We talk a lot on this show about what makes cybersecurity such a hard job, yet there are so many people who are in it and love it. What draws people to this profession and why do they love it so much?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest David Cross (@MrDBCross), CISO, Oracle SaaS Cloud.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Orca Security
[David Spark] We talk a lot on this show about what makes cyber security such a hard job. Yet there are so many people who are in it and love it. So, what draws people to this profession, and why do they love it so much?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series, and my CISO cohost, who loves working in cyber security, he is Geoff Belknap, the CISO of LinkedIn. Geoff, you love working in cyber security, don’t you?
[Geoff Belknap] It certainly has its days, yeah. There are great days in cyber security. Very rewarding.
[David Spark] We are going to talk about that, what makes a great day in cyber security, coming up. But first I want to mention our sponsor – Orca Security. Quickly discover, identify, and remediate Cloud risk to keep your business secure. More about exactly what that means and what Orca Security does a little bit later in the show. But first, Geoff, let’s get to the topic of loving cyber security. So, Helen Patton of Duo asked the very simple question on LinkedIn – why do you, the community of cyber security professionals, love working in cyber security. There were a few tongue in cheek answers, but predominantly there was a lot of passion that the community showed for this very difficult job. So, briefly, Geoff, tell me and our audience what is it that you love about cyber security.
[Geoff Belknap] For me, it’s two key elements that come together. Number one is I’m very entrepreneurial, which is a very fancy way to say I have a problem with authority, and I’m a terrible employee. But I also perform very well and am very comfortable in very ambiguous situations where we’re solving, and we don’t know all the factors that we’re solving for yet. Which turns out to be a lot of cyber security. So, if you enjoy that, it’s a great career for you. And then I think two, and probably more importantly for me as a human being, is I like to help people. I like to make sure that the work I do has a big impact both on the companies I work for but also I want to make sure that I’m helping protect people and doing what I can to elevate things in general. And cyber security certainly has a lot of that going for it.
[David Spark] You are not alone, as you will see as we go through the quotes in this very episode. And joining us for this discussion is a guest we’ve had on the CISO Series before but not yet on Defense in Depth. So, thrilled that he’s here for that. It is the CISO for Oracle SaaS Cloud, Mr. David Cross. David, thank you so much for joining us.
[David Cross] Thanks, David and Geoff. Glad to join you. It’s kind of fun to join again in the Defense in Depth episode.
Why does it matter?
[David Spark] Drew Brown of the Federal Aviation Administration said, “I actually like being able to influence the organization and leadership.” Very much like what you said, Geoff. And Christophe Foulon of Capital One said, “I love knowing that I can make an impact by helping people and businesses with safer behaviors and activities.” Again, similar. And Peter Soulsby of DXC Technology, “It’s like being a ninja sometimes.” So, there’s a lot of cool factor to it I’m getting here and a lot of, “Hey, I like having an impact on the business.” Which by the way I would say that’s not unique to cyber security because a lot of people take jobs I would say specifically in technology that cite that as a reason. Geoff?
[Geoff Belknap] Absolutely. That’s one of the key things that motivates me is I, as much as this may be crazy…I’m not an adrenaline junky, but I am an impact junky. I want the decisions I make, whether they be right or wrong, to have a big impact. Because I feel like if you make a bunch of bad decisions and they don’t matter to anybody, neither probably do your good decisions. So, I really like that – that cyber security is one of those places where if you make some bad decisions, they’re definitely going to matter very acutely to somebody. And then the good decisions have an even bigger impact. You can help people. You can grow a business. You can help it be more competitive, and you can certainly protect your organization against any downside that might come. This is a really cool way to be involved directly in that.
[David Spark] Excellent point. All right, so I throw this to you, Mr. David Cross. I’m going to give you the opportunity now to explain why you love cyber security, and what do you think of the takes from the community of Drew, Christophe, and Peter as well.
[David Cross] Well, I have to start…it’s that it’s a very long list of why. But certainly it’s important to call out that security and subsequently cyber security, it’s a fundamental of life society. We must have security. It’s always been here. It’s always going to be here. But the thing that’s exciting, I think, is that it’s never the same. It’s always dynamic. It’s never boring. It’s always changing. You always need to learn. This means there’s always opportunities. I get myself in trouble and say, “Let’s see the supply demand curve,” right? The supply of cyber security people and the demand, they’re off kilter. That means it’s a great place to be in the business.
[David Spark] So, let me get to this one line that Peter Soulsby said of it’s like being a ninja sometimes. Geoff, do you agree with that, and do you sometimes feel like a ninja? What aspects of cyber has that sort of maybe cloak and dagger feel to it?
[Geoff Belknap] I don’t know that I’ve ever felt like a ninja. I’ve certainly never been a hired assassin. But I think in the sense that…
[David Spark] But you’re open to it, yes?
[Geoff Belknap] I actually don’t think that’s something I’m open to. I feel like maybe earlier in my career, but now I’m a little more settled and less angst. So, I think what Peter is really referring to is there is some cool things you get to do sometimes.
[David Spark] There’s a cool factor.
[Geoff Belknap] Yeah. And I would have to say this is a pretty regular feeling, as long as you as a security leader step away from the politics and bureaucracy, and sort of the narrative weaving you’re doing with the executive teams. And you take a minute to take a step back and look at the things your teams are building or implementing and the work that they’re doing. Boy, it is really cool sometimes. We’re frustrating a human threat actor on the other end, you’re playing a dangerous game with them. And when you win, it feels really cool. And when you come up with some new clever way to give you an edge, that can definitely feel very cloak and dagger or ninja like, or whatever your favorite analogy is.
[David Spark] David, what do you think is cool about it?
[David Cross] Well, I think the element of being a ninja implies it’s only offense. It’s actually offense and defense. I think certainly I think in my veteran experience is that sometimes we’re here to play the defense, to protect things – to protect a business, to protect people. And that’s what makes it… That’s why it matters. That’s why it’s exciting. And that’s sometimes the role we need to play in society.
Why are they behaving this way?
[David Spark] Dutch Schwartz of Amazon Web Services said, “I love that it is constantly changing.” We hear that a lot. And he goes on and says, “It’s an Infinite Game, nod to Simon Sinek.” I’ve read the book, too. I highly recommend it. He goes on, saying…Dutch that is… “Rather than being a binary one. So, if you frame the strategic goal as staying in the game beyond your own involvement then the intermittent losses aren’t failures.” I like that. And Dan Watkins of the Ohio State University College of Engineering said, “I like the opportunity to think like a bad guy while being a good guy.” So, I’m going to toss this to you, David. I really like this concept of we’re staying in the game and that there are some intermittent losses, but we’re still sort of ahead of the game. Then Dan Watkins, I like thinking like a bad guy while being a good guy, which has a little bit of that cool factor that we heard in the last segment. Yes?
[David Cross] For sure. And I think both Dutch and Dan, as you described and imply, it’s always a horse race that never ends. It’s what makes this business exciting and exhausting. I’d like to use a military analogy here in how teams can actually be successful. So, the example I like… I’ll go back to my US Navy days even though I was not in the missiles, I was in aviation. But the newest Navy ballistic missile submarines, they have the gold and blue team rotations. The gold team goes, and then they return. Then the blue team goes out, and then they return. And you always have a break. You’re always at the top of your game. But you need to be trained. You need to have breaks. The idea in the cyber security world is how you can have an incident commander that’s on call and can respond while the previous commander and the other team members are getting a break and recovering from the previous adventure incidence. And so this is one of the main reasons you should have a deputy CISO. You take turns in being the executive incident commander. This is very important at kind of maintaining that balance over time.
[David Spark] That’s a really good reason why the need for a deputy CISO is that. Geoff, as awesome as you are, you can’t be available 24/7, can you?
[Geoff Belknap] I cannot. It’s something I don’t aspire to. I think there’s a lot of good reasons to have a deputy, and that’s definitely one of them.
[David Spark] So, let’s go to Dan and Dutch’s comments here about being able to think like a bad guy. That’s kind of got a little bit of a thrill to it, a cool factor there. Yes?
[Geoff Belknap] Yeah. I think, look, any time you’re working in a space where it requires you to put yourself in some completely different shoes and think differently than how a normal businessperson might think, that’s fun. It triggers your imagination. It forces you to be innovative and inventive, and really look at problems differently. This is also one of my favorite reasons to have a public bug bounty. What you’re really doing is you’re inviting a whole bunch of other people around the world who are absolutely thinking about problems differently than your team that wrote the software and saying, “Go ahead. Have at it. You bring your unique perspective from your upbringing, and your training, and how you look at things and apply it here and see what you can think of.” Those are just inherently, if I use the game theory motif here…they’re inherently fun games to play. I think it attracts a certain type of person that likes those ambiguity, and the uncertainty, and the people that like to play on the edges. I think that is fun for people like us.
[David Spark] David, do you like thinking like a bad guy? Being that you were in the military.
[David Cross] I think this is something actually where diversity comes into play. I think cyber security teams, you want people with different experiences. You want some people that have maybe been on the hacker side. You want some people that have some different education. You want some people that have different thoughts. This is how you can [Inaudible 00:10:52] not likely to miss things because it’s not just about group think and thinking one way. But you want to have people with different perspectives. This is very, very important I think in our business.
[Geoff Belknap] Yeah, this is something we’ve talked about a lot. I think even on this show where we’ve said that diversity of perspective is essential for a well-functioning security program. You can’t have everyone on your team coming from the same school, the same upbringing, the same technical disciplines. If you want to have a really big and impactful security program, you’ve got to get people that have different training. Some of them are going to be self-trained. Some of them are going to have worked in avionics, or the military, or maybe they went into computer science. But bringing that diversity of perspective, that diversity of background, approach to the problem, that’s really going to make a big difference for you.
Sponsor – Orca Security
[David Spark] David Cross, you have spent some time in the military – posted in the Navy and also in the Army Reserves. Here’s my question – what is the type of security training, of which there is I’m sure a load of it…what is the kind of sort of security thinking that one has coming out of the military the average lay person simply can’t ever get unless they have military training?
[David Cross] I think one of the most important elements or fundamentals of people that come from the military, and the veterans, and why you should try to recruit them is because it’s the fundamentals of honesty, integrity, attention to detail. And it’s also how to operate under fire. You’re trained to operate by the play book. And even under the most tense situations, you know how to operate during that and follow your play books, using your muscle memories. That’s so very important. I think in the cyber security space, which are often under fire, this brings a lot of value to many, many organizations.
[David Spark] Excellent answer. I love that. All right. Before we go on any further… That is awesome, David. I do want to mention our sponsor I mentioned at the beginning of the show, and that is Orca Security. So, Orca Security, for those of you not aware, they are a pioneer of agentless Cloud security that is trusted by hundreds of enterprises globally. Orca makes Cloud security possible for enterprises moving to and scaling in the Cloud with its patented SideScanning technology and Unified Data Model. So, the Orca Cloud Security Platform delivers the world’s most comprehensive coverage and visibility of all risks across the Cloud. With continuous first to market innovations and expertise, the Orca platform ensures security teams quickly identify and remediate risk to keep their businesses secure. Connect your first account in minutes by visiting their site – it’s an easy one. It’s just orca.security. And Orca is spelled like the whale. So, orca.security. Check them out.
What aspects haven’t been considered?
[David Spark] Prasad Shenoy of Cisco said, “Cyber security is a melting pot of personalities and talent.” Ah, you were just talking about this, Geoff. “No other specialty domain can afford to tolerate in a good sense what cyber security can. I have hired and/or worked with cyber security professionals who were once…” I love this list. “…athletes, mortgage consultants, gamers, entrepreneurs, nurses, and medical professionals, actors and entertainers, mathematicians, and physicists, IT consultants, and on and on. How can you not love something that can so well accommodate such a diaspora and continue to be in a learning is always on mode?” And Jessie B. of Bolt Resources said, “The people. Whether you’re a security practitioner, manager, or consultant, or employee – if you’re in cyber security or GRC, I’ll bet that you’re incredibly resilient, loyal, and determined, hold a high EQ, practice some level of humility, work your tail off with little to no recognition or appreciation, and you genuinely care about your work, those whom it directly or indirectly affects.” So, Geoff, we’ve heard this line. This whole thing about the people. The fun it seems is the melting pot. The fun is how many different people come in your environment. Do you have an environment of people with varied backgrounds?
[Geoff Belknap] I absolutely do. This is hands down probably the best part about the job. Because let’s be honest, there are a lot of bad parts about the job that people are not fond of. I think the reason we all stay in this space is because the people are great. The challenge is great. The outcomes can be great. And it all balances itself out. But, look, I’m in this career for the long term. My favorite part about the career other than having a big impact is the people. The people you meet and the relationships you build. Whether they be in the trenches, in the foxhole, and working on an incident, or the thought leaders and other people you get a chance to interact with like Helen and others. That’s phenomenal. You just don’t meet a broader cross section of people with interesting backgrounds and interesting perspective than in this career path right here. I’m very happy with at least that part of my choice to remain.
[David Spark] David, we hear this… No one is going to admit, “Well, I love everything about it but the people.” I don’t think that would ever happen. But what is so unique about working with the cyber security community, and do you have a unique crew like what Geoff and Prasad has said?
[David Cross] I certainly am very excited to say we are a very diverse crew in different experiences, but I think one of the things that’s… I came here to Oracle five years ago. And it really helped to transform the organization. I know this may be a topic that may be a little controversial to some, but one of the major elements and attributes of great security engineers is they’re also great developers. And sometimes your customer is not an external customer. It may be just internal customers – the developers in your company. This could be a big thing in the technology verticals. And so we’re there to help make the developers, the analysts, the service engineers, the operations people successful. And so sometimes it’s important to really how you service them is to understand their roles. You need to sometimes be a great developer to actually be a great security engineer for the developer. And so I think it’s all about how we help make them successful, how we make them productive. I know Ira Winkler has kind of spoken about this quite a few times, but I’m a long follower of that cult in saying great security engineers are great engineers to start.
[David Spark] I’m going to ask this question of both of you because I’ve had this in the past in jobs I’ve done. Is that when you work on a team and you’re sort of handing something off to somebody else, you’re working in tandem, and you’re doing it. And you have a sense of how good your work is, but then when you work with someone else who elevates your work it kind of makes you feel amazing about yourself and amazing about your team. Have you had those experiences?
[Geoff Belknap] Oh, I have. I feel like I have those experiences every day. I have developed a sense that recently my spike and the things that I’m really good at are I’m great at communicating to the business, I hope. I am really good at understanding how we should be thinking about risk and how we translate that. But I’m not a fantastic… I’m certainly not our best engineer. That’s not why I’m running security. The work that I see from the people that I work with sometimes is shocking because I’m expecting it to be one way in my head, and then I give it to somebody, and they sort of take their take on it. And you’re like, “Wow, this is really good.” Not only because it meets all the requirements of whatever it is we’re working on but because it influences my thinking and elevates my thinking on that. I think when that stops, that’s probably when I need to step away.
[David Spark] Good point. You’ve had the same experience, yes, Mr. Cross?
[David Cross] I think sometimes it’s just like when you’re going skiing. Really you’re only a blue square skier, but your friends are going down…your teammates and operations or products are going down the black diamond. The feeling at the end when you learn something – going with them, going down together, the euphoria, the feeling, it’s amazing. I think a big part of it is how you think about things end to end. It’s not just about you versus them. It’s not just you’re throwing things over the wall. It’s how you think about the end state as what you did together, and that’s where is the real big win and excitement.
[Geoff Belknap] That’s such an important point, is this is not a solo sport. You are not… As much as we joke about ninjas or whatever earlier, it’s like this is not a solo mission. It really is only successful if you go together. To David’s point, the fun when you succeed together and the long-term bonds, they’re phenomenal.
[David Spark] I’ll tell a story that is not even cyber security related, but I used to be a comedy writer for Second City out of Chicago. And I would always have…when I would write a script, I’d have this sort of sense in my head of how funny it is. I was not a great actor by any stretch, so I would hand these off to actors. Again, I would have the vision of sort of the humor level in one sense. But then when I’d see really talented performers take it and put it on, I’m like, “Oh, wow. That’s way better than what I thought.” And that’s such a great feeling to see someone take your work beyond even the level that you thought it would be at.
[Geoff Belknap] Yeah, I think that’s exactly the experience we’re having as well.
What are they looking for?
[David Spark] Kent King of State of Ohio Department of Transportation and Department of Health said, “At this point in my career I really enjoy mentoring and coaching. It is a great feeling to help new people enter the profession and help them develop skills needed to survive this insanity. Giving back the years of experience makes all the past seem worthwhile.” And Frank Friedman of Victoria Secrets and Co said, “I had managers that gave me some breaks and help throughout my career. Doing the same while in a leadership position feels good, too.” I must say that I’ve been on both sides of this as well, just like Frank said. And I think what’s really key when you’re the mentee is letting your mentor know that I took the thing you told me to do, I did it, it worked, thank you. And also let them know, “This didn’t work.” But mentors love hearing that. Yes, David?
[David Cross] I agree 100%. I think that one of the best things of being a mentor is what you learn from the mentees. It’s the opposite. Sometimes people think, “I’m just trying to help others.” But no, it’s actually how you’re actually helping yourself as well.
[David Spark] Yeah, because also when you learned, you learned in a different generation. They’re in a different generation than you, which is often a very different experience, yes?
[David Cross] Absolutely. I think that’s something why we’re always learning – why am I learning the Rust programming language now. It’s like is my job day to day to code anymore? No. But if you don’t stay in touch with what is modern and current then you’re going to have a hard time managing others.
[David Spark] Geoff? Now, you have been on both sides of this equation. Yes? Mentor and mentee.
[Geoff Belknap] I have. I was fortunate enough to start my security leadership career when there was a lot less ability to learn and to grow into this role. I had a couple of people just be very, very generous with their time and their insight when I was at the beginning of this career path. And it was hugely impactful for me. I find that now one of the things that I really enjoy doing is working with… LinkedIn has an internship and an apprenticeship program that is geared for people that come from nontraditional backgrounds. Some of those people are going to college now. Some of those people are cashiers, or waiters and waitresses, or they were mechanics, or something else. But they have decided that they’re going to self-train themselves and turn to a different career path.
[David Spark] What was the first job you ever had?
[Geoff Belknap] I was a paper boy. Then I got fired from that.
[David Spark] Hold on. What did you do to get fired from being a paper boy? [Laughs]
[Geoff Belknap] Oh, boy.
[David Spark] You just obviously couldn’t…you probably didn’t deliver them.
[Geoff Belknap] There was this paper that I delivered… Boy, I can’t remember the name of it now. Had a free paper that I was supposed to deliver every Wednesday that would instead of just going to the houses that were on my route go to every house in my neighborhood, which is about three times the amount of papers that you would deliver. And I was a small person when I was a paper boy because I was 14, maybe 13, something like that. And when you’re 13, you’re like, “I’m not delivering all these.” Then eventually they find out.
[David Spark] So, the answer is you will never hire a 13-year-old. I don’t think you’re legally allowed to, are you?
[Geoff Belknap] I think for paper… In New York, you were allowed to hire children.
[David Spark] Yes. Well, paper boys are usually young.
[Geoff Belknap] Yeah, coal mines and newspaper delivery. I think those are the two things that children are allowed to do.
[David Spark] All right.
[Geoff Belknap] Gosh, where did we start with this?
[David Spark] I don’t know. I was just thinking you were saying about waitresses, people…
[Geoff Belknap] Oh, yeah.
[David Spark] Because I’m thinking that you may have started at that point. David, I’m assuming your first job was not in the security field, yes?
[David Cross] It was not. It was a cook in the back at a rest stop gas station in Michigan during the hunting season. So, yep, I’ve grown a lot from that.
[Geoff Belknap] Oh, boy.
[David Spark] Excellent.
[Geoff Belknap] Yeah, and I think people grow a lot from that, and people get this grit in them. They want to change careers, and it’s a ton of fun to mentor them. Now there’s a ton of ways for people to learn about this career discipline and educate themselves. And the conversations I find myself having with these mentees and these apprentices is so engaging. To watch them sort of learning this craft their own way, it’s very, very cool.
[David Spark] David Cross, you get the last comment on this.
[David Cross] Yeah, one final thought. I think what’s very exciting I think about my own experience but really especially the veterans that are returning to service or people that want to join cyber security, the most exciting and best people you can hire are the people that have the hunger, the passion, the drive the perseverance to get in. Because they are the ones that are not just seeking out the opportunity. They will do whatever it takes to win and do the right thing, and make a difference. That’s very infectious. That’s very motivating. And it really makes a very strong cyber security team and organization.
[David Spark] Excellent point. All right. Well, we have come to the point of the show where I ask both of you which quote was your favorite, and why. David, I am going to start with you. Which quote was your favorite, and why?
[David Cross] My favorite quote is from Prasad of Cisco. Cyber security is a melting pot of personalities and talent. It is exactly I think that…Geoff and I both agree to is the diversity of our organizations and the experiences is what makes us successful short and long-term.
[David Spark] All right. Mr. Geoff Belknap, what’s your favorite?
[Geoff Belknap] I love that quote, but I feel like I stole enough good ideas from David today. This pains me, but I’m going to go with Dutch. I feel like Dutch gets… He has way too many great quotes. But Dutch says, “I love that it’s constantly changing. It’s an infinite game rather than a binary one. And if you frame the strategic goal as staying in the game beyond your own involvement then the intermittent losses aren’t failures.” I think at some level this is exactly right. This game is constantly changing. You’re playing against an adversary or multiple adversaries. There is always something new. This is what I talk about – there is ambiguity. There is never a clear understanding of what you’re up against. There is rarely a clear understanding of how capable you are to play the game at a professional level at any given moment. But you’re always trying to be ready to go. It’s something different every day. Putting aside some of the frustrating things that are there every day as well it really is something that if any of this sounds reasonable to you, this is a career path you should think about.
[David Spark] Excellent. Well, I do want to mention our sponsor, Orca Security. They are at orca, like the whale, .security. You can find them. They are a complete solution. So, quickly discover, identify, and remediate Cloud risk to keep your business secure. Thank you very much, Orca Security. And I know you, Mr. David Cross…this episode is airing early April. At the end of this month is RSA, and you’re going to be speaking at RSA. Is that true?
[David Cross] That’s correct. I’m pretty excited about that – to be talking there. And look forward to actually meeting and chatting with people there in person.
[David Spark] Let him know that you heard him on Defense in Depth. What’s the name of your session, by the way?
[David Cross] It’s actually about how to adapt and the change from moving on premise applications to the SaaS Cloud, and how you’re ready to adapt to those changes from a cyber security perspective.
[David Spark] And correct me if I’m wrong, it’s just lift and shift, right?
[David Cross] It’s a little more complicated than that.
[David Spark] We hear that endlessly. It’s not lift and shift.
[Geoff Belknap] Baiting him, huh?
[David Spark] Hey, nobody said it was. [Laughs] All right. Thank you very much, David Cross, who is the CISO over at Oracle SaaS Cloud. If anyone is going to give you good advice on it, it will be Mr. David Cross. And Geoff Belknap as well. We greatly appreciate all of your contributions. If you see an awesome topic on cyber security on LinkedIn, on Twitter, on Reddit, wherever, send it our way. We love to turn whole episodes of the show into just that. Thank you for contributing and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at email@example.com. Thank you for listening to Defense in Depth.