What should a cyber job description require, and what shouldn’t it? What’s reasonable and not reasonable?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rob Duhart (@robduhart), deputy CISO, Walmart.
HUGE thanks to our sponsor, Normalyze
[David Spark] What should a cyber job description require, and what shouldn’t it? What’s reasonable and what’s not reasonable?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode, it’s Geoff Belknap. You know him, you love him, because he’s also the CISO over at LinkedIn. Is that why your kids love you, because you’re the CISO of LinkedIn?
[Geoff Belknap] You know, I never thought about that, and now that you mention it, I’m starting to wonder if that’s the only reason my children, who don’t have LinkedIn profiles, love me. But could be other things too.
[David Spark] You weren’t always the CISO of LinkedIn, so did they love you less before?
[Geoff Belknap] Unclear, but as soon as we finish this I’m going to have to go ask some tough questions of my family.
[David Spark] You do that. Our sponsor for today’s episode – it’s Normalyze, the data-first cloud security company. More about just that a little bit later in the show. There is a lot of frustration in the cyber hiring process. Yes, Geoff?
[Geoff Belknap] There’s a lot of frustration.
[David Spark] You’ve heard of it before from all sides?
[Geoff Belknap] Mm-hmm.
[David Spark] And a lot of the visible frustration is around cyber job descriptions. Christopher Zell of Dell posted a job that had 20 bullets, and these were all requirements. Nineteen of them had a five-year requirement in some cyber skill. One of them provided some relief: the last bullet only required four years’ experience, but that was for an undergraduate degree. They weren’t requiring a five-year undergraduate degree.
[Geoff Belknap] Mine took 12 so I think I’m overqualified.
[David Spark] [Laughter] It was absolutely insane and the 150+ comments expressed that frustration. Now, my question to you is do these completely unrealistic job descriptions hurt the entire industry, or is your attitude “Bring ’em on, it just makes mine look that much better,” and what is it we need to put in a cyber job description, and what do we need to leave out?
[Geoff Belknap] The short answer is this is not good for anybody. I think in this specific case – and it’s really important to say this upfront – almost certainly this job description was a product of some kind of bug in whatever hiring software they were using, and it sort of inserted five years, literally the words “five years,” in front of everything in the job description. But it highlights an important point, which is there are a ton of unrealistic expectations when it comes to cybersecurity hiring, and we are not doing ourselves any favors trying to make cybersecurity hiring of today look like hiring engineers of 20 years ago. And I think this is an important thing that we all need to talk about and make sure we make better to improve security for everybody.
[David Spark] Good point. Now I will also say, as someone who just hired, I had very, very low requirements, and I still struggled to get people who met those incredibly low requirements. But it can be tough. Let’s get to our guest who’s going to join us in this very discussion. Very thrilled to have him because it’s actually been a long time coming, and I’m thrilled that he’s onboard. It is the deputy CISO over at Walmart, Rob Duhart. Rob, thank you so much for joining us.
[Rob Duhart] David, the pleasure’s mine. Really glad to be here with you all.
What are they doing wrong?
[David Spark] Anthony Rodriguez of Baptist Health South Florida said, “This is a perfect example of what is generally wrong with the information security industry today. The largely accepted and promoted view of requiring a potential candidate to have a photogenic memory, multiple years of experience doing anything, and more certificates than what exists on the internet today, all before even considering them for an interview creates artificial entry barriers.” And Rob, I didn’t even realize we had picked you.
You had said this in the discussion, “Someone threw ‘unrealistic and irrational expectations’ onto a page and called it a job description. If this candidate exists, she would never accept the job of manager. She’d be all of our bosses.” And complimenting that comment was Luis Valenzuela of InComm Payments who said, “They’ve been looking for this candidate for five years,” and probably another five as well.
Geoff, this post was outrageous but every time we see one of these outrageous posts, which do come up, it sort of lights a fire under everybody, doesn’t it?
[Geoff Belknap] It’s a great opportunity to have this conversation, which is “Hey, we understand that you’re trying to look for an experienced cybersecurity engineer or technician, but you really have to get your HR team, your recruiting team, your hiring team, whoever’s going to be involved and be your partner to hire that person, to spend a little time talking to you about this role because it’s probably going to be very different than all the other roles that you hire for.” And you cannot in this hiring environment, even though at the time that we record this, tech is going through a little bit of a moment, things are not great right now, but even in this moment, cybersecurity people are in high demand, very skilled people and even people that are just getting into the space are not going to respond to an ad like this because they’re going to go, “This is ridiculous and if a company like this cannot even get a job description out to hire for this organization that is not ridiculous, what’s it going to be like working for them?”
[David Spark] Yes.
[Geoff Belknap] So right out of the gate, you’re putting a bad foot forward and you’re just not going to get value for the buck using a ridiculous job description like this.
[David Spark] Yes. Red flag on employer branding here, in a big way. Rob, let me ask you, do you qualify for this job?
[Rob Duhart] [Laughter] Not even on a good day, right? This is the joke, David and Geoff. My boss wouldn’t either, right? At Walmart, we have a saying, which is we don’t want to create a job description that neither I nor Jerry, our CISO, could qualify for when we started our journey. Neither of us was a traditional hire. He didn’t have a college degree when he started at the company 32 years ago. So if we were going to miss out on Jerry Geisler, why would we make a description that could not reach that group of people? Our best geniuses are sometimes people that don’t meet any of those characteristics. And I spend time with Chris, I know Chris. We joke about this all the time. Half the time, we have to have very serious conversations with our HR partners to land this plane, as Geoff said. To make sure that we’re asking for the right things, that we’re not unreasonable, and really we’re being a brand that people want to be a part of.
Does anyone have a better solution?
[David Spark] Marc Varner, Global CISO over at Lowe’s Corporation, said, “An easier route would have been to just simply say, ‘Be a security person, have 5 years of experience.’” Yolanda W. of CompQsoft said, “Organizations really need to rethink what the minimum requirements they need are, rather than some unrealistic wish list. You still have to learn the company and the job role within the company’s framework.” So, Rob, just think about some recent job posts that you’ve put out. What are some minimum requirements? And you have to have minimum requirements. What are some of the ones you’ve done? And have you started with a long list and started to pare it down?
[Rob Duhart] Paring it down is the beginning, right? First get rid of the requirement for a degree. I’m sorry. We don’t require them for any of our jobs.
[David Spark] We heard that if you do require a college degree, you just knocked out 50% of your candidates.
[Rob Duhart] And we saw the same and it was terrible, right? Some of our best members of our department today are working on their college degrees now after 20+ years of being at the company. We missed out on our geniuses when we filtered out for college degrees. Look. I think another part of this is speak to what you’re actually going to do. Take out the fluff around the caged wording that people use.
[David Spark] Can you give us some examples here?
[Rob Duhart] Yeah. Look. Sometimes you say, “Hey, this is an information security role. Information security is da-da-da-da-da-da-da.” Right? No. Cut to the chase. We are looking for somebody who loves vulnerability management. We are looking for someone who has experience in these vulnerability management platforms. We’re looking for someone who’s a go-getter, who has integrity, right? Look for the characteristics that you could find in a store, and that’s our difference.
[David Spark] But always my concern is when you do that, it’s like how does someone reflect that on a resume that you can actually trust?
[Rob Duhart] This is another good point. My best hires have never been resume driven. Our best hires today aren’t resume driven, right? They’re relationship driven, they’re conversation driven, right? And the question may be, well, how do you get that conversation, right? How do you get to the stage where you can prove yourself that way? The resume is usually a gateway, but being simplified and having a view that simplifies the conversation makes it much better. Because I can teach much of that, David. I can teach most of what’s in that 15-, 19-line description. I need someone that works hard, who cares, and I can trust.
[David Spark] Good point. All right. That’s a really good point, that, and I’m going to agree the same here. We have not hired based on resumes. We hire based on everything but the resume. But the resume just gives me a general idea of where that person’s coming from. What about you, Geoff?
[Geoff Belknap] David, I think the really important thing here is to lean into what both Rob and you are saying, which is you want to take a skills-first approach. And this is something that I’ve been advocating for a long time, especially if you’re going to write a job description. Just start with what skills you want this person to have. We are past the time in hiring where you can go, “Oh, as long as they have a bachelor’s degree in A, B, or C, they will have all the skills and knowledge they need to do this job.” We work in a much more complex space where not only is it complex, we want people that are complex, people that might not have gone to college or chose an alternative path to getting to those skills. But the most important thing we want is people that have the passion, that have those skills, and that want to do the work.
As Rob said, you can teach a lot of stuff, but I can’t teach that passion. I might not be able to teach you every skill, but I’ll tell you what – you didn’t get those skills from going to college. You got those skills from doing the work, from teaching it yourself, from being part of the industry. And at the end of the day, those skills, the things that you’ve learned, the things that you can do regardless of how you came to those skills, are the thing that I’m compensating you for. That’s the thing that I want on my team. I’m not hiring you for your degree, for your certification, for where you worked before. I’m hiring you to do a job. And I think the sooner people can let go of this old approach to technology hiring and think about what skills we need on the team to be successful, and who’s got them, and how do we identify them, the more we’ll just stop having this kind of ridiculous job description conversation.
[David Spark] Let me ask you this. I had a very interesting situation where I had a job out and there was a requirement of cybersecurity knowledge and journalism experience. I had one candidate who was extremely skilled, I mean literally perfect for the job, but his passion and desire were at a zero. I mean truly a zero. On the opposite side of the spectrum, I had a candidate – crazy levels of passion, super excited, I was excited, but the skill just was not there. At all. Now, I ended up hiring somebody else who actually fit the model, but can you work with either side of that extreme?
[Geoff Belknap] I think you can. But I think one element’s really important. If you’ve lost all motivation, you really have to dig into why. If you’ve lost all that motivation and it’s because you just hate what you’re doing or where you work or your team, it’s possible that just a change is what you need to change those up. But there’s a lot of reasons why somebody might feel that way.
Now, if you’re super passionate, if you are looking for a career change, like maybe you were a plumber and now you are super excited about cybersecurity, and you’ve taught yourself, you started to read, you’re listening to these podcasts, you’re doing all this, you’re consuming all this information, the chances that you can continue that to the point where you have skills that are worth compensating for are pretty high. I mean, as people, you can learn anything. If you have enough self-motivation and drive to do that, I am convinced you can do just about anything. I certainly think, like, maybe you can’t be an astronaut, but you could certainly be an engineer in the cybersecurity space. I would be happy to take a risk on both of those people.
[David Spark] Quick comment from you, 30 seconds, Rob?
[Rob Duhart] Yeah. Completely agree with Geoff here, right? I mean, cyber’s complicated, but it’s not brain surgery, right? And the passion and the spark is fantastic. We have a program we call Live Better You where we bring people straight out of stores, we train them, we get them certifications, and then we pull them into our cyber department. And oftentimes, they perform just as well if not sometimes better than others because they know and they care about the company and they’re passionate about what they do.
Sponsor – Normalyze
[David Spark] All right. Before I go on any further, Geoff and Rob, I do want to mention our sponsor Normalyze. You remember I told you they’re the data-first cloud security company? Well, the rise of cloud computing and the resulting data sprawl is creating more security and compliance challenges for organizations across the world. We all know this. Today, enterprises find their most important asset – their data, that’s what it’s all about – is scattered throughout multiple cloud environments, and security teams are hampered by limited visibility and control. We hear this complaint: “Where the heck is my data?” More data movement means more exposure and risk, so both data security posture management and around-the-clock monitoring of this movement across the environment are key to securing the data and preventing expensive breaches from occurring.
Guess what? This is what Normalyze does. With Normalyze you can discover, visualize, and secure all your cloud data in minutes. In a nutshell, Normalyze enables security teams to analyze, prioritize, and respond to data threats and prevent damaging data breaches without spending days on manual discovery or drowning in alert noise. That’s not helpful either. So, the Normalyze cloud-native platform manages data security posture and compliance by automatically tracking all risks to sensitive data, visualizing who can access what, and quickly blocking unauthorized access to vulnerable points of attack. With data-in-motion, data lineage, and anomaly detection capabilities, security teams can continuously identify cloud [Inaudible 00:15:02] sensitive data, both at rest and in motion, to secure access paths and reduce the risk of breach. Why don’t you get the full picture of your cloud data now with – listen to this – Normalyze Freemium. Sounds good. That means you have an actual free product you can play with. Here’s where you go: you go to their website, Normalyze.ai.
What’s the optimal approach?
[David Spark] Brandon Keath of RapidAscent said, “What is it the organization actually needs? It should start with the objectives the organization needs, reverse engineer that into the role.” E.J. Hilbert of KCECyber said, “One, industry and its members need to have an agreed upon definition of ‘skills’ and ‘experience.’ For me, skills are those things you have experienced and can now accomplish in a reasonable manner. Experiences are simply something you have knowledge of and worked to understand/handle in your past.” And lastly, Darren Young of iManage said, “Stop with counting years. What matters is demonstrable experience and produced results. Some folks can demonstrate proficiency faster than others, but that requires a hiring manager to be able to clarify what proficient means in their organization.” Geoff, I’ll start with you on this. I have heard the reverse engineering and also specifically matching talent to risk or risk management or to threats. Do you go that deep? How do you sort of reverse engineer what you need?
[Geoff Belknap] I think the first thing we start to do, at least at LinkedIn, is look at what the different disciplines of roles that we have are, and what the skills, talents, and experiences are that make people successful in those roles. And I think the skills are where we start, and it is a very difficult thing to start with because it’s not always obvious, right? Especially as we sort of acknowledge that cybersecurity is a growing space, we need people in cybersecurity that may not have experienced working in cybersecurity before, which means we have to lean into skills and attributes and things that make them ready to be successful for what they’re going to experience. You have to sort of look at, okay, what’s a skill? Am I a curious learner? Do I know a certain kind of computer system? Do I have an analytical skillset? What are the skills that you might need? And to start to sort of look at in an abstract way what you want. What kind of person do you want in a specific kind of role?
And I think that’s what we start to look at, at a base level: are you a curious lifelong learner? Do you have a certain base level of computer skills? And then we start to branch out. Like, okay, if you’re going to go to GRC, do you have experience with any kind of public policy? Do you have experience sort of taking a bunch of complex requirements and understanding and applying those and making policies or decisions about how we might implement those? If you’re going to work in incident response, do you have very specific security skills and computer skills that will help you look at malware, investigate incidents, understand what happened, take that apart? These are very different things, but at the end of the day, none of those conversations come down to, “Did you go to an Ivy League university in the traditional sense for four to five years?” It’s all about where you gained those skills and what level they are at, so we can sort of understand, do I start you in an apprenticeship program or do I start you as a senior staff engineer? And then start to identify, okay, now that you have those skills, do you also have the personality traits that will make you successful in the role? So I think regardless of what we’re doing, it’s really the focus on what the core things are that you need to drive success in that role.
[Rob Duhart] I love what Geoff said, right? I think we start with what success looks like in the role itself.
[David Spark] That’s a good way of putting it.
[Rob Duhart] Yeah. Not just today but also tomorrow, right? Because we’re thinking about longevity of career as well, and what are the pathways to that success? Sometimes it’s technical skills, sometimes it’s ability to organize, sometimes it’s ability to drive and execute, right? Looking at those skillsets and then, to David’s point earlier, I believe, one of the quotes, then reverse engineering. Look. Sometimes you have to move beyond the job description. And what I’ve seen as an optimal solution that we’ve done is hosting actual events where we go to where the candidates are, where the talent is, and we have conversations. And we’ll have interviews on the spot, we’ll look at their resumes on the spot, and if we think we see potential, if we think we see the spark, if we think we see something that could grow into a unicorn, we interview them right there and sometimes we hire them right there, right? So, it’s almost circumventing this whole circuitous process and just cutting straight to the point, straight to the meat. If you don’t mind, I’d love to tell a story. I knew a lab.
[David Spark] Please.
[Rob Duhart] I knew a lab, a hardware reverse engineering lab, that was looking for someone to take that lab to the next level, and they wanted a hardware reverse engineer. They spent months looking for somebody with this background and this degree. And then one day, the leader of that lab was introduced to an Android hacker who wrote papers by day but hacked Android devices by night. Had energy, had passion, was curious, had the capacity to learn, had an engineering mind. Maybe didn’t have an engineering background, but an engineering mind, and this individual was hired. That individual was me.
[Geoff Belknap] [Laughter] I wondered if this is where we were going.
[Rob Duhart] And that was when I got my first opportunity in the hardware reverse engineering world. Three, five years later, we’re doing amazing, wonderful things, but it started by a hiring manager who was a trained engineer, right, had a master’s degree in it, saying, “Let’s look outside the box and let’s look for someone with the passion,” you heard Geoff talk about, with the propensity to learn you heard Geoff talk about, and that had a deep desire to be good at this, and then give them what they need to grow. And I use myself as an example to say there are many of us out there. Some of the best security leaders I know at places like Google and other places had that opportunity, seized it, took it, had mentors that supported them, and everybody won at the end.
Who are the winners and losers?
[David Spark] Norman Hunt, deputy CISO over at GEICO, says, “It’s a great job description to help one determine that’s likely not a great place to work since they don’t really seem to know what they want.” Hence what we were talking about at the beginning of the show.
[Rob Duhart] Mm-hmm.
[David Spark] He goes on to say, “Willing to bet compensation also reflects the out-of-touch description.”
[Rob Duhart] Absolutely.
[David Spark] And Marie Nellist of MUFG said, “You aren’t going to get anyone with five years of experience that has done all of this. I can guess that the compensation also isn’t in line with the requirements. This isn’t a manager. You’re advertising for Iron Man.” That’s a good line, I like that. So, this is a good bookend to our discussion: you want to have a good employer brand out here. You don’t want to put a job listing out there that other people will laugh at as unrealistic, do you? Right, Rob? I mean, you don’t want to be seen as whatever company this is.
[Rob Duhart] A million percent. Everybody loses, right? You said who’s losing out here. Everyone loses. I think we as hiring managers and companies lose the most because not only do we look like we don’t know what we’re doing and we don’t know what we’re talking about, bordering on incompetent, we also are missing out on this genius talent that’s often right in front of our face, but we can’t get out of our own way enough to see it, find it, and capture it, right, and grow it, retain it, so on and so forth. So we lose, I think we lose the most, but I think everybody loses from the way things are done today sometimes.
[David Spark] Geoff, do you lose?
[Geoff Belknap] I think everybody loses. Rob’s exactly right. If I can make this a little more serious for a second, we’re in a time where all of our data and most of our lives run through digital systems, right? They’re running through an information system of some kind, whether it’s paying your taxes or doing your work or getting your paycheck. It is important for all of these industries to hire competent security professionals. And if we can’t even do that, if we can’t even be successful posting a basic job description, it’s really an indicator of a systemic issue that we have trying to be better at security and privacy. So this is one of those things where we really need to pivot as fast as our industry pivots and focus on hiring for those skills, hiring for the people that could do the job even if they didn’t do the job before. And just remember that the firefighter academy is not full of people that have been firefighters for five years. They are people that have the passion, drive, and dedication to probably be successful at being a firefighter, and we just have to be more realistic about how we bring people into this profession.
[David Spark] Last comment. It’s like, I’ve worked at companies where I’ve seen job listings like this. I wasn’t working in HR and it wasn’t my job listing, but I was kind of like, “Guys, really? What are you doing here?” I mean, do you just shake your head, or do you sort of intervene, or what do you do?
[Rob Duhart] You step in, and I think you step in with stories, David, right? I often tell people my boss started at the company as a cashier. He then became loss prevention, right, chasing people down in stores, right? So he evolved to being what he is. Our CEO started as, I think, a part-time distribution center worker at some point. We have to make decisions that mean we would have caught the future leaders of the company, successfully recruited and groomed them into the leaders they are today, upfront, and if we’re not making those decisions, we’re losing the soul of the business and we’re losing the soul of the organization.
[David Spark] Excellent point.
[David Spark] That brings us to the point of the show where I ask which quote was your favorite and why. Rob, you cannot choose the quote I chose of you.
[Geoff Belknap] [Laughter] No choosing your own quote.
[David Spark] …your own. You said a lot of good things during the show but you can’t choose yourself. So, which quote was your favorite?
[Rob Duhart] Well, look. In our business, there is no such thing as an easy day. I wish I could quote Geoff because I think he did a great job encapsulating the challenge we have.
[David Spark] You can compliment him later. Quote one of the people [Inaudible 00:25:52].
[Geoff Belknap] No, no, wait. Let’s keep going on this thread. I like it.
[David Spark] No! Enough! You’ve gotten your compliments!
[Rob Duhart] No, I like Yolanda, Yolanda W. from CompQsoft, she said, “You still have to learn the company and the job role within the company’s framework.”
[David Spark] That’s a good point. Yes.
[Rob Duhart] It gets to the heart of what does it mean to be successful. You can have a PhD in reverse engineering, and if you don’t learn the company and understand the job role and have passion, you are going to fail.
[David Spark] You’re useless, yeah. That’s a really good point. Excellent point. Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to go with Brandon Keath from RapidAscent who said, “What is it the organization actually needs? It should start with the objectives the organization needs, reverse engineer that into the role.” This is exactly what Rob and I are both hitting in terms of what are the keys to success and long-term career success in this role for us in the context of our organization? What is that really? And that requires people like Rob and me to put some work into it and put some thought into it. But you’re not going to get a job that you love with a job description that looks like this. So, when you see a job description like this, unfortunately I think you have to do yourself a favor and pass it on and look for a job description that really speaks to you, that you feel like the culture of the company’s coming out of.
And I can’t stress this enough – if you’re in a role like Rob or I and you’re hiring people, spend an extra 30 minutes or an hour and just make sure that the job description you’re putting out not only reflects the culture that you want to have, but also the role and the kind of people you want on the team. Don’t just hope that your recruiter’s going to take care of it. You have to take some ownership of this.
[David Spark] Very good point. Well, that brings us to the very end of the show. I want to say a huge thanks to both my guests, but before I get into the details of that, I do want to mention our sponsor. That’s Normalyze. It’s the word Normal, then you add a Y-Z-E.ai, and you could be playing with their Normalyze Freemium product. So, check them out at Normalyze.ai. Rob, any last words you’d like to say, and are you hiring cybersecurity talent over there at Walmart?
[Geoff Belknap] And do they require five years of experience?
[Rob Duhart] [Laughter] We are absolutely hiring. We do not require five years of experience. And quite frankly, look, we often talk about diversity, equity, and inclusion in this business. The best way to do it is to go to where the talent is and to have conversations. This isn’t a resume business. This is a relationship business.
[David Spark] And as he mentioned, that’s how he hires. And actually, if you would like to initiate a relationship with Mr. Rob Duhart, would it be appropriate for them to reach out to you via LinkedIn?
[Rob Duhart] Absolutely. Please find me on LinkedIn. Please go to walmart.com/cybersecurity to learn more about what we do and how we do it. My LinkedIn name, you just type in LinkedIn.com/robduhart.
[David Spark] And in fact, we’ll link directly to your profile on the blog post for this very episode so people can see it.
[Geoff Belknap] What a handy website, that LinkedIn.
[David Spark] It is a handy website.
[Rob Duhart] Who’s their CISO? I don’t know.
[Geoff Belknap] Some joker.
[David Spark] I will tell you – his children love him a lot now.
[David Spark] They didn’t like him much when he was at another company.
[Geoff Belknap] Thanks for the complex. I appreciate this.
[David Spark] We’re all about backhanded compliments here on the show.
[Geoff Belknap] That’s right. My therapist, it’s just another week of therapy paychecks.
[David Spark] Thank you very much, Geoff. Thank you very much, Rob. And thank you, audience. As always, we greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.