We Look for Candidates Who Already Know Everything

Future cybersecurity talent is frustrated. The industry demand for cybersecurity professionals is huge, but the openings for green cyber people eager to get into the field are few. They want professional training, and they want the hiring companies to provide the training. The problem is that not enough companies have training programs in place, and as a result they can only hire experienced cyber talent, shutting out those who want to get in.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Matt Radolec, senior director of incident response and cloud operations, Varonis.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Varonis

Every day, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

Full transcript

[Voiceover] Who should be listening to the CISO Series podcast? Go!

[Matt Radolec] Everyone should be listening to the CISO Series podcast because it’s quality content across a broad range of topics in cyber. Whether you’re new to cyber, or you’re a guru, the CISO Series podcast is for you.

[Voiceover] It’s time to begin the CISO Series podcast.

[David Spark] Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series. My cohost… You love him, you know him. His name is Mike Johnson. Mike, how do the words out of your mouth sound when you speak them?

[Mike Johnson] I think they sound like this usually.

[David Spark] They sound exactly like that.

[Mike Johnson] Yeah, I think pretty close. Close approximation at least.

[David Spark] We’re available at cisoseries.com. If people have not had that tattooed on their forehead yet, I highly recommend they don’t, but…

[Mike Johnson] I’m cancelling my appointment right now, David.

[David Spark] Were you seriously considering that?

[Mike Johnson] This weekend, I was going to get that tattooed on my forehead.

[David Spark] I bet you… Here’s what I want to know – does any member of our audience have a web address actually tattooed on their body?

[Mike Johnson] That’s a good question.

[David Spark] Have you ever seen that? Have you seen a web address tattooed to a body?

[Mike Johnson] I’ve seen IP addresses. I actually saw someone had tattooed on their knuckles “127001.” I’m like, “Why did you do that?” But yes. So, I’ve seen it.

[David Spark] Tattoos on the faces, that’s the one I’m like, “Hm, you’re not looking forward to future conversations, are you?”

[Laughter]

[Mike Johnson] Or you are.

[David Spark] Or could you tell us what went wrong there?

[Laughter]

[David Spark] All right. Our sponsor for today’s episode is Varonis, reduce data risk at record breaking speeds. They brought us our sponsor for today, and Varonis has been a spectacular sponsor of the CISO Series. But first, Mike, I want to bring up something that you brought up, which is the issue of ChatGPT writing phishing emails. And you say, “I don’t see it.” Yet it generated a lot of discussion. Did anyone say anything in this commentary that made you think, “Eh, maybe I should be worried about ChatGPT?”

[Mike Johnson] I didn’t get anything from that. I didn’t get that message. I didn’t get that coming through. I think there were people who were talking about novel uses of ChatGPT.

[David Spark] There were plenty, yes.

[Mike Johnson] Right. Some of those I hadn’t thought of.

[David Spark] Can you give us one that you were stunned by?

[Mike Johnson] There was some dialogue that someone had presented where they had entered a conversation with ChatGPT and leveraged it to write a web penetration testing test suite all the way down to, “I just got this parameter. What should I enter?” It was a dialogue that kind of had ChatGPT walk them through how they would attack this application.

[David Spark] That’s pretty cool.

[Mike Johnson] I thought it was pretty cool. I thought it was a novel way of doing it, a novel way of getting there. I think really kind of the point I was trying to make is essentially it’s a fancy front end to Google. That same knowledge is sitting in Google today. It’s not creating anything new. I think the thing that folks miss about ChatGPT is it’s not introducing new knowledge to the world. It’s taking additional knowledge, organizing it differently, making it generally available. But it’s not creating anything novel. That’s really what I was trying to get across.

[David Spark] It’s also recreating content in other digestible forms that people like. Because you can tell it to create something in different formats like you can do with these image generators. Which we love. Which by the way, we use for many of our post images now. We’re using the Midjourney tool to create our images, and I love it. It’s a lot of fun.

[Mike Johnson] That’s cool.

[David Spark] I want to bring in our sponsored guest. We’ve had this gentleman on before. He’s been on Defense in Depth and on this show before. I want to reassure our audience that he is not a bot. He is not artificially generated. He is in fact… I believe all the words that come out of his mouth will be generated by him and him alone, nobody else. There is no hand operating him from underneath if you will.

[Mike Johnson] Well, that we can see.

[David Spark] That we can see. That’s true. We can only see…

[Mike Johnson] We’re seeing shoulders up.

[David Spark] …from the shoulders up. You are correct there. There could be someone operating him. All right, let me bring him in before he gets any more embarrassed. It is the senior director of incident response and Cloud operations at Varonis – the one and only, Matt Radolec. Matt, thank you so much for joining us.

[Matt Radolec] It’s great to be here again, David. Thanks for having me back.

That’s something I would like to avoid.

4:52.625

[David Spark] In our rush for digital transformation to the Cloud, have we just created greater security problems? I’m talking specifically about APIs, which have exploded as of recently. According to reports by Google Cloud, the average large company has, get this, three times the number of APIs than just a year ago. And more than half are communicating with outside entities. This was what Rod Lemos said in an article on DarkReading. So, Mike, I’m going to start with you on this. Can that kind of growth…? That’s pretty darn explosive in one year. Can that kind of growth be maintained securely? And I’m going to say especially around APIs, which have a lot of security issues connected to them.

[Mike Johnson] One of the neat properties about APIs is they’re generally designed to be machine consumable. Which makes them a standard format. It’s not something… It’s not arbitrary. It’s not random field names. It’s a standard, even if it’s a custom standard. But it’s a standard that can be documented, explored, and matched against. And I think that’s one of the interesting things about APIs is if you’re using one, if you’re using 100, if you’re using 1,000, it’s actually not that different because you can understand how to deal with one API. One of our cofounders talks about the idea of zero, one, infinity. And the idea is going from zero to one is a big leap. And then anything from one further, it’s no different. One to two, one to ten, one to a million is no different. So, I really think that what we’re going to see here is we can scale with this because they are understood things.

[David Spark] So, one to infinity is actually the easy part? The hard part is zero to one?

[Mike Johnson] Quite often, yes. It’s really more that those are the leaps. It’s not one to two. It’s not one to ten. When you’re thinking about the way that you’re looking at APIs, if you’re already looking at 5, or 40, or whatever, it’s not that much different to go to the larger amount. And why I think this is a good thing is in the past these were arbitrary text fields that humans were inputting random data into. That’s actually a lot more difficult to deal with.

[David Spark] Aw, so you’re saying this is actually a good thing that we’ve tripled on APIs because it’s probably reducing human input. Matt, where do you stand on this?

[Matt Radolec] I think just to echo Mike’s point, the growth of the adoption of APIs can be maintained securely. I think as long as we keep certain principles in place. Like for instance, it’s actually fairly trivial for a person with knowledge of how to operate [Inaudible 00:07:48] in the middle of an attack to intercept an API call that might come from your personal laptop and then replay it on another device. And so as security professionals, we really need to think, “Who do we give API access to?” And so as long as security pros are still always asking that question, are we giving all employees access to APIs, or are we reserving APIs for machine to machine, or automated requests…I think we will be able to sustain that growth into the future. But I think the kind of biggest unknown risk, just to give you an example… A lot of companies have Salesforce, and they don’t realize that when they turn on API access to Salesforce, many user accounts are getting access. And so all it really takes is one savvy employee to figure that out, and then you can get at data that might not be logged in the same way that using a user interface or accessing it in another place that generates a log event is.

[David Spark] I just want to sort of circle back again. So, there’s a couple of things here. One is, Mike, your argument of zero to one is the tough part, one to infinity, it’s easy. Once you really solve the problem. But then, Matt, you bring up a good point as well. As we start introducing APIs, we’re introducing people getting access to APIs. And then that becomes a major issue in itself, which is kind of where I was looking at it, too. Is just in the sheer number of these things, with more of these, doesn’t that become a problem? So, I’m going to circle back to you, Mike. What about Matt’s point there about now more people are getting access?

[Mike Johnson] I could tell you stories about Salesforce API access, but the reality is that still comes down to managing access.

[David Spark] So, it would be either the human or the machine?

[Mike Johnson] Right. And it’s not to say this is not something that you should be concerned about. But imagine that you’re giving a human API access versus you’re giving them arbitrary access to a data store. That’s kind of how I’m trying to really frame it is the API is structured. The arbitrary access is unstructured. Structured is always going to be easier to deal with. 

Well, that didn’t work out the way we expected.

9:51.719

[David Spark] The internet is awash with breach and attack simulation vendors, each offering the most up to date breaches, the ability to automate the simulated attack. But as we all know, simulations are only as good as how we use them, who uses them, whether we read the reports, and if and how we act on that information. Matt, starting with you. First, what’s enough, and what’s too much for a breach attack simulation? And where do you find these simulations fall apart? Either with the technology itself or how we’re using them?

[Matt Radolec] Let’s start with the first one, which is what’s enough. I think enough is having diversity of attacks. So, some things that are more on the sophisticated side and some that are more on the routine malware side. I also think you have to try simulations where you remove either a part of your security ecosystem or some of your security personnel. Where I think we go too far is if we overburden the team with simulations. So, if the simulations are happening multiple times a day, or every single day, they might not be able to distinguish simulations and simulated attacks from real attacks. Which might be okay at first, but then you’ll get this false sense of, “Well, we’re constantly under attack. We’re constantly in incident management and containment mode.”

And that might stress out your people too much. I often find that these simulations fall apart kind of one of two core things. Either A, too many people know. Like the CISO and the SOC manager. That might be just enough. But if everybody knows then it sort of defeats the purpose of having the simulation in the first place. And the second thing is when leadership isn’t involved ever. Does leadership need to be involved in every breach simulation? No. But we should do full blown breach simulations on a somewhat regular basis so that we’re involving leadership in what would it be like if this thing were to really happen just to save it so that when it does it isn’t our first time dealing with that.

[David Spark] All right, Mike, I’m going to throw this to you. Let’s just mostly say where do you feel these simulations fall apart. And you can have answers to both of these. Either with the technology or the individuals. And by the way, Matt, I agree with much if not all of what you just said right there.

[Mike Johnson] It’s entirely possible that I’ve used these kinds of products incorrectly.

[David Spark] I don’t believe you’ve made mistakes, Mike. You are bursting the bubble of many of our listeners right now.

[Mike Johnson] I’m sorry that I’ve let everyone down. I’ve used them primarily as regular automated testing at a granular level of our controls. I don’t think that these automated, out of the box tools are actually a good simulation of a true breach because the breaches that are happening, the incidents that are happening, they’re different every time because there’s humans behind them. And these tools… There’s not creativity involved. So, when I think about them, it is how do I know that my existing controls are working correctly. It’s essentially a cert – every step of the chain, this is how this control should work. I will have a precise test for that.

If I know that that test fails, I now know where in the chain my particular control set has failed. And I think that’s how my usage has been, and so turning it around to where these weaknesses are, I do think it’s that lack of creativity. And that kind of limits their overall usefulness beyond just individual control testing. There’s value in that, but because they don’t have the human element, the human in the loop of making decisions, of reacting to a control, and taking a different path, exploring something new that’s maybe not within your library of tests, I think that’s really the limit here. I think if people understand that that’s what’s…those are the limits you can still get value out of them. But people need to understand that these are not replacements for a true human driven attack simulation versus a machine driven attack simulation.

Sponsor – Varonis

14:09.507

[David Spark] All right, before we go on any further, I want to bring a little bit more in on our guest, Matt Radolec with Varonis. And Varonis, again, we’re thrilled having them as sponsors of the CISO Series. One of their big mantras is reducing blast radius. We also talk about this in terms of resilience. Honestly I think this is just kind of another term to describe resilience. Yes, Matt?

[Matt Radolec] Yeah, absolutely.

[David Spark] And so describe what is it you’re trying to get across with reducing the blast radius. And also we were talking about this just yesterday – that how we’re trying to take yesterday’s disasters into today’s hiccups. So, how are we turning yesterday’s blast radius disasters into blast radius hiccups?

[Matt Radolec] I think many people want to think about the things that can be attacked, and everybody throws around the term “attack surface.” But they focus less on what’s going to happen when that thing gets compromised. That application, that Cloud application, that workstation, that user’s account. And then thinking, “How do I limit that? How do I limit what could go bad if that person’s account got compromised?” Which to Mike’s point earlier, gives your security ecosystem a chance to pick it up. If you make an attacker’s job harder, well, that’s where your ecosystem gets to kick in and potentially identify that attack.

[David Spark] Very, very good point. And I just want to mention some other things about Varonis because a lot of you may not realize that so many security incidents are caused by attackers finding and exploiting excessive permissions. We know that they find permissions, but there’s some really excessive ones going on. And all it takes is one exposed folder, a bucket, or API to cause a data breach crisis. So, the average organization has tens of millions of unique permissions and sharing links. And even if you can visualize your Cloud data exposure, it would take an army of administrators years to right-size all these privileges.

With how quickly data is created and shared, it’s like painting the Golden Gate Bridge. And guess what? We all know this happens, and it’s a team of people who do it year over year. So, Varonis reduces data exposure while you sleep with the industry’s first fully autonomous data remediation. Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. Because Varonis monitors who uses data, their free incident response team will actually watch for alerts and call you if they see abnormal behavior like insider threats or compromised service accounts. Now, if you want to see how Varonis can reduce risk while removing work from your plate, head on over to varonis.com/cisoseries. Remember that. You know their site, varonis.com. Well, you just add a / and then CISO Series. And start your free trial today.

It’s time to play, “What’s Worse?”

17:04.615

[David Spark] Matt, you’ve played this before, and you’re going to play it again. But I always make Mike answer first. This one I’m going to say is a tip of the hat to Dustin Sachs over at World Fuel Services. Because we actually…we were debating this a little bit. I said, “Eh, maybe this will be a good debate right here.” It’s a pretty quick, and simple, and easy “what’s worse” scenario. Mike, what’s a worse attack takeover – the CEO or the CFO?

[Mike Johnson] [Laughs] Wow.

[David Spark] Okay, not an easy one? Let’s just start with that.

[Mike Johnson] No, not an easy one.

[David Spark] Okay, good. Because I don’t like it when I hear an easy one out of you because I’m like, “Eh, I thought we were going to challenge you.” I think this is a good one.

[Mike Johnson] Where I immediately go is I could almost just flip a coin.

[David Spark] Yeah, this is… It seems like that, but one has got to be worse here. I need rationale why which one is worse.

[Mike Johnson] I’m just going to pick one and run with it. I’m going to just charge that hill. So, I’m going to take the side that the CFO is the worst in this scenario. Part of that is because a lot of the financial controls that are set up in an institution require the CFO’s approval to make a change. They don’t require the CEO to make a change. They require the CFO to make the change. So, if you wanted to steal money out of a company, a CFO could actually make approval changes that says, “You know what? Anybody can actually transfer out a million dollars, and that’s fine.” Then you can just steal a million dollars very easily. I’m just going to pick the CFO because I think it’s the quicker path.

[David Spark] It is a quick path, and it’s quick to money specifically.

[Mike Johnson] Exactly. Exactly. It’s quick to money.

[David Spark] Quick to money. All right. Matt, I throw this to you. Do you agree or disagree with Mike? And if you agree, is it the same reason? Disagree, same reason, different? Whatever. What’s your take? Which one is worse?

[Matt Radolec] I actually disagree with Mike. I think the CEO is worse. I think the CFO, it’s valid in that it is the quickest path to exploitation. It’s the quickest path to making a quick buck. But the CEO is like the nuclear option. Imagine that BCC email to all employees or a large number of employees, your position has been eliminated. You’ll receive a letter in the mail with your benefits or with all these things. All these layoffs are happening. That’s a nuclear event for an organization. Or we bought someone, or they tweet something. That could be the end of the brand. Whereas…

[David Spark] The game is “what’s worse,” Mike. I hate to break it to you.

[Matt Radolec] Yeah. Whereas the CFO…yes, a million bucks is bad. Even if you emptied all the cash accounts of a company, really bad. But there’s still accounts receivable coming in. Whereas if you get rid of the company or you do something that really limits the brand or impacts the brand, there is really no turning back.

[David Spark] That’s a good point. Financial accounts can be recovered, but a brand often has irrecoverable damage sometimes. Mike, where do you stand on this? Because Matt makes a damn good argument.

[Mike Johnson] It’s a good argument. But I genuinely think that both of these can be bad.

[David Spark] Yes, they both can be. The game is called “what’s worse,” Mike.

[Mike Johnson] I can continue down the CFO path that says yes, you have accounts receivable, but your accounts payable is empty. You’re declaring bankruptcy because you can’t pay out any of the things that you’re owed. So, I think both of these, you can actually have company ending events come out of them. But I think your average attacker is just trying to figure out how to make a quick buck, and so that’s why I went with the CFO route.

[David Spark] All right. I still think Matt is correct.

[Mike Johnson] It’s a good answer.

Please, enough. No more.

20:59.346

[David Spark] Today’s topic is zero trust as a product/solution versus a mindset/strategy requirements. We have discussed this before and how it is often marketed as a product because it is a strategy that security teams are trying to achieve. Now, Mike, what have you heard enough about with zero trust, and what would you like to hear a lot more?

[Mike Johnson] So, I remember back in 2014, Google released a paper. It was called “BeyondCorp, a new approach to enterprise security.” And the keyword here is “approach.” And it’s this BeyondCorp concept that Google created that has morphed into people trying to sell a zero trust product. That’s really where my frustration with this is. And what I’ve heard enough of is I can just go buy zero trust. That’s not it. It’s not a thing you go buy. It’s marketed that way, but you’re not going to go buy it. And so what I’d really like to hear more about is how we look at zero trust as an approach, as a concept, as a philosophy and how you then implement those concepts within your environment to take advantage of the benefits of the concept.

[David Spark] All right, very good point. And by the way, I will just say this is a hot button issue with a lot of CISOs. And also like you said, I think they’re all on board with the concept. They just don’t like how it’s being abused by marketers I think is the general concern. All right, Matt, with this whole set up of zero trust, what have you heard enough about, and what would you like to hear a lot more?

[Matt Radolec] I think you both put it really well. I’ve heard enough about zero trust. I’d like to hear a lot more about zero trust account management, zero trust Cloud application management, zero trust data management. Let’s get into the specifics. Let’s get into the different subcomponents.

[David Spark] Let me pause you right there. So, it’s like we say zero trust as a global entity for the organization. But how are we applying this concept to each of these issues. I love it. I’m sorry I slowed you down, but I really like that take on it. Matt, go ahead.

[Matt Radolec] Yeah, I want to hear a lot more about zero trust on my data. I want to hear a lot more about zero trust on my Cloud applications. I want to hear a lot more about just the basics of security with zero trust like creating different accounts. Zero trust started with having an admin account and a user account and using them differently so that you didn’t have too many privileges on that one account. But taking it to another level would even be separating that admin account from the really, really dangerous stuff to the not so dangerous stuff that an administrator can do. I think every aspect of security could go all the way to zero trust where it’s all logged, and it’s all verified by a second person just like in financial account controls. Talking about our CFO from earlier in the show. I’d like to hear a lot more about that – the methodologies that were implemented and how people were able to do it without hitting the reset button. So often I hear zero trust talked about as something that is so impossible to conceptualize that the only way an organization could get there is starting over. I think the DOD is a great example of this. They have this zero trust lab that they talk about. It’s called DreamPort. Really amazing project that’s going on, but it does operate under the principle of if we could start over, what would it look like.

[David Spark] We’ve had that discussion, like if you could have a green field security program, what would it look like. Because a lot of people and CISOs are starting with some legacy or an environment they would not have created themselves. So, I want to talk specifically about what you and Varonis are doing. You sort of brought this up, which I really liked of Zero Trust applied to specific use cases, I guess if you will. Take any one of them and explain to me how you’re walking through, how Varonis is walking through it.

[Matt Radolec] Let’s talk about zero trust for data. Data isn’t just a file. A lot of people think of data as a file. I want you to think of it as the records that you care about – the actual bits of information. Whether it’s your social security number, your credit card number. It’s the patent that you haven’t submitted yet. It’s the CAD drawing that has the invention for your company. That is not just a thing that exists in one place. That’s data that could be all over your network. And so if you want to have zero trust on that data, you need to not just figure everywhere that it is, but you need to manage access to it using those zero trust principles everywhere that it goes. Where we help out a lot with this is using automation to do that. Once we find that data, we can set up a policy that restricts access to that data using automation. So, even if one of your employees goes and puts that somewhere new, that policy is going to kick in and say, “Nope, only these users can have access to that data type no matter where that data sits.”

[David Spark] I want to get into the whole issue of setting the policies. Give me the real world of how you’re dealing with this. Because sometimes we don’t even know what policies we should apply, and we can’t extrapolate and conceive like, “Well, how is this going to travel? What is the limits I’m going to need to put on this? Because I don’t know where this could conceivably go.” How do you address that?

[Matt Radolec] Yeah, I always like to talk about where we’re going to start and how much risk that’s going to remediate. Earlier in the show you actually talked about how attackers find wide open access. When we’re talking about moving towards zero trust, you don’t have to go from 100% open access to 0% access. What if we could go from 100% open access to just 10% access by removing everything that everyone can get to. There’s a lot of ROI in that. That’s something that you can do quickly, and you can do confidently as long as you know who actually uses that data. Or as we think about other resources, those other resources. So, the approach that we take is, “Let’s get you 90% of the way there quickly with automation so that those kind of more nuanced things like controlling access to R and D information can be something that’s done diligently and carefully in line with your business objectives.”

[David Spark] This seems very in line with the classic line of don’t let perfect be the enemy of good. I know, Mike, you’re a fan of that.

[Matt Radolec] Yeah, or perfect be the enemy of progress. So often people spend so much time in design that they never actually get into execution. I think zero trust is the perfect concept for that. If you design this zero trust world, that’s great. But what most people are struggling with is taking the next step towards zero trust.

[David Spark] That’s a good point because the name, zero trust, is literally begging you to be perfect.

[Matt Radolec] Absolutely.

[David Spark] And the other thing we also talk about is someone has got to trust somebody at some point. I got to trust the vendor I’m working with. I’ve got to trust you. Somewhere there exists trust. Somewhere. It can’t truly be zero trust, can it, Mike?

[Mike Johnson] I think folks get very easily wrapped up around the name. Zero trust, where you have to trust something… That’s such an easy pot shot to take at it.

[David Spark] And that’s what I like to do. You know that.

[Mike Johnson] You could call it Fred. You could call it David. You can really… It doesn’t matter. It’s really about the concepts and how you’re implementing them. And it’s more around where you’re putting the trust. The original concept was you assume you cannot trust the network. Start from there. And if you can’t trust the network, what do you build? What does your world look like? I think when Matt is talking about the same concepts applied to data, it’s very similar. Assume that there’s things that you can’t trust, that you can’t trust that people know where the data is or that they know what to do with it. And then what do you do once you have those concepts in mind? So, it’s really more start with a concept that this thing that has classically been trusted can’t be, and then what do you build as a result.

Why are we still struggling with cyber security hiring?

29:00.047

[David Spark] A hiring manager wanted some honest feedback, so he asked the cybersecurity subreddit, “What do you want to say to hiring managers?” Now the majority of responses were to train people, and the other half was, “I need to fulfill business needs first, and nobody has bandwidth to actually train people.” So, here’s a summary of some of the quotes here. “Take a chance on someone who wants to learn.” Another quote, “How does a candidate effectively convey their desire to learn without sounding desperate and unqualified?” Another quote, “This is really a budget issue. If I have 12 discipline areas I need to be able to cover in cyber security and only budget for five people, those five people have to be experienced rockstars.” And lastly, “When people say, ‘Just also train them,’ when I’ve got three people working their butts off all day to keep up on new projects and operations, how are they going to train green, new people at the same time?” So, Mike, I’m starting with you on this. I know you have a lot of passionate opinions on this. How do we deal with this blatant dichotomy that just continues to persist? We need to grow the pipeline, and we need to also at the same time do the work at hand.

[Mike Johnson] I think these can both be true at the same time. Where you can both recognize that there are these teams of five, these teams of three, that they can’t take time to actually train somebody new. But there’s also massive teams of 500, of 1,000, of 2,000 that can absorb folks who are more green in the field, can take a chance on someone who wants to learn. And I think that’s… We can’t just say there’s one solution to “solving” hiring in cyber security because it’s not a one-size fits all. I’ve had teams in the past where I’ve needed to hire 15 or 20 people in a year. We actually were able to do that. We built a structure. We had these concepts of, “Hey, we can bring people in who are early. We can train them. We have the specific set of tasks that they can work on. And we can progress them forward as a result.”

I’ve also had very small teams where if I’ve got somebody, just one person, who’s spending their time training somebody else, I’ve taken a team of five and reduced it to three. And I’m now providing negative value to the company. And that’s where you have to focus is what is the value to the company. So, it’s always going to be the situation where you’re going to have some managers in some situations where they can and should take a chance on expanding the overall pool of candidates, the overall pool of skilled workers. And then you’ve got other people who cannot. And they have to just keep working their butts off, given the small team that they have.

[David Spark] It’s always a push/pull going all the time. Matt, your take on this? What’s your grand solution to solve this problem? Give it to us in just about a minute or two. Can you do that?

[Matt Radolec] Yeah, we need to build better managers for one, and we need to understand when we need to outsource. I’ll cover both points. When I say we need to build better managers, whoever the manager is in this, there’s always going to be someone… Building a training program to bring people up to speed and make them effective, assuming that they have some amount of the base skills that you’re looking for, is a must. And if you’ve got a team and you’re managing people who don’t feel like documentation and knowledge sharing is a priority, I think you have to take a hard look at the manager and that team, and how you can change that culture. Because it’s only going to make it easier to grow. Whether it’s 3 growing to 10, or 12 growing to 50, or even bigger teams.

Which is thinking about what’s going to happen if one of us gets sick, what’s going to happen if someone takes paternity, who are we going to backfill them with, and how are we going to get them up to speed quickly. The second thing that I think gets missed in this conversation is what can I outsource. From the top, we always hear about vCISO all the way down to the bottom like outsourced managed security services. Thinking about how outsourcing can help you solve some of those challenges as you grow and get more mature would be another thing. I think it’s just entirely missing from this conversation. But obviously like a recruiter might not want to hear that.

[David Spark] Very good point. So, why is it valuable for experienced professionals, Mike, to be training younger staff? Why is that a critical part of their job? What can they learn from it?

[Mike Johnson] I think there’s a few things. One, it helps them grow personally. If you’re progressing in your career, if you can teach other people, that’s then giving you additional skills if you want to become a people manager. If you want to have broader sets of responsibilities. There’s that aspect of it. The other aspect is as soon as you sit down to train…teach something to someone, you’re actually kind of teaching yourself at the same time.

[David Spark] This is what I was going to get to, yes.

[Mike Johnson] And I think that’s really important is it actually reinforces your own knowledge and also causes you to check yourself. Like, “Oh, wait, maybe I’m wrong about that. I shouldn’t actually tell this person that.” So, I think there is a personal knowledge gain that comes out of trying to teach others as well.

[David Spark] Hugely. I’ll throw this to you. Matt, I’ll let you have the last comment. But I truly believe – learning something as a student is one level of understanding. Learning something where you have to teach that thing to others, that you have to digest and then communicate it is a much stronger level of understanding. My personal… I remember taking statistics in college, and then I became a stats TA. I didn’t learn it until I became a TA. At all. Matt, your feelings about requiring teaching or why it’s so important for senior level people to teach?

[Matt Radolec] It’s that logical next step in your career, and it does demonstrate an excellence in understanding. And not to sound too Jedi, but the padawan becomes the master when the master can take on a padawan. I think that if you think about all of us in cyber, we’re always trying to be better. And so how can you be better if you keep doing the same thing? You have to learn how to take the things that you’re doing and train someone under you to take some things off your plate so you can tackle those next big challenges. That waterfall effect I think is really the core aim. At least this is how we manage my organization at Varonis. It’s all about constantly evolving and having your most senior people work on the evolution so that the newer and more junior people can be trained up on what would be considered a little bit more routine.

[David Spark] Very good point.

Closing

35:53.606

[David Spark] Well, that brings us to the very end of the episode. Thank you very much. I love closing with Jedi thoughts. I’m going to let you have the very last word here, Matt. I do though want to mention your company, Varonis, for sponsoring this episode and just being a phenomenal sponsor of the CISO Series. Go try them out. Seriously, everybody. Go try them out. They even made a custom page that has our name on it. So, go to varonis.com/cisoseries. You can all remember that. Mike, any last thoughts?

[Mike Johnson] Matt, thank you so much for joining us. What I really enjoyed about the conversation is you always seemed to bring it back to scaling and growth.

[David Spark] And Mike just wrote a lot about this recently.

[Mike Johnson] It’s near and dear to my heart. So, it was really great to listen to how you were relating and really trying to coach folks on thinking about scaling and thinking about growth. But there is one quote that I wanted to pick out that I thought really, really resonated. You had said, “Don’t let perfect be the enemy of progress.” I think that’s really a great way of putting… We often say, “Don’t let perfect be the enemy of good.” But I really think letting perfect get in the way of progress is something that folks need to think about.

[David Spark] I like that, too. I’m doubling down on that, Mike.

[Mike Johnson] So, thank you for that nugget. Thank you for joining us, Matt.

[David Spark] All right, Matt. Thank you. Any last thoughts? Any pitch you want to give to our audience?

[Matt Radolec] Yeah. Got blast radius? Wondering what that is? Go to www.varonis.com/cisoseries to find out more.

[David Spark] All right. So, if anyone has not remembered that address, varonis.com/cisoseries, I think you now know it. So, go there please. You’ll be pleasantly surprised. Or at least I hope you will. Thank you very much, Matt. Thank you very much, Mike. Thank you to our audience. Send us more contributions, more “what’s worse” scenarios. I want a “what’s worse” scenario where Mike goes, “This is easy.” Which he did not do today, so kudos to Dustin on that. And kudos to Matt, who got the correct answer on the “what’s worse” today.

[Mike Johnson] [Laughs]

[David Spark] Thank you, everybody. Thank you for listening to the CISO Series podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.