Working the help desk seems like a great place to get entry-level cyber security skills. So why is it so often overlooked or even looked down upon?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Sasha Pereira, vp of infrastructure and CISO, WASH.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Push Security
Block phishing attacks, detect session hijacking and stop SSO passwords being exposed. Find out what else the Push browser agent can do at pushsecurity.com.
Full Transcript
Intro
0:00.000
[David Spark] Working the help desk seems like a great place to get entry level cyber security skills. So, why is it so overlooked or even looked down upon?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost, a fantastic cohost… I often say he’s one of the top four. It’s Steve Zalewski. Say hello to the audience, Steve.
[Steve Zalewski] Hey, audience. How you doing?
[David Spark] For those of you just listening for the first time, there are actually four cohosts. Actually five because I’m one of them, too, I should say. That means I’m leaving somebody out, or maybe I don’t think well of myself. One of them is happening, Steve. I don’t know what. By the way, we’re available at ciso-dev.davidspark.dcgws.com.
And if you have not graced yourself on our site to check out our other programming, please do so quickly. If you are driving though and listening to this, don’t do it now. Wait until later. Our sponsor for today’s episode is Push Security. Stop identity attacks at the browser with Push Security. More about that later in the show.
Steve, let’s get to the topic at hand. We hear all the time about the cyber security skills gap. We’ve done a few episodes on that and a few segments on that. But as Jerich Beason, who’s the CISO of WM and also a frequent guest on this show…well, multiple shows of ours…he pointed out in a recent LinkedIn post that help desk workers have entry level skills across engineering, analysis, awareness, architecture, and identity access management or IAM.
Now, these people have a deep understanding of an organization’s IT and the problems people are having across all departments. So, if that’s the case, why aren’t they actively recruited into Cyber Security? It seems perfect. It just seems like a perfect launchpad. Yes, Steve?
[Steve Zalewski] Absolutely, and I think it’s one of those cases where historically when we think about the help desk, cyber security presented a new opportunity to mind the help desk that we’re just starting to understand.
[David Spark] And I want to say to anybody out there who’s listening who does work the help desk, know that you are a valuable commodity. I met a guy at an event just a month ago who was like, “Well, I’m trying to get my first security job. I’m working help desk right now.” Like really down upon himself.
I’m like, “Oh my God! You’re what everybody wants.” I was trying to stress it. He was more worried about the search that you got to get. “Oh, you’re already ahead of the game, being that you’re working at help desk.” What would you say to that guy?
[Steve Zalewski] Absolutely. And, again, it gets back to cyber security is not all about hacking the bad guys back or finding he bad guys breaking in. So much of cyber security is the human side of working with the lines of business to basically help them through the use of security or understanding the implications.
So, a help desk, that’s why it’s such an ideal place is because whether you’re talking to an app developer, or you’re talking to the CEO, or you’re talking to the admin, they all basically want that human touch to feel that what they’re doing is important and that you can do it in a way to communicate the value without making them feel stupid.
[David Spark] Excellent point. Well, we are going to get into great detail about the help desk, and really how to understand it. This is a really good conversation for anyone who is at that level, considering going into help desk, or the person hiring. So, all parties should be paying attention. And we have the perfect guest for this because she oversees infrastructure at her organization, which is involved in the help desk, and is also a CISO.
Yes, the VP of infrastructure and CISO over at WASH. None other than Sasha Pereira. Sasha, thank you so much for joining us.
[Sasha Pereira] Thank you so much for having. I’m excited.
What kind of experience do you need?
4:13.400
[David Spark] Duane Gran of Converge Technology Solutions Corp said, “Even if you don’t hire help desk employees straightaway, they are a great resource to know what is really happening in the company. They are the tip of the spear in terms of hearing about staff frustrations around technology and security.” I think that sums it up perfectly right there.
And Joseph Lewis, who’s the CISO for the Centers for Disease Control and Prevention said, “Help desk is a great vantage point to learn and understand an organization, the technology and tools they use, and the people you support. I did my time back in the Marine Corps, and it has proven to be an immensely valuable part of my career.” So, Steve, it sounds to me that help desk is like just a resource in general CISOs needs to take advantage of, whether you’re in a hiring mode or not.
[Steve Zalewski] Yes. And I’m going to share. When I was actually at PG&E in the security team, we went out to one of our call centers, and we had an opportunity to sit down and actually spend 30 minutes on the calls. You could jack in with somebody and actually listen and watch what they did. I will tell you, that was so impactful for me.
Because when you’re listening to the folks that are calling in and talking about their electric bill, or their gas bill, or the concerns that they have, and you watch the help desk going through four, five, six screens of information, you’re realizing what security actually means to the customer and the impact or the friction that security had on the help desk personnel.
And so for me, I would say that’s something we should every year just to really feel the pain for the organization, but it also gives you a much better appreciation for just how good the help desk folks are.
[David Spark] This is like the equivalent of a drive along with the police, isn’t it, Sasha? This is the way you actually see things firsthand. Because you can make all your guesses, but until you see what people are dealing with, you don’t know what’s actually really happening. Yes?
[Sasha Pereira] 100%. I mean, again, I have managed help desk teams for the last 24 odd years, and the help desk team was kind of what security engineers do today. Because 20 years ago, cyber security or having security dedicated team did not exist. And so you relied on your service desk team or infrastructure team to help you out.
And, yes, it is. They see everything firsthand. It literally is like the cops in the field versus the administration guys back at the office. The captain, yeah, he does a great job, but it’s your grunts who are on the ground, which is AKA help desk.
[David Spark] Let’s get just one pinpoint example. Each of you, what did you once learn from either working a help desk, watching a help desk operate that you never saw in your behind the desk environment? Steve?
[Steve Zalewski] I was on a call, and they were trying to pay their bill. Okay? And this individual was in the hospital, in the hospital bed, senior person, trying to pay their bill, and was calling in because they didn’t have access to usernames and passwords. They didn’t understand how to use the technology, and yet they didn’t want their house to go without power.
And I was just like… Those are the kind of use cases that people sitting at a desk just don’t even think about, to appreciate what our security controls do and how we have to be flexible in allowing them to address the needs that are in front of the help desk at that moment.
[David Spark] Good point. Sometimes there are extreme cases that people need to be protected. Because, yes, I mean not all the time am I going to have my username and password, but I still also don’t want my power turned off at the same time. Sasha, interested, in all your years, what was the great eye opening moment for you?
[Sasha Pereira] I think there is like several. I’m just trying to think what I can share that is easy to share. So, one of them would be in one of the firms I worked at which had a Canadian presence, we had a user contact the help desk because she felt like she had clicked a fraudulent UPS email, and she was so afraid, she just shut her machine down.
And she’s like, “I don’t know. I’m really…” And she was literally having a stress, like a panic attack, because she was so afraid that her system was compromised. Eventually turned out that it was a legitimate email from UPS. It was some shoes that she had bought that she just forgot about it, and UPS sent her an update.
But what I really liked about that whole interaction with the help desk team was one of the guys on my staff spent 25 minutes calming her down and explained to her that… You know, helped her turn the machine on without internet, brought it back up, and just walked her through it. She was extremely grateful, and it changed her opinion on the way security was.
It went from, “I was really scared because I have all this security training, and I’m told I could get compromised by something,” to, “Now there’s…” One of my staff walked her through it and gave this really caring side of security that you don’t see every day. And that’s a really good piece of it which I think I really value that a lot.
Where you’re helping your users on one hand. You’re bringing them into it. But you’re also handholding them in an area that they’re afraid about.
If you looked at the problem this way.
10:02.268
[David Spark] Justin Furrow of Zelis said, “Help desk experience fosters a customer service mentality. This helps transform security from the department of no to a shop that asks, ‘How can we make this work for everyone?’” And by the way, both of your examples very much speak to that. Greg Mathes of Arvest Bank said, “Most of our internal recruiting involves pulling in people from our help desk or field technicians.
Another skill that is greatly undervalued is their customer service skills. This is a skill that most good help desk associates have. All aspects of security involve working with internal customers, whether it be during an investigation, trying to get additional context the logs don’t provide, or when troubleshooting on the engineering side.” And, Sasha, I think the example you just gave in the last segment very much speaks to that.
Is that when you work help desk, you are pretty much forced to learn empathy, if you don’t have it already. And a lot of times it’s blamed that security professionals don’t always have empathy, so it is a good trait to get. And let me as you this – how much harder is it to train or teach empathy if it is teachable if they haven’t been at the help desk before?
What do you think?
[Sasha Pereira] So, this is a really good point you mention. So, my last company I was at as a CIO for that firm, I hired my service desk manager. At the end of the interview, he said this one example to me, and I’ll share it really quick. Is he was a customer service rep for some company, and a woman called in.
He was talking to her, and she had trouble with something. He explained to me, he said, “Typically you have pity for the person because they can’t get into it.” He said, “Let’s solve this together.” And he jumped behind the computer with her, sat down, and said, “Let’s figure this out together.” He said, “To me, that’s empathy.”
And it was almost a turning point for me that someone acknowledged that so much. I promoted him and made him the help desk manager because I’m like, “That’s what I want you to instill into everyone that reports to you. It’s the empathy piece that we’re missing.” Because we are technical. We’re all savvy.
We’re all skilled, but it’s the empathy part that is so critical, and it really… I don’t think there’s any other team within IT that has that. Whether it’s development, engineering, operations, security. I think help desk staff…the ones that are led well and they have good managers to bring them on, I pick that above everything – is empathy.
Because it’s really key for that role.
[David Spark] And one of the things that was just mentioned, Steve… I mean this is my theory. Tell me I’m wrong here. Is that empathy is something you’ve got to come to the table with. It’s rarely taught. Teaching technical skills, I mean… There’s a bunch of programs online to teach you technical skills.
I don’t see many offering empathy skills.
[Steve Zalewski] You’re right. And empathy is definitely something that we’re starting to highlight. But there’s something else that I want to call out besides empathy that I found, which was when you’re at the help desk, whether you’re behind the phone or whether you’re at a help desk in person like if you go to Apple and you go upstairs to the Genius Bar, and the people are right there, there is empathy, but there’s also the ability to defuse.
Because when you get on a call, often times people come in hot. I’m guilty of that. I’m upset. Something isn’t right. I want it fixed, and I’m coming in hot. So, the empathy to appreciate where I am but the ability to defuse the situation, to, take me through that anger, get me to a place where I need to be is important.
Because security…often times people are calling in because the system isn’t working, and they’re hot. So the empathy and the ability to appreciate taking them through… But the one that I’ve also started to see is people come in under duress because something bad happened, so it’s almost like you’re the 911 dispatcher.
Because people are coming in and saying, “Hey, I just got hacked. I don’t know what to do. I don’t understand what the implication is. I’m afraid I’m going to lose my job.” And they are just a mess. And so the ability to pick them up at that point, understand the empathy, under the duress and them coming in hot, and also being able to do that crises management to take them through the process.
That is how helpful the help desk is and why for security it’s such a gold mine of resource.
Sponsor – Push Security
15:03.041
[David Spark] Before I go on any further, I do want to tell you about our absolutely awesome sponsor, and that is Push Security. So, we all know that identity attacks now account for somewhere between three in five and four in five of all breaches, and that’s no surprise given that most of us now work in the browser, using dozen of identities to access our work apps.
Browsers are the new endpoint and the natural point for monitoring and enforcing controls across your identity attack surface. Push Security has built a browser agent so you can prevent, detect, and respond to identity attacks.
Think of Push as like being an EDR but for identities. Let me explain what Push can do. By using Push, you can detect and stop advanced phishing toolkits like Evilginx and Evil noVNC [Phonetic 00:15:55]. You can also control what apps your people access and how they configure their identities. You can enforce sensible controls in the browser like stopping your users from sharing their SSO passwords with other apps or phishing websites.
You can even detect session token theft. So, if all of this sounds interesting and you want to know how else you can use Push’s browser agent to defend your workforce identities then you got to go to their website. That is pushsecurity.com. It’s spelled just like it sounds. Pussecurity.com. Go check it out.
What are the best practices?
16:32.549
[David Spark] Brian D. McCarthy of Veritas GRC said, “Lateral positions – call center, help desk, physical security – have the underlying foundational elements of cyber success, communications, escalation process, larger picture attack vectors, etc.” And Nick Reva of Snap said, “I could see it as a feeder.
However, in tier one, tech coding skills are mandatory to succeed in security engineering. We don’t hire analysts, hence on top of the advice stated here you must learn to code, minimally Python, ideally Go and/or Java.” I’m going to start with you, Steve. Again, coding is not required for every job within cyber security, but Nick seemed adamant that on top of this, as you’re at the help desk, learning coding skills would be rather critical.
What do you think?
[Steve Zalewski] Where I went with that initially was, no, I disagree with Nick because coding as a skill is important if you’re going to take a follow on technical role in security.
[David Spark] Right, and I said… And I think he was specifically talking about to succeed in security engineering specifically.
[Steve Zalewski] Yeah. In security engineering, I agree. But the whole opportunity here, I think…and Sasha can chime in…is what we’re finding are a set of people that have a set of latent skills that 60 or 70% of all the security functions need. Then I only have to focus on the additional 30 or 40% of the skills that are unique to that particular job function, but I’ve got a really nice pipeline.
[David Spark] All right. What do you think about this, the coding as needed for security engineering position? And to add to that, is there any entry level position for which help desk does not work do you think, Sasha?
[Sasha Pereira] So, I have to agree with the former thought that Steve had. And being a developer myself… So, I have a master’s in computer science. I did development for five years. I do not agree with the fact that you need to have coding experience to be… Security engineering I would say is a very specific field to be in.
But in general if you’re talking about cyber security, I think it’s a small, in my opinion…it’s a small window or a small group of people that would need coding experience. In terms of what help desk… And I say this based on 2024, where a lot of security tools and SaaS services that you have are now incorporating generative AI within the security tools so you don’t really need to know some of the tier one level coding you would need to get tools to work for you because you would simply speak in just language and say, “Hey, I would like a report made on this,” or, “I would like to have this done.” And gen AI will feed into your security tools.
And to the second piece you asked, about what help desk roles would not, the only role I think that would not work out well specifically within help desk would be if it’s something that’s related to hardware. So, if there is a person on your team…if it’s a really large help desk organization and you have staff that is purely focusing on like image creation…
All they do is making images for laptops. Some of those roles we’re slowly seeing going away, but those would be roles I would say that would not be the perfect case scenario because they don’t have that customer interaction. They don’t have that multi sort of faceted role where they’re managing multiple applications across your portfolio.
They don’t have that visibility into your, for example, O 365 tenant or your Google tenant, so they don’t see that suite of applications. So, if it’s a very specialized role within help desk based on the forms… I have a colleague of mine who works for a very large multinational company, and one of their colleagues who works with them, his role is to create new images for laptops.
That’s his role. And that’s his nine to five job. So, that would be not an ideal person in help desk.
What problem is this solving?
20:54.094
[David Spark] This last quote kind of brings us full circle, and it’s from Chuck Herrin of F5. He said, “The help desk also has great insight into what security processes are burdensome and how people bypass them. If they can help the CISO ‘make the right way the easy way,’ that’s extraordinarily valuable.” I think that’s an amazing quote to close on because really what it’s saying is the help desk is your source guide to improve the user experience of cyber security.
Steve?
[Steve Zalewski] Yes. You always hear from the people that aren’t happy. You never hear from the people that are. And so your help desk really is your canary in the coal mine for where the friction in the business is from a security perspective or where security can do something on a business friction process that people don’t necessarily see us as having a role to play.
And so I think Chuck is spot on. And part of what we’ve been talking about help desk for security people, and then help desk just as a way of being able to support the security organization. I think he’s right in both cases.
[David Spark] Let me… I’m going to throw a little twist to this, Sasha. Steve puts up a comment of saying, “You don’t hear about the people who are happy, you hear about the people complaining.” But often we can make… And I say we, the cyber security industry. Can make things difficult, and people “just go along with it” because that’s the way it’s done.
And maybe you’ll never hear about it in the help desk because it’s just, “Well, I guess I got to do this. I got to keep doing this.” Or they’re bypassing things and never calling the help desk anyways. That’s a significant gap I’ve got to believe. How do you get vision into that gap? Which, by the way, my feeling is this is going to be a whole new conversation all together, but let’s just touch upon it.
How do you get into that gap that the help desk doesn’t have insight into?
[Sasha Pereira] So, again, I can only speak on this from what I’ve seen. One of the reasons why I do like the roles that I have had in the last 20 plus years or in the last I want to say 12 would be specifically where I had both teams, and I literally treat my help desk team as my security team. So, when people ask me, “How big is your security team?” I don’t tell them, “Oh, I have two full time engineers,” that their roles are security engineers.
I give them my entire team. Because my entire team is aware of all our projects we’re working on. We have Teams channels that when we have a security issue, it’s not just two security engineers on a chat. It is my entire service desk team. They are all on it. So, they have that visibility, and they also can chime in.
And most times it is someone from my service desk team that has done more research than some of my security guys. It’s not that they’re trying to out prove each other. It’s just that team mentality that if we have an issue or something happens, everyone here is going to be like just going nuts. So, everyone is really using that kind of… And someone made this quote.
It’s not mine, but I want to share it. When people say, “How big is your security team?” I usually say it’s 1,400 employees. I have 1,400 people on my security team. The reason being is that I singlehandedly or even with a team of ten people cannot prevent what’s happening outside today. And so the better I train my executive assistants all the way to my production floor staff, that gives me a better stance.
How they’ll approach security, not just how my help desk looks at it.
So, I look at it from that perspective, is how can I get them open to helping out with security. How can I get them not afraid of phishing emails. They should be looking at it. That’s the mentality I’ve created. In the last five years, now people literally talk about it in the lunchroom. I literally had the board tell me at the last meeting that people are talking about it in the lunchroom.
It’s like, “Did you catch that last phishing email?” So, that’s really key. So, I think I look at it broader than what you mentioned, is, “How does help desk…?” I look at it from how does the company look at it in terms of security. But, again, with respect to help desk, I do agree a lot with Chuck’s quote.
I think it’s a really good quote. It really is something where you have to… Again, it’s probably my favorite quote of the day.
Closing
25:45.383
[David Spark] Well, then that brings us to the very end of the show. Do you want to double down on that and say that is your favorite quote of the day or quote of the episode?
[Sasha Pereira] I think that is definitely the quote of the episode for sure. I think it’s how do you make things easy. I think we overcomplicate it pretty often with the 1,500 tools we can buy out there and the 1,200 services. I think sometimes the right way is the easy way. It’s just you have to open your mind to your existing staff that you have.
I know it’s a challenge for a lot of CISOs because they don’t have the luxury in my case that I do have infrastructure. But make those connections with your help desk team because they literally are the front lines. It’s a proven case where a hotel… There was a leading hotel brand that was not listening to the hotel staff that were listening to guests complaining about the little shampoo bottles – how much waste they caused and how the lettering on them was so small.
I think I got from that and I learned if you don’t listen to your help desk staff, it’s just going to affect you in some way or the other. So, use them. They are your big… They just have so much information that they gather, and it’s so useful.
[David Spark] Excellent. All right, Steve. Your favorite quote and why.
[Steve Zalewski] I’m going to go with Brian McCarthy at Veritas GRC where he said, “Lateral positions are the underlying foundational elements for cyber success. Communications, escalation process, large picture attack vectors, etc.” The reason why I chose that one is he touches on the point that they understand how the business works, not just how security works.
And so much of security, as Sasha says, is understanding how the business has to operate and the role that security has within the ability for the business to sell more jeans.
[David Spark] Very good. Well, that brings us to the very end of the show, and I want to thank our guest, none other than Sasha Pereira, who is not only just a CISO over at WASH but also the VP of infrastructure. She oversees the help desk there. Thank you so much, Sasha. I’ll let you have the very last word on this topic.
I do want to also mention our sponsor, Push Security. Remember, go check out their website, pushsecurity.com. To stop identity attacks, it’s Push. It’s like an EDR but for your identity in the cloud. Thank you, Steve, as always. Sasha, any last words on this topic, or, heck, anything else you’d like to mention?
[Steve Zalewski] No, I just want to say stress on empathy. I think not a lot of people in IT talk about it, and I’m happy Steve brought it up because it’s a really core piece of IT as we support the business in a majority of stances. Empathy is one of those things that’s really hard. But if you find an employee that has empathy, hire them.
[David Spark] That is a good point. Thank you, audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.