Why We Quickly Reject 95% of All Applicants

If you’re asking what certification you should go after to get the perfect cybersecurity job, you’re asking the wrong question. Most hiring managers are inundated with resumes so they’re looking for ways to get rid of yours. Don’t be fooled thinking you’re going to be seen because you have the “perfect” resume.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mike Hanley (@_mph4, on Github at mph4), CSO, GitHub.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, BitSight

These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com

Full transcript

Voiceover

Ten second security tip, go.

Mike Hanley

We’re starting a new year, it’s a great time to go back and look at what you’re thinking about for professional development for your teams in the year ahead. My recommendation this year, look at product management fundamentals, especially for some of your leaders in your organization. For your security team, it’s easy to think about what you think is the right thing to do; it’s a little harder to think about what’s right for your customers or your constituents or stakeholders in other parts of the company. Product management training is a great way to learn some of the skill sets that’ll make you a better security practitioner.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO series, and, joining me as my co-host for this episode is Mike Johnson, you may recognize him because his voice sounds a lot like this.

Mike Johnson

You’ve heard me in such podcasts as this one.

David Spark

[LAUGHS] We’re available at cisoseries.com, our sponsor for today’s episode is BitSight, you know third party risk, we’re all dealing with it, and, guess what? That’s their expertise, and they’ll be talking about it more later in the show. But first, Mike, we are recording this episode on December 17th, and you did something that you’ve never done before, and I was actually shocked, it was the first time you’d done it in our three and a half years of recording, and that is you canceled a recording last minute, but, very understandably, Log4j. So, I want to know, because this is going to air in a month, a little more than a month, like five weeks from now, what’s the last week been like?

Mike Johnson

It’s interesting we are recording this a week late, because a week ago the world woke up to Log4j.

David Spark

And what does that mean for people who don’t understand what that means?

Mike Johnson

So, the Log4j vulnerability is a weakness in a piece of Java code that is embedded in so many different products, pieces of software, systems, that you don’t even know it’s there in so many cases. And the vulnerability is relatively easy to exploit, and it results in what’s called “Remote Command Execution.” So, the ability to run an arbitrary command on a vulnerable system. And one of the challenges is, it’s not necessarily the entry point for the string or the vulnerable, the exploit code, it could enter your web server route through any number of different systems, eventually land somewhere as a log line in your logging infrastructure, and that turns out to be the vulnerable system. So, you end up having to look across your entire environment, and that’s what’s been so hard about this vulnerability is the combination of the ease of exploit, the seriousness of it, and the pervasiveness of the software to where you just don’t know where it is. And this is, you know, I get to get on my asset management soap box here, again, that this is a prime example of where having good asset management, to know what’s where, what does what, and, frankly, even tell you where you’re running Java, where you may be running the Log4j library, and then you can do something about it. You can do something about it quickly. And it’s been a long week as a result of trying to track everything down, trying to communicate with customers to make sure that they understand how we’re doing, because, like us, they’re reaching out to all of their partners that leverage whatever, and saying, ‘hey, how are you doing with this?’

David Spark

I actually want to bring our guest in now to talk about this as well, because what I think is interesting, this is something that affected everybody, and Mike Hanley, who’s the Chief Security Officer over at GitHub, is our guest. Mike, thank you for joining us.

Mike Hanley

David, thank you for having me, good to be here.

David Spark

So, this affected you as well, and I want to know how was your experience? Similar or different than Mike? And then the other thing I want to hear from both of you is, what I’m amazed by is that the whole community was looking to help each other on this one, and I know you did that, what value did you get from the help of the rest of the community on dealing with this issue? And I’ll start with you, Mike Hanley.

Mike Hanley

Yeah, I think, you know, in terms of value that we get from the rest of the community, I mean, in many cases we’re all customers and partners of one another in some way, shape or form, so it’s in my best interests to make sure that Mike and some of my other partners and colleagues across the industry are in a great place, right? Because it directly affects our security and it affects the security of our shared sets of customers that we have. So, I think the information sharing piece of this, of, like, what’s working well, have you tested this, what’s your team thinking about right now, where are you struggling? It’s not about trying to catch somebody, right, it’s about trying to make sure that we’re all kind of moving forward through this together. Because the reality with a bug like this is, we’re going to be talking about this six months from now, probably 12 months from now, probably 18 months from now, much in the same way we found out about all the stuff that we missed in Heartbleed six months, 12 months, 18 months after it happened in 2014. So, in some ways this will be the gift that keeps on giving, we’re going to have to continue to help each other out, and I think, you know, as we’re recording this today, a few days after the news has broken, we’re still waiting for the after effects of everybody and their cousin now looking into what are the variations of this bug that we don’t know about next. So, by the time this publishes, I’m sure that we’ll have seen maybe the second, third or fourth shoe will have already dropped on this one. So, the information sharing piece on this, and the collective nature of defense there is, I think, very important.

Mike Johnson

I think that’s a really good point, Mike, because it’s definitely an evolving situation, and that information sharing really helps. On one of our slacks I saw this morning that there’s been another vulnerability found in the updated version of Log4j, and that was the one that everyone rolled out to be the solution, and it turns out there’s a vulnerability there. And, being able to share that rapidly across the community, across trusted communities, and that’s really the key, that then says, alright, well, we need to make sure that we’ve done everything the right way the first time, and, if not, we need to go and do it again.

Why is everyone talking about this now?

00:06:41:20

David Spark

On the cybersecurity subreddit, a cybersecurity hiring manager wrote a confessional post about the stark realities of the hiring process. He was speaking to the young cybersecurity professionals who are struggling to get into cybersecurity. Having hired about 25 people recently, he broke down the types of resumes he receives. In essence, only about five percent of the people have a combination of a few years of help desk experience, a certification or degree, and have put in some real time teaching themselves, like, through Hack the Box or attending conferences. And these people have personal references. Now, while many people complain, “That’s not fair,” the hiring manager was just saying, “Well that’s what you’re up against.” And, we also know, if you only take from personal references you’re going to have a hard time building a diverse team. But, at the same time, it’s really hard to get people without a good word from someone you trust. So, does this hiring manager speak the truth? Mike Johnson?

Mike Johnson

So, as I look back on the hires in the past couple of years, there’s only been a couple that were known by someone on the team already. So, the point being, it is possible to hire people that are unknowns, and is it easier? Sure. But, to the comment that you made, you can’t build a diverse team if you just keep hiring the same people that you know or that they know. You get so much value from getting folks from different backgrounds, from different experiences, that can bring different perspectives.

David Spark

I agree, but I just want to address what this hiring manager said, he talked about the huge swathe of garbage resumes that he gets, because people are saying, “I just want to change my career” kind of thing, with no background. Like, will you take a chance with me? Kind of an attitude. And those are usually tossed. I mean, I can imagine there’s a certain percentage that you’re tossing, right Mike Johnson?

Mike Johnson

Absolutely, and that is one of the beauties of working with an awesome recruiting team, they recognize those very quickly. It’s not uncommon to get people applying for positions who are coming from a physical security background, and I understand why they’re doing it, but that is definitely not what we’re looking for in these particular positions when we’re looking for cybersecurity. And there’s a filter that goes on, I’m not reviewing hundreds of resumes personally, but, working with an awesome recruiting team, they’re able to recognize what should be passed along and what should be filtered out as this person isn’t even close to meeting the requirements.

David Spark

Alright, let me throw this to Mike Hanley right now. What do you feel of this extremely confessional, very open response by this recruiter, saying, hey guys, if you’re just not nailing all these things, I mean, this is what you’re up against?

Mike Hanley

Yeah, you know, my view on this, and I’ve done quite a bit of hiring in the year that I’ve been in GitHub, in fact, I’ve hired actually several dozen roles just in the 11 months that I’ve been here, and I have several dozen more to do in the next six months, so we’re in a pretty steep hiring ramp. And, one of the things I tell my team often is, when you think about hiring and recruiting and sourcing, if you follow the same play book and you go to the same places, and you look for the same things, you’re going to get the same results. And this field has changed so much in the last few days, few weeks, few months, few years, that the things that were relevant, you know, in early 2020, still have some relevance today, but, we’re fundamentally in a different place than where we were two years ago before the pandemic. We’ve seen the rapid and accelerated and unceremonious arrival of zero trust as a necessity rather than a gradual change, and you just fundamentally need to have people who are thinking about things differently and have different sets of experiences if you want your team to be able to adapt to the challenges that are emerging day in and day out inside the company. Now, to Mike’s point, you still need to have a close partnership with your talent team, because you’ve got to do some filtering and screening there at the edges, you can’t simply review, you know, every single thing that comes in, and you can’t possibly triage all those. But, what I would say is, you do need to very consciously and intentionally, as a leader, think about what’s my distribution of seniority of talent? Like, if you’re only hiring, for example, senior engineers that have 15 years of experience with cryptography, you simply have a very small pool of people from which you can pluck to hire into roles like that, and you are going to run into challenges with diverse hiring there. 
But, if you look especially for early in career, people who have demonstrated a propensity to pick up some of the new skills and capabilities, or people who demonstrate a willingness and a coachability to learn and be trained, then you’ve got a lot of opportunity there to really develop your talent, have people potentially go through two, three or four jobs just within your team as part of their own professional development and growth.

David Spark

Let me ask the two of you a question, so, I am actually hiring my second full time employee, and hopefully by the time this airs I will have hired somebody and already had a few good interviews, and it’s very much a junior position. And I need some very clear instructions in terms of applying, and, the sad reality is, and, by the way, my instructions were pretty simple, they were just go to our website and acknowledge you’ve actually gone there, like that’s not a pretty high hurdle to clear is it? Pretty low.

Mike Johnson

Yeah.

David Spark

Of the, I’m going to say maybe about 50 resumes I’ve received so far, a total of five people have done that, two of them got the name of the company incorrect, one of them called it CISO creative and one called it CISO, the other three did an excellent job, and those are the three I’m interviewing. They are far from the three people who had the best skills, but they’re the three people who actually followed directions, and part of the job is attention to detail. Do you put directive explanations, and I want a quick answer from both of you, and do you just throw things at it, if they can’t follow directions, forget it. Mike Johnson first?

Mike Johnson

It depends on the role, some roles are very important to follow directions explicitly, and you laid out a very good case. Some of them it’s actually more important to be creative and be thinking outside of the box, as it were, in those cases you can be a bit tolerant about strictly following directions or not.

David Spark

Again, my hurdle was not high. Alright, Mike Hanley?

Mike Hanley

Yes, I think, similarly, there’s some amount of flexibility there, but, one of the most important things I look for behavior wise, especially for early in career individuals who we’re hiring in to hope to develop, is there needs to be a demonstration that they can receive feedback and have open growth-minded conversations about their career and their trajectory and willingness to learn. If you can’t see that, especially in the form of like, well, I don’t care that I didn’t follow directions, or you know, sort of a rejection of the initial conversation, that’s a fast screening thing for me.

What’s your security advice?

00:13:38:17

David Spark

What have been the most effective techniques to building a resilient security team? Susan Morrow of Avoco Secure has a lot of good advice supported by some data from InfoSec Institute on how to go about building your security team. One interesting data point was that 52% of security professionals join the field to solve problems. Now, all of the advice was solid, but, the ones that really stuck out were, taking the long view, creating realistic job descriptions and recognition builds confidence. Mike Hanley, what do you believe are the three core tenets to building a team? And would you hire the other 48% who don’t want to solve problems?

Mike Hanley

Yes, that’s a good question. I’ve got to believe somewhere, if you unpack that, people do generally want to solve problems to some degree, but I understand that’s how it shows up in the survey. I mean, as a leader, I can’t make anybody do anything, right, I can work to understand what their motivations are and align those to the jobs that need to be done and the incentives that I can offer organizationally, but I can’t make anybody do something. Now, it’s entirely possible that of those 52% who didn’t answer that they wanted to solve problems, some of them are motivated by money, some of them are motivated by job titles, some of them are motivated by whatever’s in the coffee machine, maybe we have particularly good coffee in the office, which I think we do at GitHub. All of that’s actually fine with me, to some degree. I think that’s okay if you’re motivated by some of these other factors, and I think that those all balance out and it takes a little bit of all kinds. But, what I think needs to be true in all of those cases, independent of somebody’s motivation, and, again, I think your job as a leader is to sort of discover that and figure out how to align somebody’s motivations to the jobs that need to get done, back to your three points, are one, having a really crystal clear agreement on what needs to be done. Like, what is the thing that you are trying to do as a team for the organization, and what do you need or expect from that individual, so that’s the most important thing. Two is agreement on how you are going to support that person as a manager, so, this can come in the form of questions of like how can I help you? What additional questions do you have? Do you have what you need to get this done? What are your expectations of a partner team? Sort of work through that to make sure that you’re actually giving that person everything that they need in order to achieve the objective that you talk about. 
And then third, I think, is just creating a culture that welcomes open conversation, especially about bad news, because if something’s not going well I actually want to have that conversation early and often, and have a safe space there for somebody to raise their hand and say, “Hey, you know what? This is actually not on track,” or, “I don’t actually think we’re going to be able to get this done,” or, “This partner team’s not following through on their commitment,” or, “I don’t have a particular skill set or capability that I need.” Because then we can go back and problem solve in the spirit of the first thing we agreed on, which is, what are we trying to do together as a team and what’s your role in completing that.

David Spark

Alright, Mike Johnson, I throw this to you, would you hire the other 48%?

Mike Johnson

So, to some extent I agree with Mike, that there’s got to be something a little bit weird with the survey in there, but, at the same time, there might be some skills that people are more focusing on strategic roles. You know, it’s not necessarily going out and laying hands on a keyboard to solve a problem, and so they might view that as not solving the problem, but, in reality, they still are, they’re having communications, they’re partnering with others, so it’s still problem solving, but, just maybe in a different direction. And then there’s also support roles, like, I’m not necessarily maybe even the one making the thought or writing the process or what have you, but, I actually am the one executing the commands. And, so maybe that’s, again, in some people’s mind not problem solving. I view them all as problem solving, but, back to the survey. So, yes, for certain roles I wouldn’t rule someone out if they selected that in the survey. On the other hand, if they came and said, “I’m not here to solve problems,” that’s a different discussion, you know, that is someone who’s not a team player, that is someone who’s not going to really be driving the program forward. But maybe they’re, again for the survey, people answering different things.

Mike Hanley

And I think a good example in the field that we have right now is, like, the fact is, you can make a lot of money working in cybersecurity right now, and that is an attractive reason for people to pursue careers in this space. And if somebody came into an interview and said, “I offer these skills that you need and I’m looking to get into a job in this field because I can be well compensated here and provide for myself, my family, my future, the things that I want to do outside of work,” I’d say, great, it’s good to know kind of where you’re coming at this from, and I totally get that and don’t put a value judgment on that as a motivator.

Sponsor – BitSight

00:18:21:09

Steve Prentice

BitSight, already famous for its security ratings solution, has now joined forces with Moody’s to provide a comprehensive risk assessment platform that includes cyber risk quantification. Jake Olcott, Vice President of Communication, explains what this is.

Jake Olcott

Cyber risk quantification helps executives and board members understand their financial exposure to prioritize investments, calculate opportunity costs, capital decisions etc. And what Moody’s has said is that cyber risk quantification is credit positive, what they mean by that is that organizations that are doing cyber risk quantification have some sort of repeatable process to understand their financial exposure from cybersecurity. And, that repeatable process then leads to better decision making. And so we know one of the challenges in cyber is that organizations are often responding to yesterday’s attacks, and sometimes we make investments to respond to yesterday’s attacks but not necessarily thinking about the future. And so, having a strong and consistent cyber risk quantification program allows a CISO and a Chief Risk Officer or CEO, the CFO, to all collaborate together on a common understanding of the risk, and then they can focus on prioritizing those investments that will reduce that risk over time.

Steve Prentice

To learn more about BitSight, its services and its partnership with Moody’s, visit bitsight.com.

It’s time to play What’s Worse.

00:20:00:17

David Spark

Mike Hanley, are you familiar with this game?

Mike Hanley

I feel like I’ve been preparing my whole life to play this.

David Spark

You lived it all last week.

Mike Hanley

That’s right.

David Spark

All last week. Alright, well, just so you know, Mike Hanley, I always make Mike Johnson answer first, it’s a risk management exercise, both options stink, you just have to choose which of these two crappy options is the worst. And, Mike Johnson, it’s another one of these brilliant jerk bad scenarios.

Mike Johnson

Oh, I’ve missed those, I’m so glad we have another one.

David Spark

Now, here’s the thing, it’s brilliant jerk on both sides, so it’s going to be the lesser of two brilliant jerk evils.

Mike Johnson

Oh great.

David Spark

So, you have to pick a brilliant jerk.

Mike Johnson

I think that’s not fair, I’m now backed into a corner by the game of having to pick a brilliant jerk.

David Spark

There you go. Well, brilliant jerk always being the worst actually, you always do pick the brilliant good jerk because you always feel that that’s the worst. So, essentially, the better is also going to be the brilliant jerk. Alright, this comes from Nico Valcarcel of NextRoll, I believe it’s his first What’s Worse scenario that he’s contributed. Option number one, it’s a brilliant jerk in the security team, though has no contact with other teams, so he’s a brilliant jerk just in your environment, or, a brilliant jerk in the engineering team with high influence in pushing back on all security efforts. Which is worse?

Mike Hanley

Oh wow.

Mike Johnson

So, first of all, hi Nico, we actually know each other, so thank you for this one. Thank you for making me pick a brilliant jerk here. You know, if I think about these two options, it’s really who’s going to have the broader influence on the company, and what is the worst for the most number of people, is where I go with this. In my mind, the brilliant jerk always comes down to that’s a toxic person who’s toxic to other people, and in these two examples we’ve got one person who’s toxic to a small number of people, the security team, and then one person who’s toxic to a broader number of people, to the broader organization. That’s why I would choose the latter, the one in the engineering organization as the worst, just by numbers. Yeah, it’s kind of a numbers exercise.

David Spark

Alright, I take this to you, Mike Hanley, do you agree or disagree with Mike, and just not to push you too much, but I do like it when people disagree with Mike Johnson.

Mike Hanley

Yeah, I mean, with respect to Mike’s opinion, I am going to disagree a little bit.

David Spark

Excellent, and why?

Mike Hanley

Mike’s point is I think very valid, especially about the spectrum and overall influence that the individual in engineering has, I think it’s a great point and it certainly can be more disruptive in the short and the medium term. But, I think, as a leader in the security organization, your tolerance of that sets the tone for your team, and it doesn’t actually matter to me that that person only has a, you know, is only making a bad time for a few people on the team, it’s the mere fact that I’m tolerating that that actually sets the culture and tone for the rest of the team. So, as a leader, I’m basically telegraphing that it’s okay for everybody else on my team to exhibit those behaviors, or, that I will only selectively enforce what I want in terms of values and cultures within the team. So, I would say that the one on my own team is the one that’s more important to address because if they can’t demonstrate the values that I expect of a team, they can’t be on the team.

David Spark

Mike Hanley wins, hate to break it to you Mike Johnson.

Mike Johnson

It’s a good answer, I don’t disagree, they both suck and the flip-side is, that means we can both be right.

David Spark

There you go.

Is this where I should put my marketing dollars?

00:23:31:02

David Spark

I talk to a lot of vendors about sponsorship for the shows on CISO Series, and unless they’re a very big, well known brand, the story I hear consistently, I think it’s every one of them, is, we’re new to the market, or we’ve been in the market a while, and we have a really great product, but nobody knows we exist. We just want to be considered. So, I’ll start with you, Mike Johnson, what do you believe most security vendors are not doing now that would greatly improve their visibility and attract interest from security professionals?

Mike Johnson

So, I think they should dump all their money into SEO, because I just Google everything. If you need a solution, I just go to Google and ask for it.

David Spark

Okay, first of all, Mike Johnson, this was a gimme to you, the correct answer was not dump all your money into CISO series.

Mike Johnson

Oh, you’re right, I missed that.

David Spark

Yes.

Mike Johnson

So, shall we do another recording of this? So the real answer, I don’t think that companies leverage their existing customers enough, your existing customers are your biggest opportunity to get your name out there. If you’re doing amazing things, if you’re making your customers successful, you’re making them delighted with your product, they’re going to spread that good word to their friends. That word of mouth just means so much. If I’ve got a problem that I’m trying to solve I’m asking Mike Hanley, we’re having these discussions, and he’s saying, “You know what? I use this particular product, it solved all of my problems,” that’s my first phone call, that’s the first person I’m talking to. On the flip side, if he says, “I use this vendor, it sucked and I switched to someone else,” we’re then talking about who he switched to, and I’m striking off the one that he switched away from. So that’s like the main thing, make your customers successful and turn them into your own advocates and your own champions, and that’s the best place to put it. I recognize that’s not where you put marketing dollars, but maybe shift some of your marketing budget.

David Spark

Supporting customers and customer growth, I mean, that’s part of– a financial investment can be made there. Mike Hanley?

Mike Hanley

First off, I totally agree with Mike, and I’ll take it a step further and say I see a lot right now, in particular, and this is a trend that I think is just going along with the current funding climate, which is, the vast majority of security companies are actually leading a discussion about their offerings and their business by talking about how much money they just raised, at what valuation. I don’t actually care about that at all, and, in fact, the main thing I care about is what Mike said, which is, what problems do I have that I need to solve for my team at GitHub or for GitHub’s customers and developers that rely on the platform? And I want to know how you solve that. So, leading a marketing email or a press release or a webinar about your latest funding round might be interesting to some people, but it’s not interesting to me as a practitioner. And, most of the time it’s going to be what Mike said, it’s going to be, “I’m going to talk to Mike Johnson and ask him who are you using in this space? What do you like about them? And, really, how are they treating you?” Okay, so this is a lot of the discussion on how do you set up a good partnership and a good successful relationship on that front. Now, where can your marketing dollars go to support that? Find the communities and small forums where these intimate conversations between practitioners are happening and invest in facilitating those conversations between CISOs. I think, actually, we were joking about this a minute ago but I would say there’s a lot of truth to, these are the types of podcasts that I listen to, to hear from people whose opinions I care about, about what is and is not working for them, so, these types of things can go a long way, I don’t need another pair of AirPods, I have two, I’m not going to open the marketing email on that, I’m not going to attend a webinar just to get a $200 pair of AirPods. 
I will go to a small forum where I can chat with Mike over dinner and hear from, you know, potentially interesting vendors with VCs that I trust, for example. Those are the types of things that, you know, in a smaller setting, where you can really develop that relationship, I’m much more interested in that.

Okay, what’s the risk?

00:27:43:01

David Spark

Jack Rhysider, of Darknet Diaries, a very popular and great podcast, he asked this question on Twitter, “Have you had to make any security exceptions just because an executive needed something?” Many people said yes, if they signed off on the risk, meaning the executive, but, others talked about the need to do something, because there was a level of executive urgency. But, as we’ve seen, that’s often a ploy used to compromise an account. Mike Johnson, I know you’ve said it before, that you’re willing to drop something if the executive understood and was willing to accept the risk, have you, though, actually done that? And then can you give us a scenario where that happened?

Mike Johnson

So, my job is to educate and provide recommendations about risk, that’s what I do. If my CEO wants to accept a risk after I’ve adequately explained it, and I am certain that they understand it, I’m okay with that. It’s not my job to accept the risk, it’s my job to make sure they understand the right decision and have the right information to make their decisions. At the same time, the point about compromising accounts, I’m not going to take an action because they sent me a text and they’re urgent about it, I mean, that really is a flag that something’s going on and I will double check it. And I know my CEO is not going to do that, so I’m not worried about that. But, in terms of a scenario, it could be, “Hey, we need to ship a product, we’ve made commitments to our top customers and they’re going to leave if we don’t ship it,” and in a late stage test of the product we found a security vulnerability, it has a medium impact, and we have a plan to address it, yeah, that’s an example where we’ve evaluated the risk, we’ve had the discussions, and if we move forward with it that’s fine, it’s the right thing for the business in that particular scenario.

David Spark

Alright, Mike Hanley, have you ever made an exception because an executive needed something?

Mike Hanley

Yes, I mean, I think Mike’s scenario was a great one of just kind of working with the executive to educate them on, you know, like what are you really asking for here? Because in a lot of cases the CEO is trying to make a quick decision, or if it’s one of your peer leaders, is trying to make a quick decision on something, they may not, or probably don’t, understand the full impact of what they’re asking for, and your job as the security leader is to help educate them on that. Now, your job as a security leader is also to help run the business, and I think this is kind of what Mike was getting back to, which is with the fullness of knowledge and time, you can manage any of these risks, and you want to be a good partner to your teammates, so, so long as they understand the risk, in the case of the CEO, and they say okay great, I accept that, we’re going to go ahead and do it, I think that’s actually a good outcome. If you’ve had a constructive dialogue about it and they understand what they’re accepting, and it’s not in any way orthogonal or incompatible with the company’s values. But, if you do run into a situation that hits the latter, I do think it’s important to make sure that you follow back up with the leader and say, hey, maybe it’s a fundamental security control, they say I don’t actually want to use 2FA for my accounts, so that’s a good opportunity to circle back and say, hey, are we on the same page about what are really important, effective controls and what kind of philosophy and team we want to run here? I haven’t personally had to have that conversation, I’m grateful for that, but I would say for folks out there who might be having some of those where you’re not aligned on the risk management discussion, it’s good to just go back and reset expectations and make sure you understand what the organization, or in particular your leader, values from the security program to make sure that your work is aligned with that.

Closing

David Spark

On the money, love these answers, and this is a great place to stop our conversation. Thank you very much, Mike Hanley, and thank you very much, Mike Johnson. We have come to the end of our show, I want to thank both of you, and, Mike Hanley, I’ll let you have the last word. And what I usually say at the end of the show, hey, I’m going to ask you if you’re hiring, but you said earlier that you’re hiring, so I know that you’re hiring, so I want you to let us know where people can go to get more information about the jobs available at GitHub. But first, I want to thank our sponsor, BitSight.com, BitSight, they are third party risk management leaders, please go check them out at their site. Alright, Mike Johnson, any final thoughts you may have?

Mike Johnson

Mike, thank you for joining us, I’m so glad we were able to get you on this show, I remember the first time we met, years ago, at a coffee shop, and it was a great conversation there, and we’ve had so many great conversations over the years. So, thank you for coming on and sharing with our audience your thoughts, your perspectives. What I really wanted to call out was two different pieces of advice that you gave for two different audiences, frankly. The first one being educating your team on program and product management, a great way for security folks to understand the business and to get more involved, so, that was a great tip to open the show. And then, also, your point on marketing dollars, investing in small communities, small forums, where the practitioners are and where you can have those intimate conversations, as a good guide towards the vendors out there and how they can improve their reach. So, thank you specifically for those two pieces of advice, and generally for coming on and sharing with us what you think, thank you, Mike.

Mike Hanley

Yeah, thanks Mike and thanks David, you know, I just want to thank you both for having me on the show today, great conversation. I’m glad, you know, with this week, as we said at the time of the recording, it’s been a busy week for everybody, so I’m glad we were able to get together this week and close out the week with a great conversation. I will say, David, like you mentioned, we have literally dozens of roles open here at GitHub on the security team, the team is already two and a half times larger than it was when I got here 11 months ago, and we’re, we’re growing strong. So, you can check out github.com/careers if you’re interested in checking us out. And just a parting word of wisdom for your listeners out there is, just remember your security team is there to help other people get stuff done safely and securely, and think about how to not be the department of no, but be the department of “yes, and” in 2022.

David Spark

Ah, so be an improv team if you will.

Mike Hanley

That’s right.

David Spark

Let me ask one final thing, and both Mikes can answer this one, you mentioned the github.com/careers, is there something that piques your interest, or piques the recruiting team’s interest, as to getting through that very first layer, if you will, like something about identifying something in the job listing, or what would be that thing, Mike Hanley?

Mike Hanley

Yes, for us, obviously the vast majority of open source lives on GitHub, so, something that demonstrates an interest or a passion for the mission around open source and securing open source communities, is a big one for me. But I’m very much a mission oriented person, that’s why I took this job, I’m passionate about helping other people and having a bigger impact on the broader software ecosystem, so, something that comes through in that, in your application to us, is much more likely to make it through to our hiring managers than a resume without that.

David Spark

And Mike Johnson, what’s to get through your first layer?

Mike Johnson

I would actually agree with that same thing.

David Spark

About open source specifically?

Mike Johnson

Open source, but also broader mission, right, the way that we look at the world is we handle a lot of traffic for so much of the world, and we take that very seriously. That means that we’re looking for people who will also take that seriously, so that they can show that they’re willing to help elevate the global security of the Internet, that’s the kind of person that we’re looking for. So if you can show how you’ve done that, and, a great example of that is your GitHub links, you know, where you can show that you’ve been contributing. So, it very much is right in line with what Mike was saying.

David Spark

Awesome. Thank you Mikes, plural, greatly appreciated. Thank you to our sponsor, BitSight, and thank you to our audience, as always, for your great contributions. I should mention that I need a lot more What’s Worse scenarios, so give me some really good, creative and tough ones. Please send them in, you can just send them to me at david@cisoseries.com, or ping me on LinkedIn, either place works as well. Greatly appreciate all your contributions and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”