“Does anyone else feel like the security field is attracting a lot of low-quality people and hurting our reputation,” asked a redditor on the cybersecurity subreddit who remembers a time when security personnel were seen as highly experienced technologists. But now they believe people view cybersecurity as an easy tech job to break into for easy money.
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Stephen Cicirelli, CISO, American Bureau of Shipping.
[Voiceover] Ten second security tip, go!
[Stephen Cicirelli] With gambling online being legal now and the Super Bowl coming up, you’re going to see a lot of phishing coming out. Make sure you avoid that.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost of this very episode, you’ve heard him many times before… I hate to break it to you, you’re going to hear him again right now. His name is Andy Ellis. He’s the operating partner of YL Ventures. Andy, thanks for joining us.
[Andy Ellis] Thanks for having me, David. Really, really fantastic.
[David Spark] Awesome. I do want to mention that we’re available at CISOseries.com. This is not the only program on our network. We have many shows on our network, and you should go check them out. Oh, by the way, for those people who don’t know, we’ve got an awesome newsletter which we had via traditional email. But now, you can get it via LinkedIn, and this episode will be baked right into the newsletter. I find the LinkedIn newsletters just look a lot better than our email newsletters, so please join. Within the first 24 hours when we put this newsletter out, we got 3,000 subscribers. Spectacular.
[Andy Ellis] Which means that only a tiny fraction of those of you who listen to it have actually already subscribed, so subscribe now.
[David Spark] Subscribe. Well, they’re going to hear this in January. We’re recording this in late October, but they’re going to hear this in January when it comes out. So, please do that. You subscribe to the general newsletter via my account on LinkedIn. So, you got to go to the David Spark page, and you will find it right there on the front page. But if you want to listen to the daily newsletter, which is our cyber security headlines, you would go to the CISO Series account. I can’t do both on the same account. LinkedIn has that limitation. Only one newsletter per account.
[Andy Ellis] Maybe it’s time for Substack.
[David Spark] That will help.
[Andy Ellis] Yeah, and I think you can do multiple newsletters on Substack, but I could also be totally wrong.
[David Spark] Also if you want to, you could just get the newsletter via our regular account. You just go to our site and hit register for the newsletter. That’s the traditional way. Our sponsor for today’s episode is Stairwell, a brand new sponsor with the CISO Series. Keep your organization’s defenses out of sight, outside of time, and out of band from attackers. Sound interesting? More about that later in the show. Andy, right over your right shoulder that I see in this Zoom call that we’re having is your “1% Leadership” [Inaudible 00:02:36] copy which is over, I believe, if I remember, 228 pages long?
[Andy Ellis] About that, yep.
[David Spark] About 228 pages long. Of which many of the great tips you have heard on this show… So, I’m getting the sense that people who listen to the show regularly, they’re going to be cheated out of maybe 15 to 20 pages. Is that right?
[Andy Ellis] Maybe, but, look, here’s my whole take on leadership books – 99% of books out there are really a Tweet that was expanded into like 400 pages.
[David Spark] [Laughs]
[Andy Ellis] They do everything they can to hide the Tweet from you so that it takes you like 150 pages to realize what the story is. In this book, every chapter starts with a Tweet. That’s the lesson. If you understand it, just skip the chapter. You’re fine. In fact, the table of contents is just a list of all of the lessons. So, if you already know them, it’s great. But each chapter gives you a refresher, a quick focus, a nice story, and understand how to apply the lesson.
[David Spark] I like that advice. Do you ever listen to these…? And I have yet to do this. These apps that give you abridged versions of often business books?
[Andy Ellis] I’m familiar with them, and I can’t wait to see how somebody tries to abridge my book, which is already its own abridged version.
[David Spark] But have you ever listened or read any of these abridged versions?
[Andy Ellis] I think once a long time ago.
[David Spark] I’ve never done it.
[Andy Ellis] So, they’re really… It’s true that so many of these books are one lesson.
[David Spark] Well, I’m thinking I should do it because I’ll read a whole business book and really retain two to three pages of knowledge off of that thing.
[Andy Ellis] Yeah.
[David Spark] Which I think I could have just read the abridged version and saved everybody a lot of time mostly.
[Andy Ellis] It is a great way to approach. I think there’s the one-minute summaries as well, and those are an interesting way to approach it. Like there’s no way to do a one-minute summary of my book. Good luck to those folks.
[David Spark] Well, I will say this to anyone who’s listening who’s a fan of these apps… I’ve seen there are two, and I can’t remember the names of them. I could go to my phone, but nobody wants to listen to me look on my phone. There are a few apps. I’m interested to know which one is everybody’s favorite, and why they like it so much. So, please let us know.
[Andy Ellis] Yeah, especially with my book coming out. I want to know if I should be suggesting to them they try it with my book, even though I don’t think they’ll succeed.
[David Spark] Do the authors actually get any money off of these things or no?
[Andy Ellis] Probably not. It’s probably not considered…
[David Spark] It’s like editorial on a book. It’s like you’re writing a review of a book, but you’re really just summarizing it.
[Andy Ellis] So, if you do go and listen to my book on one of those, please also buy it because that’s how I get paid is when you buy my book. Or when you get somebody else to buy it like your employer. Have them buy them for all of your colleagues, and you get one, too.
[David Spark] Do you have any book signings already…? Because this is not coming out until April, and we’re going to have you on the April 18th episode.
[Andy Ellis] Yes, I will be doing a signing certainly at RSA. We’re still working out the deal on where that will be. I will also be doing a signing in Israel two weeks after RSA. I think YL Ventures is having an investor conference, so I’ll make sure I’m doing some signings there.
[David Spark] Have you ever signed this much? Are you concerned about you getting hand cramps?
[Andy Ellis] I’m a little bit worried about it, but I’ve got a pretty clean signature I’ll do. The real issue is not everybody is getting an inscription. You may just get my quick signature. Inscription maybe we’ll have to negotiate that.
[David Spark] Some, if you really don’t like them, you’ll just put an X.
[Andy Ellis] Oh, I love that. David is going to be like, “Wait, why is there an X in my book?”
[David Spark] [Laughs] All right, let’s get going to the show. Our guest, who I meet often as part of a CISO meet up that happens every couple of months, thrilled to have him on. He’s awesome in that meet up, so why not have him as part of our show. We’re going to have a mini meet up here. Huh? He’s the CISO of American Bureau of Shipping, Stephen Cicirelli. Stephen, thank you so much for joining us.
[Stephen Cicirelli] Thanks, David. It’s a pleasure to be here.
That’s something I’d like to avoid.
[David Spark] A friend of mine, this is true, who leads HR at a major company just had to let go of a mechanic because the person simply kept failing their phishing test. The person is not a knowledge worker, and his access to computers is minimal. But he does access for payroll and other company related activities. This is the first time they have ever let a person go because of repeated failure of phishing tests. This person definitely got plenty of warnings and training. So, question. I’m going to start with you, Andy. Would you have done the same thing? And secondly, what if this employee was a really talented mechanic, and you wanted to keep him or her on? Could you create some type of sandbox environment or a quarantine [Inaudible 00:07:21] so they couldn’t harm themselves? Something akin to like a virtual padded room. Or would you do something else?
[Andy Ellis] This is one I obviously don’t have enough details here, but I’d just start out with a face palm of you have somebody whose job does not relate to computers, and then you have given them computers because it made your job easier to not give them humans to support them. Then you didn’t provide them security, such as they didn’t have to worry about being phished. And now you’re grumpy because this person that does not operate in this environment gets tricked by software that is taking advantage of the insecurities in your software to trick them. This is not cool. You have fired somebody for clicking. Now it might be that these were really stupid phishing tests, but let’s remember the dirty secret of the phishing simulation industry, which is that they have a knob to crank up how close to reality these phishes are. And when that knob goes all the way, your click through rate gets close to 100%.
And then people [Inaudible 00:08:22] the news because it’s awful that the phishing test sent out the link saying, “By the way, you’ve all been fired. Here’s your severance package if you would like it.” But everybody is going to click that link. And so blaming the user is a problem. Now, it does remind me I once had this conversation many years ago with the CISO who had gone into a financial trading firm. He was livid because of one of the security practices that I thought was pure genius, which is they had these traders, and the traders make a ton of money for the business. So much so… And they had these old computers that took 15 minutes to log you in and boot up because they were loaded down with security technologies. So, the practice on the trading floor was that the admins for the traders knew their passwords, and the admins logged in 20 minutes before the trader got there. The trader showed up, did all their trading, didn’t send email. That was the job of the admin. So, any time the trader’s account interacted with anything that was not the trading application, that was the admin doing it. I’m like this is genius. How do we figure out how to standardize this to say, “You have a user account that is so locked down it can interact with these four things.”
[David Spark] So, essentially you have an assistant that does all your communications for you.
[Andy Ellis] Right. And in fact for most people who are…
[David Spark] So, that’s what this person should have had.
[Andy Ellis] That’s what they should have had. Why do they not have an assistant? If they’re a great mechanic… Let’s assume that this person is a fantastic mechanic, and mechanics actually make pretty nice salaries.
[David Spark] Yes. Yes.
[Andy Ellis] They bring a value.
[David Spark] And getting good talent is always tough, as we know.
[Andy Ellis] Okay, so imagine you’ve got a floor with like 40 mechanics on it or however many it is, and you went and you got one executive assistant to manage the 40 of them. And that assistant’s job was deal with email, deal with payroll, whatever. And that’s it. They would provide more value than another mechanic and cost you less money.
[David Spark] All right, I’m throwing this to Stephen. Stephen, do you agree? Would you have fired this person, not fired, agree with Andy or the company that did the firing?
[Stephen Cicirelli] Well, I know a lot of friends in legal who would really like to fire the person, but I don’t think that’s the right way. I think we’ve got some really great technology now, as Andy was alluding to. We’ve got the ability to limit the access of a computer to just the corporate necessary websites. Kiosk technology has come a long, long way. I’ve seen that used in a lot of places where you’ve got a bunch of people who really don’t use the computer. They’re putting bolts on things. They’re painting stuff. They don’t need to be on the computer, and you’ve limited the ability for them to do anything there as well.
[David Spark] So, this was an easy problem to solve, and they didn’t bother solving it is what you’re saying.
[Stephen Cicirelli] Right.
[Andy Ellis] Yeah.
Hey, you’re a CISO. What’s your take on this?
[David Spark] Realistically how proactive can a company really be about cyber security? In an article on CSO Online, Mary K. Pratt notes these proactive hallmarks – know what they have, know what they must protect, and what they’re protecting against. Strong user authentication and zero trust approach. Agile and adaptive, planning for the future. They watch for impersonators. They hunt for threats and vulnerabilities, and they do tabletop exercises and drills. So, we have addressed all of this, and this looks like a wish list. So, Stephen, I’m starting with you. Can anyone truly achieve all, or are we doing partial versions of all? What’s seriously realistic? And obviously this varies by size of company and their security staff.
[Stephen Cicirelli] I think these are really good guidelines except the first one. I think you really need to have a good understanding of what you’ve got before you can do anything else. But once you get past that, every organization I think is going to have a different approach to how they want to do things, what works best for them, how their business works. And taking the pieces and bits and putting them in a priority order or implementing to a certain level in order to make sure that you’ve got the things that make your business still work but keep you at a reasonable level of risk is really where you need to go.
[David Spark] Andy, what do you think? Again, it’s one of these things. I read this list. It is good, but it’s like, “Really, can we achieve all of this?”
[Andy Ellis] I’m actually on a different spot on this list, and it’s closer to where Stephen is, which is except for the first item… And I’ll come back to the first item on the list. This list is trappings. If you are good and successful, this is what you’re going to end up with. This is not the path to getting there. And we see that in a lot of places that people look at some policy or some outcome, and they get correlation and causation backwards. Consider honestly US policy. We looked 70 years ago and said, “Oh, you’ve made it into the middle class if you own a home and have a college degree.” And so we created a debt fueled model for everybody to get a home and a college degree. That doesn’t make you middle class anymore because those were the effect, not what pointed you into it.
And so similar model here. Some of these are effects. What makes you proactive is understanding your environment, understanding how as things change that changes your risk profile, and addressing your risks. That’s the first item here – know what you have, know what you have to protect, and know what you’re protecting against. That’s not a static list. It grows over time. And now if you’re doing that, all of a sudden you’re going to discover, “Oh, yeah, strong user authentication.” Because right now you can’t protect your environment without that. 20 years ago, that was not the hallmark of a team that was foresighted because that wasn’t the big issue. Agile and adaptive, like what does that mean. That’s very vague and subjective. I worry that someone would say, “Oh, I need to be agile and adaptive.” And they would make that goal.
[David Spark] But you know what that means. If you got a lot of hoops to jump through to get anything done.
[Andy Ellis] It can, but sometimes that isn’t the… Just being able to quickly make changes doesn’t make you foresightful for the future. You could just as easily be throwing out work and progress to jump to the next new thing. But before that gets released, you jump to the next new thing. So, that’s agile and adaptive, but that doesn’t make you proactive. You could just be rapid reacting to whatever it is in the headlines and never actually improving your security because you don’t know what benefits you’re getting from those things. So, to me, that’s the important thing is you got to know, have this mental model – here’s what my problem is, here’s what I got to solve, here’s how my tools actually work and work together with my people, and my process, and my technology.
[David Spark] Stephen, if you were to throw this list at a security team, is this a list that scares them? And they’re like, “No, this is what we’re going to do.”
[Stephen Cicirelli] The first thing they’d do is like, “I don’t know how to do this.” They know how to use tools a lot of times. They know how to make configurations. But if you say, “We’re going to plan for the future.” “What? What?”
[Andy Ellis] Right. Well, and tabletop exercises. Like how many people do them without understanding the value and how they work? And so it’s just to make work. They’re just doing this thing because they were told you should run a tabletop exercise. You have to actually understand what benefit you’re getting out of these things, and then I can look over at your program. And if you say, “Oh, we’re fantastic. We really look forward to the future.” And I’m like, “Where’s your tabletops?” They’re like, “Oh, we don’t do any.” Okay, that’s a question mark for me. Are you really planning for the future? Are you really proactive if you’re not testing and practicing what you would think you were doing? So, these are almost ways to check if somebody is doing it versus a checklist of how to get there.
Sponsor – Stairwell
[David Spark] Before we go on any further, I am thrilled to introduce a brand new sponsor that we’re very excited about. It’s from Mike Wiacek, and it’s a new company. It’s called Stairwell. We’ve actually worked with Mike before. He’s the former founder of Google’s TAG and Chronicle. Stairwell helps you stay ahead of attackers. Stair steps? Get it? Very clever, always. These guys are on top of it. Stairwell starts with this premise – that the cyber security blueprint doesn’t work because attackers know the defenses as well as, if not better, than you do. The very security blueprint that is supposed to protect an organization is actually a roadmap on how to evade those defenses. Yikes.
So, Stairwell took the approach of saying, “How do you keep an organization’s defenses out of sight, outside of time, and out of band from attackers?” The answer, the industry’s first continuous intelligence detection and response platform. You want all three. The Inception platform that Stairwell has built automatically uploads every file to a dedicated Cloud environment and continuously analyzes every file, looking for malware, vulnerabilities, low prevalence files, and more that you don’t even know to look for, including things that snuck past your EDR. This gives you better detections, confidence in response, and reduces the costs related to protecting against and responding to cyber-attacks. Check out more at stairwell.com, spelled exactly the way it sounds. Go there to learn more.
It’s time to play, “What’s worse?”
[David Spark] Stephen, I’m sure you’re familiar with “what’s worse”, yes? You know how this game is played?
[Stephen Cicirelli] Indeed.
[David Spark] This comes from a new submitter to the “what’s worse” scenario. We have some people who submit lots and lots of “what’s worse” and we’ve used them many times. This person, first time. And I hope I’m pronouncing their name correctly. Their name is Matthew Troisi from Troy Mobility. And I’m going to also say this – apologies, Matthew. I made some slight edits to your “what’s worse” scenario to make them, I think, a little bit more even if you will. Because I thought it was…
[Andy Ellis] Imagine if I say that they’re really easy, then I’m going to ask David to tell me what the original ones were.
[David Spark] Well, I think it was a little lopsided. I think it was a little too… I think one of them was way too obvious over the other. I was reading them, “Well, I know Andy is going to choose that.” So, I made them a little bit more even, what I think. We’re going to find out. All right, you’re a CISO at a company, Andy, that gets hit by ransomware, get ready for this, once every two months. That sucks.
[Andy Ellis] Oh, we’ve had a scenario similar to this one.
[David Spark] No, no, the second one is completely different.
[Andy Ellis] Okay.
[David Spark] Or your company acquires a company, and you’ve become the point person to integrate IT and security departments with horrible culture and systems. Which one is worse?
[Andy Ellis] First one.
[David Spark] First one is worse?
[Andy Ellis] First one is worse.
[David Spark] Now, do you think this is lopsided? I can tell you the edited… I made it every two months because it was just a single ransomware attack. Would it have made it different if it was just one ransomware attack?
[Andy Ellis] I think one I guess would have been difficult, but because… But I’m not comparing apples and oranges. The reason that I went with the ransomware is the bigger problem here is because I do have a philosophy that works for the integration for acquiring companies. It’s what we instituted at Akamai that solves this problem. I picked it up sort of from a colleague of mine who had a lovely phrase. He said if you pave a road, you know it’s flat. He said you don’t try to fix certain problems. You just fix the dang road.
[David Spark] You just pave the road. So, you just literally pave over the security department.
[Andy Ellis] Yeah. When we acquired companies, we showed up day one with brand new laptops that were already configured on our systems. Their entire IT organization, put them to use doing something else. We’d occasionally integrate them, and they would come in and be part of our teams. There was none of this, “Oh, we’re consolidating and connecting your stuff to our stuff.” Nope, nope. Everything you built is going away.
[David Spark] Everything is brand new.
[Andy Ellis] We did not buy you for your IT organization. We bought you for a product organization.
[David Spark] So, would you have changed your mind if it…? Because the original just said a single ransomware attack. Would you have changed?
[Andy Ellis] I think at that point I just would have been like… No, I think I still would have gone with the same one simply because a ransomware attack is worse than being in charge… Put me in charge of the problem that I can pave over.
[David Spark] I’m going to also point out, one of the things you can’t pave over, it’s horrible culture.
[Andy Ellis] Yeah, there’s no culture… That culture is gone by the time we’re done.
[David Spark] So, you’ve fired everybody pretty much.
[Andy Ellis] Maybe something… Given I’ve been involved in one acquisition where we paved over the IT, but, oh my God, was there a problematic culture there that ended up being issues, I might pivot. But it’s culture that the people who are responsible for it went on and published… Actually stories about them hit the New York Times for the culture they instituted at their next company.
[David Spark] Wow, all right. Stephen, I throw this to you. And you can answer whether I say the single ransomware attack or multiple. What do you think? Which one is worse?
[Stephen Cicirelli] I would say the culture is probably worse. Where I’ve been, with the organizations I’ve been with, we’ve had pretty good controls over dealing with ransomware over the years. I might get a little irritated with having to deal with that every couple of months. But trying to turn the culture around can be exceedingly difficult. Although I haven’t tried firing everyone before, so maybe that might work, Andy.
[David Spark] There’s no technology, Andy, to fix culture. While you say that you can provide all these new laptops, what are you going to do to make this very toxic environment not toxic anymore?
[Andy Ellis] The answer to that one is that you’re not leaving the culture separate managing its environment.
[David Spark] Andy, I set you up. The answer is you buy your book, “1% Leadership.”
[Andy Ellis] Right. You buy my book, and you turn to the first set of chapters in organizational leadership, and it gives you the roadmap to setting out vision, and values, and culture in a way that will help you incrementally. But the real goal is burn that culture down.
[David Spark] Burn it down. The thing is if you’ve got a toxic environment, it’s like imbued within the environment. I think it’s actually an opportunity because if they’re in a horrible environment, bad culture, and you’re saying, “Hey, you know what crappy culture you have? It’s gone. You’re joining the fun group. This is a great culture.”
[Andy Ellis] Right, it’s a great culture. You’re going to invest in adopting people. You’re going to pay attention to toxic behaviors, to make sure those don’t come over. And, look, you will have employees who would have been fantastic had they not been poisoned by the toxic culture. I’ve absolutely seen where you inherit staff who are just so jaded by the culture they were in that at the end of the day they’re going to leave the organization. And your job is just to make that as gentle and peaceful as possible for them.
[David Spark] More in “1% Leadership.”
There’s got to be a better way to handle this.
[David Spark] Newsflash, Stephen and Andy, it’s becoming increasingly harder to secure environments. Did you know this?
[Stephen Cicirelli] Amazing.
[Andy Ellis] Wow, when did that happen?
[David Spark] It’s a good thing I’m around to tell you these things.
[Andy Ellis] Thank you, David. I appreciate that.
[David Spark] An article on ZDNet by Jada Jones reveals some interesting stats from a study by Foundry. Now, tip of the hat to Adrian Sanabria of Tenchi Security for posting this on LinkedIn. So, of the survey respondents, 34% said non-malicious user error was the top cause of cyber security incidents. 28% said third party security vulnerabilities, and 26% said unpatched software vulnerabilities. Now, all of these are fixable if you have infinite time and people. “If you’re short staffed, you can’t have someone looking at every alert,” said Bob Bragdon of Foundry’s CSO Worldwide. So, hearkening back to our second segment, I’m going to start with you, Stephen, here. News like this makes us feel we’re chronically losing this infinite game. Do you let this kind of stuff get to you, or you’re like, “No, we’ve got control of this.”
[Stephen Cicirelli] I think we’ve got control of this, and I think this is really more of a numbers game. Next year we could see a lot more of the vulnerabilities coming from unpatched software versus the other things. And then the year after that, we’ll be up on user error again. How long ago was it that every other week it seemed like we’re hearing about an S3 bucket that was misconfigured? Folks made some changes over at Amazon, and the default now is no longer to give the whole world access, and those problems dropped dramatically over the time. Patch issues… How many Exchange problems have we had in the last year? Three big ones, right? It doesn’t really matter how fast you were getting that done, that was going to be a problem anyway. But the year before there were [Inaudible 00:25:28] Exchange problems.
[David Spark] Andy, do you think we’re getting ahead of any of these problems?
[Andy Ellis] So, first of all, full disclosure, I’m a contributing writer for Foundry, so yeah. But that’s okay because I’m about to trash our own methodology. I think their methodology…
[David Spark] They’re going to love that.
[Andy Ellis] The methodology, it’s a survey. We ask people questions, and the answers are vague. Let’s just take this one that says you basically had 34% said it was user error was the top cause. 28%, third party security vulnerabilities. And 26% unpatched software vulnerabilities. First of all, how many people who were answering couldn’t tell the difference between the second and third one that they answered. Like what’s the difference between unpatched software vulnerabilities and a third party security vulnerability.
[David Spark] Well, we’ll just add it together, 54%.
[Andy Ellis] So, you add it and get 54%. But okay. So, if we got better at two things, would either of those numbers change? If we reduced vulnerability as a way in and we reduced non-malicious error, the percentages don’t change. So, it’s really hard for us to measure on a complex ecosystem.
[David Spark] Right, because what we need to see is the quantity overall.
[Andy Ellis] And it’s people’s perceptions rather than based on data, and it talks about root causes. And complex systems do not have root causes of failures. They have underlying hazards with some trigger. Non-malicious user error is always a trigger, it is never a cause of a security incident. What caused it was the hazard underneath it, and that’s the deep thinking we as security professionals need to have so we don’t just blame the user. So, that said, I look at the survey, and I’m like yeah, security is complicated. There are still problems. But when I think about how hard it was to design security systems 15 years ago and now it’s like, oh, any problem I have there’s a good chance that there are 30 vendors trying to solve that problem for me. And sure, none of them are probably perfect, but most of them get it 80% right. Great, buy something 80% and move on, solve the next thing.
[David Spark] Stephen, do you agree with Andy here?
[Stephen Cicirelli] There’s a lot of what he’s saying that’s [Inaudible 00:27:33] right there.
[Andy Ellis] I want the list of what wasn’t now.
[Stephen Cicirelli] When you talk about the user doing something wrong and that’s just the hazard, the underlying problem is probably that vulnerability that didn’t get patched. So, which one was it?
[David Spark] It’s often hard to see the source. And going back to what Andy said, this is just what people said. Who freaking knows for that matter.
[Stephen Cicirelli] That’s why we go around on that carousel.
They’re young, eager, and want in on cyber security.
[David Spark] “Does anyone else feel like the cyber security field is attracting a lot of low quality people and hurting our reputation,” asked a Redditor on the cybersecurity subreddit who remembers a time when security personnel were seen as highly experienced technologists. But now, they believe people view cyber security as an easy tech job to break into for easy money. And that I could not disagree with more. It’s not easy. So, the question blew up on Reddit with one person noting that there have always been low quality people in the industry. But at the same time, they still provided a much needed function as the so called security guru. This thread turned into a little bit of a trash fest, but the original poster brings up a good point as an overwhelming amount of cyber content I see on Reddit and TikTok is focused on how to get a job in cyber. I’m going to start with you, Andy, here. With all the talk of needing more cyber talent, are we attracting quality or just quantity?
[Andy Ellis] I’m just going to tackle the question in a moment, but first I want to say that the original poster, if you’re listening, I will just say that the wording that you chose to use was really awful and unwelcoming to fellow human beings. You should think about that, and I’d be happy to have a consultation with you about that.
[David Spark] Well, they’re obviously frustrated.
[Andy Ellis] I don’t care. I don’t care how frustrated you are. You don’t call people low quality. That’s just…
[David Spark] Well, he wasn’t pointing out people by name.
[Andy Ellis] Yeah, but he said… But anybody who’s trying to break in is a low quality person is the message. I’m not a big fan of this, but that’s okay.
[David Spark] Hold on. I’m not defending, I’m just saying that he was saying that I’m seeing what’s coming in as being low quality. Again, this is subjective like our last segment. Two for that matter.
[Andy Ellis] It is. So, here’s the issue. There are so many gatekeepers at this point around getting into security… And, again, let’s take the CISSP. By the way, I hope that the vote failed to accept the new bylaws for (ISC)², but I dumped my membership a long time ago. They’re just really a gatekeeping organization now. Like, “Give us a bunch of money if you would like a cyber job, and we’ll give you a certification.” The problem is that people don’t know how to hire, and so they’re looking for magic unicorns. And so people are trying to paste on the horn and strap some fairy wings onto their back so they can be a magic unicorn. You can’t blame them for that.
If you’d like to criticize someone, it’s all of the employers who do not know how to hire an entry level person into security and do not know how to develop talent of people where you take somebody who is fresh out of college and say, “Yeah, you might have a college degree in computer science, but you don’t know anything about security yet. But I’m going to put you on the rounds where we’re going to teach you how to do this job, and you will be one of those magic unicorns in ten years if you’re willing to focus.” But we don’t have employers who are investing in that development. We do not have recruiters and HR organizations that understand and are pushing for how to bring people in who do not yet have all of the skills to do the job but are ready to learn and have some of them. We don’t have hiring managers who are focused on solving this problem. So, the last thing I’m going to do is blame the people who are trying to get a job when we talk about how there are not enough people applying for jobs. There’s a huge pressure here. There’s a mismatch, and there are problems, I agree. We aren’t getting these people experience who desperately want the experience and would take an entry level job if only we would make one available for them.
[David Spark] I would wholeheartedly agree with that very last statement because the number of entry level jobs, there is a paucity of them. But I’m still going to stress… And I know you don’t like the language of it. I’m going to use Stephen on this one. And please feel free to agree or disagree. Ignore what Andy said if you don’t care for it. Do you believe that this sort of, “We need help, floodgates open,” in the sense of you can get all the security training you want, but the actual…when it comes to getting the job, far more difficult. I got to, by the way, assume… You guys tell me. Maybe you’ve heard from your own employees. That these security education companies, which can charge 15 to 17 grand for certificates, are selling the maybe guaranteed job, guaranteed position, or, “70% of our people get hired,” some nonsense like that. What do you think? What do you think this is attracting?
[Stephen Cicirelli] I feel like it’s back to the 1990s, anyone who can spell MCSE can get a job. You get ridiculous requirements for a lot of these things, too. The problem is not, I think, just with the industry but with our HR establishments.
[David Spark] But I want to go to the individuals that it’s attracting, the people that are out there, the what’s coming in. Do you think that it’s attracting the right crew? That we’re getting a lot of poor quality? Maybe not use that term, as Andy says. What do you think?
[Stephen Cicirelli] I wouldn’t call them low quality. I’d call them low skill. They haven’t had a lot of time to learn their trade. They haven’t had any experience. We need to give them that. I think we need to spend a lot more time working with internships and some of the junior colleges to get people those experiences so that they can come on the job and have at least some knowledge, and we can help train them up the rest of the way. Of course we’re going to lose them in a year or two.
[Andy Ellis] You don’t have to lose them in a year or two if you design your program to give them a place to promote. Now sadly, most HR teams are like, “Oh, we don’t promote people for three years after they’re hired.” I’m like, “But if I hired somebody out of a juco, I need to promote them actually within like nine months.” Because in nine months either I know that they have a permanent job, or we’re letting them go because they didn’t work out at all.
[Stephen Cicirelli] I agree. And with the rates and the low levels of experience necessary to hit those rates, I think they’re going to leave even if you do have a place for them to go because they can… You’re not going to be able to jump that salary most of the time.
[David Spark] All right, I’m going to push this a little bit more here. This redditor made the comment of… And I’ve seen this – where people said, “I’m not that interested in cyber security, but I like the money.” And this guy says, “See cyber security as an easy tech job to break into for easy money.” Do you see that at all, either of you?
[Andy Ellis] Yeah, absolutely. And they should be excited about that. I’d be excited about that. Look, I’m a cyber security guru. I can do basically every job in cyber security because I have done them all, and that is not the way to build a career anymore. That’s not a way to build a team, more importantly. If you’re sitting here and you’re listening to this, and you have a team of more than ten security people… Hey, Stephen, do you have a team of more than ten security people?
[Stephen Cicirelli] No, not yet.
[Andy Ellis] Okay, great. I wanted to make sure I wasn’t putting you on the spot here. If you have more than ten security people, my suspicion is that the best next person for you to hire is somebody you would consider nontechnical. I don’t necessarily do so, but you should hire a project manager, possibly an administrative assistant, a basic junior analyst – somebody whose job is to take all the process work off of all of your technical people. Because guess what? Your technical people hate it, and they’re bad at it. And you should hire somebody who’s good at it and let them do it. They can then learn the technical pieces that you think you value, and maybe they move into one of those jobs.
But too many security organizations are trying to only hire technical people who can do everything, and there are very few people who have deep technical architectural skills who understand operations, who can write coherently, and drive projects at scale. And guess what? They will all make a lot of money, and they’re going to be the ones that leave. But if you bring in somebody to a good culture, and you’re like, “Hey, we just need somebody to make sure this process gets followed, to optimize it over time, and you get to work with these brilliant engineers who will love you for doing this work,” look at that – you just basically hired a cyber security professional, but you didn’t even have to look in the security career field to find them.
[David Spark] Last thoughts, you get it, Stephen.
[Stephen Cicirelli] I’ve got to agree with Andy on a lot of that. You’ve got the opportunity to take this person who wants to learn, needs to learn, and can help and support the people that you have. You’re not going to find the guy that has the skills or the gal that has the skills…
[David Spark] And that’s a good point. I agree with both of you in that they are trying to do everything right up to the point of getting hired in the hope of getting hired. And then when the industry fails them in hiring them then yes, it is our problem.
[Andy Ellis] Yep. And we have a shortage of people, and salaries are going up. We should not be surprised that this convinces people that this is an interesting career field. That is literally how economics works.
[David Spark] Let’s wrap it up. Thank you very much, Andy. Thank you very much, Stephen. By the way, we let you have the very last word. And the question I always ask is are you hiring essentially to increase your cyber security team to hopefully break the big ten marker. I’ll get to that in a moment. But first, I want to thank our sponsor for today’s episode. It is Stairwell. Thank you very much, Stairwell. We love having you on as a sponsor of the CISO Series. They are the first continuous intelligence detection and response platform. Check them out at stairwell.com. Andy, any last thoughts?
[Andy Ellis] I’d like to send out a happy birthday wish to my father, who turned 85 today.
[David Spark] 85. Congratulations to your dad. And let me ask, what is his name?
[Andy Ellis] His name is Robert Maurice Ellis, or Bob. In fact he is the original Bob the Builder. Before there was a cartoon, Bob the Builder, he had his contractor’s license. His general contractor’s license in the state of California was issued to Bob the Builder.
[David Spark] Very good. I have another friend named Bob Ellis, believe it or not. Lives in northern California.
[Andy Ellis] There are a lot of Ellises who get either the name Robert, or William, or John, or George. There are so many of them.
[David Spark] All right, Stephen, are you hiring? And are you hoping to grow your team to ten?
[Stephen Cicirelli] I am hiring, and I am hoping to grow my team to ten. It’s been a rough year. We’ve been trying to expand our capabilities [Inaudible 00:38:28], and we are needing some people, from experienced to brand new hires looking to break in.
[David Spark] So, you could hire someone green.
[Stephen Cicirelli] I could.
[David Spark] And bring them up. Well, excellent. So, they should contact you via LinkedIn maybe?
[Stephen Cicirelli] Indeed.
[David Spark] All right. And are there jobs listed on your company site?
[Stephen Cicirelli] They are, yes.
[David Spark] All right. So, mention that you heard Stephen Cicirelli. By the way, on the blog post for this episode there will be a link directly to his LinkedIn page so you can contact him that way. So, thank you, Stephen. Thank you, Andy. Thanks to our audience as well. We greatly appreciate your listening and your contributions to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.