in the show. But first let’s talk about our topic. That is recruiting. Specifically the more leadership level of recruiting. We’ve spoken a lot about recruiting on the show, but we don’t focus so much on that leadership recruiting. Everyone has a different experience. And those who have a negative experience definitely want to tell others about it. But at the same time, we all know that getting bogged down by antiquated processes is irritating. So, most of the complaints I get are about the time it takes to hire. High level, Geoff, what do you think is working, and what do you think is not working in, let’s say, leadership recruiting in cyber security?

[Geoff Belknap] I’d say what is working is that most businesses have come around to the idea that security leaders are not just fancy engineers or expensive specialist CIOs. They’re business leaders. Executives in their own right. And CISO roles have an enormous impact on the business. There are a lot more stakeholders involved now. It’s not just the CIO or the CTO doing the interviewing or the hiring. All the executives from the board on down want to be involved in this process, which brings us to what’s not working yet, which is all the executives from the board on down want to be involved in the process. That can make it take a while. So, what’s interesting is let’s talk about this. Like how is this going? How has this changed over the last few years? Let’s talk to our guest about it. What do you think?

[David Spark] Our discussion today actually comes from Chris Roberts, who is the CISO over at Boom Supersonic. But joining us in the discussion about this topic of debate is someone who has been on the show before, and I’m very excited to have him back on again. It is the CISO now for Vercel, Ty Sbano. Ty, thank you so much for joining us.

[Ty Sbano] Hey, David. Hey, Geoff. Thanks for having me. Really appreciate the opportunity to come chat again. This is near and dear to my heart as I’m a CISO role number 2.5, but I’ve been doing security for about 17 years now.

Does it play nicely with others?

[David Spark] Crawford Rainwater…

[Geoff Belknap] That’s a good name.

[David Spark] …of the Metropolitan State University of Denver said, “If an organization cannot figure this out,” meaning this hiring process… “…figure this out with four or dare I say less even interviews, perhaps an internal self-review is in order.” And Evan Francen of SecurityStudio said, “Dragging things out might be a red flag. It may be an indicator that the organization doesn’t really know what they want. People who don’t know what they want make a decision when they see what they want and when they don’t.” And Mike Wolbrink of Azule Cyber said, “When they go dark for over two weeks it is a sign of a ship that takes too long to turn.” So, this is a lot talking about the delay in the process of hiring, which I think is universal in all industries. I don’t think this is unique to cyber security by any stretch. Geoff?

[Geoff Belknap] No. No, but what is unique to cyber security, like I mentioned at the top of the show, way more people are involved in this process now than ever before. So, now where it might have been a CIO hiring or maybe a general counsel, you got the CTO. You got general counsel. Maybe you have an existing CISO that’s retiring. The CEO wants to be aware of who you’re hiring, and the CFO wants to be involved in the process. So, now… And what’s interesting enough, I was talking to a friend of mine who’s recruiting for a lot of CISO roles. She said everybody wants to be involved in this process. And now where you might have had two, or three, or four stakeholders you’ve got anywhere from five to ten stakeholders that need to meet the candidate. And all of those people have to find time in their schedule, because these are all senior executives in the organization. And where three to four months might be ideal, even that might seem long to some of our friends that are commenting here, what’s more realistic is six to nine months could end up being the case. Because so many people want to be involved in this process.

[David Spark] And the CISO’s job is to serve those departments. And if they’re going to be serving my department, I want to talk to who the new person is going to be.

[Geoff Belknap] Absolutely.

[David Spark] Ty, you’re nodding your head.

[Ty Sbano] 100%. I’m fascinated by some of these quotes. If an organization cannot figure this out with four interviews… I on this side would go, “That’s not enough.” I want to speak to more stakeholders. And in fact if I can’t influence the interview process to get ahold of like, “Who’s your GC? Who’s the person leading infrastructure? Let me get one to two engineering leaders…” I want the opportunity to sell myself as well as get sold. So, when I think of that timeline, or even if there’s a two-week period of going dark, I don’t mind. I actually believe it to be very important to have the time to think about the experience and also extend the duration out. Because some CISOs, some of us can have the best day in the world, and we can nail it. But we have ups and downs, too. Especially when you’re in the thick of things. And having that consistency throughout the 10, 11, 12, 6 months, whatever it is, I think it’s a really important factor when having that discussion with the rest of the stakeholders, too.

[David Spark] That’s a really good point. Now, if I can ask from personal experience, you’re a fairly new CISO at this new position, correct? How long have you been at that?

[Ty Sbano] Yeah, about 100 and some odd days now.

[David Spark] 100. Okay, so you’re within the first six months it sounds like.

[Ty Sbano] Yes.

[David Spark] So, my question is did you see a consistency in all the stakeholders that you were speaking to, and what was that consistency you saw?

[Ty Sbano] Yeah, for me in my last round of interviews I can speak to it kind of candidly. I started early. I actually gave notice in my previous role for a six-month notice, working with the CEO to figure out the timeline, which is not super common. My lesson learned is it’s probably not the right amount of time. I think about 100 days is about the right amount of time. Maybe three months and some change and then have a little bit of transition with being available for calls. But for me, I kind of worked through that six-month period. As I was doing that, I shared the information with one or two friends. One happened to be a VC, and they said, “I would like you to meet the founder of this company. They’re in the process of prioritizing security. It is already part of the values, and they need the right person. So, would you be open for the chat?” I’m like, “As long as they’re willing to wait because I have no drive to accept a job this early. I have no drive or ability to make that decision. In fact I need breathing room.” So, it gave me the opportunity to have a lot of talks across the org and even throughout it. One thing that was interesting and very unique to this experience – one of the security folks just didn’t make the cut, which led to another person leaving at the same time. So, having that discussion with some of the leadership through that process was interesting for me, but I didn’t have to over-index on the conversation. Because what I learned through the process is some people in security are not the right people for the organization or the culture, and that’s okay. So, as I was having that chat, it didn’t raise a red flag for me. It allowed for an easy decision process because I heard consistency across the team as we went through.

How do we handle this?

[David Spark] Peter Strouse of InfoSec Connect said, “If the first recruiter can’t confidently screen someone, discuss salary, and get all the logistics out of the way in the beginning, get a new recruiter and/or process.” This is speaking to the gatekeeper issue. And Howard Holton of GigaOm said, “My first conversation involves salary, or I don’t go further. I learned long ago there was a gross range of pay for similar titles, and I’m not having my time wasted.” So, these two quotes really are talking about specifics: you don’t want to go too far down the line without an understanding of what’s expected on both sides in terms of services and pay, because at these early gatekeeper stages you should realize that it’s not going to be right. Have you ever seen an experience like this, Geoff? Or maybe you do it on your side. Let’s just make it clear on both sides we know what we’re getting into.

[Geoff Belknap] Yeah, I think the first contact with a recruiter is usually all these things. I can’t think of any recruiting engagement or recruiting discussion I’ve had with somebody where we didn’t have this conversation, where it was a serious conversation. You’re always going to talk about at that first engagement what’s the company or organization, what’s the role, what’s the scope, what’s the reporting structure, which turns out to be really important depending on your style and that company. And then what are your comp expectations. I think it’s very rare that they come and say, “Hey, we’re paying exactly this much.” It’s usually you as the candidate need to be clear about your expectations. Because the market is so hot for security leaders right now, it can swing wildly. Then again, talking to some of my friends that do recruiting for this space, often an organization has no idea what the market rate is for a senior executive, especially for a CISO. So, a lot of times they’ll have a big range, and you need to say where you are in that range. I think Ty was kind of making this point – and that just needs to be that. If they’re not interested in paying for that, or if they’re serious about it, they need to be serious that compensation structure and total comp might be wildly different. But in most of those engagements you’re going to have that conversation in the first call or the second call. Nobody should spend six months interviewing and then find out at the end that it pays $75,000 a year.

[David Spark] I’ve had the reverse happen where I was… And again, this isn’t for a security leader position. But I make it very clear you do know what the pay for this is, and they’re like, “Yes.” And then we had a good engagement. Then later [Inaudible 00:10:43] they go, “Eh, I decided I don’t like the pay.” I’m like, “What? We did have this conversation. What changed your mind?” [Laughs]

[Geoff Belknap] It was interesting, I was talking to my friend about this, and they said, “That does happen sometimes because the market might shift.” If it takes this long to hire somebody, the market rate might shift, or expectations might shift.

[David Spark] With inflation going up, it should.

[Geoff Belknap] Yeah.

[Ty Sbano] I feel like this is actually a really important topic to this conversation because I’m curious when a lot of these statements were made and the snapshots of time around them. Because I read them, and I don’t know if they reflect current state. With all of the remote work available, with all the opportunities at our fingertips, we’re seeing a completely different market not just for CISOs but for everyone in tech or that can do a remote job. And within that, people are still interviewing even after they get offers. And sometimes they wait for the highest bidder, which used to be kind of like a Bay Area thing. Now this is becoming more consistent across the US and dare I say the globe, because you have a chance and no commitment and no risk compared to yesteryear, where you lived in a specific city or a town that had three or four major employers, and you had to be very careful around which bridges you burned. So, I think the world has changed quite a bit. And when I read some of this, it doesn’t really reflect where we’re at in current state, especially with inflation in mind.

[Geoff Belknap] Yeah, I do feel like if you’re not a current security leader that has actively interviewed in the last couple of months. And frankly I think, look, occasionally I’ll talk to people. I have a great job. I’m not interested in leaving, but it’s really good to stay in touch with recruiters because you don’t know what’s going on in the market. If you haven’t been in touch with recruiters or talked to anybody recently, things are dramatically different than they were five years ago, ten years ago. The other part of it that is really important – people are not just making decisions about jobs, to Ty’s point, on comp anymore. It’s reporting structure, what is the role, what is the actual scope of the role. I know CISOs that are also managing IT now which seems really crazy to me but is becoming more and more common.

[David Spark] You’re managing IT, Ty?

[Ty Sbano] I have IT. I have privacy, and I got a chunk of legal, and it may continue to grow.

[Geoff Belknap] Yeah, and that’s a trend that has just started in the last, I’d say, three years. Where I know four or five other people just like you, Ty, that are doing that. But to me, that seems wild. I never imagined that that would have been the case until just recently.

[Ty Sbano] So, which would be better is always the question in my head. Should security report up to IT? And I think we’ve all lived that life at least some point in our early careers of what security was. And now I think we’re seeing the change in the direction of the importance, the collaboration, and how we make decisions. But I look at it as employee experience. We’re support functions. How do we enable the business? And IT is so on the forefront, why wouldn’t I want that part of my team? If we get to a massive, huge organization then a different story. But in the early phase of startup land, I think it’s very critical to think how are you collaborating effectively.

What are they doing wrong?

[David Spark] Gary Adams of Adam-IT Consulting said, “I have been on both sides of the desk, and one thing I’ve noticed is over-inflated egos. HR departments are abysmal. Most do not understand the business of the companies they work for.” Now, let me also… I want to qualify this. A lot of negative here because the post had a very negative bent to it. I just want to stress that. There’s a lot more positive speaking from Ty and Geoff’s side. Sky Kennedy of Studio Sky Video Content Creation said, “Companies are so bogged down with their own red tape that you have to wonder why are they profitable.”

[David Spark] Look, as someone who has dealt with the industry of HR recruiting, because we used to do some work there, I do know that often recruiters or HR people are not that savvy on what their business is in general. I have seen this many times. I can’t say I’ve been close to it recently, so I don’t know what the situation is recently. But, Ty, what has been your experience?

[Ty Sbano] I think there are different expectations. I’m fascinated by the inflated egos piece. But yes, you’re talking to CISOs. We have to have some sort of ego about this but not an inflated one. We have to be very confident about what we’re doing, and I don’t know of any softer CISOs that would go into a role, and they’re like, “Well, I don’t know if I believe in what I’m doing.”

[David Spark] I don’t think you would hire…

[Crosstalk 00:16:38]

[Ty Sbano] You wouldn’t get hired, so you really need confidence oozing from folks that have had tireless nights, been through incidents over and over or multiple incidents, and they have to stay calm. They have to realize and rationalize through logic to get through these things. But when I think of the interview or think of who I’m talking with, I try to have empathy. I understand from their perspective what they do, how’s their job, and what are they doing to empower me to get to that role. If you have an executive recruiter, I think it’s very different than a standard recruiter or an external recruiter. Depending on those personas, I don’t jump to judgements. For me it’s really the foundational conversations with the executive leaders, the founders, the very long beards that are walking around the company that have the institutional knowledge. I want to get to know them to know that I’m making the right decision. Especially if I’m going to sole source it and just say, “Here’s the one that I’m going into, and I don’t need to talk to anyone else. This is the right thing at the right time.”

[David Spark] How is your ego inflation currently, Geoff?

[Geoff Belknap] [Laughs] I can still make it through doorways.

[David Spark] Is it at 8.5%? Is it higher than it is currently for the US inflation?

[Geoff Belknap] No, my ego needs to catch up with inflation then. That’s for sure. I got to look out for that. I think I don’t feel ego in the hiring process. I just don’t see it a lot. Now, there can be HR people involved if you’re recruiting for a senior role or if you’re interviewing, if you’re on the other side, if you’re a candidate interviewing for a senior role, and I think sometimes the mistake that happens is you involve HR because you don’t know… You as a senior executive at some traditional organization… Maybe you’re a manufacturing company, or a pharmaceutical company, or something like that. You’re not a tech company. You’re not hiring CISOs very often, or maybe this is the first ever CISO that you’re going to hire. You don’t know how to screen these people. You don’t really know what you’re looking for. And a lot of times HR might be involved in a very close partnering. Maybe you’re leaning on them to do a culture screen or help you find a good candidate. That’s what your HR business partner is supposed to be there for. But if you don’t really know what you’re looking for, sometimes the interaction with HR can be awkward. And yeah, maybe HR is not always great at articulating the value of the company. To Ty’s point, you’re going to talk to a lot of people in the process. You’re going to get a good sense if the company knows how to be in business or not. Chances are if they’re hiring a CISO they know how to run their business. I wouldn’t put too much credence in that. But I would tell you as a candidate that’s seeking a role, have some humility and some patience. Because even though we’ve had CISOs for a long time, many companies are still new to it. Maybe a company is hiring an executive for the first time or a very senior security leader for the first time. What you’re going to do is talk to a bunch of people. You’re going to want to talk to as many people as possible at that company about the company to get a full picture of it. Just like they’re doing the same for you. It’s a two-way street. There’s work on both sides of this.

Can it be solved?

[David Spark] Joseph Hall of Fortinet said, “Panel interviews are great. You should be able to do it in one meeting that way. If not have an HR interviewer, manager, and a technical compliance interview. More than that, you’re wasting everyone’s time.” Ty is shaking his head. We’ll come back to that, Ty. Here we go. Phillip Swaim of Elanco said, “You need three – a hiring manager, peers, and the team. If you can’t decide to hire from those three meetings then you shouldn’t hire the person, or your interviewing skills are not good.” And Jared Michael Coseglia of TRU Staffing Partners said, “Anything more than four, and you’re likely to lose the candidate to another opportunity…” This may be teasing what you said, Ty. “…where the employer moves faster and shows the talent how deliberately they make decisions.” So, Ty, you were shaking your head on the first one, but the last one kind of leans a little bit towards what you were saying. A little bit. What’s your take?

[Ty Sbano] I feel like we have a little confirmation bias with our research as part of this because the post probably started from that place. But I don’t know if these are fully representative of CISO recruiting. I feel these are generalizations.

[David Spark] Yeah, I think this is generic recruiting. I have been feeling this, too… Let me ask you… And I’ve never interviewed to be a CISO. Have you ever had to have like an HR interview where they ask you, “Tell me your three best qualities and your three worst qualities”? You haven’t had to deal with that, have you, as a CISO?

[Ty Sbano] No.

[Geoff Belknap] No.

[Ty Sbano] I think you have a lot more humane interaction of, “What is your persona? What can you do for the business? What are the problems that you want to help solve for? And do you understand the business, or can you understand the business? Can you work with the team to get there?” But when I read and hear these quotes – three to four interviews or one panel – I’m on the other side, sitting here looking at Geoff like, “Would you accept that job if they made an offer that quickly? And are you going to have enough information to really understand?” Before I even get to my 100 days, I already planned in advance of walking in the door how I’m going to do this. Now if it gets all messed up because of changes, cool. I’m going to roll with the punches. But I’ve already started to execute on this idea of how to build a program based on the interview cycle, so then I can show up effective as opposed to I get there, and now I’m trying to figure everything out. I can’t do that in three or four chats.

[Geoff Belknap] I feel like to that point exactly… There’s no way I’m taking this job if all I’ve met is the recruiter, HR, the hiring manager, and one of my peers. Because, look, sometimes I want to meet the CEO. Sometimes you need to. Sometimes you don’t. I want to meet the general counsel. I want to meet the CTO. I want to meet key leaders. Probably the chief privacy officer. I want to meet a number of people, and these don’t have to be three-hour interviews. But I want to meet them and understand them because they’re all going to be my key partners. And if I have no idea what that partnership is going to be like, if that person exists, where we are from a maturity perspective, that’s a big leap of faith you’re taking. Especially from the perspective where we’re having more and more discussions about whether there’s personal liability for decisions that happen to the company for this role, whether that might be shareholder lawsuits based on something I’m walking into that I don’t know about. There’s a lot of diligence as a candidate you want to go through. Now, I think also what’s important to point out – to Ty’s point, look, if you’re hiring IT engineers, or you’re hiring like your 50th software engineer, you could probably crank through that in three or four interviews. Absolutely. You can’t hire a CEO in three interviews. You’re not going to hire a CISO in three or four interviews.

[David Spark] Very, very good point.

[David Spark] It comes to the end of the show right now where I would like you to pick your favorite quote. Now, this is going to be a hard one though because we’ve been sort of… It’s interesting. Chris Roberts, who posted this, he was talking very much about his leadership…about getting his CISO position. And yet at the same time, most of what we have discovered in this discussion was not specifically targeting leaders. We outright said that, “Uh, this doesn’t really speak to leadership here in general.” But with that said, either you can say your favorite quote, or I’m going to ask you what quote do you think brings up the most interesting debate necessary for a CISO. So, I’m going to start with you, Ty. Your favorite quote or the one that you think brings up the best debate.

[Ty Sbano] I think for CISOs, the best one that we can debate is from Sky Kennedy – “Companies are so bogged down with their own red tape that you have to wonder why are they profitable.” As a CISO, you are there to enable the business. And if they are not profitable, how can you enable functional security practices, controls, and help the company scale? So, I think the recruiting piece has been interesting, but that one for me is fascinating, that you would have that thought in the interview cycle. But they’re hiring for a CISO, so likely they are profitable. I think there’s a lot to unpack there. All the other…

[David Spark] That’s a good point. If you’re hiring for a CISO, you got the money.

[Ty Sbano] Well, not always true. Sometimes you want a CISO, and you can’t afford them, right? But I think it begs a good conversation. Everything else is really limiting around how few people you should have to interview with to get a job opportunity, and I don’t think that’s that interesting. I think we all kind of alluded to maybe this is not oriented towards leadership roles, and it’s probably more for generalized roles. I think that’s where I can double down and probably have a 60-minute conversation. Why are they profitable? Well, you’d be surprised how much money people spend on all sorts of things.

[Geoff Belknap] [Laughs]

[David Spark] All right, Geoff, your favorite, or the one that brings up the best debate.

[Geoff Belknap] Yeah, I think the ones I want to pull out here are Evan and Mike at the very beginning. Evan from SecurityStudio said, “Dragging things out might be a red flag.” And Mike from Azule Cyber said, “When they go dark for two weeks, that’s a problem.” And, look, yes, that is a problem, and it can be a warning sign. The number one thing if you are recruiting, whether it’s a CISO or any kind of security engineer…the number one part of that process is candidate experience. If the candidate suddenly has no idea what’s going on in the experience, that’s a red flag. That is a concern. Good processes will tell you even if you’ve just interviewed they will get you rapid feedback to tell you it went badly, or you’re going to move forward. That’s really important in this process. Because even if you don’t get the job, you had a great experience, you might apply for something else later. It’s all about brand.

[David Spark] And also the other key thing is we talk to other people. “How’s your hiring experience going?”

[Geoff Belknap] Yeah. “Oh, I never want to work at that company. Boy, they suck at hiring people.”

[Crosstalk 00:26:01]

[David Spark] “I’m not going to send my resume in there.”

[Ty Sbano] You might be surprised how many CISOs talk to each other, especially when the interview process is not great, and it’s been open for 6 to 12 months. And we’re like, “What’s the deal?” And everyone has their two cents to weigh in on.

[Geoff Belknap] Well, not just CISOs. Look, LinkedIn hired one CISO. We hire a ton of engineers every year. If any of those engineers get a bad experience, and even if they don’t get the job, we want them to be like, “That was a great experience. I had a great conversation. They told me what was going on.” I want their friends to apply for the job, too. I don’t want them to have a bad experience. And if they do, people talk. There are websites. You can post on LinkedIn, or Blind, or who knows. That’s a bad sign. So, in the CISO space, if they disappear for two weeks, three weeks, four weeks, six weeks, why would anybody want to engage with you?

[David Spark] Very good point. Well, that brings us to the very end of the show. Ty, I’ll let you have the very last word. And by the way, we ask all our guests are you hiring, so make sure you have an answer for that question. Huge thanks to our sponsor, Thinkst. Thinkst Canary. You actually can find them on the web at canary, like the bird, .tools. You’ll find more about them. They’re Thinkst Canary. Thank you very much for sponsoring this very episode and being a true supporter of the CISO Series. Geoff is always hiring. You can work for Geoff. If for some reason you don’t want to work for Geoff, LinkedIn has all these great tools to find a job. I actually used them myself when I was hiring people as well. I did not hire a CISO though.

[Geoff Belknap] You should think about it.

[David Spark] I should think about it. I know lots of CISOs in fact.

[Geoff Belknap] Yeah, it turns out you got an okay network. Maybe you should be recruiting them.

[Crosstalk 00:27:37]

[David Spark] There you go. Ty, any last comments, any pitch for your company, and are you hiring?

[Ty Sbano] I am absolutely hiring. I’m looking for the key builders out there that want to start in a hyper-growth company. We are not at a place where we have all those roles defined. We are in a place where we’re being very creative and defining those roles as we go. What I found interesting in the hyper-growth world, anything is possible. And we’re going to scale with the company where standard math has not added up for [Inaudible 00:28:04] traditional security team. So, I’m looking for the right candidates. But in full reality, I have been mentoring, training, recruiting people for years for some of these roles. But new, because of the space of Web3, because of the future of the internet, of what we’re trying to build out here with the really modern mobile framework, we need some very talented folks. So, I will say absolutely hiring. Follow me on LinkedIn. Just let me know if we can chat and figure something out.

[David Spark] Awesome. Thank you very much, Ty Sbano, who is the CISO over at Vercel. Would you be

[Ty Sbano] We sure would be

[David Spark] And I’m assuming there’s some type of job board there?

[Ty Sbano] There is, but that is not where you’re going to find my job postings that I just described. Hit me up on LinkedIn.

[Geoff Belknap] Hey!

[Ty Sbano] Hit me with the DM. Happy to chat there.

[David Spark] By the way, the link to his profile on LinkedIn will be on the blog post for this very episode. Thank you very much, Ty. Thank you very much, Geoff. Thank you, audience. We greatly appreciate your contributions and for listening to Defense in Depth.