All experienced security professionals were at one time very green. Entry-level status means risk to your organization. That’s if you give them too much access. What can you trust an entry-level security professional to do that won’t impose unnecessary risk? And how can those green professionals build trust to allow them to do more?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Kemas Ohale, vp, global information security, Lippert.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Normalyze
[David Spark] All experienced security professionals were at one time very green. Entry-level status means risk to your organization. That’s if you give them too much access. What can you trust an entry-level security professional to do that won’t impose unnecessary risk? And how can those green professionals build trust to allow them to do more?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series, and joining me for this very episode, you know him, you love him, it’s Steve Zalewski. Steve, say hello to our audience.
[Steve Zalewski] Hello, audience. How are you doing?
[David Spark] They’re doing fine. I’m speaking for them right now. If you disagree with me, send me a message, and tell me you were not doing fine. Our sponsor for today’s episode is Normalyze – regain trust, visibility, and control of your cloud data. Hey, that’s something we would all like, isn’t it?
Nobody says, “Oh. I’m set with my cloud data. Nothing for me to worry here, no problems whatsoever.” Well, if you’re that person, then you don’t need to listen to what I’m going to say about our sponsor later in the show. But my guess is you’re not that person and you’re going to want to hear what I have to say about them later.
But first, our topic here at hand. On LinkedIn, Edward Hickcox said, “Here’s the deal with entry-level jobs in cybersecurity – nobody wants to trust someone with no experience to be responsible for any aspect of the security of their organization. Period. End of story.” Well, I don’t know if it’s end of story.
We wouldn’t be doing an episode if it was end of story. Because ironically, his effort to say, “I’ve got the final word on this,” elicited another 90+ comments. So, all security professionals, including Edward Hickcox who posted this very topic, started from ground zero. Our discussion today will be what can they do with zero experience and how can they graduate upwards.
Steve, you were one day green. Do you remember that day?
[Steve Zalewski] Yeah, but TVs were black and white back then.
[David Spark] [Laughter] Yes. That was a long time ago. So, this is a really good topic of discussion because there is a lot of fear but you do need to bring people on. And I’m assuming there’s a process of graduating them upwards, yes?
[Steve Zalewski] We would like to think so, but the reason why I thought this was such a great conversation for this podcast is this is a chicken and an egg problem. If you really take a step away, chicken and an egg. I’d like to make sure I can trust you before I give you trust, yet in many circumstances we’re forced to trust you, and then hopefully you don’t violate that trust.
[David Spark] Very good. All right. Well, I’m very excited to bring our guest on to talk about this very topic, who has plenty of thoughts on it. It is the VP of Global Information Security over at Lippert, none other than Kemas Ohale. Kemas, thank you so much for joining us.
[Kemas Ohale] Thank you, David and Steve. So wonderful and great to be with you today.
This problem won’t change on its own
[David Spark] Roy Keck of Happily Ever Life & Cyber said, “Why would the board, CEO, leadership, hiring managers expect they need to trust this person with the company’s secrets and security measures in an entry-level role? Is that more of a problem for the company culture, company security policies, structure and etiquette, best practices than the actual employee?” Good point.
And Eric Staffin of BlueVoyant tags onto this, and he says, “We don’t have entry-level jobs in security. We have roles that make sense for varying levels of institutional and domain knowledge and experience. It’s our job as leaders to cultivate talent and in doing so, create sufficient guard rails so that these amazing people at all stages of their personal and professional journey can learn, fail, challenge, and flourish while contributing to the culture of the organization, protecting shareholder value, and mastering their particular craft.
Those are the table stakes for leadership.” I like Eric Staffin’s line of, “We have roles that make sense for the varying levels of institutional knowledge. Not everybody gets the same access, depending on where you’re at.” Right, Steve?
[Steve Zalewski] I love that quote because it makes it sound like it’s solvable.
[David Spark] Well, that’s the idea. We want to make this solvable, right?
[Steve Zalewski] Yet unfortunately life has a way of taking something that sounds so simple and making it complicated. And when I read that quote, what came to mind honestly when I said chicken and egg was for everybody that’s had children, myself included, at what age do you give your child the key to the house so when he comes home from school, he can let himself in?
Okay? And you’d like to say, “Oh, so what I’ll do is I will put him through a 90-day training course to evaluate his maturity, validate that he’s ready for the responsibility, and then have cameras and somebody watch him for 45 days to make sure he doesn’t make a mistake.” Awesome. But how does it really…
[David Spark] But hold it, wait. I’m going to give you a perfect example of a guard rail because I just experienced this myself. I didn’t want to give my kids keys for fear that they would lose it. That was my main concern. So, I purposely bought a lock that they could open with their fingerprint, hence the guard rail of losing the key.
My kids don’t have keys but they can get into the house with their thumb.
[Steve Zalewski] That’s great. Okay, so you’ve solved one.
[David Spark] But that’s a guard rail, that’s a guard rail.
[Steve Zalewski] That’s a guard rail, see? What do you do when they decide to bring a friend home because it’s raining and the friend’s mom couldn’t pick them up and so he said, “Come to my house”? Well, what’s the guard rail for that? See, the reality is it’s not the known circumstances. It’s all of the unknowns where we have to trust people and we can’t verify first.
Right? That’s what gets us in security, in most other cases: it’s all the things where we ask them to think and make good decisions that oftentimes can create a situation we didn’t anticipate, and then what’s worse.
[David Spark] Mm-hmm, good point. Kemas, I’m throwing this to you. What are your thoughts on…? And both of these, both Roy’s comment and Eric’s comment of saying that it’s about the culture and it’s about, hey, we all start somewhere and we get the authority that is deemed appropriate where we’re at.
[Kemas Ohale] Right. So, absolutely I think we all start somewhere, right? And coming back to the guard rail conversation, if you are green, you’re entry-level, you’ve gone through the schooling side of things, you’ve acquired a lot of knowledge, and you know the content pretty well. Well, generally when you come into an organization, you will start off with what we call checklists, right?
Those are the things that are predefined that you can just work through and you don’t have to think. At that point, you can then have a mentor who can guide you through what you should do and avoid those things that you shouldn’t do until you get to a certain level of maturity, then you can gain more access to do more.
[David Spark] And so give us some examples. I’m assuming you’ve had entry-level people, yes, Kemas?
[Kemas Ohale] Absolutely.
[David Spark] Give me an example of what you give them access to and the kinds of guard rails you put on top.
[Kemas Ohale] So, there are two things, right? So, one could be something as simple but also very complicated as doing a vulnerability assessment, right? Where all you have to do is to go into a technology, right, preconfigured, and then do your discovery. You want to find bad things. Once you’ve found those things, you may not have the knowledge to analyze them, and you can have somebody else who’s a bit more experienced to help you analyze the findings.
And that helps you to begin to understand the risk profile from a vulnerability standpoint of an organization. So, if you think about something as vulnerability assessment, that could be a pretty good starting place for an entry-level job.
[David Spark] And just a quick answer here, Steve, shadowing. Because Kemas sets it up very well. How does someone shadow someone more senior, someone who’s going through that process Kemas just described?
[Steve Zalewski] So, best practices with regards to doing that in my experience has been you bring the individual in, you say, “This is going to be your partner. His job is to answer all the questions you have, and you don’t have to feel guilty interrupting him and him doing his job. Because for the next 90 days, it’s to make sure that you can successfully do yours.
And so therefore you can interrupt, ‘Hey, this is the first time I’ve seen this. In an abundance of caution let me ask questions first before I do anything.'” And I think in mature organizations, a reasonable size, that’s great. But then on the other hand, I think, look at all of the SaaS companies where the security teams are very small, and you may be the only one doing this and your boss is the CISO.
And so therefore even though he says, “Interrupt me,” you feel guilty. Those are the realities of the friction of things like doing mentorship against the maturity of the organization to be able to give you as much support as you would like.
No one said it was going to be easy
[David Spark] Duane Gran of Converge Technology Solutions said, “My first security role was an internship with root access on 60 Unix servers to build an auditing system. I suppose they never should have trusted me to do this, but I was careful and it is part of what makes me who I am today.” And here is an answer – by the way, I’m setting this up from a non-security person, listen – Kendrea W.
of Horizon Nursing Services said, “The cyber world is weird with this gatekeeping nonsense. Skills can be learned, just like in other professions. Did I know everything as a new nurse? No. But I learned. I was thrown to the wolves after one month with patients going downhill every shift. Nobody wants to trust someone with no experience, yet hundreds of nurses every year with no experience are trusted daily with human lives.
Make it make sense.” I love that quote because she brings in some reality of like, “Hey guess what? There’s another profession that deals with some more severe stuff than you’re dealing with, and we can figure it out. What’s wrong with you?” Kemas, what’s your answer?
[Kemas Ohale] Yeah. I love that, right? We can absolutely figure it out, right? I think it boils down to the key word internship, it boils down to the key word practice and understand what you are trying to do and provide a level of assurance that you understand the basic concept of the work itself, right?
I mean, that’s the reason why people out of college with no knowledge of the industry do have a level of knowledge they can bring to bear, right? And then at that point, you have to provide a level of trust that they’ve gone through the grind, they have done some practical work, they have some level of simulation, they’re not as green as we think.
They’re coming into the job with a level of knowledge. What is missing though may be real-life experience around how and what to do in the same situation. And I think that comes back to really having somebody who’s going to shout as you, a mentor who’s there to really respond to things that you just don’t know how to deal with.
[David Spark] The perfect example here of nursing is, and also the whole medical profession, in a previous episode of our other show someone had brought up the military, where the military trains soldiers in six weeks.
[Kemas Ohale] Right.
[David Spark] And the medical profession trains people but it is all institutionalized. Like nobody becomes a nurse or a soldier without training, but people become cybersecurity professionals without training all the time. And that I think is the big difference. We don’t have anything institutionalized.
Steve, you keep nodding your head.
[Steve Zalewski] Yeah. I love this nursing analogy and I love the military analogy because there’s parts of our community in cybersecurity, think governance, risk, and compliance, that all we’re doing is we’re a measurement organization for others to make decisions. The reality is we’re in front of a common enemy attacking us, trying to do damage, okay?
Or to the nursing analogy, we are taking organizations or individuals that have been compromised and trying to make them whole again. And so in my mind, part of what makes a good cybersecurity practitioner and part of our responsibility to prepare them is to get them to understand exactly what they’re getting into first.
When you’re a nurse, if you go into nursing, you are not walking into nursing thinking, “Oh, I am just going to take their temperatures and write it on a chart and my day is done.” Okay? You’re going to be in circumstances where you’re going to have to make life or death decisions, and you have to have that in your mind to understand the responsibility and maybe you’re not cut out to be a nurse.
So, it’s not just the training and certification, but it’s the mindset to realize that.
I oftentimes have said my job at Levi’s I felt was to do triage in a MASH unit because bad things happened every day and therefore, who lives, who dies, so to speak, which was how can I keep the business going and what’s the level of impact I have to put on them based on the incidents that are hitting me.
And so there’s a reactive mode that you have to get people to understand that they got to be comfortable with in taking on cybersecurity roles.
[Kemas Ohale] And you’re right. We can even throw in an additional profession, right, a pilot, as an example, flying planes.
[David Spark] Also institutionalized learning as well.
[Kemas Ohale] Exactly, right. So, you have to do simulations and before someone trusts you with flying somebody else, you have to be able to first understand all that goes into flying in the first place, right? You have to go to school for that, you have to do simulations, and then [Inaudible 00:14:56] you fly with the copilot for quite some time before you are allowed to be the captain of that particular plane.
So, if we apply the same analogy here as well, again, depends on the role you are going into in cybersecurity because we have a lot of them, you can definitely get yourself a good mentor that can guide you through. And also if you are in IT, transition to cybersecurity’s a little bit easier because you’re already dealing with all of the technical things that you will also deal with in cybersecurity as well.
So, there’s always that natural transition between IT and cyber.
Sponsor – Normalyze
[David Spark] Before I go on any further, I do want to mention our sponsor Normalyze. I am so thrilled that they’ve joined us. So, the rise of cloud computing and the resulting data sprawl is creating many security and compliance challenges for organizations across the world. Surprise, surprise. Today, enterprises find their most important asset, their data, scattered throughout multiple cloud environments, and security teams are hampered by limited visibility and control.
More data movement means more exposure and risk, so both data security posture management and around the clock monitoring of this movement across the environment is key to securing the data and preventing expensive breaches from occurring.
With Normalyze, you can discover, visualize, and secure all your cloud data in minutes. In a nutshell, Normalyze enables security teams to analyze, prioritize, and respond to data threats and prevent damaging data breaches without spending days on manual discovery or drowning in alert noise. The Normalyze cloud-native platform manages data security posture and compliance by automatically tracking all risks to sensitive data, visualizing who can access what, and quickly blocking unauthorized access or vulnerable points of attack.
With data in motion, data lineage, and anomaly detection capabilities, security teams can continuously identify cloud-resident sensitive data both at rest and in motion to secure access paths and reduce the risk of breach. So get the full picture of your cloud data now with Normalyze Freemium. You heard me right.
There’s a “Free” word in there, and then a “mium.” That means they have a solution that’s on the free scale. Check them out. Go to their site, it’s normalyze.ai.
Where do we begin?
[David Spark] Alex P. of Millennium Space Systems, A Boeing Company, said, “Cybersecurity isn’t a starter role. That’s one of those roles that people hope you moved from somewhere else in tech, like Help Desk 1. That’s a great starter role.” And Eric Silberman of USDA said, “There are tons of jobs where you contribute but you are not capital R “Responsible” and concurrent with that notion, I do indeed see that there are some entry-level jobs in cyber that do exist, an example is Tier I SOC analyst for example.” So, Steve, I’d like to discuss with you.
What are great entry-level jobs, responsibilities for security professionals?
[Steve Zalewski] So, I agree Help Desk, SOC analyst where there’s run books, circumstances where they have to be intelligent to be able to follow direction and have interpersonal skills – great start. Okay? As you get into those roles where there’s a decision-making process involved in determining what to do, that’s where I’d say it gets gray.
Now you’re starting to realize if you’re putting individuals in those roles, maybe because you have to because you’ve just been right-sized and your team is half the size and you have to cover some of these areas, so this is what I would call like field-grade promotion. “Congratulations, you survived.
Congratulations, you now do this. And therefore hopefully the training I’ve given you in what you’ve been doing gets you comfortable with knowing when you’re uncomfortable making a decision.”
[David Spark] That’s a good point.
[Steve Zalewski] And that’s actually something that I talk to a lot of the folks that I’ve mentored or as I’ve brought in, which was, “My job is to let you fail and have you fail fast and learn from the mistakes. But what I need to do is to be comfortable with where you can fail and where you can’t.” And I often would say, “If you feel comfortable making a decision, make it, and I have your back even if there’s consequence.
If you’re uncomfortable, come to me.” And I said, “Once we get that balance, you’re going to start to get more and more comfortable making decisions because we’re going to talk about the ones you’re uncomfortable with, and I will either coach you or encourage you to have the confidence so that we maximize your ability to accept that decision-making role and build that maturity in decision making as quickly as we can, always knowing that you are comfortable with when you’re uncomfortable.”
[David Spark] Kemas, when someone comes to you and says, “What should we do here?” let me ask you because my dad used to do this because my dad was a doctor and he taught medical school. He would never answer outright. He would just say, “What do you think we should do?” And he wants to hear their thought process.
So, do you do that to learn their thought process? Because this seems like a great educational moment, yes?
[Kemas Ohale] Absolutely. It helps you to self-think. It allows you to go deep into your problem-solving skills as well, right? Because at the end of the day, your ability to put things in the right sequence to be able to identify workable solutions and get them done is not always something that someone gives to you.
It’s something that you can also work through yourselves. As leaders, right, we are in a position to ask probing questions that can allow people to self-think. And then along the way, you give them enough guidance that would help them reach the same conclusion, right? Because if we continue to provide answers to questions, people are not going to learn.
But if you ask them to provide their options and how they think we should solve a problem and help them refine their thought process, you get them from learning to maturing, right? So, I think as leaders, that’s really the role we should be playing to really help people to self-think.
What are they looking for?
[David Spark] Drew Herrema of Rakuten Kobo said, “Companies are going to have to invest in new talent at some point. It’s better to start now so you have more people with the experience and give them more time to train.” And Derek A.’s last three hires were all very green. He hired a former intern, a service desk person, and a system admin with no security experience, and Derek said, “I didn’t hire them for their certs or their Hack The Box ranking.
I hired them because they were people who wanted to learn, wanted to work hard, were highly motivated and accepted that no task was beneath them and they’d learn from everything they got to do.” So, Steve, I’m going to go to your example of giving the kids the keys to the house. In Derek A.’s example, the kind of person they are determines how eager you are or not eager to give those keys.
So, not every entry-level person is the same, as you’re nodding your head. Yes?
[Steve Zalewski] Correct. And that’s why I like analogies like this is because people would like the answer to be yes or no, and when I say things like, “The chicken and the egg,” it frustrates people because they understand that chasing their tail or whatever, then they don’t want to hear that. We still need to give them some guidance on what to do.
When you hire a person, right, you are evaluating their capabilities, and those aren’t just technical capabilities, those are critical thinking skills, it’s what Kemas said. And so absolutely you’re figuring it out. And in some cases, you trust the child and you give him the key knowing, being confident that when those circumstances come up, he’ll make the right decision because he’s got good critical thinking skills.
There are other children and I have some like that, where you’re like, “I will give you a key only as a last resort, and I’m probably coming home early.” Because your critical thinking skills are not where they need to be but I’m forced to have to do it because I don’t have any other possibilities and then I got to put all the guard rails around you.
Unfortunately, that’s the world we live in for kids and it’s also to a certain extent the world we live in in cybersecurity because the job you have today does not mean it’s the job you have tomorrow and it’s those critical thinking skills that give us the confidence for you to enter those environments and do the right thing.
[David Spark] Kemas, I’m going to let you have the last word on this of it’s the individual that obviously helps you make the decision, not the role, correct?
[Kemas Ohale] That is correct. So, it boils down to the person. How much can you trust him or her with the key, and that would come with time, right, as they continue to show up and embrace the role, make decisions, give them an environment to really fail fast – Steve, like you said earlier, like that – and allow them to grow from there.
I think that in and of itself would go a long way. As an industry, we need talent, and the talent we need are not the most technical talent. Most times we’re looking for talent with passion, with the right mindset, with a viewpoint that allows us to drive an effective program within an organization. Those that are willing to learn, those that are willing to take risk and make measurable mistakes, if you will, they can grow them.
[Steve Zalewski] So, I’m going to dovetail on that because it’s something, David, you said earlier which is guard rails. But let’s talk about guard rails for a moment in a cyber perspective, which is what’s your defense in depth. Depending upon my ability to have compensating controls also gives me a lot more flexibility to have those inexperienced make critical decisions where even if they’re wrong, I can manage the consequence.
So, if I give David administrative privilege to 50 servers, but I have a privileged access management system that he has to go through in order to be able to get that access, I have a compensating control where it looks like I’ve given him a lot of responsibility and potentially he can do damage, but I’ve got compensating controls to be able to give him an opportunity to think through what he’s doing and for others to be able to realize if he pulls the admin console access for all 50 at the same time, odds are that’s going to trip an alarm.
We’re going to go ask David what he’s doing. And so to everybody, we talk about defense in depth and compensating controls and realize it’s as important for us in order to be able to maximize the growth potential and the ability to make mistakes quickly with limited consequence.
[David Spark] That’s a very good point and that can make a whole other episode right there, Steve, in that. How do you create either a sandbox or defense in depth environments for your staff so they can learn safely. All right.
[David Spark] Kemas, we’ve come to the portion of our show where I ask you which quote was your favorite, of which there’s a lot of really good ones in this one and coming all from different angles. Which was your favorite quote and why?
[Kemas Ohale] I really love the quote by Drew Herrema talking about really, this is the time for companies to invest in new talent and also to get those talent trained up at a level that allows the organization to maximize the value of the spend.
[David Spark] Steve, what was your favorite quote and why?
[Steve Zalewski] This is a tough one but based on what I was talking about, I have to go with Kendrea W. from Horizon Nursing Services, which is, “Nobody wants to trust someone with no experience yet hundreds of nurses every year with no experience are trusted daily with human lives and they make it work.” I would say, so, the conversation around compensating controls and defense in depth, which is cybersecurity, is train them up as best you can, give them smart people that you hire that are creative, and then let them do the right thing.
[David Spark] I’m in agreement here, Steve. I love that analogy as well. And I think what it really boils down to and why we have this discussion is this works with doctors, it works with nurses, it works with pilots – great example, Kemas – it works also in the military. But for some dumb reason, it’s not working so seamlessly in security and that’s because we do not have institutionalized training.
We do have training, but it’s not regulated and institutionalized. And until that happens, which I don’t see happening anytime soon, we’re going to keep having this discussion. Aren’t we, Steve?
[Steve Zalewski] Yes, we are.
[David Spark] Very much so. Kemas, thank you so much for joining us today. It was a thrill having you onboard. Are you hiring over at Lippert, by the way?
[Kemas Ohale] We are always, always looking for good talent.
[David Spark] Yes. And how can someone demonstrate their passion to you so they could be the one that could be given more authority?
[Kemas Ohale] Right. So, their willingness to really understand the material and solve problems and ability to show the human side of them, that they’re not perfect, they’re willing to learn, and they’re going to bring a lot of value to the organization.
[David Spark] I’d say admit your faults. Steve, you’re perfect, right?
[Steve Zalewski] My kids would tend to argue that every single day, but I’m perfectly imperfect. How’s that?
[David Spark] There you go. Thank you very much, audience. I want to also thank our sponsor Normalyze – regain trust, visibility, and control of your cloud data. Check them out. Again, it’s spelled oddly as all these companies are – Normalyze. That’s Normalyze, go check them out for your cloud data needs.
Thank you so much for sponsoring and thank you to our audience for all your contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cyber Security Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios.
If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com.