What Can Someone with No Experience Do in Cybersecurity?

There’s often skepticism about what those new to cybersecurity can do when they enter the field. But are we creating far too many unnecessary limits as to the specifics of what we need that we’re missing a massive staffing opportunity to truly help the security program?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Dan Walsh, CISO, Datavant. Joining us is Rinki Sethi, vp and CISO, BILL.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Recorded Future

Every day, security teams face an impossible challenge: sorting through millions of threats, each potentially critical. But somewhere in that noise are the signals you can’t afford to miss. Recorded Future gives you the power to outpace AI-driven threats through intelligence tuned specifically to your needs, enabling you to act with precision. Their advanced AI detects patterns human eyes might miss, while their experts provide context that machines alone cannot. Visit recordedfuture.com to learn more about securing what matters to your business.

Full Transcript

Intro

0:00.000

[David Spark] There is often skepticism about what those new to cyber security can do when they enter the field, but are we creating far too many unnecessary limits as to the specifics of what we need that we’re missing a massive staffing opportunity to truly help the security program?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me as my guest cohost, very excited, friend to the show, Dan Walsh, CISO for Datavant. Dan, thanks for joining us.

[Dan Walsh] Thanks for having me here. I’m excited to talk about this topic today.

[David Spark] I believe this… Is this the first time we’ve had you on from Datavant? Yes?

[Dan Walsh] Maybe the second time. Maybe the first on Defense in Depth. I’m not sure.

[David Spark] You know what? Yes, I think we did have you on once before. Our sponsor for today’s episode is Recorded Future. Brand new sponsor of the CISO Series. Get ahead of present and future attacks with Recorded Future. More about how they do just that a little bit later in the show. But let me set up the topic that we’re going to be discussing today, Dan.

What can staff with no previous cyber security experience bring to improve your company’s security posture? A lot. That’s according to a post by Jerich Beason, who’s the CISO of WM. Now, he points to a bevvy of tasks from asset management and data classification to policy reviews and project coordination.

He argues that with a little training you can bring on new people for key, albeit mundane, tasks and let more experienced staff focus on strategic initiatives. Is this your experience? That you can really bring anyone from any background to do tasks that the security needs?

[Dan Walsh] I think the answer is yes. And I think the but here is a lot of these things are very simple tasks. They’re very simple things to be done. A lot of times what CISOs are fighting with is a limited number of budget, and they can only have so many headcount. And so sometimes I think that there is pressure there to just go get someone who can do all the things and have them be one more highly paid person as opposed to providing opportunities for entry level folks.

[David Spark] And by the way, not the first time I’ve heard that, and it makes complete sense as well. Well, we have another great CISO who’s going to join us on this conversation who we’ve recorded with many times before. It is the VP and CISO over at BILL. None other than Rinki Sethi. Rinki, thank you so much for joining us.

[Rinki Sethi] Thanks for having me.

Does anyone understand what’s going on?

2:28.644

[David Spark] Nawar Kabir of DigiRISQ Consulting said, “We’re confusing ‘cyber experience’ with ‘IT experience.’ Much of what we do in cyber is built upon our IT experience. A good number of activities listed here need IT experience. For example, vulnerability scanning. How can someone configure a vulnerability scanner without any knowledge of IP subnetting and TCP/UDP ports?” Kyle Manel said, “These are all management tasks, not isolated to cyber security.

These are all tasks I completed as a system administrator at a cyber security software development firm a few years ago. These should be generalized capabilities that everyone can shift to when necessary.” So, I’m going to double down on what Kyle just said there, Dan, and kind of reference what you said at the beginning.

That pretty much could anyone do these tasks should you need it? Mentioning some of these mundane tasks that Jerich said, it’s like, “Ugh, I need someone on this. I can look to my team and really count on anyone to do it.” I mean is it kind of like one of those general skills like typing where if they’re on your team everyone could do it?

[Dan Walsh] Again, I think it depends on what skill your team is at. So, if you are a startup, sometimes the CISO is the only security engineer that’s there. And so they have to do everything. If you’re in more of a mid-sized company, you may need to have a pool, so to speak, of engineers or staff that can do a little bit of everything depending on what’s coming up.

Because you’re both operating, and as part of that operation you’re also responding to things that are unexpected. Something broke. Something became vulnerable. You have to patch it. An incident occurred. So, you have to put that down and then go work on that other thing. And then once you get to the enterprise level, you’re very large, you can sort of take on some of those roles and have someone just focus on a particular aspect of this.

The other thing I would add, too, is a lot of these things that are mentioned, some of this stuff is very…is able to be automated away depending on the type of tooling capability you have in your program as well.

[David Spark] And I should mention that I think Jerich posted this a while ago, before AI had hit its sort of apex…I don’t know if we’re at an apex level but at a key level right now. Let me throw this to you, Rinki. Do you have a way that you dealt with these roles before that is changing today maybe because of AI?

Give us a little background and your history of how you’ve kind of been dealing with these kind of tasks.

[Rinki Sethi] Yeah. I mean I just think about when I started my career. Because I went out of college and went and took a cyber security role. And I had no idea what cyber security was. People taught me all the things that they didn’t want to do. And so they said, “Rinki, here’s how you do war dialing.” And, “Here’s how you go and configure a vuln management scanner.” And so it’s all about is the person able to quickly learn to do these tasks.

I think to Dan’s point that a lot of these tasks now can be automated and are. But there’s still a lot of things that can be done, like documentation, just updates to playbooks, education and awareness, and how do you drive cultural change. There’s things that folks can come on board, and actually that fresh perspective could really help.

But I think automation is key because the talent pool is small, and in order to retain talent you’ve got to make sure that the work is challenging.

[David Spark] Going back to the question I also asked Dan is do you think many of these tasks… And I’ll just sort of kind of point to the environment you’ve been in. Correct me if… You’ve been in sort of mid to enterprise level companies. And could these tasks…are they kind of universal? Saying like, “We started…like everyone has this skill because everyone had to learn it to get to the point they’re at that you could literally assign people these tasks if they’re needed at the last minute, but at the same time I do want to bring green people coming in on these tasks.” Is that kind of the way you look at it?

[Rinki Sethi] I don’t know if it’s that straightforward, but I do think that in certain roles, whether it be security operations, perhaps even red teaming, there’s particular functions in which you’ve got to start at a certain point in order to kind of get more and more sophisticated and build your kind of skillset.

And so in those cases, I do think that you’ve got to start from the very beginning, and you don’t lose those skills over time. So, yeah, I think that in those particular cases, that’s absolutely the case. But as you know, David, I’ve listened to so many of your episodes. Nobody has that straight kind of path to cyber security.

Everybody has kind of gone a different route, and so it just depends.

Where are we falling short?

7:01.984

[David Spark] Joe Hudson of TCM Security said, “From a big picture standpoint, there is almost no chance we see a mass overhaul in entry level roles, creating these opportunities. But most companies will have too much turnover, too many strapped teams unable mentally to commit to training, and too many of the old ways being set in stone and keeping this from happening.” I can definitely see that happening.

Joe goes on to say, “I hate to admit that, but I spent so many years in the thick of companies’ internal issues, and most just won’t be able to make this happen anytime soon. It’s five to ten years.” Aileen Kara H. of Wells Fargo said, “Two specific elements I would have to disagree with that I believe require experience.

Policy enforcement. Knowing how a vendor tool processes and enforces policy doesn’t always mean the true intent of the enforcement is executing correctly and efficiently. And secondly, policy review. Hard to complete a good policy review if you don’t know whether it’s working correctly, whether it’s written poorly, whether it contains no longer used components, or something else.” All right, I throw this to you, Dan.

And I’m going to sort of lean on Joe’s comment. He thinks most organizations are too enriched to sort of make this shift to sort of allow inexperienced people to take on all these responsibilities. And Aileen said, “Well, two of them, policy enforcement and policy review, they do require a lot of experience.” What do you think?

[Dan Walsh] I can see where both of them are coming from. I think fundamentally it’s really a cultural issue. So, let’s step outside of the security realm for a minute. How many companies out there have internships? Paid internships where they are kind of hiring or taking a chance for a few months on a young person that is wrapping up college.

How many entry level jobs is that company truly hiring for where it’s not just a call center or something very rudimentary? And do you have the documentation and do you have the bandwidth for your more senior staff to onboard these folks and take a chance on them? And really I think that’s what it comes down to.

Security is heavily context aware. And so if you lack that context, it’s very difficult to kind of break in. And so I think both the points that these folks make is very accurate.

[David Spark] Rinki?

[Rinki Sethi] I agree with Dan. I think that there is certain rules, certain things that we do that experience really helps with. I think when it comes to policy enforcement, there’s two components to it. One is do you understand what needs to be done to enforce the policy. And then two, how do you go and do that.

And to Dan’s point, I think the latter part of that is harder. It’s culture change. The former part of that now, I think that’s where AI… And you see these tools kind of morphing to say, “Here’s some recommendations on what you could do, and so you could…” And then I think the validation of that, again, requires experience.

But if you’re someone more junior who’s just learning, you could probably go and ask someone and learn that way as well.

[David Spark] What about just this negative attitude that Joe had where he didn’t want to be negative, but people are just kind of stuck in the old ways. And kind of like what you said is you’ve got to have someone with freed up time to do training. And really you have to have that sort of training system architected into the entire security program itself.

It can’t be like a one off. Like, “Oh my God…” Or, “Now you’ve got to just stop what you’re doing and just go train this person.” Like it has to be kind of architected. And honestly, I know very few organizations that truly have it that well architected. The only one I can think of very strongly… And, again, I don’t know all.

But I know Jesse Whaley over at Amtrak, he has a heavy system where they roll interns in, have them do sort of residencies in different departments within the organization. He’s got a military background, and it’s got kind of that element of military. Like, “We’ll take anybody, and we’ll train you to be a soldier.” It would be wonderful if all organizations could do that, but that’s a whole business in itself.

Dan, it’s not easy, is it?

[Dan Walsh] It’s not easy. What I have done in the past… There’s a wonderful colleague now… Many, many years ago, she was in a call center, and she wanted to get into cyber security. And she had impressed me because she had paid her way to the Black Hat DEF CON and was just all in on learning this. And today, she’s the head of product security at a startup and just super successful.

And I made the conscious decision with my GRC leader and the rest of the folks on my team to say, “We’re going to create space for her on the team because I’m just so impressed by her work ethic. I’m so impressed by her drive to learn. We’re going to do that.” When I was a couple companies back, we had a contact who was a physician, who had trained as a surgeon, who due to health issues could not stand to do surgery.

And he wanted to get into cyber security as a security analyst. So, again, the team had to be in a certain headspace to be able to take on someone that we would deem a project, but we thought that was a worthwhile investment, because I love seeing people come from these completely different backgrounds because generally I’ve found them to be extraordinarily hardworking, extraordinarily creative because they’ve had like a secondary career almost prior to stepping into security.

But as a leader, you have to create that space for that situation to happen and give space to the team and maybe a little bit of grace for that learning curve to occur.

Sponsor – Recorded Future

12:41.603

[David Spark] Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that is Recorded Future. Now, in cyber security, your greatest fear isn’t the threats you see coming, it’s the critical signals lost in the noise. The ones that could have prevented damage to your reputation, your business, and trust.

Everyday security teams face an impossible challenge, sorting through millions of threats, each potentially critical. But somewhere in that noise are the signals you can’t afford to miss. That’s why Recorded Future was built. To give you the power to outpace AI driven threats through precision intelligence tuned specifically to your needs.

Now, their advanced AI detects patterns human eyes might miss, while threat intelligence experts…these are the veterans of military and intelligence services…they provide the context that machines alone cannot. With Recorded Future, you gain the confidence to know what matters most and the precision to act when it matters most.

Now, learn why 1,900+ customers including 45+ sovereign governments trust Recorded Future to 3x increase their ability to detect a new threat and get 350% ROI, that’s return on investment, in a year. You’ve got to start somewhere. Visit recordedfuture.com to learn more about securing what matters to your business.

What do we have to do now? What can wait?

14:16.148

[David Spark] Marvens D. of Precicom Technologies said, “Documentation and reporting is an underdog. You definitely learn and retain technical concepts and security thought process this way. If you have no experience, take charge and start documenting. It all drills down to the fundamentals – what, why, who, when, how, and if.” By the way, we started doing this, and we actually do videos of ourselves doing the tasks that we want others to do.

And in fact, there’s some AI tools that will look at the video task and make it a written document, too, as well. Just throwing that out as an aside. Benjamin Corli of Zscaler said, “This is a powerful message. A nontechnical person can read your documentation. Do they make sense? Review those metrics and see if they make sense and if they answer the ‘so what’ and if you’re feeding the right information to the right audience.

Oh, there are so many things that those with little technical skills or little experience can do.” Rinki, have you had an experience where you could just document a lot of stuff and just hand it off, and they go? What’s been your experience? And I mean because that’d be wonderful if you can, it’s that easy.

[Rinki Sethi] Yeah. I don’t think it’s that straightforward. I do think documentation can help quite a bit, and it requires time to write a really thorough documentation that folks can use, and learn from, and maybe even be able to implement things. Those of us that have been in cyber security for a long time know that a lot of times documentation can take the back seat unless you have quite a large team and have people particularly focused on that.

I do think creating a culture where you have documentation and you’re enforcing and really trying to push for documentation. But then also where it’s an environment where folks can just come and ask a question, that, “Hey, I don’t really quite get this piece.” Slack somebody or Teams message someone.

Pick up the phone and ask. Go to their desk and ask. And folks are more than willing to help in this space. That’s how we’ve all reached where we are. And I think that it’s also, I think, in companies where the security culture is good, generally folks that do mentor and help others, they get rewarded for that.

[David Spark] You’ve mentioned this, Rinki. Dan, you’ve mentioned this as well. I think if the people are coming in with the right attitude and eager to learn… And correct me if I’m wrong. I’ve yet to meet a cyber security professional that isn’t eager to share their knowledge. They all are. So, if it really comes in with the right attitude and someone specifically says, “I need help with this specific task,” rather than, “Can you help me get into cyber security?” These very general, open… That works.

Am I right, Dan?

[Dan Walsh] Oh, absolutely. If you’re asking a specific question like that, it means that you’ve put thought into it. Maybe Rinki will judge me for this, and maybe justifiably so. But like I’m always hesitant when people are like, “I want to get into cyber security,” because my first thought… And when they’re not specific because it’s like, “Okay, well, why?

Because you think there’s some sort of prestige with it? There’s not. Do you think it pays well? It pays pretty well compared to other jobs. I think it actually pays very well. Okay.” But there’s got to be a motivation more than that. And so just because I want to do something, what are you doing about it?

Like are you putting in that work to achieve that goal or to achieve that dream that you have? And so by asking that specific question, it indicates that you’ve already shown a curiosity and interest, and you’ve done some work, and that goes a very long way.

[David Spark] Rinki, I’m just getting down to attitude of the person entering. My feeling… And the example also Dan gave. That pretty much can take you all the way, yes?

[Rinki Sethi] Yeah, I think so. I also think that there are folks that want to enter cyber security and don’t know where to start. And I think providing the guidance to say, “Hey, these are the areas that exist. Pick up a book. Here, read about it. What kind of really sparks that fire?” And then go deep into that area.

Because sometimes folks just don’t know how to make the switch. And cyber security is such a broad field. I say that not everybody is going to love every aspect of it, but there’s room for anybody who has passion in any area to come and join. So, I think there is that piece, and I do think we have to encourage folks from different backgrounds to come in even though they may not know exactly what it is they want to do from day one.

But to Dan’s point, if you’re specific about what you need help with, folks are going to be able to help you in a much more meaningful way.

[David Spark] Let me ask… I want to close this segment asking each of you this question. And I’m sure you’ve all heard it before. Someone very green comes up to you and says, “How do I get into cyber security?” This very sort of open ended one. I’ll start with you, Dan. How do you answer that question?

[Dan Walsh] I ask them what they’re good at and what they think they’re good at. What you want to understand is traits that they have, as what they’re really good at. Because that lends itself to different aspects across the domain, because it is such a broad domain. So, if someone just loves investigations, they’re very inquisitive, then maybe being incident response might be a thing.

If they’re really… They enjoy setting policy, they want to be more on the GRC side. If they love playing around with Python or something then it might be something in maybe cloud infrastructure, or application security, or something like that. So, I think it’s just trying to understand what they’re really passionate about, what they’re interested in, and kind of what existing skillsets that they have.

Because everyone has them. And then from there, you can sort of plug them in and say, “Hey, lowest barrier to entry because you have this is X, Y, or Z.”

[David Spark] All right. Rinki, I ask the same question. You’re asked, “How do I get into cyber security?” Your answer is…

[Rinki Sethi] My answer is you start by learning and understanding what it is that you actually want to focus in on. And then I think there is a slew of people out there that are more than happy to help guide you.

What’s the optimal approach?

20:06.444

[David Spark] Michael L. said, “I believe there are three key reasons we value senior level experience – innovation, triaging, and mentorship. An organization should run more smoothly on a daily basis than in a crisis mode. The tasks often reserved for senior officials can be documented and detailed through standard operating procedures, complete with step by step instructions in an appendix by rare challenges that the team has encountered.

The senior process owner can train junior staff on the SOP, sign off on their ability to do the work, and then shift their focus to higher value areas like innovation or crisis management. This approach is similar to the military’s method of training. New recruits are thrown into the deep end and expected to adapt quickly because the mission demands it.

Businesses can apply these same tactics to build a more resilient workforce. By implementing a risk framework, junior team members can handle low-risk, green tasks while more capable juniors take on medium-risk, yellow ones. This structured delegation not only strengthens the team but ensures that senior leaders can focus on the strategic elements that truly drive growth.” Dan, I read this thinking, “Yeah.

Why doesn’t everyone do this?”

[Dan Walsh] Well, I think it’s because I don’t think that that’s how… You’re presuming that the organization is running smoothly to begin with, and there’s a great deal of organization that kind of goes into this. And I think that this is like a maturity thing. So, I think getting to this level is probably maybe something that one would hope to get to at some point.

[David Spark] Is this some cyber security nirvana? [Laughs]

[Dan Walsh] Yeah. Yeah. Yeah. I just don’t know how realistic it is because if you ask any…Rinki or anyone, what you plan to do on Monday is very different than what you end up doing by the time Friday rolls around.

[David Spark] It really all starts with this line of, “An organization should run smoothly on a daily basis and in crisis mode.” Like who’s going to argue with that? Yeah, I’m down with that.

[Dan Walsh] Right. Yeah. Yeah, sign me up for that. Right.

[David Spark] Rinki? What do you say here?

[Rinki Sethi] Yeah, I have the same exact thought process as Dan. That there is no cyber security nirvana that exists, and… Yeah, so I totally agree with Dan on this one.

[David Spark] All right. Anything to add on this in terms of…well, achieving this kind of nirvana or, I don’t know, getting a portion of the way there?

[Rinki Sethi] It’s all about maturity, and so it’s a journey on the cyber security path.

[David Spark] All right.

Closing

22:39.531

[David Spark] Well, that brings us to the very end of this show. I want to thank my guests, Rinki Sethi and Dan Walsh. This is actually the point though of the show where I ask both of you which quote was your favorite and why. I’m going to start with you, Rinki. Go ahead. Pick a quote. Summarize it and tell me why you thought it was so good for today’s conversation.

[Rinki Sethi] Yeah, I think it’s the one from Joe Hudson, and I’ll read the particular part of it. And I know his quote sounded a little bit cynical. I do think that the cyber security industry is going to open up to enable early career individuals that are pursuing careers in cyber security. And I think that with AI and with the introduction of the change that we’re seeing and the transformation of cyber security products and just the industry that this is going to be game changing.

But the part that I do agree with Joe on is the part where he says, “I hate to admit that, but I spent so many years in the thick of companies’ internal issues, and most just won’t be able to make this happen anytime soon. It’s five to ten years,” with ten exclamation points. So, I do agree with that piece.

[David Spark] Dan, your favorite quote and why.

[Dan Walsh] Probably Marvin’s quote, where he says, “Documentation and reporting is an underdog. You definitely learn and retain technical concepts and security thought processes this way. If you have no experience, take charge and start documenting. It all drills down to the fundamentals – what, why, who, when, how, and if.” And I think that that’s sage advice for any security team.

[David Spark] By the way, I love the two quotes you picked because I couldn’t agree with them more. And in fact, from kind of two sides, being a little cynical. But if you’re going to get there, document to get your way there. All right. That brings us to the end of the show. I want to thank our sponsor, Recorded Future.

Thank you so much, Recorded Future, for sponsoring this episode of the podcast. Get ahead of present and future attacks with Recorded Future. Find out with all that noise what are the critical signals you need to pay attention to. Go to their website, recordedfuture.com. I want to thank both Rinki and Dan.

Now, we’ve been talking about hiring. Are you hiring at your companies? Rinki, yes?

[Rinki Sethi] We sure are. Come join us at BILL.

[David Spark] All right. So, I’m assuming that you have a careers page at BILL?

[Rinki Sethi] Yes, we do.

[David Spark] And when did you drop the “.com?” You used to say “bill.com” and now it’s just “BILL.”

[Rinki Sethi] Yeah, that’s been a little over a year, I think.

[David Spark] All right. And what was the decision to drop the “.com?”

[Rinki Sethi] It was just a rebranding as we had made so many acquisitions, and I think it was modernization of the brand.

[David Spark] Okay. All right. Dan, are you hiring over there at Datavant?

[Dan Walsh] We are. So, if you go to Datavant’s careers page, we have a bunch of IT and security roles. We’d love for you to apply.

[David Spark] Awesome. Awesome. And please, as someone who has put out job roles before, if they say a specific way on how to apply…you don’t apply to all jobs the same…follow the rules. That’s all I have to say. Because your resume will not be looked at unless you follow the rules. As someone who has experienced this, I can tell you that is the case.

Thank you, everybody, for your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.