
To be successful working in cybersecurity, you need an inquisitive mind with an eye for problem solving. Yet so many organizations are turning a blind eye to talent who lack technical degrees. How do we move past criteria like these to find the talent we need for our security programs?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Jimmy Benoit, vp, cybersecurity, PBS.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Bitdefender

Full Transcript
Intro
0:00.000
[Voiceover] Best advice for a CISO. Go!
[Jimmy Benoit] Don’t attribute to malice that which can otherwise be attributed to ignorance, meaning your colleagues aren’t out to get you. And if you have disagreements on trying to get something done, it might be because they don’t understand why it needs to get done, and the best thing you can do is help educate them, work with them, and work together to get what needs to get done, done.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as the now partner of YL Ventures, which we’ve mentioned before, he was before an operating partner. I don’t understand how operating partner is worse than partner, but it supposedly is.
So, he was “sub” a partner. I think I should have called you sub-partner and now you’re partner. Anyways, it’s Andy Ellis. Andy, say hello to the audience.
[Andy Ellis] [Foreign Language 00:01:02].
[David Spark] What was that and in what language?
[Andy Ellis] That was in Finnish. That was good morning, or depending on when you are in the world, good afternoon, good evening, or good night.
[David Spark] Oh, my God. Okay. So, the whole point of this, we’re going to get to that in a second, by the way, I do though, first I want to mention our sponsor. There’s a reason Andy did that specifically in Finnish. Our sponsor though for today’s episode is Bitdefender. They’re a brand-new sponsor with the CISO Series, thrilled that they’re on board.
As you know, they’re a global leader in cybersecurity. We’re going to be talking about them later in the show. But now, why did Andy read that entire thing in Finnish? Because he knows that I was going to bring up the following comment from Jukka Pasanen, who is Finnish himself.
[Andy Ellis] Yep. This one is just for you, Jukka.
[David Spark] Just for him. So, A, you can tell us if Andy pronounced that well, be interested to know. Andy normally says the thing that he just said in English which we all understood, just sort of welcoming everybody in the world who listens to us no matter what time it is, wherever it is they are listening.
And Jukka, because you asked the audience because I challenged you on this, “Like, I think we’ve heard enough of it.” Jukka said, “Since he and David Spark asked for feedback about the opening words, I can say that I have heard it plenty of times now to be able to say, ‘It is enough. Stop doing it.’” [Laughter]
[Andy Ellis] Well, now I might have some new words to go with. Maybe you’ll get different languages as we go forward.
[David Spark] Oh, God. Let me repeat what he said. “It is enough. Stop doing it.” He did say, “It is enough, stop doing it.” He didn’t say, “It is enough, let me hear it in Finnish.”
[Andy Ellis] He didn’t give me advice on what to do. This is very helpful when you’re trying to give somebody advice. If you just say, “Stop doing X,” you might get something that you’d like less than X because now they’re hunting for the next rock. “Start doing Y,” is sometimes a better piece of advice.
[David Spark] I believe you’re taunting our listeners is what I think you’re doing.
[Andy Ellis] Actually, I’m taunting David. And just to be clear, before David said this was going to be the cold open, I had prepared this, so I was good to go.
[David Spark] Oh, of course. Of course.
[Andy Ellis] Although David did comment on the LinkedIn post, so I knew it was coming.
[David Spark] Yes, yes. Well, it was pretty clear that it was coming.
[Andy Ellis] Yep.
[David Spark] All right. Enough of that banter. Let’s get to our guest, which I’m thrilled to have on board. My cousin is actually the executive producer of the PBS NewsHour. So, if you are a viewer of the PBS NewsHour, you probably see her wonderful work. Her name is Sarah Just. And now we have the person who runs cybersecurity over at PBS to join us, specifically the VP of cybersecurity, none other than Jimmy Benoit.
Jimmy, thank you so much for joining us.
[Jimmy Benoit] It’s great to be here. Thank you for having me.
Pay attention. It’s security awareness training time.
4:10.114
[David Spark] Why does our interest in cybersecurity awareness training start and end with someone’s employment? Even with employees fresh out of college, you’re trying to train against decades of ingrained behavior. Cybersecurity isn’t going anywhere for future generations, so why not shift this training to earlier in our lives?
Shift left, anybody? Now, this was the argument made by Alex Martin on LinkedIn. He shared a recent activity kit aimed at school kids, providing activities to teach basic security awareness ranging from Spot the Phish exercises to coloring book activities, even up to activities on Roblox. Now, I will start with you, Andy.
Can this rising tide of early security awareness actually make a difference? And how do we convince organizations to invest outside of their own workforce? That being the key question.
[Andy Ellis] So, I think the answer is yes, it can help, but it has to actually be targeted to how people think. Most security awareness training that we do in the corporate environment, it’s pretty awful anyway. We try to tell people, “Don’t click expletive.” Excuse me, if your employees never clicked on links, they would never get paid.
So, you’re going right up against the incentive that we, the employer, give them, which is click the links that HR sends you. So, when an adversary sends you a link that looks like it comes from HR, everything that security professional told you goes right out the window. So, if you want to go early, you have to actually think about what is appropriate and relevant and how do you get people really into the mindset where they say, “This could be bad, or it could be good.” Because that’s often what you’re struggling with is this moment when an adversary looks like they might be doing something legitimate.
And I like to talk to parents actually about this, which is you talk about stranger danger with your kids all the time. Like don’t engage with strangers, don’t engage with strangers. You need to actually teach your kids how to engage with strangers. If your child gets separated from you in a public place, have you taught them who to go talk to?
Like almost everybody knows that when they realize this, like, “Oh, I should teach my kid to walk up to another parent and ask for help or walk up to a police officer.” Don’t wait for someone to walk up to you. That’s when that person is usually more likely to be a problem because an adversary is going to walk up to you, and most people are afraid to walk up to somebody else’s kid because they’ll get in trouble for it.
So, teach your kid things that are age-appropriate and relevant. Don’t try to teach them about the safety of vishing or something else when they’re still seven or eight, but teach them to be aware, to be able to engage with the world that has both adversaries and reasonable people and juggle the equities of both of them at the same time.
[David Spark] And I got to assume, I mean, we’ve done it with our own kids, is we do educate them on certain levels of cybersecurity, security awareness, like you would teach your kids about just physical security awareness of not talking to strangers and things like that. Yes, Andy?
[Andy Ellis] Oh, absolutely. My kids were on social media basically from the day they were born. They both had Twitter accounts and yet their faces were never in a picture. We always took pictures from the back so family and friends could see what their activities were. But our kids knew if the phone came out, turn away from the phone.
That’s an example of an awareness activity of these pictures are forever. When our kids would throw tantrums, and I know I’ll have people who will yell at me and say I’m a bad parent here, but our kids knew about all the videos on YouTube of parents showing how awful their kids were. When our kids threw a tantrum that we knew was just a tantrum, we pulled out the phone and we said, “Let’s capture this for YouTube.” Just to be very clear, we never pressed Record, and we never had an intent of publishing those, but our kids were like instantly dry up and they’d be fine.
What lesson were we teaching them?
[David Spark] That’s like a Pavlov’s dog response.
[Andy Ellis] Yeah. Besides don’t throw a tantrum when you don’t mean it, we actually wanted to teach them you can trust no one with a phone. Anybody who pulls out a camera and is going to start recording, does not matter who they are, whether they’re the person that you most love, most trust in the world, the moment they record you, you’re in trouble.
And so that was a lesson we taught them. I think it might’ve worked out well, but you’ll have to ask my kids.
[David Spark] We’ll have to get them on the show. All right, Jimmy, I’m throwing this to you. Two questions. One is how early can we do training, and B, the more important one, is this possible that we can incentivize corporations to deal with this?
[Jimmy Benoit] Yes and yes. First thing I want to start with is I just got to plug PBS Learning Media. So, I like what Alex Martin had mentioned on LinkedIn about shifting left and getting kids younger. PBS Learning Media exists to enable teachers to inspire their students with thousands of free teaching resources, including videos, lesson plans, and games aligned to state and national standards.
And there’s plenty of cybersecurity content on PBS Learning Media that’ll help kids understand these things, especially what Andy was mentioning a moment ago, stranger danger and the like, and it’s completely free resources. I wanted to piggyback on something Andy was talking about with regards to the workforce.
I think at some organizations, they beat people over the head, and they don’t align the cybersecurity training in the most effective manner to be as effective as possible.
Here at PBS and other organizations that I’ve been a leader at, we do a cyber fair. So, we do a half-day event where we have games, we have snacks, we have educational elements and swag. And we invite people to join us, and we really spend that time with them playing games, having conversations, having fun, and learning together.
We learn what the business is interested in. They learn what’s important about cybersecurity. And we say, “Look, you come to the cyber fair, you have some games, you have some snacks, this is going to fulfill your annual training requirement.” I’m happy to send you the computer-based training. We still have that.
We still do that. It’s a must sometimes, but you got to meet them where they are. You got to find a way to engage them. The gamification that you do is just critically important. You got to retain their attention long enough. And I’ve just seen that be highly successful at my current organization and other organizations I’ve been at.
It’s just more effective from time to time. A little bit more effort, but effective.
[David Spark] And effective, you mean that just more people attended or you’re actually seeing more sort of culture of improved security awareness?
[Jimmy Benoit] Yeah, I would say improved culture and behavior. Consistently for weeks following our cyber fair, I have people who I did not previously know or did not previously know well emailing me and saying, “Hey, this person said this thing about this stuff. Could you elaborate on that?” And I can tell you when I’ve sent out computer-based training, I never get that.
Nobody reaches out and says, “Hey, on the 500th slide of this computer-based training, they said this thing. Could you tell me more about how I got this answer wrong?” That never happens. So, the engagement increases significantly, and we can really see the culture and behavior of the organization changing as well.
[David Spark] This reminds me, I did a live show a number of years back and I asked the audience, by applause, how many people have done security awareness training? And just sort of the overall groan in the entire audience.
[Laughter]
[Andy Ellis] I will give a slight counterpoint, Jimmy, because I have had people do that, but we did it very differently when I was at Akamai. We literally sent people a webpage that was like, “Just click here. Here’s three paragraphs about why security matters. Here is links to more training material if you really want it.
But I just need you to acknowledge that you know where that material is and that you’ve been briefed. Boom, that’s it. You want to spend 30 seconds? You can spend 30 seconds. I’m not going to fight with you.” And I would say every year, we would have somewhere between 5 and 10 almost always developers would send us pages of feedback on all of the material that we had linked to, including one I’m like, “You should be a copy editor because you’re literally arguing about punctuation in like a 90-page policy document.
But okay. Clearly you read it.”
What works? What’s not working?
12:09.390
[David Spark] “Everything is spoon fed to you, preventing your brain from having to work and figure things out through questioning, researching, and experimenting.” That was Daniel Gilbert’s critique of gamification of cybersecurity, especially that it dulls the curious instincts that makes for great practitioners.
So, challenging what we said in the last segment. So, it’s not though all doom and gloom. He still finds it a great way to introduce concepts in cybersecurity, but doesn’t care for it when used extensively, “To chase clout through mini accomplishments that leave you feeling hollow.” So, do gamify to a certain extent through a fair, which doesn’t sound exactly the same as what Daniel’s talking about here.
I’m going to ask you, Jimmy, does gamification do more harm than good when pushed too far in the cybersecurity education? What do you think?
[Jimmy Benoit] Yes and no. I am a chronic goal setter, so I’ve done my strengths finder, personality assessments, all of that thing, and goal setting and achievement is one of my fortes. And I think there are a lot of people out there who do like to have, “What are the steps and how can I achieve these steps?” I think it’s good to have a roadmap.
I think it’s really good to have a plan. It’s good to have smart goals. It’s good to know what are those things that you have to check off to get to your final destination. On the other side of the house, and perhaps what he’s talking about, I see some LinkedIn posts where somebody says, “Hey, I just did my 48th certification.
On to the 49th.” And in those instances, I think to myself, “I don’t know how much value this is bringing.” I think there are highly diminishing returns when you do your A+, Net+, Sec+, CySA+, Etc.+, and then you go on to Cisco, and then you go on to ISE, and you go on to all these different organizations.
At that point, I think it’s a little bit excessive, but I do think it’s critically important, especially for people who just aren’t in this world to have that North Star and to know what is the first target I should have? What is the first goal I should set to begin my journey towards cybersecurity?
[David Spark] All right. Andy, I throw this to you.
[Andy Ellis] I think Jimmy nailed it when he said the North Star, right? That there should be a goal. And it doesn’t have to be like a concrete I will get to X, but there needs to be a vision of development that goes into the gamification so that when somebody walks in, they’re like, “Oh, I can do step A or step B first,” but either one of those steps is valuable intrinsically.
The gamification is just to help them get there. The challenge that I often see is people just add gamification to ensure someone does an activity, but there’s no like, did this activity help? Oh, I spotted a phish. Okay. It’s a stupid phish. Like, great. I’m glad you’re practicing spotting phishes, but did you have them respond in an appropriate way?
Did they learn something? Like, what’s going on here? That’s I think where the challenge comes in is like how do you actually make sure that they’re developing the right skills rather than anything else? It’d be like if you want to take up a sport, we’ve all seen the athletes, if you watch college football.
They have all these stickers on the back of their helmet, right? This is a complete gamification of do excellent things, whether it’s practice, academics, whatever, you’re getting a sticker. But every one of those stickers says something about this person’s development as a football player. And we need to think the same way.
The sticker should be your development as a cybersecurity professional, or as somebody who is aware of cybersecurity, and not just a sticker because you did the activity that the security team wants to make sure gets done. Because we have a compliance requirement that this activity happens to everybody, but we don’t actually tie that to a business outcome.
Sponsor – Bitdefender
15:51.142
[David Spark] Before we go on any further, I do want to tell you about our brand-new sponsor, and that is Bitdefender. And those of you listening, I am sure you know Bitdefender but let me give you a little bit of history on that. What sets Bitdefender apart? Well, it starts with their solutions, which are natively built from the ground up and run on a single platform.
They offer comprehensive security that covers endpoints, networks, and cloud environments with capabilities for prevention, protection, detection, and response, kind of like everything you want. Now, for those of you who prefer a more hands-off approach, they also offer managed services.
Now, second, I want to point out Bitdefender’s strength lies in its research. I am sure you’ve all seen Bitdefender’s research with hundreds of experts from their labs, teams, and strong ties to academia. They continually discover new malware, vulnerabilities, and cybercriminal techniques, helping businesses stay ahead in an evolving threat landscape.
Their extensive technology licensing program provides access to vast amounts of telemetry data, enabling fast threat detection licensed by more than 180 of the world’s most recognized technology brands. And chances are you encounter their technology every day.
And finally, Bitdefender is deeply committed to fighting cybercrime and building trust. They collaborate closely with law enforcement on joint investigations to dismantle cybercriminal operations and release free ransomware decryptors to help victims recover their data. This commitment to security and trust underscores their dedication to protecting customers and society as a whole.
Pretty darn good. You should check out what Bitdefender is doing. Just go to their site, bitdefender.com.
It’s time to play “What’s Worse?”
17:39.204
[David Spark] Jimmy, you are familiar with how this game is played, yes?
[Jimmy Benoit] Yes.
[David Spark] All right. The way this works though, I make Andy answer first, and you agree or disagree with this. Now, Andy, this comes from Nir Rothenberg, who’s the CISO over at Rapyd, and he’s got a very specific comment to you.
[Andy Ellis] Oh, come on, Nir.
[David Spark] More of a chastising to you, and he says, “Please stop Andy from cheating and twisting these scenarios. In both cases,” so that’s what his first comment is. That is targeted at you.
[Andy Ellis] Okay, Nir, you should write more ironclad scenarios. That’s all I got to say.
[David Spark] Well, this is what he writes. So, I’m setting this up. In both of the cases here, the net amount of work done by the team is equal and very low. There is nothing you can do that will ever change that. Just setting you up.
[Andy Ellis] Okay. So, I have a team that does not have high output, does not do very much work, and I’m kind of stuck with that. Great. I love that we’re agreed on that one.
[David Spark] They’re agreed on that. Okay, more. Here we go. You’re a CISO, and your measurement for the effectiveness of your security engineering teams are high priority tickets closed. So, the more of those closed, that’s the effectiveness of your team.
[Andy Ellis] Okay.
[David Spark] In both scenarios which I’m about to give you, the number of high priority tickets closed is the same, so which one is worse of the two? One, your teams are led by team leaders who try to close as many high priority tickets as possible. Sadly because they aren’t technical, they have a hard time pushing critical tasks forward.
[Andy Ellis] Okay.
[David Spark] Number two, your teams are led by excellent technical leaders that can theoretically push tasks forward, but they spend most of their time doing POCs of flashy cool new startups and hardly move the needle for your security program. Which one is worse?
[Andy Ellis] Okay. So, Nir, I will say you’ve left me an out, which is you did not specify whether the effective tickets in either case were different. Like I’m going to assume that since you’re trying to lock it down, the exact same tickets get solved in either case.
[David Spark] Yeah. It’s the same tickets. We’re going to assume that.
[Andy Ellis] Rather than it being like high priority but better tickets in one than the other. I’m just I want to point out that Nir doesn’t like that I cheat, but it’s really important that Jimmy and I are on the same page about what the constraints are. So, the exact same work is getting done in either case.
[David Spark] Pretty much. Yes.
[Andy Ellis] Okay. And I cannot change the work. So, my choices are, I have a team full of people who are not actually competent to do the work but are muddling through and getting some work done.
[David Spark] They’re trying to close those tickets.
[Andy Ellis] They’re still trying, but they’re closing the same amount of tickets as my highly technical team, which is in the second case, right? So, I’m getting the same work done. So, this is just about work environment. So, in one case, I have a team that’s spending all their time beating their head against a wall.
[David Spark] But they don’t, wait, I’m not saying that they… Hold on.
[Andy Ellis] He said the same tickets get closed, same amount of tickets. We were specifying it’s the same tickets.
[David Spark] They say the net amount of work done. It’s not saying specifically number of tickets closed is the same.
[Andy Ellis] I believe you said that at the start of the measure of tickets.
[David Spark] Yes. The number of high priority tickets that’s closed, the same. I take that back. You’re correct.
[Andy Ellis] So, they get the same number and we’re going to specify it’s actually the exact same tickets so that we can’t argue about that one. Right? So, I’m getting the exact same work done. So, really this is just a question of which team do I prefer to have.
[David Spark] Essentially the technical or the non-technical team.
[Andy Ellis] Who are not technical and are frustrating themselves because they struggle to get done this amount of work, or the team that isn’t quite as engaged in getting that work done because they’re off playing around and doing POCs with startups. I would way rather have that second team because they’re having more fun.
[David Spark] But the first team is actually focused on your work, unlike the second team.
[Andy Ellis] Sure. But they’re wasting energy. If they’re only spending 6 hours a week producing good outcomes, and 34 hours being frustrated at how hard it is, versus the other team spending 6 hours a week on good outcomes and 34 hours expanding themselves and playing with new startups, I’m going to take that second team.
So, the first one is worse.
[David Spark] Understandable you would say that coming from a VC. All right. And a new partner VC.
[Laughter]
[Andy Ellis] Fair point but I think it’s reasonable that if I’m getting the same amount of work, I’d rather have the team that’s having more fun and developing themselves.
[David Spark] All right. Jimmy, are you agreeing or disagreeing with him?
[Jimmy Benoit] I disagree.
[David Spark] Oh.
[Andy Ellis] Yeah. So, when you were like, “It’s obvious,” Andy.
[Andy Ellis] But your team isn’t getting better. The non-technical team is not becoming technical by beating their head against the wall. That’s an important caveat here, Jimmy.
[Jimmy Benoit] Yeah. I think again, both situations are bad, right? I think both situations, they need more leadership, right? They need somebody to help both teams out.
[Andy Ellis] Yep.
[Jimmy Benoit] I think on the folks who are frustrated, right, I see that as an opportunity. I see that as they’re trying their dang best. They’re getting as much done as they possibly can. They’re frustrated, which that’s not fun to your point, Andy, but that shows a lot about character, right? They’re bringing the right attitude, energy, and effort to this thing.
They care, right? They really do care. And even though it’s pushing the boulder up the hill, they’re trying. So, I see that team as a team that could achieve just amazing things with the right type of leadership.
[Andy Ellis] Ah, but they can’t. That’s key to Nir starting this of they’re never going to produce more.
[David Spark] He’s saying right type of leadership but the thing is, in both cases, you two are the leaders. So, you’re saying both of you are not the right leaders.
[Andy Ellis] Actually, just to be clear, I agree with Jimmy, but Nir tied our hands. He said their work output will never get better.
[David Spark] It’s never going to get better.
[Andy Ellis] Does not matter what leadership you provide.
[Jimmy Benoit] Well, never, that makes it even worse then.
[Andy Ellis] Right.
[Jimmy Benoit] In that case, I think POC, not because it’s more fun, I think because they’re continuously learning at least.
[Andy Ellis] Right.
[Jimmy Benoit] So, I see a benefit there, right?
[David Spark] So, you’re now agreeing with Andy.
[Jimmy Benoit] Not for the same vein. Yeah. It’s still tough, but if they can never change, yeah, I would rather not have a team of folks who are just perpetually frustrated to no end, right, if there’s no possible way to change that, given the parameters of this question.
[Andy Ellis] Yeah. And if we took the constraint out, just to be clear, if we remove that constraint, I completely agree with where Jimmy was headed, which is I’d rather have the team that I can develop and is earnest and focused. But if they can’t actually get better, which is part of what makes this the worst scenario.
Basically, you’re in hell. Are you Sisyphus who’s actually protecting the city behind you from the rock or not? And that becomes a really big question.
[Jimmy Benoit] Yeah. So, at least the POC, they’re learning. They’re continuing to learn, which presumably would become an asset down the road because that is a constant state of change, you know.
[Andy Ellis] Right. And even if it doesn’t become an asset and they leave and I get somebody else who’s going to do it, I’ve helped them on their career journey. They’re going to remember their time with me pleasurably. Maybe they’ll send me more technical people to continue to not actually do very much work.
Should we lower the barrier to entry?
24:33.341
[David Spark] “One of the key challenges in addressing the cybersecurity skills gap has been the perception that these roles require extensive technical backgrounds or computer science degrees,” said Chris Konrad of World Wide Technology. Now, recent work by the White House Office of National Cyber Director is trying to dispel this perception with its Service for America program.
This includes moving from degree requirements to skills-based hiring for federal IT positions, expanding access to paid apprenticeships in the field, and coordinating with non-profits on training initiatives. “This approach recognizes the diverse skill set needed in cybersecurity, problem solving, critical thinking, and even roles in governance can be just as valuable,” said Akhil Mittal of Synopsys Software.
So, I’m going to start with you, Jimmy, on this because I know this is something you’re very passionate about. How important is the idea that these positions are attainable without technical degrees? And how do you show that other experience actually translates to work in cyber? That’s the one I’m really interested in knowing, how you actually show that, Jimmy.
[Jimmy Benoit] This is something I’m passionate about. I’ve had a lot of teams at a lot of different organizations, and I love when I get a resume and they’ve got an unorthodox background, right? Some of the best folks I’ve had, I had a philosophy major who was a rock star. Some of the best cybersecurity training I ever received was from an instructor who was an English major, right, and they became technical over time.
I have another individual who he went through a basic IT kind of training program, but he had no IT background, jumped right into a SOC, hit the ground running, just messaged me that he had a major achievement. So, I love people with an unorthodox background.
[David Spark] Here, before you go on any further, I’m very interested in that gap that you refer to as philosophy, English. A, somehow they express interest in cyber, I don’t know how that leap happened, and how they expressed it and how you recognized it and led them on the path. That’s what I’m really interested in.
[Jimmy Benoit] Okay, I can’t take credit for recognizing it in them. I think they recognized it in themselves and were already starting that journey. I think it kind of goes back to something we spoke about earlier with Daniel Gilbert’s post on LinkedIn, right? I think the philosophy major, if you’ve got a philosophy background, maybe you’re more in tune with the Socratic method, right, asking questions.
What happens if I do this, right? The cause-and-effect type thinking. If I turn this knob, what breaks? Why does it break? Well, why does that break if I break this, right? And that’s the kind of mentality that really helps tremendously in security operations, as an analyst, thinking through those things.
It’s not as important to know DNS is port 53 and the request receives a response and Wireshark can pull this. That stuff’s important, but it can come with training. Just having that way of thinking, the why does this happen? What happens if I do this? That’s just critically important. And again, I think non-traditional, non-technical backgrounds sometimes have that thought process a little bit more ingrained from their divergent backgrounds.
[David Spark] All right, Andy, how, A, often have you looked for people with very sort of different backgrounds and what success have you had with it? And how do people sort of even see – because this is a big thing – how does someone with a philosophy degree even see or recognize that cyber could be a career path?
[Andy Ellis] Yeah, so actually about four years ago, I did an AMA on this one, I got the same question. So, it’s on Reddit, if you want to go digging for it, where I listed the non-traditional backgrounds in my team at the time. Because I had people who were librarians, journalists, philosophy majors, structural engineers, people who’d worked in water safety, everywhere from across the board.
Now, I will note all of them had degrees. We’re a little off from the original question, so I want to come back to that one specifically in a moment. The most important thing if you do not have a traditional background is to figure out what your skills are and strip them out of all of the jargon and then see how you might apply it.
Like, what is the fundamental skill of a journalist? It is being able to walk into something that you knew absolutely nothing about, talk to an expert who only speaks jargon about this, and to learn enough that you can turn around and tell a layperson the interesting story about what this person is doing.
Now, that set of skills right there, oh my God, do we need that in cybersecurity?! Right? We have researchers discovering things who do not know how to communicate and tell that story in a way that’s consumable. We have architects talking about security flaws in ways that engineers don’t understand, let alone their managers.
Massive skill there. So, that’s a really important thing.
Let’s talk about the degree requirements. First of all, I think degree requirements in this country are pretty awful right now. There’s a handful of really amazing colleges. You walk out with a technical degree from MIT, Columbia. These are amazing schools that you’re going to be like, “Oh yeah, this person has a math diploma from there.
I’m totally copacetic. I know what they’ve got.” Most schools don’t really have that, right? And whether that cachet is earned or not, like, you have a college degree. Maybe you learned a couple of things, but really it was you got accepted to college is most of what that tells us. But unfortunately, the H-1B visa system in this country requires that if you’re going to hire somebody in on a visa into your company, that you require a degree, and that you couldn’t find other people to do that job in the US.
Which both of those requirements are BS, but those are sort of there. So, if you expect companies to start removing degree requirements, then you’re expecting them to no longer have H-1B visa holders working for them, and that’s a huge challenge. Like you can’t have shadow jobs without, that say, “Oh, these ones don’t require a degree and these ones do.” The government will at some point twig to what you’re doing there.
I think this is a huge problem that we need to address and fix. We should make it easier to get an H-1B visa, and we should make it easy for someone to sit in that job without a degree if they’re qualified to do it, right? And then we need to say, how do we teach people? If you’re going to bring in somebody at a low level without a college diploma, and then you want them to have a long-term career with you, then you have to give them the skills that you expected them to develop in college.
Maybe that’s in writing, critical thinking, etc., all of these other things, but if you want somebody to get out from your SOC all the way up into management, then you have to provide whatever you think a college education would provide to them.
How can we align different departments’ objectives?
31:18.034
[David Spark] Let’s face it, nobody actually knows their organization’s risk tolerance off the top of their head, right? So, CISOs might have an intuitive feel for the risk appetite of a specific board member or executive, but formalizing that into risk tolerance needs to be based on a particular objective and hypothesis, argued Rosalyn Page in CSO Online.
Now, a couple of years ago, I actually spoke with a CISO who asked the business how long could they be without the internet, and without thinking, and this is my assumption, they just said, “Oh, 48 hours. We could definitely keep operating for 48 hours.” I don’t know. You’re shaking your head. Well, they actually had an incident where they had an internet outage, and they realized that, no, we can’t survive an hour.
So, it’s clear more analysis and discussion needs to actually happen when you ask this question. So, I’m going to start with you, Andy. How does a CISO go about validating this risk tolerance? I mean, I know you could ask the question, but are you really going to get the correct answer? Because in the case of that other CISO, definitely did not get the correct answer.
[Andy Ellis] So, the challenge is that risk tolerance is not something you can measure, and unfortunately, so many people think it is. And so they’re saying, trying to say like, “Oh, we have a $5 million risk tolerance.” Like, what does that mean, right? What really matters is the stories. You have to walk through and say, “Well, here’s the story of what would happen.” So, I’ll use an example.
It was many, many years ago. We did a business continuity exercise, and I said, “Okay, let’s figure out how resilient our systems are.” And so we went around to every person who owned a system in the company. And we were very vague on what system meant, like everything from the edge content delivery network to a system to the desktop under somebody’s desk that actually held some secrets on it was also a system.
And we basically asked them a couple things. We said, like, if your system went down, how bad would it be? How bad do you think it would be? Who do you rely on? And if they became unavailable, how bad would it be instantly, and how long until their down meant you were down? And then we just said, “And how highly available are you?
Like are you many sites high availability or are you a single site?” And then we built this amazing flow chart that just put everything together and had a nice visual that showed at the center how durable you were, and the outside was how weak you were based on everybody you depended on.
And what was amazing was it actually turned out that a whole bunch of our developers had decided that the easiest way to do message passing on a deployed production network in like 2006, you have config files that need to be produced in one place, shipped somewhere else. They were checking them into our source code repository.
So, all of our machines had access to the source code repository, and they locked down to only one spot and one system would check in the file and everybody else would read it. And the people in the source code repository were like, “If the source code repository goes down, people can work off their laptops for days, it’ll be fine.” And the answer was, “No, no, no.
Our production system like immediately is stale, no longer can monitor the internet, and things will break pretty quickly.” That’s the story that’s interesting. Not hypothetical. I had a team who said, “I need the internet accessible to that device at this frequency,” and that device holder saying, “I didn’t realize that.” That’s how you explore risk tolerance is you have a very real, very actionable scenario, especially when you can point two development teams at each other and let developer-on-developer crime happen.
This is not the security team telling you, “You have a problem.” This is a pair of developers pointing out that they have a problem.
[David Spark] All right, Jimmy, I’m going to ask you the same question. Do you create the same scenarios? Have you done something different? How have you been able to get these stories, like how long could you be without the internet? Things like that. Which I’m thinking of PBS, not too long at all.
[Jimmy Benoit] Yeah. Separating this from technology because it’s not a technology discussion, I think every CISO needs to ensure that there’s a business continuity or business resiliency program in place, right? Business impact analysis, figure out what are the core business functions, right? Pay employees, pay vendors, distribute widgets, acquire and process raw materials, whatever those core business functions are.
What are the essential supporting activities of those functions? What are the systems that those activities rely on? And what are the interdependencies between those systems? When you do that, you can start to explore the recovery time objectives. Then you really know this business unit, which owns this function for the business, is telling me that they need this activity to be back up and running within X amount of time, which means these systems which support that activity need to be up within that period of time.
I am confident there’s not one single person at any organization who understands the complex weave of interdependencies of all of their technology solutions with their business functions. So, it really requires a program of work. Again, that business resiliency or business continuity program and some really sharp folks going back to the last thing we spoke about – they’re not technical people with technical backgrounds.
But you bring in somebody who knows how to interview people, how to speak with people, and how to get those things out of them, you can document that really well and start to understand where your crown jewels are, if you will, and understand what are the real recovery time objectives. Maybe Box does need to be up within an hour because it supports the most critical business function for your organization, and nobody can live without it.
Well, if you ask the wrong person, they might say, “Box? Forty-eight hours, don’t worry about it.” But when you ask the right person, you start to understand what the business can and cannot tolerate.
[David Spark] So, what I’m hearing from both of you is you have to tell real stories, and second, don’t rely on an answer from one person.
[Andy Ellis] Yes.
[David Spark] Because everyone’s view is very jaded to whatever they want specifically.
[Andy Ellis] And in fact, generally, don’t rely on the point of view of the person responsible for the system you’re asking about. Talk to their customers.
[Jimmy Benoit] The customers. 100%.
Closing
37:34.800
[David Spark] Well, that brings us to the very tail end of the show, and I want to thank you, Jimmy and Andy, for joining me. This was a great, great episode. I also want to thank our sponsor. That would be Bitdefender. Remember, Bitdefender, they pretty much do a suite of awesome stuff in cybersecurity and their analysis, their research has been seen world renowned for many, many years.
So, please go check out Bitdefender at bitdefender.com. Any last words from you, Jimmy, on today’s episode? And anything sort of specifically want to push people to see or participate over at PBS?
[Jimmy Benoit] Yeah, guys, this was a blast. Thank you for having me. It was a lot of fun. I do just want to say before I go, I’d be remiss if I did not tell everybody to support your local PBS station. Please support your local PBS station. It’s tremendously valuable for your community.
[David Spark] By the way, do they say that to every employee? Like, “Anytime you are in front of a microphone, you have to make a pledge pitch.”
[Jimmy Benoit] No, no, they do not. But I feel like it is my responsibility as the CISO here that I have to say it. It goes a long way.
[David Spark] Awesome. Well, thank you very much. Support your local PBS station. Andy, what’s the PBS station in Boston? I forget.
[Andy Ellis] WGBH.
[David Spark] WGBH. I’m sorry. Yes, WGBH is the PBS station out there. All right. Well, thank you very much, Jimmy. Thank you very much, Andy. Thank you very much, audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.