Onboarding Security Professionals

Onboarding security pros

Onboarding new cyber talent sets the tone for their tenure with your organization. So what should CISOs do to make sure onboarding is effective for both sides?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Paul Connelly, former CISO, HCA Healthcare.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, OffSec

OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs ranging from red team and blue team training to more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec’s learning library and cyber range.

Full Transcript

Intro

0:00.000

[David Spark] Onboarding new cyber talent sets the tone for their tenure with your organization. What are the mistakes you should avoid, and what are the best ways to excel when bringing on brand new talent?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And, hey, it’s a voice you’ve heard in the past. It’s coming back again. Do you recognize this voice?

[Geoff Belknap] My voice is my passport. Please verify me.

[David Spark] That would be Geoff Belknap. That was his voice. He’s the CISO of LinkedIn. We do not recommend you use his voice to log into anything whatsoever.

[Geoff Belknap] But if you do, you owe me residuals.

[David Spark] Yes, that is true. He would like that. Our sponsor for today’s episode is OffSec – elevating cyber workforce and professional development. Uplevel your staff. Take them from where they are, make them the team you want them to be rather than trying to go out and find it. Make them that good today.

Start with the right training. More on how OffSec helps you do that a little bit later in the show. Also, note that we are available at ciso-dev.davidspark.dcgws.com where you can find not just this show but all of our wonderful programming at the CISO Series. But let’s get to our topic at hand. Geoff, as budgets get tighter, it’s not prudent to waste the effort on bringing on new security talent willy nilly.

You have to be very cognizant about how you deal with it. So, a lot of that comes down to the successful onboarding process. Jerich Beason, who’s the CISO of WM, outlined some steps in a recent LinkedIn post, including having new employees meet with the CISO one on one, outline career paths in the organization, and give an overview of the security team’s mission and values.

Now, what have you seen, whether you were onboarded yourself or you’ve onboarded others, that’s led to successful onboarding, and can you own up to any mistakes? This one I would like to know. And, again, we’re going to talk about this in greater detail, but let’s just set the stage. Have you made any mistakes, or have you always been perfect, Geoff?

[Geoff Belknap] I, as always, refer you to my lawyer on any question about whether I’m perfect or not. That lawyer would be my wife, and she would have stories to tell you.

[David Spark] Yeah, so the answer is no, you have not been perfect. But your wife helps you with the onboarding process at work?

[Laughter]

[Geoff Belknap] No, but she’s regularly there with feedback about how I deliver in other ways. Let’s get this show back on track. Onboarding is one of these things that especially in a space where there’s so much pent up demand for solid talent, you have to make sure that that talent lands and can be as successful as possible as soon as they hit the ground running.

And while we know they cannot be instantly valuable to your program on day one, there’s a lot you can do to make sure that they ramp up and they can deliver as much value as possible as early as possible, and let’s talk about how we can do that.

[David Spark] And let me stress this… But you bring up an interesting thing, and we’re going to talk about it on the show is the people who got hired by you are eager to prove themselves as fast as possible. So, while you may have difficulty trying to get them ramped up, they want to be ramped up as fast as possible.

There is definitely an eagerness there as well. Well, to help us with this discussion is somebody who has onboarded plenty of talent himself. He is the former CISO over at HCA Healthcare. It is none other than Paul Connelly. Paul, thank you so much for joining us today.

[Paul Connelly] Great to be back. Thank you, David. Great topic, too.

This is not just a security issue.

3:47.419

[David Spark] Christine Ko of Dell Technology said, “We always go over the team strategy and ongoing initiatives to give the person an idea of what they’ll be engaged in and to show how it ties to the overall security initiatives. We also encourage social one on ones after a general meet the team meeting since we’re all remote.

Establishing a sense of community will be important as we work from home so people don’t feel isolated.” And Dan J. Kreuger over at Grainger said, “Make sure you add a daily touch base meeting for 15 to 30 minutes, especially during the first week or two, to make sure you answer any questions the individual may have, resolve any remaining access requests or remote requests.

I would assign a peer as ‘buddy’ that he can reach out to about our IT environment and other tech questions.” So, these are just sort of basic, “Welcome to the team,” suggestions. I got to assume you have that, and you’ve always kind of done that, yes?

[Geoff Belknap] Yeah. I think the most important thing here is to understand that every bit of this advice you need to scale up or scale down according to your organization’s size and needs. But I think the underlying message is really key. No notes for both of these commenters, right on the money, which is you spent an incredible amount of time and energy finding these really wonderfully talented people.

The time and energy you invest in them cannot stop the moment they walk in the door. You need to connect them to your value, and your vision, and your mission, and your strategy. You need to make sure that they are connecting with the people that are the right people in the org. I, when I joined my current organization, was assigned…I don’t know if I would call [Inaudible 00:05:40] a buddy, but I was assigned another senior leader as a partner or a mentor that could sort of help me walk through, “What do these acronyms mean?

What are these regular meetings I’ve gotten assigned to?”

And just questions you might want to ask somebody who’s not your boss but is somebody who has sort of done a similar job or at a similar level to yours. Those are really helpful suggestions. And then I can’t underscore enough, if you can’t do a one on one, you definitely should be, as the senior most leader in your organization, engaging with new people in your organization on a regular basis to make sure that they understand both who they can ask hard questions to and so they can hear directly from you and understand where you’re trying to take that organization.

[David Spark] Good points. All right. What would you add to this sort of making a, “Welcome to the team,” model, Paul?

[Paul Connelly] I think a good analogy nowadays is if you’re a college sports fan, the transfer portal and name, image, and likeness, the ability for players to just jump and go wherever they want to go. It’s a very similar situation. Like coaches talk about how you have to re-recruit your players every season.

And I think information security leaders need to think about it the same way. You make an indelible impression on people starting on day one. And while compensation is a huge factor in keeping people and attracting people, they also want to know about the mission—is it something that they can develop a passion for?

Are they going to have an opportunity to learn and grow? What’s the team culture like? What’s the management like? And those are all factors that starting the day they walk in the door you can really make a huge impression that will carry forward for a long time.

[David Spark] I love that term, re-recruiting your staff. And I think we can expand this conversation here for just a second in that this behavior of onboarding, it sounds like it should be kind of a rinse and repeat. Yes, Paul? And have you done it in that way? What is sort of, I guess, the annual repeat function that would be similar to onboarding?

[Paul Connelly] Well, to the suggestion in the quote having the touch bases and the regular contact, if everything is huge and exciting the first week, and then suddenly they’re in the mill, and they never see the CISO again or whatever, it all feels very hollow. So, I think a big part of it is starting off right and then having the right follow-up and continuing contact.

And Geoff made a point about establishing the culture, kind of creating this open-door. If you think about it, a new recruit, a new person joining your team, is bringing a whole new set of perspectives. They’re looking at things through a lens that nobody else in the organization is looking through.

So, there’s this opportunity for them to bring up new ideas, question things that need to be questioned. And if you can establish that sort of open door or that open dialogue from the beginning and then carry it forward, that’s just a really valuable cultural part of your team.

If you looked at the problem this way.

8:45.158

[David Spark] Jonathan Waldrop, who’s the CISO over at the Weather Company, said, “Introductions to the key nontechnical and non-security team members the individual will need to know and work with. For many security teams, having a ‘friend’ on the legal team and privacy teams is a critical relationship.

On top of that, it’s always good to have a friend in the audit organization.” Carlos Guerrero of 360 Advanced said, “Reach out to sales to learn more about our process. I think that cross pollination in as many areas as possible can really benefit the entire organization. I always use the front of house and back of house restaurant analogy.

Got to be in sync to provide the ultimate customer experience.” So, it’s interesting. We talk about cross pollinating teams in general but not in the onboarding process. And there is also the fear of too many cooks in the kitchen kind of a thing, could this cause problems. This all sounds great, but where does this make sense, the cross pollinating, Paul?

[Paul Connelly] I do think it makes a lot of sense, but candidly I’d think about it in terms of a little bit further down the line than the first week. And going back to what Geoff said on the first question, a lot of this depends on the size of the organization. I came from a really big organization, and we were a healthcare provider, 187 hospitals.

So, it was really important for us very early on to get new members of our team out into a hospital so that they could see the delivery of patient care and connect back to the things that we were doing that were protecting our ability to take care of people who are sick and in the hospital. So, that’s a really powerful thing, but it’s not something that we typically tried to do in that first week.

We kind of brought people in, got them settled, know where the bathroom is, know where the cafeteria is, know where your desk is, who’s on your team, some basic things like that. Get them started and then start to introduce getting out to the hospital, working with key partners like internal audit, and legal, and privacy, and so forth.

It’s a great point, it just all comes down to when’s the right time to fit it in.

[David Spark] And I’m going to concur with you. I will need to know where the bathroom is before I meet anybody on sales. Geoff?

[Laughter]

[Geoff Belknap] I feel like the most important thing is coffee.

[David Spark] Yes. Well, the coffee leads to the bathroom, too. Geoff, when is the right time to cross pollinate?

[Geoff Belknap] Oh, I think this is exactly right. You got to start right away. And I don’t know that I would think about it so much as cross pollinating as, look, security is not only very multidisciplinary, it is an extremely horizontal function. You are not securing just the technology part of the business or just the finance part of the business.

You are there to ensure that the entire organization can be successful. You can’t do that if you don’t know how the organization works. If I steal his back of the house, front of the house restaurant analogy, if you start working someplace and you don’t know they’re a restaurant or what the people in the front of the restaurant are even doing, pretty good chance you’re going to fail or not be nearly as successful as you can.

And I think that is what our job as security leaders is, especially in an onboarding, is sort of, “Look, we hired you to do the job. We assume you know how to do the job. Now you got to know what the organization is all about and how it operates so you can start figuring out how to apply your specific skills and talents to the role.” That is really what’s going to enable somebody to really just take off and be very successful.

I think that plus telling them where the coffee maker is. I think those are essential roles. Like understand how the business works, understand how to be caffeinated, understand where the bathroom is. Boom, immediate onboarding done.

Sponsor – OffSec

12:39.254

[David Spark] Before I go on any further, I do want to mention our brand new sponsor, and that is OffSec – discover the power of OffSec. Now, they were formerly known as Offensive Security. They shortened it. And they are the force behind the renowned OSCP certification and the Kali Linux distro. They’re trusted by big hitters such as Cisco, Google, and Salesforce.

OffSec is your partner in upskilling cyber talent with extensive training and resources. And I can’t stress this enough – this is what your staff wants. They stay because you train them. So, OffSec’s regularly updated learning library includes over 1,500 videos, 2,000 practical exercises, and more than 800 hands on labs.

Their programs cover a variety of domains, including pen testing, cloud security, incident response, security operations, and more.

Their content spans all levels, from entry level to advanced. You can even tailor your team’s learning by exploring various learning paths designed to meet your team’s unique needs and job roles. They’ve also got a Cyber Range that includes simulations for red and blue teams and tournaments that develop offensive and defensive skills in preparation for real world attacks.

Ready to elevate your team’s skills? Request a free trial today to get a sneak peek at OffSec’s learning library and Cyber Range. How do you do it? You just go to their site. Visit offsec.com/trial. Go there. Take advantage of the free trial and check out their learning library and Cyber Range.

What aspects haven’t been considered?

14:39.703

[David Spark] James Barnes of Leidos said, “Implement an information scavenger hunt with appropriate clues to gamify the discovery process and have your new resource report back at the end of the week with their findings.” This is kind of a clever idea. “Taking this approach also starts to show you where you have gaps between documented knowledge and institutional knowledge to resolve.” And also, this sort of goes to what you were saying, Paul, of like, “Hey, it’s a new hire.

We’ve got new eyes on the place.” Carlos Rodriguez of CA2 Security said, “I’ve built an onboarding binder everywhere I’ve been that included corporate strategy, IT strategy, things like the audit plan and results of the last few audits, assessments, and pen tests, umbrella security strategy, and other sub strategies in flight.

Then I would make sure that I personally walk the new employee through the binder, even if I wasn’t a direct report, with emphasis in strategy, corporate culture, and team culture.” So, when I started to read this quote from Carlos, I was like, “These were the worst jobs I had, where they just shoved the binder in my face, ‘Read it.’” But I think he salvaged it when he says have someone walk you through it.

If someone walked me through it, that’s a completely different story. Paul?

[Paul Connelly] Totally agree. And those are both really good ideas. The scavenger hunt, that’s a really clever thought, a way to have some fun and maybe peel down some of the barriers of introducing new people by working together like that on something that’s fun. But the idea of a binder, I think it ties into what we were just saying on the last question – being able to explain the bigger picture, let them know who the key connections are, the extent of the organization, the scope of the role.

I think that all has a really big effect on somebody when they realize they’re joining something that’s big and important. And right away, it can start to develop that passion for the role.

[David Spark] Let me ask, is there anything…? Because you did this job for many, many years. What were…? Pick one or two things that you changed early on in your onboarding process that you started to do later? Like, “Ah, this isn’t working, and now we started doing this.” What did you learn over those years, Paul?

[Paul Connelly] My last organization was a very big team of almost 300 people. And for a period of time, I was letting the managers and the directors run with it. I’d let my administrative assistant set up a one on one, and sometimes it might not be for three weeks. And I realized that that was a mistake and made it a point that every single new hire on day one I was going to meet them.

I think it was important. And one other thing kind of under the category of what hasn’t been considered is we were treating new hires one way, and we were treating contractors and interns another way. And we found that contractors and interns were a great pipeline into our group, so we changed it, and we were treating everybody the same way to try to give them that “wow” experience on day one and during the first week.

[David Spark] Excellent point. All right, Geoff, two things. First, I want to know… I think the scavenger hunt idea is actually kind of a creative, fun idea. What do you think? Have you done anything kind of fun and creative when onboarding anybody?

[Geoff Belknap] I’m taking lots of notes here. This is so far fantastic advice. I haven’t done anything quite that fun. I like to make sure that… My team is rather large, so it’s hard to meet everybody first day. But we try to get…coffee chat we call it, which is just some time together with everybody who has started that week.

I think that’s really important. Then the other thing I just want to go back to here, this is really important, the sort of like identifying the gaps between what you think exists and how it really is. I worked at another place where what we used to do is say, “Hey, you’re not really done with your onboarding until you have made your mark on the onboarding checklist.

You just went through onboarding yourself. You are the most recent set of fresh eyes on this process. What works? What doesn’t work? What was hard for you to find? What was easy for you to find? What should we do to make it easier for the next person?”

And I think, also, it sort of brings it to the full circle where you’re not really good at something, you don’t really understand something, until you can teach somebody else that thing. And when you can start to teach somebody else how the organization works, it’s a great way to sort of go like, “Great, you’ve graduated,” so to speak, “from new hire to like a full employee.” I also can’t stress enough what Paul just said, which is your interns and your contractors are not disposable humans.

Those are the people that you will probably turn to first when you have an opening or a new job that has come up. You’re going to go to these people that are already interacting with your team. They are a fantastic resource. Do not treat them as other. Treat them as maybe they’re on a temporary contract, whatever it might be, but bring them onboard just like everybody else.

[David Spark] I want to pick up one thing that you said about treating contractors, and employees, and interns all the same. Everyone seeing this is also really, really important. Because I have a good friend, this happened to them where one of their contractors who everyone loved, everyone was working with, was having weird contract negotiations just because it was a big organization.

They couldn’t clear something. And the person who they wanted them to work on something next week, whose three month contract was going to be up that Friday, nobody knew if they could work with that person. And the company literally was stringing this person along until the very last hour, and everybody saw it happening.

And it did not speak… Of course, it spoke poorly about working with contractors but everybody else. So, how you treat one individual, everybody else sees that. And so that’s what everyone needs to see. You’re nodding your head, Paul.

[Paul Connelly] Absolutely. And you have a culture, and it works with everybody. Or you don’t really have a culture, and everybody sees it, as you said, David.

[Geoff Belknap] It really just goes to what we’ve been talking about all along. You can’t stop treating people well and showing off your great culture after the recruiting process has ended. You have to live it every day. I used to have a CEO I worked for, not my current one, who used to say, “I have to audition for my job with the board every single day.” And not literally.

He meant, “I have to be trying to be worthy of this job every single day.” I think people in Paul’s and my role have to sort of do the inverse. We have to be worthy of the people that we are working with every single day.

What must a security leader be able to do?

21:25.982

[David Spark] Joel A. of Lineage said, “If you’re hiring someone into a leadership role, ensure that they meet and engage with their team. This was something that was overlooked in a previous role and resulted in my new manager not meeting with many of his staff for almost three months. That, in turn, drove disengagement and inbuilt a sense that individuals felt not important to the team and the organization.” Oh, I worked for a company where they brought in a new president, and he went to his office, and he talked to no one.

And it was one of the things where everyone had those clear office rooms, so we all saw him not talking to anybody. [Laughs]

[Geoff Belknap] What did he do? How long did this person last?

[David Spark] Oh, this was… The whole company imploded and shut down like within months after that, so it was…

[Geoff Belknap] That tracks.

[David Spark] The writing was very much on the clear window walls.

[Geoff Belknap] The writing was behind the glass for everyone to see.

[David Spark] Yes. Ryan Lindley also, of PeopleConnect, said, “Paying attention to the small details that make people feel valued lays the foundation for strongly engendered loyalty and a desire to excel.” That’s a really nice sum up of everything. So, I kind of… We’ve been talking about this throughout, and I mentioned it at the very end that all of this behavior is brand building.

It’s employee brand building, and people see it. Geoff?

[Geoff Belknap] I think that is a great point. And I think just like the contractor story we talked about, whatever you’re doing, people see. And I think this is also why I go back to it is a fantastic opportunity when you have people who are new to ask them what they think – what are their first impressions of the organization, is there any feedback that they want to give you?

Because that fresh opinion where they are not afraid to give you feedback at that point, that’s going to be some of the most valuable feedback you get. I think at the same time, you’re going to have a real sense of all the effort that you’re putting into paying attention to these details, whether that’s really paying off or whether the things that you think are small details aren’t really that important or not.

So, you got a lot of opportunities here to drive engagement, drive that culture, and get really short-cycled feedback on how that’s going.

[David Spark] Paul, you had mentioned earlier about getting feedback. What is some good feedback that you have received?

[Paul Connelly] I do think it’s you’re basically creating a standard of open-doorness so to speak. The ability for people to feel comfortable coming in to speak with you. When you start off in that first week or that first day and you’re having a one on one, and then you’re checking back with them the next day.

And two weeks later, you’re checking in. And then you’re walking by their desk three months later, and you’re stopping by to see how they’re doing on the project. Not to say that these are the only times. But when you have that…you establish that standard that it’s an ongoing conversation, and you’re valuing their feedback, and you even say, “Hey, you’re looking at this in a different way than anybody else who’s here.

I would love to hear your thoughts.” Whether you’re talking about the onboarding process, or the way we’re approaching this project, or how we’re utilizing this technology. I just think there’s so many benefits to taking advantage… It’s another type of diversity. A new person is another type of diversity.

It’s bringing different, new ideas.

[David Spark] I was just having this conversation with one of my employees, who is extremely valued but operates differently than the rest of us. And I acknowledged his value today. I was just saying this. And explained that this is… “You provide that exact diversity that we need because we don’t operate like you, and it’s great.”

[Geoff Belknap] It’s so important to remind people, the value they add is not being like everybody else. It is their skills and talent applied to the organization’s mission.

[David Spark] One of our other hosts, Andy Ellis, has this book called “1% Leadership,” and one thing that he mentioned… This is something that never crossed my mind, and I thought it was a really good point to make. I’m wondering if, A, you’ve sort of not been aware of this, you’ve seen this, or you take it to heart, was there’s a classic thing that people do in the office where they go, “Oh, did you see the game last night?” And a good number of people in the office are talking about the game last night.

Well, there’s a good percentage of the people in the office that like to have side chatter but couldn’t care less about the game last night. And if that’s the only kind of side chatter you do, you’re not including a percentage of people who do not care about the game last night. So, do you have to go out of your way to find the thing that they care about, which is not the game last week, and make sure you eventually include them in some kind of side chatter?

A, have you seen this? Have you acknowledged this? How have you addressed this? I’ll start with you, Paul.

[Paul Connelly] Yeah. Yeah, maybe it’s, “Have you been to that pinball arcade?” It starts right in the beginning in establishing that relationship, getting to know somebody outside of what their job is, and building on that over time. I keep referring back to the word culture. I do think that that’s part of how you establish a culture.

And as a leader, you should know these things about every single person in your group, no matter how big it is. That’s what really differentiates a great leader, I think.

[David Spark] Geoff, have you run into this? Like only having the, “How was the game last night,” side chatter and other people being left out?

[Geoff Belknap] Not specifically that, but absolutely. So, I have the privilege to lead a team that is globally diverse and has people from all different cultures and walks of life and in different locations. Many of them are not in the US. So, I think what I remind myself… And I had somebody else on my leadership team remind me of this, and I thought it was great.

People get really hung up on diversity and forget sometimes about inclusion and belonging. And for me, inclusion and belonging are about exactly what we’re talking about – making your culture a place where people can feel like themselves, and they feel like there is a group that they belong to, even if it’s a subgroup of your team.

And there are going to be people that are super interested in football, whether it be American or European football. And there are going to be other people that identify different ways or identify with different hobbies, and activities, and things that they’re into. And as long as you’re creating an environment where they feel like they can express those likes, they can talk to people about different things, even if it’s just another part of security that they’re all very excited about [Inaudible 00:28:04] You just have to create a place where that’s fun, and it’s not just whatever sport or hobby the boss has.

[David Spark] Good point. But it doesn’t hurt to like the sport the boss has.

[Geoff Belknap] It never hurts, but it shouldn’t be the only thing you’re allowed to like.

[David Spark] It’s not required by any stretch of the imagination.

Closing

28:23.661

[David Spark] All right. We’ve come to the point of the show where I ask both of you which quote was your favorite and why, and I will start with you, Paul.

[Paul Connelly] Well, I loved the Ryan Lindley quote about paying attention to the small details that make people feel valued. I’m a big culture person, and that’s really about establishing a culture right from the beginning with someone.

[David Spark] Excellent, excellent point. Yeah, it’s amazing how these small, little things are very, very sticky to people. Geoff, your favorite quote and why.

[Geoff Belknap] Boy, there’s so many here to choose from. I’m going to pick two here from Jonathan and Carlos where they talked about introductions and connecting people to the rest of the org. I think Jonathan said it really well, introductions to key, nontechnical, and non-security team members. And Carlos kind of talked about this as well.

What you really want to do… It’s like, absolutely, you should introduce them to where their desk is, and how they get paid, etc. But now once you’re past those very basics, you want to start connecting them to what do we really do as an organization, who are your key partners that are outside of your team, whether they be legal, or audit, or sales, or marketing.

And you know, build those relationships. Because you know what? Some people are great at going out and doing that. They’re extroverted. They love to make new friends. There’s a lot of people in infosec that are not those people, and they would really appreciate a warm hand off and a warm introduction.

And that really gets people off on the right foot.

[David Spark] Thank you very, very much. Well, I want to thank our guest, Paul Connelly, former CISO over at HCA Healthcare. I want to thank Geoff as well for all your awesomeness on the show. And I want to thank our sponsor, OffSec. Remember their web address, offsec.com/trial. Take advantage of that free trial.

Get into their learning library. Take advantage of Cyber Range. Start upleveling your talent right now, today. Turn them into the unicorns you always wanted them to be and they want to be as well. And I want to thank our audience. As always, we greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.