I Said I Was Technically a CISO, Not a Technical CISO

The road to becoming a CISO is highly individual. Often a CISO will not come from a technical background, or their technical background is long in their career rearview mirror. Can a CISO be effective today without a technical background? And how do you keep up on your technical chops once you get the role?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Fredrick Lee, CISO, Reddit.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

(Voiceover) Best advice for a CISO. Go!

(Fredrick Lee) Go to amazon.com, search for Renewed HP Mini PC, buy that HP Mini PC, install Proxmox, then go to rancher.com, download Rancher RKE 2, install that at home and start running some of this critical infrastructure in your house for your life because that’s going to help you be better prepared to deal with real life threats and to actually talk to engineers.

(Voiceover) It’s time to begin the CISO Series Podcast.

(David Spark) Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series, and my co-host for this very episode, you love him, you can’t do without him. It’s Andy Ellis. He’s the operating partner over at YL Ventures. Say hello to the audience, Andy.

(Andy Ellis) Good morning, or depending on when you are in the world, good afternoon, good evening, or maybe even good night.

(David Spark) Or maybe wake up.

(Andy Ellis) That was the good morning to start with.

(David Spark) No, wake up because maybe they set a podcast as their alarm.

(Andy Ellis) Then they get a good morning from me. I don’t try to yell at people to wake up unless you’re my kid who’s slept through the first three good mornings.

(David Spark) Do your kids listen to the show?

(Andy Ellis) No.

(David Spark) There you go.

(Andy Ellis) Although the last one we recorded, one of my kids may listen to because the guest excited him very much.

(David Spark) An episode a long time ago, my son was responsible for the “What’s Worse?” episode and he actually listened to that episode.

(Andy Ellis) Although given that we do have the CISO of Reddit today, I might get my kids to listen.

(David Spark) I told my son as well. He’s a big Reddit fan as well. We’re going to introduce him in a second, but first let me mention our sponsor. It is ThreatLocker. Zero trust endpoint protection platform. That’s what ThreatLocker has. It has a whole suite of wonderful things. We’ll be talking about that a little bit later in the show. But first, Andy, a few episodes back, I asked you what was your podcasting pet peeves? And then this has been building up in my head, so I started writing it down. I was like, oh, I’ll have like 5 or 10. My list is now well over 30. It is quite a long list.

(Andy Ellis) I’m not at all surprised.

(David Spark) It just keeps growing. And I was looking at others to really remind me. And then I asked my team, I’m like, “Oh, yeah, I completely forgot about that one.” By the time this episode is released, the article will be released as well. But I realized that a lot of the podcasting pet peeves I am guilty of at one time.

(Andy Ellis) Yep.

(David Spark) And I realized you can’t make a podcast without doing a lot of these early on.

(Andy Ellis) Yeah, and it’s like nobody hates cigarette smoke worse than a reformed smoker. I think in every technical discipline, all of the mistakes you’ve made and you learned from them become your pet peeves when other people make them.

(David Spark) Yeah, and now trust me, I did not make all of these by any stretch. There’s plenty I hated out of the get go, but there’s a good number I made these mistakes myself. So, anyways, currently I’m at 30. I think I’m going to be stopping around 30, but we’ll see what the final result is. Let’s bring on our guest who we teased just moments ago. We’ve actually had him on the show when he was at a different employer and actually took a while to get him on at his new employer but thrilled to have him on. We actually had his predecessor on.

(Andy Ellis) Right, so entertainingly we’ve had both him and his predecessor in this role, but not him in this role yet.

(David Spark) Exactly. So, now it’s all coming together. It is the CISO of Reddit. His full name is Fredrick Lee, but nobody calls him that.

(Andy Ellis) Except Mom. Everyone knows him as Flee. Flee, thank you so much for joining us.

(Fredrick Lee) Thank you so much for having me here, and I’m excited that I can be part of this community. Just like Reddit, it’s part of everybody else’s community.

What’s a CISO to do?

4:03.201

(David Spark) We often talk about the need for a CISO to serve as a bridge to the rest of the business, but a CISO’s role still needs to be grounded in technical proficiency, argues Jeff Hancock, CISO over at Access Point Technology, in a recent LinkedIn post. Now, many CISOs come from a technical background, but it becomes hard to maintain once you’re in a CISO role. Jeff says that while no one can be a master in all technical disciplines, CISOs should make a goal of selecting a few to retain mastery of over a long-term plan. Now, Andy, I’ll say, does this reflect your experience? Is this a matter of credibility with the rest of the security team, or does a technical understanding allow a CISO to do their job better? As you were a CISO, how much of your technical skills were sort of staying intact?

(Andy Ellis) So, I think you have to have a deep grounding and understanding in a lot of technical domains, which as you become a CISO, you might call it, oh, I know more about DNS than anybody else in the company or SSL or whatever it’s going to be. But once you are a CISO, it is your job to hire people who are smarter than you about that because you cannot afford to retain that as a core competency. I will never be unknowledgeable about DNS ever again. I have enough knowledge about it, but I will tell you every time there was an interesting DNS vulnerability that I’m going to have to talk to the rest of the business about, the first thing I’m doing is getting a briefing from my team, and then I’m going to repeat back to them what I believe I just learned and how I’m going to message it to the rest of the business so that they can correct me. You have to have that humility. If you think you’re smarter than your team, your team will not tell you when you’re wrong. And then at some point, one of your business partners will find out you’re wrong and now nobody’s going to trust you.

(David Spark) By the way, I want to double down on that line you just said before about repeating back what I heard. I used to do this all the time when I wrote technical articles. I would interview someone and I’d say, “All right, I’m going to repeat back what I heard.” I’d sort of digest it in the David Spark brain, and this was an extremely good exercise because it did two things. It communicated how well they’re communicating this to me and also how right or wrong I got it when it came back. And what it would often be is, it wasn’t that I got it wrong, but they realized that they left something out when I regurgitated it back to them, and that’s why that’s a key exercise.

(Andy Ellis) Yep. And especially because mostly this is going to happen during incidents. Like all of a sudden, there’s this big data breach and people want to say like, “What is Snowflake?” to take a recent one. And you’re learning about the data breach and about how this architecture works. You’re echoing it back to somebody on your team and they’re also probably learning things right now. And so you echoing back might help them realize, “Oh, I need to go learn more about that because I didn’t explain it well.”

(David Spark) All right, Flee, I take this back to you. And the reason we’re talking about this is you feel very strongly.

(Fredrick Lee) Yes.

(David Spark) And you know what? Your opening tease very much spoke to that as well.

(Fredrick Lee) Yeah, so I want to double down on the thing that both of you are here talking about, which is that ability to actually do the act of listening, right? It’s like the ability to actually say like, “Oh, you said this to me as a CISO, this is what I’m hearing. And this is what I’m going to communicate to others.” And this idea of like, hey, there might be some nuance I missed, or I got it wrong, etc.

(David Spark) Or essentially they have a dialogue in their head, but they probably forgot something when they communicated to you.

(Fredrick Lee) Yes, exactly. Part of that S in the CISO is not just for security, it’s also for storyteller, right? And so that’s actually part of it. It’s like, hey, can I actually understand this well enough to actually tell the story? I feel strongly though that CISOs should be technical and that if a company has a technical CISO, they literally have an advantage over others. Now with regards to what that technical acumen needs to look like, yeah, it’s going to vary. Most of us started in one particular discipline and I generally encourage people to actually double down on that. I’m a huge proponent of kind of like this idea of the talent T for people that…or maybe the people that actually can’t see my visualization here. This idea that, yeah, it’s actually good to kind of know things across from a horizontal standpoint, but at some particular area, you should actually dive deep, right? And I think that actually gives you as a CISO the ability, one, to be able to actually kind of call BS on certain things. And in particular FUD, right? Be able to actually say, “Hey, you know what? This is maybe not as big of a deal as you actually think.”

The other aspect is that if you are a technical CISO, your ability to find yes is much greater than anybody else’s, right? Your ability to say, “Hey, I see this new AI product. Everybody else is afraid of it. I think we can have a competitive advantage. And because I’m technical, I believe that we can actually find a technical solution to enable this.” For me personally, I definitely recommend that CISOs learn a programming language. I think every CISO should be able to actually code. And if you can’t code, go learn it.

(David Spark) All right, hold it. Can I challenge you with that on a little bit? Now, yeah, I learned to code too when I was in college and a little bit afterwards but let me give you an idea of what I learned. I learned Fortran. So, how much Fortran is being used these days?

(Fredrick Lee) No, I can agree.

(David Spark) I mean, I understand the concept of coding, but Fortran, I might as well have learned hieroglyphics.

(Andy Ellis) Yeah. Well, yes, that’s not coding anymore, that was 30 years ago.

(David Spark) Yeah, yeah.

(Fredrick Lee) Let me defend my professors because some of them actually are also on the Fortran language board. Fortran is still a very good language. And also as somebody who is a recovering meteorological computer scientist, yes, it still is in good use. But the power of learning to program is not about the language that you’ve learned. It’s the concepts that you learn and the mentality that with programming, you can solve so many problems. And I find that a lot of CISOs hit dead ends because they themselves don’t understand that you can use programming to enable and create a better and more secure outcome.

How can we secure new technology without creating new risks?

10:14.870

(David Spark) At its 2024 Build conference, Microsoft detailed a new Windows feature called Recall, a way to “access virtually what you have seen or done on your PC.” But security researcher Kevin Beaumont found that Windows Recall stores its data in a plain text database without any content moderation. And Susan Bradley at CSO Online wasn’t alone in thinking how this could be a gold mine for threat actors. By the way, I just want to point out, just before recording, there was so much backlash against Recall that Microsoft determined not to turn it on by default, it was originally on by default, and that you had to opt in if you want to use it. But I want to know – I’m going to start with you, Andy, on this – how the security department could manage Recall. Now, assuming the business wants to leverage the utility of this feature, they say, “We’re gung-ho, we want Recall.” How do you start dealing with the security and privacy concerns? And on top of that, does storing that much data mean you have to rope in other departments for compliance purposes?

(Andy Ellis) Well, I don’t think that modern businesses in this world are ready for the harms that Recall exposes them to. And I think rather than hiding them, our job should be to highlight them. I think you should go to your chief revenue officer and you should say, “Hey, if we enable Recall, like we’ll do the best we can, but just so you know, the next time that one of your VPs of sales gets a lawsuit sent our way for sexual harassment, just so you know, every single communication they ever sent while employed by us in any medium will be available to the prosecution.” And just stop there. Like, doesn’t matter what I do to secure it, if it exists and we can use it, it’s discoverable. Like every single communication, have that with general counsel. Go talk to HR, talk about, “Okay, let’s talk about your recruiters and the way in which they’re probably discriminating in various ways, but we’re not talking about it.” And all that discrimination is now discoverable. I don’t think American businesses conduct themselves in ways that they are ready to have exposed in discovery. And Recall is a discovery nightmare. Let’s just ignore the security issues. This would be a disaster for a business.

(David Spark) You’re not going to even go down this road of how you would actually secure this.

(Andy Ellis) No, I want to make sure the business knows what it’s getting into.

(David Spark) Yeah. Let me ask you, Flee, would you take the challenge of trying to deal with this? Or you’re like, no, there’s no way a business is going to jump on this.

(Fredrick Lee) David, you are talking to a disciple of the Church of Find Yes. So, I am, I am going to say like, hey, well, what can we actually do here? But I do want to double down.

(David Spark) All right, so I just want to point out here, Flee is taking this challenge, Andy, and you sidestepped it. I’m impressed. Go ahead, Flee. You found the yes, how are you going to deal with this?

(Fredrick Lee) Yeah, one of the things that actually Andy mentioned is critical is actually really laying out the entire threat model to the business and saying like, “Hey, okay, well, hey, here’s the threat model. You now have context about why we’re concerned around this, but hey, are there ways we can actually isolate this? Can we isolate the environment? Can we make it so that this is only used by a handful of people with certain datasets, etc.? And can we also just add additional scrutiny and monitoring around it?” Now, mentioning all of that, it does mean that, hey, you will probably be in a situation where using Recall will have a lot of friction, but if there’s actually true value there, then that friction actually just turns into intentionality, right? You’re saying, “Hey, this is sensitive, this is dangerous. Here’s some things we actually want to do to remove some of those sharp edges, but there’s still going to be sharp edges. And here’s what we actually want to think about.”

And the other thing that you want to pair that with is that essentially pre-mortem, which is like, “Hey, let’s actually model about what this is going to look like if it goes wrong and how we intend to respond and plan.” I’m not a huge fan of CISOs that say no. Our job as CISOs is to enable the business and to figure out like, hey, what can we do? And yeah, in certain cases, the kids want to run around with scissors. And so we’re going to say, okay, you want to run with scissors? Well, let’s at least give you some safety scissors and let’s also teach you how to hold them properly, right? But the more we as CISOs can lean into this concept of Find Yes, find enablement, etc., the more we will be successful and the better outcomes our companies will have. And I’ve worked at tons of companies where the thing that we were doing, other people said like, “This is crazy. This is insane.” Reddit, we deal with a lot of user-generated content. Most other people are afraid of that. We’re like, no, well, we can actually build ecosystems. We can build systems. We can build processes in place to actually make this safer. At Square, we were taking credit cards on some random person’s phone, etc., right?

(Andy Ellis) Originally coming in through the microphone jack. Remember that?

(Fredrick Lee) Oh yeah, oh yeah. There are tons and tons of ways to actually do that. And when you think about it, the companies that are super successful, the ones that we actually idolize are those ones that leaned in and said, “Hey, that is a risk, but we can manage that risk. And if we manage it, we will be more successful and win over everybody else.”

(Andy Ellis) Yeah, the key point in what Flee just said is that they took the risk, and they knew how they were going to benefit. And I think if you’re going to go in on Recall, in addition to the risk conversation, you should actually go with it because you’re saying here’s how we will benefit, not it’s this cool feature, maybe we will benefit.

(David Spark) So, if the business assumes they’re going to benefit from this, do you even take the challenge, Andy? Or you say, you know what, let someone else do it?

(Andy Ellis) No, no, I want to know how are we going to enable the business to benefit? Even before we talk about the security, I look at Recall right now as it’s posited today, and I don’t think most businesses would know how to actually benefit from it. A few users would get some benefit because, oh, I need to go back and find a thing, but it would not be structural. And then with the level of risk you would be taking, you want some structural benefits. I can conceive of ways to do that, but the business should have that as a serious conversation.

Sponsor – ThreatLocker

16:18.904

(David Spark) Who’s our sponsor this week? Why, it’s ThreatLocker. You remember I mentioned them at the top of the show? Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving your business’s sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats entirely. That’s the power of ThreatLocker Zero Trust Endpoint Protection Platform. Now, robust cybersecurity is a non-negotiable to safeguard organizations from cyber-attacks. ThreatLocker implements a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless it’s specifically authorized by your team. This least-privileged methodology mitigates the exploitation of trusted applications and ensures 24/7/365 protection for your organization.

And then the core of ThreatLocker is its Protect suite, including Application Allowlisting, Ringfencing, and Network Control. Additional tools like ThreatLocker Detect EDR, Storage Control, Elevation Control, and Configuration Manager enhance your cybersecurity posture and streamline internal IT and security operations. Remember I told you a big old suite of applications? This is it. You got to go look at their stuff to see. So, to learn more about how ThreatLocker can help mitigate unknown threats in your digital environment and align your organization with the respective compliance frameworks, go to their website. It’s ThreatLocker.com.

It’s time to play “What’s Worse?”

17:54.877

(David Spark) Flee, I know you know how this game is played. You missed it in our last recording, Andy and I, we talked about how often people agree or disagree with Andy, and I just want to point out…

(Andy Ellis) 74% of the time agreement.

(David Spark) 74%, he gets agreement. But again, he goes first and usually, if you go first, and some of them are a little bit weighted towards one.

(Andy Ellis) Flee’s already disagreed with me twice on this show, which is your quota. So, now you have to agree with me, just so you know.

(David Spark) Oh, damn it, okay.

(David Spark) No, no, it’s not your quota. You can keep disagreeing. Now, here’s what makes it difficult. There are three options on this one, Andy.

(Andy Ellis) Oh, you’re cheating.

(David Spark) I’m not cheating. This is what was submitted.

(Andy Ellis) Okay, whoever sent it in. That’s cheating, making it harder.

(David Spark) By the way, I’m going to say these are literally three variations of the same darn thing. This is what’s going to make it difficult for you. You’ll see what I’m saying.

(Andy Ellis) What’s worse? A question with three different answers. That’s what’s worse.

(David Spark) Yeah, yeah, okay. This comes from Nir Rothenberg, who’s the CISO over at Rapyd.

(Andy Ellis) Okay.

(David Spark) And he’s got three scenarios. Your employees are having a bad day. Scenario number one, malicious actors flood your network with fake requests, preventing your legitimate workforce from accessing online services. Not good. Number two, an internal IT admin with high level privileges accidentally misconfigures access policies and your workforce is unable to log in. So, the first one, can’t access online services. Second one, screwed up the misconfiguration. Workforce can’t log in. Third is your public cloud provider services, so AWS or Google Cloud, it goes down, and your workforce cannot access anything that’s reliant on those spaces or whichever space that you use. So, there’s three variations of kind of the same thing, but in different spaces. Which one’s worse here?

(Andy Ellis) So, what’s fascinating is that none of these are actually that bad. These are all things you just have to prepare for. First one sounds like a classic DOS attack. As described, I’d look at that DOS attack, and not to shill for my former employer, but that one sounds like a call Akamai, get Prolexic set up because it sounds like you need your network-based filtering versus application filtering.

(David Spark) The thing is this is happening.

(Andy Ellis) This happens all the time to people. You’re going to be down for a number of hours while you do a provisioning because this does require some GRE encapsulation. It’s not trivial. Second one, boy, does this happen more often than people want to talk about. In a sense, it’s often the easiest to fix, but sometimes the hardest to find what you screwed up. And then which follows one of my rules of network-based troubleshooting, which is the closer you are to the problem, the longer it takes to find it. The people who are physically far away, I’ll call you up and say, “Oh, I know exactly what you did.” And you’re like, “No, no, it couldn’t have been that.” No, yes, in fact, you basically just went in, and you accidentally changed the role of everyone to “everone” and a silly typo is all you have to go fix. Takes you four hours to find it and 30 seconds to reprovision it. So I don’t think this one is the worst, even though it’s personally the most embarrassing because your team screwed it up. But it’s easiest to fix. Now, the third one, what was the third one? Oh, the third one was like…

(David Spark) The third one is your cloud provider goes down, so any service that’s reliant on that, you’re screwed.

(Andy Ellis) Yeah. Actually, I’m going to tell you right up front, this one is the worst. Not for what happens, but for the outcome. Because the challenge is the first two, the outcomes are really simple. Like management looks at you and says, “Great, you’ve provisioned a DDoS service, we’re done, we’ll never talk to this again.” Second one, they’re going to make you put in some onerous process. It’ll probably be really badly written, but that’s okay. And then you can move on. The third one, they’re going to now say, “Oh, my God, we need to be multi-cloud, multi-availability zone. Everything has to move and do this.” And nobody’s actually going to do this architecture. Multi-cloud just means different apps in different clouds.

(David Spark) No, but the thing is, it’s your cloud provider’s services.

(Andy Ellis) Right.

(David Spark) So, it could be… Yeah, okay.

(Andy Ellis) But you never have them all down at once. Like AWS and GCP don’t go down at the same time. But if you build on AWS and GCP, you’re probably using AWS’s application load balancer. So, when it goes down, you lose them both anyway. Oops. So, very few people are actually doing real multi-cloud, and it’s expensive and hard, and everybody hates whoever has to drive the initiative. And if that’s going to be because of what’s perceived as a security issue, that’s now you. So, everybody hates you for doing it. So, this is the worst one, not because of the bad day, but because you’re now going to have a bad couple years.

(David Spark) Okay. All right, Flee, do you agree or disagree?

(Fredrick Lee) I guess I’m going to continue my track record. I disagree.

(David Spark) Ah. I feel so much better now.

(Fredrick Lee) I agree with a lot of the points that you’re mentioning, Andy.

(Andy Ellis) Okay, we’re done. (Laughter)

(Fredrick Lee) I think that the first scenario is actually worse. And it’s actually somewhat simplified because in the first scenario, you’re actually dealing with two problems, right? You’re dealing with the just general DOS or potential or suspected DOS, and you’re also dealing with the fact that your employees can no longer be productive, right? And so you’re trying to actually solve two things at the same time. And unfortunately, more than likely you’re trying to use the same set of responders to deal with both of those problems at the same time.

(Andy Ellis) You have that in all three cases. Your employees aren’t productive in any of the three cases and you’re solving a problem.

(Fredrick Lee) Yep, yep, yep, yep. But in those other cases, the people that are actually going to help you are also aligned and also supportive, etc. Like in the cloud going down case, unfortunately, that’s actually just kind of par for the course now in the industry. We, to some extent, treat it like a plane being late. Right? You kind of expect it.

(Andy Ellis) Yep.

(Fredrick Lee) I remember back in my days at Twilio. Oh, yeah, we expected AWS to just go down, right? This was going to be just days where US East was just not going to work, right? And the cascading impact of that. However, in those scenarios, we knew that AWS was also on it and tons and tons of other customers are trying to actually debug it, etc. And to some extent, you’re setting expectations with everybody really, really quickly. Going back to that first scenario however though, one is you’re saying that, “Hey, we think there’s a DDoS. We think there’s a DDoS attack.” You don’t actually know that. You actually do want to actually do deeper dives into it. You actually have to do more investigative work, etc., to determine what that root cause is.

And at the same time you’re trying to actually fix that root cause, you also are hearing from tons and tons of your employees. And for those of us that have CISOs that are also CIOs, etc., you’re also dealing with that help desk aspect. You’re dealing with that customer service aspect. And you also are trying to essentially protect your responders on the actual incident. And that’s the reason why I think that one is worse. All of them suck. I really, I was hoping that this would just be a much easier, better, or worse conversation because you’re just kind of picking which knife you want to stab yourself with.

(Andy Ellis) So, well done, Nir, that we think these were all sort of comparable in badness.

What’s broken about cybersecurity hiring?

25:06.729

(David Spark) Cybersecurity hiring is full of headaches on both sides. Over on the cybersecurity subreddit, someone asked for the frustrations on the hiring side. And the top response really resonated with “enterprise-grade BS processes.” Everyone really rang the bell on that one. Essentially recruiters slowing the job posting and hiring of candidates to a crawl. Other items include resume inflation for candidates, corporate politics, canceling a position after you’ve done the legwork, and candidates fresh out of school overestimating their qualifications. So, I’m going to start with you, Andy. I know you feel very strongly about this topic. What procedures in the hiring process cause you to grind your teeth? And just pick two or three that drive you nuts.

(Andy Ellis) So, I’m just going to say the job descriptions are disasters and nightmares. Here’s my position on job descriptions. You’re allowed as many total lines as years of experience that you expect from the people who are coming in. If this is an entry-level position, you get one line.

(David Spark) That’s a good way of seeing it.

(Andy Ellis) And maybe it is a little extreme. Okay, I haven’t thought through this one too. But I am tired of weird, ambiguous BS speak. In fact, I heard this recently. Like, how do you feel about dealing with ambiguity? I am sorry, but that is not appropriate in a job description. Tell us what you mean by that. Be very explicit but narrow it down. Like, if you’re trying to hire a CISO where you expect 20 years of experience, then it’s fine to have lots of content. But the more vague your words are, the more you’re going to get people who don’t actually match what you’re looking for. You have to remember, you are trying to turn your job description into a filter that only pulls in the people who are qualified for your job. If you’re getting people not qualified for your job.

(David Spark) Irrelevant people always apply all the time.

(Andy Ellis) Right, there are people who always apply, but there are people who then apply because they think they’re qualified because you didn’t tell them what the job entails.

(Fredrick Lee) Andy, did you just suggest that people try to make ambiguity unambiguous?

(Andy Ellis) Yes. So, I’ve seen this. I’ve seen this in a job description. It says dealing with ambiguity. I’m like, exactly what does that mean? Because you probably have in your head something like management will ask us to do something vague and we’ve got to figure it out. Then say that. That’s very different than, “I, your boss, I’m not going to tell you what to do, and I might choose to fire you or promote you, and you won’t know which one until the day it happens.” I don’t want to work in that, that’s toxic. So, when I see “dealing with ambiguity,” what I hear is this is a toxic culture. But I’m pretty sure that most people who write it down don’t think that’s what they’re saying.

(Fredrick Lee) Oh, yeah, I would agree with that. I think most people are actually trying to articulate exactly what you said. It’s okay, this is a proxy for this expectation, right?

(Andy Ellis) Yeah.

(Fredrick Lee) We said ambiguity, but what we’re actually saying is sometimes we will give you a task and I don’t have the full details and I will need you to supplement and fill that in, ask intelligent questions, etc.

(Andy Ellis) Right, and so talk about be able to begin execution before a project is fully designed and understanding that you’ll have to pivot. Like boom, that’s a whole set of skills that somebody could look at and say, “Ooh, I’m amazing at that.” And other people could be like, “No, I refuse to start work until you fully define what success looks like.” And boom, now it’s a filtering statement.

(Fredrick Lee) Oh, so for the record, I am agreeing with Andy.

(Andy Ellis) Yes! It only took us like five seconds.

(David Spark) What? By the way, this only counts in “What’s Worse?”, Andy. It doesn’t count (Inaudible 00:28:44).

(Andy Ellis) Yeah, but Flee’s disagreed with me in every section so far. I’m just going to go with one because I tried not to be ambiguous on my one and really lay out.

(David Spark) There you go.

(Fredrick Lee) Well, I think one of the things that you’re kind of touching on, Andy, is essentially people that don’t fully understand the role trying to push in expectations about how to write and describe a security hire, right? Because you will have people in your talent organization that’ll be like, “Oh, nobody will read a job description that looks like this.” Well, the people we want to reach will read that job description and they will understand what we’re talking about. And one of the things you actually find is that a lot of job descriptions are optimized for the recruiter, not the candidate, right? So, one of my big pet peeves is people being filtered out because they don’t have certain certifications or acronyms or things like that. Those are good for recruiters, but it’s horrible for candidates, and it’s horrible for hiring managers.

So, I think maybe my pet peeve is, and I think one of the things that actually is causing that friction, especially in the enterprise hiring, is not really fully empowering those hiring managers to talk to the candidates they want to reach in the language that the candidates will understand and appreciate. I don’t care about somebody having a CISSP, I care about somebody understanding some core security fundamentals and having some kind of education around it or having some practical experience. But when you try to explain that to a recruiter, they’re like, “Well, which one of these things in the checkbox is what you’re asking for?”

(Andy Ellis) Yeah. If you’re a hiring manager, you own the job description, not recruiting.

(Fredrick Lee) Yes.

(Andy Ellis) So, if they’re editing the job description and then posting it, you failed at your job, which is owning the job description.

(David Spark) But I think what the problem is, is people, the way they write a job description is they search for other people’s job descriptions, copy and paste it and start adding (Inaudible 00:30:42) rather than just starting fresh.

(Andy Ellis) Right, well, and there’s a lot of reasons for it that do have to do with hiring practices to make sure you’re not being discriminatory, so nobody wants to be doing weird things. The other thing you should do is you should get a friend who is perfectly qualified for the job that works at a different company that you have no intention of hiring and they’re not actually coming to work for you. Have them apply for the job and see if you get their resume. Because if you don’t, that should be very telling to you about who’s being filtered out. And if you’re on the other side of this and you are a job seeker and you see a job description and it says something like CISSP preferred, right? If you do not have the word CISSP somewhere on your resume, you will not make it to the hiring manager because the recruiters are just pattern matching on the CISSP. So, if it says CISSP preferred, you should put in your academics or certifications, you should say currently engaged in seeking my CISSP because otherwise you will not make it past the recruiter because you didn’t have the five letters somewhere on your resume.

(David Spark) This is my rule of thumb in the little bit of hiring we’ve done here at CISO Series: create an extremely low hurdle and watch how very few people can clear it. The classic case, I’ve told this story before, the very first job that we hired for, the low hurdle we requested, and we got about 45 resumes, was please go to CISOseries.com and just give me your thoughts on the site. Of the 45, 6 people did it. Of the six, three spelled our company name correctly. Guess what happened? We did three interviews.

(Andy Ellis) Yep. Yeah, oh, absolutely. If you really want to do the filtering out, ask people to do a small, very small amount of work. (Inaudible 00:32:28) like something big.

(David Spark) Go to our website! That’s it.

(Andy Ellis) But enough to show that it wasn’t a resume service that was just spamming out their resume at you.

(David Spark) Yeah.

(Fredrick Lee) So, David, what I’m hearing is you like Van Halen and you’d like the Van Halen infamous tour rider.

(David Spark) Oh, the M&M thing. Yeah.

(Fredrick Lee) Well, the whole idea is like, hey, is this somebody who’s actually paying attention? Right? Because once you get that, that’s going to filter out a lot.

(David Spark) So, for the people who don’t know the Van Halen story, why did they do it? It was about separating colored M&Ms, explain them.

(Andy Ellis) Right, they basically said, “In the green room, we need to have a bowl of M&Ms, from which all of the brown M&Ms have been removed.” And the purpose of this was that Van Halen was the first major band to play second tier venues. And they had this massive rider that included things like how much structural integrity the venue needed to have. Like, oh, you want us to be on a stage, you need to make sure that it’ll take this much weight. And so their attitude was, we will show up, we’ll walk into the green room. And if the bowl of M&Ms isn’t there before we unload our trucks.

(David Spark) And separated colors.

(Andy Ellis) And separated. We are going to go over every single requirement and now manually check ourselves before we unload and destroy the venue by taking some high school gym and destroying it.

(David Spark) Right, and the thing that’s interesting is that the way the story was told was not that. When it was originally told was, can you believe Van Halen demanding this M&M separation garbage?

(Andy Ellis) Right, and they’d throw a temper tantrum and not tell you why they had done it because they wanted people to be like, “Oh, my God, these people are crazy. If we want them to play our venue, we need to carefully read the rider.”

(Fredrick Lee) It’s a really good concept and it’s a good tool. And for those that are listening, you can actually just go and Google about this concept of letting the garden weed itself. Right? Like how do you get the right people to self-select?

(David Spark) I’m telling you, put a low hurdle in there.

(Andy Ellis) Yeah.

(David Spark) We had a situation where we had what we thought was a very good candidate for a job, but he couldn’t clear these low hurdles. And there was no question he was talented, but it was clear he didn’t want to work for us. And we’re like, well, forget it. He couldn’t clear these hurdles. And again, I can’t stress how low these hurdles are. They’re really low.

Red Alert! All CISOs on deck!

34:46.913

(David Spark) Municipalities are a great example of important organizations often struggling to get over the security poverty line. Often dealing with budget and staffing challenges, municipalities have to get creative when recruiting talent, search out grants for additional funding, and use state-owned fusion centers for threat intelligence sharing, noted Deb Ratcliffe in a piece on CSO Online. Now, I’m going to start with you, Flee. Is there anything else there that municipalities can do, maybe with an eye to tackle low-hanging fruit, to make themselves, this is key, less of a target? Because I think they’re really a target.

(Fredrick Lee) Yeah, I don’t know if they can necessarily actually make themselves less of a target, but there’s definitely low-hanging fruit that they can do to actually make themselves better prepared and a better-defended target. We were literally just talking about hiring, and one of the issues with municipalities is that they’re not taking advantage of all the great resources around them. So, for example, there’s this phenomenal program called Year Up, and it’s taking people that may not have had a traditional education and providing them and giving them great world-class training on cybersecurity. But because they do not have a college degree, or maybe their degree isn’t computer science, municipalities pass these people over. This is a great resource, and it actually is something that enables a municipality to have better security. It also brings more people in the community, providing better jobs. So, literally, the municipality overall does better because now you’re giving these people experience, they’re contributing, they now can actually get better jobs. And if you believe in all capitalism, etc., they’re going to be paying more in taxes, that kind of thing.

And that’s not the only organization. You think about groups like Vets in Tech and things like that, where people are coming back from deployment and looking to return to civilian life, where they are great assets. Many of them, you think about somebody that was in the Navy or the Air Force, already in those cyber roles, getting them directly into these municipalities – these are already people that have shown and expressed a desire and a passion for serving their community – and actually bringing them on board. But what I find the big issue with municipalities is that they have gated themselves in such a way that they can’t get the help that they actually need. And I do believe there’s low-hanging fruit to actually change that.

(David Spark) All right, Andy, what do you think? Where can municipalities take advantage?

(Andy Ellis) So, I love the last thing that Flee said. I just want to reiterate that one, which is so many municipalities have basically said, “We will only hire the mission-driven, highly educated workforce who’s willing to work for 30% of what they could make on the open market.” It doesn’t matter anything else you try to do, as long as that’s your filter, you’re out of luck. I think they should also recognize that a lot of people who want to get cybersecurity and IT jobs can’t get jobs because they don’t have experience on their resume. And in almost every metro area, there’s like this arms race of fighting to retrain these folks. Here in Boston, we’ve got a ton of programs that are trying to provide training, and then they’re trying to find jobs for folks. And if you were a municipality and you said, “Look, we will give you an internship for as long as you want, until you find another gig, but you can put on your resume that you worked part-time for the city or the state or whatever,” you would have these people banging down your door. And sure, you’re only going to get four or six hours a week out of them. But if you got 10 people doing that, that is so worth it because now you can hand them special projects. “Oh, yeah, we want to go roll out this thing, this new technology we just got access to.” So, I love Flee’s comment.

Then the other one is band together for enterprise-grade contracts. The problem municipalities have is they’re basically consumers. They want to buy enterprise class technologies, but they’re buying it for 50 people, so you’re paying through the nose. If you can work with your state or Commonwealth and get an enterprise contract for every municipality, you have buying power, you’re going to get a better discount per user. You can save a lot of money on these things. And I think too often that’s not the place people think because they’re worried about giving up control to the state or Commonwealth that they’re in. But sometimes that’s kind of worth it. Maybe you don’t get to pick the right technology, the perfect one, but you’re going to get access to more technologies.

(Fredrick Lee) Well, I think the other thing that I’d maybe add onto that, Andy, is not just the banding together for enterprise licenses, but embracing, loving open source. There’s actually a ton of great open-source products that are definitely enterprise grade. And there’s this fear that, “Oh, I didn’t pay for it. So, yada, yada, yada, I can’t use it.” And it’s like, “Well, hey, municipalities, it turns out the internet is actually run on open source. So, just go ahead and actually double down on that.” But it’s one of those ways to actually extend that budget and to give more access, etc. And when you look at some of our probably more enlightened peers overseas, we actually find entire countries whose governments run on open-source software. So, they can actually place the money where it’s actually the most useful. Microsoft has enough money. Google has enough money, right?

There’s tons of open-source projects that could definitely use some GitHub tips, etc., to make them actually work better. But it’s actually so many things that people can actually access. And it almost even also goes back to that, hey, are there other people you can hire thing? You’re getting some student from Europe or you’re getting somebody from Vets in Tech, there’s a high likelihood that they’ve already been using Linux. There’s a high likelihood that maybe they’re already using something like CrowdSec, etc. There’s a high likelihood that they’re using something like Cygnas (Phonetic 00:40:31) or something that is open source to learn these things.

Closing

40:39.438

(David Spark) Excellent. What a nice wrap-up on open source from you, Flee. Thank you so much, Andy. Thank you so much, Flee. And thank you to our sponsor. That would be ThreatLocker, Zero Trust Endpoint Protection Platform, the whole platform, a suite of products. Remember, go to their website, threatlocker.com. Andy, thank you as always. We always ask our guests, Flee, are you hiring over there at Reddit? Yes?

(Fredrick Lee) Yes, we are hiring at Reddit and please come and check out our career page. Feel free to reach out to me on LinkedIn if you’re just interested in general.

(David Spark) Just interested in general. And as you heard from Flee, he has a lot of great opinions and thoughts and is eager to get CISOs more technically capable, and especially if you’re gung-ho about open source as well. To our audience, we greatly appreciate your contributions and for listening to this very show, the CISO Series Podcast.

(Voiceover) That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to the CISO Series Podcast.

The post I Said I Was Technically a CISO, Not a Technical CISO appeared first on CISO Series.
