We’re following up on our previous email because we love to engage in self-defeat. We assume you don’t want to hear from me again, but just to make sure, I’ve delivered another email for you to delete.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter.

Thanks to our episode sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

Got feedback? Join the conversation on LinkedIn.

Full transcript

Voiceover

Ten second security tip, go.

Rinki Sethi

I think it’s really important to protect your digital footprint, understand what about you might be out there, what data exists about you. Teach kids around you as well, around what a digital footprint is, and that they’re protecting it in the right way. What data might exist about them, so that they know how to protect themselves in the best way possible.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark. I am the producer of the CISO series. Joining me, as always, is Mike Johnson. Mike, everyone loves the sound of your voice. Prove to them that you have a sound that comes from your voice.

Mike Johnson

I have a sound that comes from my voice. I can open my mouth and words come out. They sometimes make sense. But I am here, I am me.

David Spark

I hope for the listeners’ sake and our guests’ sake, and my sake, that your words do make some sense.

Mike Johnson

We’ll see how it goes. It’s always a surprise.

David Spark

We’re available at CISOseries.com. We’re on the subreddit of r/CISOSeries. Every Friday we do a really super fun CISO Series video chat. If you’ve never come to one of those, please do come. They are a ton of fun. Our sponsor for today’s episode is Sonatype and they do something that I know is near and dear to our listeners’ interests, and that is… DevOps automation. And I want to point out it’s not DevSecOps automation, which I know you don’t like, Mike, that term. It’s DevOps automation, because security is part of DevOps, regardless. But we’re going to be talking more about them later in the show. I want to make a quick announcement, which actually we announced earlier, but because we were recording this earlier, I’m mentioning it now, for that matter. But we are now officially partnered with GigaOm. Now, you are familiar with GigaOm, the research firm, yes, Mike?

Mike Johnson

Oh, very much. I’ve been a fan of theirs for quite some time. I’m really excited to hear the news.

David Spark

Yes, so what does that mean that we’re partnered? Essentially we are going to, you’ll see in this episode where, one of our segments, we’re pointing to some of their research, we’re going to try and point to more of their research over time, because they just have a great beehive of content that is hugely valuable to our audience. And I just love the way they write the report, they do such a great job. And I just also think they’re kind of a really good alternative to some of the big players that are out there. You know who I’m talking about. And I just kind of really like their brand, and how they’ve operated over the years. So this, honest to God, has been about a year and a half in the making. We have finally come around to do this and, in return, you know, they’re going to promote us and also feed us some really good stuff over the time. So, hopefully, this is going to be very, very mutually beneficial, so that was the goal for all of that. Alright, with that said, let’s bring on our guest today, who is a new CISO at this company, but was previously a CISO over at another company, and I’m very excited to have her on. It is Rinki Sethi, CISO of Twitter. Rinki, thank you so much for joining us.

Rinki Sethi

David, it’s great to be here.

What’s it going to take to get them motivated?

00:03:24:19

David Spark

It takes a while to hire an awesome cyber security team. It takes even more work to keep them, and it pays off, according to a study by ISC squared, I believe is how you pronounce them. As reported by Ericka Chickowski of Dark Reading, 79% of security-centric firms keep their security staff on the roster for three or more years. Now, it’s clear that creating a growth path for your staff is key and I’ve heard companies say they hire within, or that they train, but then you work there, you see the opposite. And then there are the huge enterprises that do have formalized programs, for which you can see a path. If the company is not a huge enterprise, what’s the best course to build that confidence and career growth in a team, to retain them? Mike, I start with you.

Mike Johnson

You don’t have to be a huge enterprise to provide a path to show your team what’s next. In fact, once you’ve already reached a point where you have senior level, or principal level, or that’s the title that you have of people on your team, you already have the beginnings of what that path looks like. You have job descriptions that you’ve written over time, as you’ve hired people at those levels, so you can reuse those, make them more generic, and that then gives you the beginnings of describing a growth path to people, and what might be coming next. You know, take what you have on staff, go one level above that and one level below that, and you have a full path already laid out. One of the things I do want to stress, and I think it’s important, is not only providing the path for your ICs, for your managers and laying that out, is making it clear and encouraging your individual contributors that they do not have to become people managers in order to advance. If they are enjoying the IC path, make it very clear to them that there is a path well ahead of them, that they can keep going, keep gaining more responsibility, greater scope. That they can continue and enjoy what they’ve been doing, versus feeling like they have to become a people manager to advance. Two different skills. You have to be bought in on the people management path in order to be successful there.

David Spark

That is a super good point. So, Rinki, I know you’re new at Twitter. How early did you take this part on, on being able to sort of explain to your new staff, who were in place before you even arrived, that you’re going to be helping them in their growth path? And did you do similarly to Mike, saying that, you know, you can have growth even without being a people manager?

Rinki Sethi

100%. I think what’s interesting in the study that you stated was the term used, security-centric firms. And what I wanted to say about that was, it’s really important in what I found from company to company that I go to, the one thing that stays the same is folks will stay longer if they can see that the company cares about security. There’s a clear aligned security strategy, and they can see how and what they’re doing actually impacts the company in some very positive way. And I think that is what matters, and that’s what keeps employees there, and that’s what creates new careers in cyber security and at the company. And so, that’s one of the things that I thought was really important when I was at Rubrik, and wherever I’ve worked, and now at Twitter, is to lay out a really clear security strategy for the company, in terms of here’s what we’re going to do to protect Twitter. Here’s what we’re going to do to protect Rubrik, when I was there. And ensure that each person in the security team, regardless of their title, understands how the work that they’re going to be doing will impact that strategy, will impact the company in some way. I feel like it’s not that complicated. Teams are about people and caring about people, caring about their careers, what roles they might want to take on. Whether those are individual contributor roles, or manager roles, strategic roles, or program management roles, whatever that might be, it’s really supporting them through that. And then recognizing your high potential talent and seeing also, I think, if there’s opportunities for rotation, so that they can get exposure to various parts of cyber security, I think, is really important as well.

If you haven’t made this mistake, you’re not in security.

00:07:49:14

David Spark

I’m about to record a video chat on, quote, “Hacking Failure”, or how to build a resilient team. Given that we all know that learning from failure is critical, what if we all learn from each other’s failures? First, and I’ll start with you, Rinki, explain specifically how you believe learning from failure has made you more resilient. But more importantly, have you been able to adapt this to learning from others’ failures? Could it be direct, or just what you see in the news?

Rinki Sethi

Yeah, I remember one of the bigger failures that I made was when I rolled out my first phishing testing program. This was when phishing testing was very early, I ran a pilot with about 25 people and I thought, no big deal, I’m going to run phishing testing with the cyber security team. It was a phish that I created. It was the first time, I think, for a company that was not in banking to actually roll out a program like this. And one of the folks was having a really bad day, escalated it directly to the head of HR for a pretty large company at the time, and I got a phone call from HR, saying that, “If you ever do something like this, you will be fired, so please don’t do this again. It’s against the values of our company.”

David Spark

What was in the phish that drew so much ire?

Rinki Sethi

To be honest with you, I don’t even remember anymore. I don’t think it was anything bad, it was just this feeling that they clicked on the link, and then they saw the splash page that said this was a phishing learning exercise, and they felt like they were being tricked.

David Spark

Oh, and you didn’t rope other people in, or let people know that this was going to be happening, that they would be tested, or anything like that, is that the idea?

Rinki Sethi

I thought I let enough people know. There were a lot of folks I did notify. But I don’t remember explicitly bringing in HR into the conversation. Maybe not the right folks in HR. And this is not my first failure, nor is it my first learning around how important communication is in the cyber security world. Communicate, communicate, communicate. I think that’s such an important takeaway, that you can’t communicate enough when you’re rolling something out, and when you do communicate well, you’re actually going to get so many champions in what you’re trying to do, and so it was a learning pretty early on in my career, that sticks with me. When people communicate really well, it’s something that I actually am inspired by, and I’m constantly learning by others’ failures as well. In fact, I think the leader that I’m shaped good or bad today is based on things that I see from other leaders that I don’t necessarily like. And I think one of the key areas is, we talked about it in the previous question, which is, how do you retain talent? And you see cyber security professionals rotate from company to company, and it’s a lot of times because the leader either doesn’t care about their careers, or they’re not laying out the strategy in a clear way, or they’re feeling defeated by their executive leadership, and they’re letting that reflect back in the way that they manage the team. And so, I think that’s something that I try not to do, any of those things, and try to be better and just learn from how other leaders may not be doing it well.

David Spark

Alright, let me throw this to you, Mike. You have never, as I understand, ever made a mistake in your career, correct?

Mike Johnson

Not once, no. Not even once.

David Spark

Perfect record.

Mike Johnson

Yes.

David Spark

See, I hate to break it to you, most of us don’t make mistakes, Rinki. You’re an unusual case. Okay, let’s say you did make a few mistakes, Mike, briefly what did you learn from it? But I really want to forward to how do you learn from others’ mistakes?

Mike Johnson

It was interesting to hear Rinki talk about hers, and really focus on the communication aspect, because that’s been my challenge. Where I’ve made mistakes in the past have been around communication. Not communicating enough, not communicating to the right people, not communicating at the right time. And that’s where I also see the biggest failures elsewhere. The example that comes to mind for me, I always go back to the Equifax breach. Everyone likes to focus on how bad the breaches are, or, “Oh, company X had a big breach”. To me, it’s most important how the breach is handled after the fact. And the biggest component of that is the communication. How are you talking to the people who are impacted, what is the message, what is the temperature that you’re trying to get across? So, it’s really the communication failures that I focus on, and they’re generally very obvious.

David Spark

And this is where I think tabletop exercises are critical, because this is where you figure out the communication flow, right?

Mike Johnson

Yes. Gives you a chance to try that in a safe environment, before you have to do it for real, when the stress is very high, and you’re probably going to screw it up, if it’s your first time.

David Spark

So, Rinki, have you experimented with tabletop exercises? What have you learned about communications?

Rinki Sethi

I think what you learn is, you know, I remember doing tabletop exercises that felt so unreal and, actually, some of it manifested later in the last year or so, at a couple of companies ago. And what you realize is, you think you’ve laid out something really well, and that, you know, you may communicate in a certain way, and then you get these executives around the table, let’s say you’re playing out a breach with your executive and your board, and you realize half the room wouldn’t even know what to do. And so, how are you going to be effective with what you’re communicating, and how you’re going to communicate, when folks don’t know the process? They don’t know that a team exists in a certain area, that we even have a capability, necessarily, to go and tackle a certain area, if a breach was to occur. And so, I think getting everybody aligned on who is going to communicate, how we’re going to communicate, that’s a really, really important thing. And so, that’s one of the “aha” moments. It’s not just in cyber security, it’s getting everybody aligned, because it’s really an entire company thing at that point.

David Spark

And everybody has their role to play in such a thing.

Sponsor – Sonatype

00:13:42:17

Steve Prentice

Software supply chain attacks have been in the news a lot lately, and with open source being a key component of software development, it’s inevitable that these two worlds would collide. Sonatype has a supply chain management platform that helps organizations and developers innovate securely. Derek Weeks is Vice President at Sonatype.

Derek Weeks

In the first quarter, we saw over 6,000 software supply chain attacks, specifically targeting open source projects. This is where adversaries were injecting malicious code into open source projects, that were then feeding into large enterprises. This is a kind of next wave of software supply chain attacks, where it used to be adversaries were waiting and preying on the latest new vulnerability to be announced, and they switched tactics to actually start injecting vulnerabilities in open source code, that is then fed into the communities.

Steve Prentice

And here’s Brian Fox, Sonatype co-founder and CTO.

Brian Fox

2017 is when I first started noticing a new trend, which was the attacks were focused on the open source publishers. Not long after that, we saw things like typo-squatting attacks, malicious component injection, crypto miners in the open source components themselves.

Steve Prentice

This comes down to a single, urgent truth.

Derek Weeks

CISOs really need to be aware of this growing attack vector, and really investigate what’s happening within their development pipelines, and build pull chains.

Steve Prentice

For more information, visit Sonatype.com.

It’s time to play What’s Worse?

00:15:24:16

David Spark

So, Rinki, this is your first time playing What’s Worse. For those who are also listening for the first time, it is a risk management exercise. Both options are awful, I will warn you, you’re not going to like either one. And, Mike, I’m going to tell you that I put the challenge out to the audience, because one of Mike’s absolutely least favorite things in the world, are people who are brilliant jerks. And we’re trying to find the thing that you hate more than the brilliant jerk. So, just so you know, brilliant jerk is going to be one of these options, and we’re going to see if we can find what that is. So, this comes from Jesse Whaley, CISO of Amtrak, who was a guest on a recent episode. And he’s throwing down the gauntlet here. So, one of them is, a member of your security team, is a rock star, gets stuff done, is awesome, but is a complete obnoxious jerk, alright?

Mike Johnson

Okay.

David Spark

I know you hate that.

Mike Johnson

Give us the other option.

David Spark

A member of your security team is a rock star that gets stuff done, and gets along well with everyone, but, get ready for this, has been convicted of a cyber crime. Mike, which one is worse?

Mike Johnson

I somehow figured that’s where this one was going. So, it’s actually these really are both terrible, and these really are both ones that I have a personal struggle with.

David Spark

Yeah, and we’ve heard it on this show.

Mike Johnson

Yes. So, boy, I think the way that I think about it is, the second case, where somebody has been convicted of a crime. I’m making an assumption that, if they’re working for the company, that they’ve made it through background checks, that we have already had the discussions around the situation related to that. That it was not a crime that is somehow related to causing harm to others, because they wouldn’t make it past background checks at that point. And then the other one is you’ve got someone who is toxic and is bringing down the entire team. Doesn’t matter how much good work that they’re doing, they’re, in a way, making the environment worse just by being there.

David Spark

What cyber crime would make it past your background check?

Mike Johnson

There are situations where maybe someone is convicted as a minor, that, you know, they have committed a crime, but the details of that are not available. It could be a misdemeanor. I mean, I don’t know the details of how background checks are done, we have employment counsel for that. But there are certainly situations that, just because someone has committed a crime, doesn’t mean that they will never be employable again. So, I’m not a lawyer, don’t know where all those details are, but–

David Spark

You’re married to one.

Mike Johnson

I’m married to one, yes. But there are certain situations. And so, again, I’m a no on the brilliant jerk.

David Spark

So, still? We haven’t found one. Okay.

Mike Johnson

Still.

David Spark

Alright, Jesse, you don’t win on this one. So, Jesse is the one who actually loses.

Mike Johnson

Try again, Jesse.

David Spark

Alright, Rinki, which one is worse here?

Rinki Sethi

This one was an easy one for me. I’m with Mike. No brilliant jerks. If I don’t want to work with them, I can’t expect anybody else to want to work with them. I think they ruin the brand of an organization. Although they have a lot to contribute, I think that that just gets in the way, to make impact, versus somebody who you can maybe train up to being just the brilliant part. On the cyber crime place, you know, there’s a lot of hackers that we know that have hacked for bad, and then done it for good, and so I’m making the assumption that maybe they’ve turned a corner, and have come to the good side, or the ethical side. And so, I would take the chance on the individual with the cyber criminal record.

David Spark

Alright. We do not have a split decision and, once again, nobody has found anything that is worse for Mike than the brilliant jerk. And, by the way, if you’re a brilliant jerk, don’t apply with Mike, because he doesn’t–

Mike Johnson

No, don’t.

David Spark

He doesn’t want you on his team.

Looking down the security road map.

00:19:44:21

David Spark

Given the pandemic, now all companies have been forced to become a work from anywhere organization. Interesting case study on GigaOm by Paul Lewis, now CTO at Pythian, about an entertainment company getting up to speed on work from home very quickly. They have endpoint security on all home computers and, surprise, they found malware on those home computers. They’ve got a SOC to monitor and a means to contain. But this was all done within 30 days. Pretty darn impressive. So, both of you have been already configured for work from anywhere for some time. So, what are unique aspects of work from anywhere security, that takes actually time to discover, that you couldn’t see in a quick 30-day on-ramp? Mike?

Mike Johnson

So, I think the first one that comes to mind isn’t going to be a surprise to anyone, but it does take some time to see. And that’s increased use of cloud applications, where you’ve got people signing up for new cloud services, you’ve got changing the way that they’re using the existing ones. That just takes some time to see. You don’t really know how that’s going to play out, or what those particular applications are going to be within 30 days. Because people, at first, are just going to deal with what they’ve got, and then they’re going to start branching out. I think the more non-obvious one, at least, to me when I was thinking about it, was on-boarding and off-boarding. Because you’re not going to see a whole lot of that within a 30 day time period, and you have to handle both aspects. You have to make sure that the on-boarding process, hiring someone, bringing them into the company, making them productive, that you’re able to have them be productive in a short period of time. It takes some time to figure out the, “Why can’t I do this thing?” And when you don’t have someone sitting next to you, that you can just kind of have that cyb conversation, there need to be those channels where they can ask for help. So that’s the on-boarding side. The off-boarding is much different, especially when it is a high priority, or an emergency off-board. Where you’ve got someone who might wish the company harm when you’re letting them go. You can’t actually walk them into a conference room and grab their laptop, or hand over their laptop. You’re off-boarding them while they retain physical control of that laptop, of those mobile devices. So you have to be set up to deal with that. You have to understand what is your process, what are your tools and capabilities, and what are you going to do in those scenarios? And you’re probably not going to see that very often, so you’re almost certainly not going to see it during a quick 30 day on-ramp.

David Spark

Excellent point. Alright, Rinki, what would you add to that, and have you experienced the same?

Rinki Sethi

Yes, it’s interesting. I on-boarded Twitter completely virtually, during the pandemic, and I was really fortunate. Twitter already was thinking about work from anywhere long before the pandemic, and so they were already on that journey. But I can share some of the things that I’ve observed that you just don’t anticipate. And it might be going back to kind of very traditional security 101 kind of, if you will, but I’ll give a couple of examples. One example was Twitter was definitely impacted by this, because if you think of everything that happened around the US election and, you know, just the platform and what it serves, and how employees are impacted from a mental health perspective. People need breaks. A lot of people that had moved to work at headquarters now wanted to go and be back with their families. Maybe in countries where we didn’t operate, potentially high risk countries. And so, this challenge of how do you protect, now endpoints that, you know, do we need to issue new laptops? And looking at your IT and just kind of how you’re thinking about securing endpoints in a different way, in special circumstances especially.

That was something that we saw much deeper into, I would say, the pandemic. Or just into that work from anywhere. We started getting these nuanced use cases. The other was mergers and acquisitions and people not used to working from home, and this is a very simple security thing, but now you might be working with a spouse or significant other, or a child. What if they work for a competitor? How do you find space to talk about these things in a private way? And what if you have to have printed documents, how do you get rid of them in a secure way? You don’t want folks just maybe throwing them in their recycling bin, or whatever. And so, those were new things that I think we had to consider as well. And, you know, constantly, there would be somebody on a call that would remind folks how sensitive a discussion was, that they’re not in a position to take the call in a way that everything is protected and confidential. You may want to drop off, or we may need to find a new time, and just kind of operating in different ways.

David Spark

That is a really good point. I didn’t think about that. Yes, that is quite a unique situation. So, it’s just like you have to handle, like, “Everyone, we’re about to have a sensitive discussion. Is everyone in a space that they can actually have the sensitive discussion?” Wow. Just something you’ve got to bring up each time. That’s a really good point.

What annoys a security professional?

00:25:01:13

David Spark

“Folks, I’m following up on my previous email.” On LinkedIn, Jason Chan, VP of information security at Netflix, posted this quote with the simple advice of “Don’t.” There was a flood of responses all debating what is the right way to follow up? But his basic advice was not to do this, especially 24 hours after a cold outreach. What I think is missing here is the belief that there is one message, one response, one meeting mechanism that happens. But it’s extremely rare for it to be that linear. It takes a while to build your brand as a company, as an individual, and so it’s multiple touchpoints that come from different avenues. So I’ll start with you, Rinki, can you describe companies or individuals, and no need to identify by name unless you want to, that essentially you pay attention to, and explain why you pay attention to them. And if you do pay attention to them, when they reach out, how responsive are you?

Rinki Sethi

Absolutely, I love that thread from Jason Chan, and I was following it and, you know, parts of it were hilarious, because we are inundated with just cold touches from security vendors. At the same time, you know, they have a livelihood too, that they have to maintain. And so, you know, there’s an interesting group of vendors that have emerged that are super interesting to me. You know, we talked about how do you impact engineers and really have them care about security? How do you also make their lives easier when it comes to security? And I see certain security companies now that are really targeting the engineers, and I find them super interesting, and I think they’ll have huge growth in front of them. And the companies that come to mind, off the top of my head are like Snyk, or LevelOps that are really targeting that engineer.

David Spark

Can you tell me what exactly it is they’re doing that targets them?

Rinki Sethi

Yes. So, Snyk is just how do you automate how you look for open source security issues and open source, and just all the versions that you might be running. And how do you give that in the hands of developers, so that you can prevent issues downstream? Similar with LevelOps and what they’re doing with automation and engineering space, to be able to aggregate things that you might be seeing, from different tooling, to tackle issues ahead of time. And so, I think those are really interesting and when companies like that reach out to say, “We’re not necessarily selling to you, but we might be solving a problem that you have in your engineering environment.” I will probably respond to that, and will probably be interested at least in hearing more. I also think I will add that it’s not that hard for security vendors to do a little bit of research to see what companies I might already be using, where I may or may not be interested in switching. And so, if you’re looking at going and replacing my SailPoint, I’m most likely not going to respond to you. Unless you know that I’m having pain points with it, or you know that I’m already out there looking. So, I think there’s so much research that can be done, rather than just sending these cold emails out, to people that are already very busy. And the last point I’ll add is that I’m not always the right person to sell to, just because I’m the CISO. There’s a lot of folks on my team that are dealing with the pain points every day and they’re probably the right ones to be reaching out to. Look on LinkedIn to see who that identity and access person might be, or who the product security individual might be on the team, and try maybe reaching them. Because they’re the ones that are going to influence me the most, is my team, to tell me, “Hey, Rinki, we should really go and take a look at this vendor”, or that vendor.

David Spark

All excellent points and we’ve mentioned a few of those on this very show. Alright, Mike, talk to me about individuals and companies, for which you like the way they’re building the brand, and how responsive are you to them?

Mike Johnson

So I totally agree that this really is about brand. If you’re reaching out to me with a cold email, and it’s the first time that I’ve heard of you, I’m unlikely to engage. And so, you have to for brand.

David Spark

I’m going to go so far as to say have you ever engaged?

Mike Johnson

I cannot recall a time.

David Spark

Okay. So we’re going to go with essentially zero. Go.

Mike Johnson

Essentially zero. It certainly approaches zero. And so, it’s really when I’m viewing your brand, I’m wanting to see you as someone who is engaging the security community, is helping to, as cheesy as it sounds, make the world a better place. That you’re not just about profits. That you’re out there, contributing, you’re building tools, you’re publishing them. Jason is actually a great example. You know, Netflix isn’t in the business of security, but they actually have a great brand about security, because they release all these tools. They release research. They’re out there talking about how do you appropriately secure AWS. And, you know, entire companies are like, “I’m just going to do what Netflix does” because they’re so successful in having an internal security program. So those are key. What are you contributing? What are your people? You know, how are you hiring? Are you keeping your people happy? The industry talks and we’re going to hear if you’re hiring people and burning them out, or not having a safe work environment. We’re going to hear about that, and we’re going to not want to do business with you. So, some of it is, like, just actually be a decent human.

David Spark

We’ve actually had that experience on this show, haven’t we?

Mike Johnson

Yes we have. So a lot of it, there’s so many ways to build a brand. It takes time, but it pays off, because you’ll send a cold contact, and we’ll know who you are. And we’ll be, like, okay, I know who you are, you’re hitting me at the right time, let’s have a conversation.

David Spark

There’s nothing better in the industry, and Rinki, back me up, and you can probably think of a few companies, when you hear other colleagues of yours talking about companies, talking about individuals. Because you do do that, I mean, we all do that. And to know that you are being talked about by others, it’s just huge. I mean, I’ll just say, I hear about it all the time and it’s wonderful, it’s great. I mean, that just seems like kind of what you’re going for, yes?

Rinki Sethi

100%. When you hear referrals from other colleagues, that’s the most meaningful thing. If Mike comes and tells me, “Rinki, you should really go and check out this security vendor I’ve used” then, yes, I probably will go and check someone out. Or any kind of reference, or “Hey, there’s someone I’ve worked with that you should go and take a look at, that you might want to consider hiring on your team”. That’ll just put it to the top of the list, right there.

Wrap

00:31:38:02

David Spark

And that’s where we will close the show. At the top of your list. Thank you so much, Rinki, for joining us. This was a long time coming, so I appreciate you taking the time to join us. I’m going to let you have the last word, but a few last things I will say here. I want to thank our sponsor, Sonatype. Again, if you are interested in DevOps automation, which if you listen to the show, chances are pretty high you are, please check out Sonatype. S-O-N-A-T-Y-P-E dot com. Mike, I’ll let you go first, but Rinki, one of the things we ask all our guests is, are you hiring? So please have an answer for that question when I come to you. Mike, any last words?

Mike Johnson

Rinki, thank you so much for joining us. It was really great to sit down and have a conversation. We’ve had some interactions in Slack space, and whatever, so it’s nice to actually sit down and chat with you face to face. And I really liked your themes about communication. That really came through, the importance of communication to you, and how you go about it in your day to day operations. Talking about strategy and how people fit into the strategy, the one thing I really wanted to highlight was back to when you were talking about how to keep people motivated, and I really liked your suggestion about recognizing your high potential talent. So, these are the people who have the highest potential within the organization, and figuring out how to rotate them around, to give them more exposure and maybe find new skills that they didn’t know that they had, you didn’t know that they had. So I thought that was a really great tip for people to pay attention to. So, thank you for coming onto the show, talking about your experience, your background, sharing that with our audience. It was a pleasure sitting down with you.

Thank you.

David Spark

Alright. And Rinki, any last words you’d like to say? And are you hiring?

Rinki Sethi

Thank you so much for having me, David and Mike, it was an honor. Yes, Twitter is hiring. We have many roles open. Security education and awareness, security operations, threat management. Our product security functions. We have roles that are posted on our Twitter Careers site. Please apply, please look, we’d love to have you.

David Spark

Let me also throw this at you, do you have any entry level positions open?

Rinki Sethi

We sure do. We sure do.

David Spark

That has been the major bug we’ve been finding in the security field. By the way, Rinki Sethi is available on Twitter also, @RinkiSethi, as well, as you should be. Thank you very much, Rinki, thank you very much, Mike, and thank you to our audience as well. As always, we greatly appreciate your contributions. Keep them coming in and thank you for listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to CISOseries.com and you’ll see plenty of ways to participate, including recording a question, or comment, for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Security Vendor Relationship podcast.