Breaking Into Cybersecurity Leadership
Christophe Foulon


    #The Breaking into Cybersecurity Podcast & Leadership Series

    The Breaking into Cybersecurity podcast is a conversation with guests about what they did before, why they pivoted into cyber, what process they went through breaking into cybersecurity, how they keep up, and advice, tips and tricks along the way.

    The Breaking into Cybersecurity Leadership Series is an additional series focused on cybersecurity leadership and hearing directly from different leaders in cybersecurity (high and low) on what it takes to be a successful leader. We focus on the skills and competencies associated with cybersecurity leadership and tips/tricks/advice from cybersecurity leaders.

    Sponsored by CPF Coaching LLC - http://cpf-coaching.com

    This podcast runs on listener support and funding. Consider supporting this podcast:

    https://breaking-into-cybersecurity.captivate.fm/support

    Thank you all for joining us on Breaking into Cybersecurity Leadership.

    If you had a tip shared by our guest today that resonates with you, I challenge you to share it on social and link back to this show episode so that more people can enjoy it.

    If you have guest recommendations, DM us on X @BreakintoCyber or find the show’s email address. I know you can put those OSINT skills to good use.

    #Check out our books:

    Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level: https://amzn.to/3443AUI

    Hack the Cybersecurity Interview: A complete interview preparation guide for jumpstarting your cybersecurity career: https://www.amazon.com/dp/1801816638/


    #About the hosts:

    Christophe Foulon focuses on helping to secure people and processes with a solid understanding of the technology involved. He has over ten years of experience as an Information Security Manager and Cybersecurity Strategist with a passion for customer service, process improvement, and information security. He has significant experience in optimizing the use of technology while balancing the implications to people, processes, and information security by using a consultative approach.

    https://www.linkedin.com/in/christophefoulon/

    Find out more about CPF-Coaching at https://www.cpf-coaching.com

    #Websites & Resources

    • Website: https://www.cyberhubpodcast.com/breakingintocybersecurity
    • Podcast: https://feeds.captivate.fm/breaking-into-cybersecurity/
    • YouTube: https://www.youtube.com/c/BreakingIntoCybersecurity
    • Linkedin: https://www.linkedin.com/company/breaking-into-cybersecurity/
    • Twitter: https://twitter.com/BreakintoCyber
    • Twitch: https://www.twitch.tv/breakingintocybersecurity

    The interviews below are featured from the 2022 season of the Breaking Into Cybersecurity Leadership Series.

    You will notice that the format takes a DevOps approach into the final concept, and we appreciate your support over the years.

    #Breaking into Cybersecurity Leadership: Ryan Sahadeo

    Link to episode: https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-ryan-sahadeo

    [00:00:00] Chris Foulon: Thank you everyone. And welcome to the Breaking into Cybersecurity Leadership Series. Today, we have Ryan. This series is geared on hearing the views of leaders helping other leaders and how we can grow this talent segment within cybersecurity. [00:00:21] Chris Foulon: Often we have a lot of great individual contributors, but when it comes to leadership we’re needing to grow that talent in the industry. That’s the idea behind this series. Ryan is our first guest. Ryan, tell us a little bit about yourself. [00:00:34] Ryan Sahadeo: Thank you. I appreciate the time for you to take, to have me off to the segment. [00:00:38] Ryan Sahadeo: Ryan Sahadeo, a cybersecurity professional for the last decade. I got my start as an individual contributor slash consultant from the brand Shark Tank. If everyone’s familiar with the show, which I think everyone would be I had pitched back on season three and I didn’t get a deal, unfortunately. [00:00:52] Ryan Sahadeo: And my episode ended up on the cutting room floor. But ever since then, I have been. Partner with a lot of Shark Tank brands. I [00:01:00] was one of their cyber security SMEs for a while. And from there, I ended up going back into corporate because I felt as a GRC professional, I could continue to make an impact in that area and continue to be an individual contributor. [00:01:14] Ryan Sahadeo: But I knew that I was lacking in the tools. That makes me more well rounded. That’s why I ended up back in corporate. And ever since I, I forwarded back into corporate I’ve had the luxury of kind of leading programs from scratch, building them out from the policies, the procedures, the workflows, all the way through, building up the necessary teams to handle compliance activities and the likes. [00:01:34] Ryan Sahadeo: It’s been a fun venture ever since, but that’s ultimately. A short overview of my background. [00:01:38] Chris Foulon: That leads perfectly into our first question. 
As in, why did you become a cybersecurity leader versus staying as an individual contributor? [00:01:46] Ryan Sahadeo: I was always that person that was that liaison between. [00:01:50] Ryan Sahadeo: Leadership or senior leadership in any company and the ordinary employee. That’s where I felt that I fit in best. Part of that was due to my experience on Shark [00:02:00] Tank, working directly with some of the brands and the sharks. Others were once I left that arena and I went into other industries. I had the luxury and the privilege of working directly with C-suite. [00:02:10] Ryan Sahadeo: It’s where I started my career and I figured I might as well to stay into that and segment into that. [00:02:16] Chris Foulon: Okay. And what are some of the critical skills that leaders need, especially in cybersecurity security? [00:02:23] Ryan Sahadeo: I think honestly, one of the biggest ones is empathy, right? Like nowadays we have the great resignation and, a lot of, in a lot of individuals, whether they’re employees individual contributors or the like, or are leaving because they feel unappreciated, they feel unheard. [00:02:37] Ryan Sahadeo: Empathy is definitely a big quality. I definitely feel that the willingness to listen is another important quality, let’s say, because you never know where your next idea can come from. And I think out of all the answers I could probably give, those are two of the biggest ones. [00:02:50] Ryan Sahadeo: Okay. [00:02:51] Chris Foulon: We’ve all often heard that when it comes to leadership that delegation, collaboration and communication are key. How [00:03:00] critical would you say those are from a scale of one to five? [00:03:03] Ryan Sahadeo: Five for each of them, honestly delegation is important because not everyone can do everything right. You should never feel like you’re the smartest person in the room. [00:03:12] Ryan Sahadeo: And you should never feel like, everything, right? 
Because one, your background differs from someone else and then two. Your responsibilities due to segregation of duties or least privilege or whatever cybersecurity concept you want to link to your access that you would’ve gotten means that you can’t do everything right? [00:03:28] Ryan Sahadeo: So you have to delegate and you have to know what you’re good at and what you’re not good at. For example, I’m a GRC professional. I don’t touch any tools. I can’t stand looking at SIEM tools anymore. That, that’s how I got started in the industry. And I just, I don’t have the mental bandwidth to do it anymore. [00:03:42] Ryan Sahadeo: So if I have a younger security analyst on my team, I make sure I pass that off because that’s how they grow. That’s how they start learning. And sorry, could you repeat the other two principles? [00:03:51] Chris Foulon: The other two would be collaboration and communication. [00:03:54] Ryan Sahadeo: Collaboration and communication. [00:03:55] Ryan Sahadeo: As a leader, you definitely have to communicate, you have to have that ability to be open. I always like to say that [00:04:00] I always have an open door policy where if anyone can come up to me, I’m not gonna make them feel small. They can feel free to ask me a question and I can have that dialogue with them because that’s how we grow as individuals and, collaboration, you have to be part of a full functioning team, and there’s you have the eye and the. You have the I in individual contributor, excuse me, but there’s no, I in team, everyone does their part. Everyone is able to contribute to the overall security architecture and therefore everyone contributes to the overall security posture, making the company stronger. [00:04:28] Ryan Sahadeo: And speaking of skills that are critically important, how would you rate influence as one of those critical skills? [00:04:35] Ryan Sahadeo: That’s a, actually a very good question. 
And I think the answer varies It depends on what type of influence. So as a leader, I like to influence the team members that are younger than me that are, less experienced than me, but that’s because I create this collaborative culture. [00:04:48] Ryan Sahadeo: In terms of industry like inspiration there’s people like yourself who give back to other other individuals and other people that are looking to break into the industry. And so therefore, Increases your influence to an extent, but [00:05:00] it increases your personal brand as well. I’d say the answer varies, honestly, speaking. [00:05:04] Ryan Sahadeo: It depends on what you’re looking for, but I’d definitely say that if you’re part of a team you want to be able to inspire those around you. And if you are giving back to the industry, you definitely want to be able to provide helpful hints and tips for anyone looking to break in. Okay. [00:05:17] Chris Foulon: In regards to networking, how critical of a skill do you think that is and why , [00:05:22] Ryan Sahadeo: I think that’s the most underrated skill. Everyone tends to overlook, when you get started, whether you’re an individual contributor or you’re a part of a team, I always like to say that you never know who you can learn from. [00:05:33] Ryan Sahadeo: And it goes back to that, that sharing of ideas and that collaboration you go to an. Hand out a few business cards, that’s what, and I’m from New York, that’s what people are known to do at networking events. You go to socialize, you go grab a drink, you hand a business card and oh, here’s my 15 minute spiel of what I do for my company. [00:05:47] Ryan Sahadeo: But it’s through those connections, through those conversations that the, that person can end up being your coworker someday that person could end up being your co-founder someday. And networking is so important because. Honestly, you never [00:06:00] know who you can meet. I was lucky enough in my past experience to have networked with. 
[00:06:05] Ryan Sahadeo: Individuals in undergrad who were way outta my comfort zone. I was a healthcare major pharmacy major, and I made friends with every single department. And that’s how I ended up on Shark Tank. I was friends with the business department and they had a business pitch competition, and they’re like, you know what? [00:06:19] Ryan Sahadeo: We love how you speak. We love how eloquent you are. We think you’d rec represent the school pretty well. Why don’t you go to the casting call and that’s. I was like, sure. But I don’t think I’m gonna make it, I didn’t have a business. It was an idea. And that’s how I ended up on Shark Tank. [00:06:32] Ryan Sahadeo: And if I ended up, if I didn’t do that, I would never have gotten into the industry, honestly. Wow. [00:06:36] Chris Foulon: Fascinating story. What idea, what advice would you give to future cybersecurity leaders? [00:06:42] Ryan Sahadeo: You have to have the ability to be empathetic and open. You have to be able to put your ego aside, focus on the business need and focus on making sure that you are aligned with. [00:06:56] Ryan Sahadeo: Both what’s required of the business, but then what’s required [00:07:00] to grow your specific department. And I say that because, we ha I mentioned earlier that we have the great resignation going on currently, right? Employees and individual contributors. They leave because they don’t feel appreciated. [00:07:12] Ryan Sahadeo: They don’t feel heard. They don’t feel like their ideas matter. And when you create a safe culture and safe environment for people to freely share idea, They stay because they feel, incorporated into the overall business mindset. And I definitely think that being approachable is definitely another one. [00:07:30] Ryan Sahadeo: To feel like anyone can walk up to you and have a conversation with you is definitely going to lower people’s fear of security, and make them more approachable. And that in turn reduces human error. 
[00:07:41] Chris Foulon: Ryan. Thank you very much for sharing your thoughts, your back, your background, and this advice for the future of cybersecurity leaders.

    #Breaking into Cybersecurity Leadership: Duane Gran

    Link to episode https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-duane-gran

    [00:00:00] Christophe Foulon: Welcome to another episode of breaking into cybersecurity leadership edition. Today, we have Duane Gran who is joining us to share his experiences as a cyber leader. Duane, what made you decide to become a leader versus staying an individual contributor? [00:00:20] Duane Gran: Well, I think that the first off it maybe sort of feel like blushing a little bit at the, at the question. [00:00:26] Because I think that you know, one of my views about leadership is that somebody doesn’t have to give you sort of permission to do it at home. It was sort of a revelation that I felt that I had something to, to sort of contribute. To help out in the community and that I, that I wanted to, and I started to kind of post a little bit more on LinkedIn about some experiences or nuggets lessons learned. [00:00:51] And it was mostly to collect my own faults, but then I started to see that it resonated with others and that kind of created a sort of a [00:01:00] positive feedback cycle. [00:01:02] Christophe Foulon: And as you grew in your cyber security leadership journey, what were some of the critical skills that helped you along the way? [00:01:11] Duane Gran: Some, probably, I mean, I I’m, I’m a big believer that empathy is the sort of, sort of super power or necessary skill to start to, because if you’re, if you have staff who are reporting to you or you’re trying to set some, some vision for how a security program operates and interfaces within the business, you can’t be successful with it. [00:01:33] If you’re thinking of security, As security for security sake, you, you have to understand the other so that other is the lines of business, why the business exists to make revenue, which helps you to avoid becoming the department of no and security and among your staff understanding what, what motivates them. 
[00:01:55] Are we going to burn out our security operations center with Get alert, [00:02:00] fatigue, or are we going to distribute a certain amount of their workload on interesting threat hunting tasks to keep, you know, to keep engaged. And do we take time to ask, Hey, what, what really kind of motivates you? [00:02:14] What might need to, you know, engaged in your work and security. So that’s where I would always come back. Sort of empathy, trying to see the impact of security strategy as it affects other people. Okay. [00:02:28] Christophe Foulon: Okay. And as you think about your comfort level with delegation, collaboration, and communication, how would you rate yourself and how critical do you think they are? [00:02:38] Duane Gran: Well, I’ll admit delegation. I’m, I’m kind of a three. I’m not, I’m not a great delegator and. There’s what what I aspire to be with delegation is a sort of person who delegates authority and not necessarily delegates tasks. And so that’s been my personal growth effort. Typically I have delegated delegated the [00:03:00] tasks or failed to delegate them. [00:03:01] And I’m, I’m taking on too much, too much myself. And then I tell people I’m too, I’m too busy to show you how to do this, even though it will pay dividends back. And I think many of us. Have been there. So I’m, I’m a, I’m a recovering do it all. Or like, like many of us, but where I really want to grow. So I’m, I’m, I feel like I’m kind of in the mid, the mid point, I’m not an information hoarder. [00:03:22] Those are the people who’d be like the ones and twos, but, so that’s where that is. So remind me the sec, the second one. Collaboration collaboration. I feel like a more, more on the four side. And because I, I, you know, I believe on this, that if, if you want to go fast, go alone, but if, if you want to go far go together, and that’s kind of relates to the delegation. 
[00:03:44] Like if you have something that you need to do the quick way to get from point a to point B. Yes, do it yourself. You judge, jury executioner and all that, but you’re going to reach, you’re going to reach a limits. So I feel, I feel like I’m, I’m a good, I’m a good collaborator, but I’ve worked with some people who are [00:04:00] awesome collaborators and just have a talent for knowing that some somebody in the room is sort of. [00:04:05] Quiet, but we’ll be an ACE that they kind of are able to draw them out. I’m not there yet, but I recognize the, that kind of difference. And then the last one, I believe communication. Yeah. As long as belonging, I don’t totally you’ll stumble up what I’m talking about here. I’m I’m gonna, I’m gonna put my neck out and say that’s where. [00:04:24] I’ve got my five. Everybody ought to has something that they feel they’re very good at, before this for the session I was, I was having a conversation with my kids about writing and I was explaining it or writing. They, they had just finished the end of semester you know, papers that they’re doing. [00:04:38] And they said something you out how she had to get it. You know, five pages and then I explained to them, well, that’s good for where you’re at right now. You’re, you’re achieving the quantity of writing and making it cohesive. And I said, really good writing or communication is where. You feel like you could have written 10 pages, but that you [00:05:00] made the five pages really matter. [00:05:01] And for as an example, a recent summary of some risks and remediations that are, I wrote for the business, what I did when I was done with it, I made it about 20% shorter. That’s my signal when I know my communication is is, is, is dialed in when, when I’m making, making it more concise. If it keeps getting longer, I’m probably doing something wrong and I kinda reevaluate. 
[00:05:25] So that’s, that’s the point on written communication, but so that’s I’ve, I’ve, I’ve said before in security, I feel like the, the key skills, the two CS curiosity and communication. That you can do, you do those in Europe, you can be awesome in this industry. [00:05:40] Christophe Foulon: I love having the curiosity in there. [00:05:44] And speaking about curiosity, as, as you’re curious, I’m curious how you influenced others and how critical you think that is. [00:05:54] Duane Gran: Well, the, a lot of times, I mean, I’ll try to see if I can come up with some specific examples, [00:06:00] but does, but to speak generally of at first, one of the challenges that we have in this, in this field is that we’re often in a business with a security team and there’s it, sales, marketing, what, you know, what have you that well, they don’t report to us. [00:06:16] They they’re, they’re not bold and to us, and we have to have conversations with them about. In involving a scheme in the process and we can, we can, but at the end of the day, we’ve all kind of experienced being told to kind of walk, take that long, walk off the short pier where where we’re not really in their line of line of authority. [00:06:36] So you have to influence, you have to you know, make an impact. So give an example on this is that I have. Influenced software development teams to, to do more continuous integration and patch management that the, the increase in velocity actually is helpful that the, the number of days, weeks, [00:07:00] months, that something. [00:07:00] Unpatched increases the anxiety that, that something will go wrong. If you’re, if you’re regularly doing it, you feel more, more confident. So I used examples about how using source control increases con confidence. So I try to influence in that direction with Business groups. I would talk about doing privacy impact assessments. 
[00:07:24] Early on when we would have some proposed procedural change or a kind of software acquisition or project basically pointing out how that it is so much easier to do to bake in privacy and security strategy at the beginning of the. Projects than it is afterwards to sort of say, well, how can we change this to start masking the sensitive information as an example. [00:07:52] And once they saw that in that inaction they were believers and start searching, championing, doing privacy impact assessments to their, their [00:08:00] other peers of the business. So those are examples of, of influence because I, I don’t wield the hammer to just say, ah, you’re gonna, you’re gonna do it. And most of us. [00:08:09] Most of us don’t have, have quite that, that authority you know, good on you if you’ve been so blessed, but I say info influences is important. Sit down, you’ll get more of it. If you emphasize that your job is to help people to work safely, [00:08:26] Christophe Foulon: love that work safely. Introducing it as a different type of analogy for them to understand. [00:08:32] As you consider your career, how critical would youth to say networking is as a skill networking with people, not computers to your career and why? [00:08:43] Duane Gran: Well, I have a career change here in the last, the last year. Moving from one company to another. And the honest truth is I had to sort of neglect. [00:08:51] And neglected the network. A lot of my connections on LinkedIn were years old. And I was kinda, I wasn’t exactly sort of cruise control, [00:09:00] but I just, it wasn’t, it wasn’t nurtured. I learned sort of firsthand how that having that sort of stale was, was difficult in the job search. So it’s most, most people I’ve talked to when I asked them about their experience of getting a job. [00:09:16] Ah, they’re going to explain, they’re going to tell you that so-and-so that I knew and made an introduction which I had to add to do the interview. 
I had to actually bring the goods, but I got I got to the table and had a chance to tell my story. And that is the biggest limiter. Is that going through the applicant tracking system? [00:09:36] If you’re, if but networking, isn’t just about, I think I’m getting a new job. So I think, I think it’s hugely important if you’re in career transition, but networking assaults. Recently I joined an organization called the CSO society where they, it was kind of invite only. I’m kind of a very, very happy about that, but what’s really kind of cool is being [00:10:00] in a group of an organization where you can ask, Hey, has anybody had experience with vendor X? [00:10:06] And and of course, you know, you asked. Five people, you get seven opinions, but they are opinions that are, that are informed versus you know, living in Gartner quadrants and click clickbait search engine optimization answers as you start to search around. So trying to having a network that provides you some candid sounding board professionally, I think it’s also hugely impressive. [00:10:31] Christophe Foulon: With that I’ve been in many, a slack and discord where you get a lot of insightful information that you would not otherwise find on the more public web, thinking about a cyber security individual, listening to this in the future. What advice would you give them? What regards to. [00:10:50] Duane Gran: Well kind of, to what I sort of said at the beginning is nobody has to give you permission to lead. [00:10:56] It’s there isn’t a, there isn’t a sort of a, you know, [00:11:00] a writing in the sky or sort of bells that, that alarm. And it reminds me of authors that I’ve spoken with, who would explain that they, they didn’t write a book about a subject because they knew. Everything about it. In fact, the process of writing the book illuminated what they, they had to learn to, to finish it. 
[00:11:21] So don’t, don’t wait to be perfect to, to decide that you have something to contribute and that you can sort of speak up in some kind of circumstance to say, I believe that the direction. We should go in my, in our company and our team in this industry at large should be, should be the following. There will be disagreements. [00:11:44] Let’s let them be informed, informed. I, I love smart people who disagree with me and I actively seek, seek them out to, to be sharper. So it doesn’t mean and I think the other thing is that, leadership is not necessarily about trying. Accumulate [00:12:00] followers or a sort of ego stroke. The, some of the the topics that I’ve shared and I’m happy to share if no one ever took notice or sort of, or a pre appreciated it, I still would have benefited from writing and sharing those, those thoughts and I’ll panic. [00:12:17] And to the extent possible, I try to write as if there is no right. Share perspectives as if there’s no one listening or say dances, if no one’s watching. Yeah, I [00:12:27] Christophe Foulon: love that analogy. Well, thank you so much. I really appreciate your time. And for sharing your insights on these topics [00:12:35] Duane Gran: and happy to have the discussion. [00:12:37] Now, I really enjoyed all the content that you share. Christoph it’s had really I’ve benefited from it. And I thank you to.

    #Breaking into Cybersecurity Leadership: Kerry Hazelton

    Link to Episode: https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-kerry-hazelton

    [00:00:00] Christophe Foulon: Hello, and welcome to another episode of Breaking into Cybersecurity leadership edition. Today we have Kerry Hazelton, who is a senior individual in a cloud security space. And I wanted to bring him on to share his experiences. Kerry, as you’ve grown in this space, why did you choose to become a leader versus staying as an individual [00:00:26] contributor? [00:00:27] And that’s an excellent question, Chris. And just, just for clarity purposes, there is a distinction between individual contributor and cybersecurity leader. If obviously a various from personal person company, company, some of you a title such as senior engineer, or even lead engineer as contributor and name only. [00:00:44] But what I’ve experienced is you are being groomed, become a potential. You’re being groomed to become that one person who can gain the competence and trust of not only your direct energy, but also from executive leadership to drive compensations on various subjects, various [00:01:00] projects to initiate those same projects and also to be able to inspire others around. [00:01:04] Okay. And as you are growing into, in that role, what are some of the critical skills that you feel a leader should have? [00:01:14] Kerry Hazelton: To kind of borrow from my current employer, which I won’t disclose here obviously, but I’m sure it’s not that hard for people to figure out where our current work, one of the values that they refer to is Gretz. [00:01:26] The others that I’ve learned along the way are motivation, courage, and honesty. Simply have that determination to never give up on your dreams and goals and you find the motivation to keep them towards them. How the court to say no, or. When you come to the realization that something isn’t working like you thought it was, you know, not in your favor and not on your destined career path, such obviously you have control over, a lesson. 
[00:01:49] My father taught me before I graduated from high school years ago was successes your own measurements. And basically that means is you’re the only one that can really define what success means for you to [00:02:00] let anybody else do that. Also be honest with yourself and with others, you know, people do remember you for your actions over your work or your other than your actions. [00:02:09] But if you follow through and do what to say, you will do, you know, people tend to remember that even more. [00:02:14] Christophe Foulon: Definitely. What regards to your personal comfort level for the following competencies, delegation, collaboration, and communication. How would you rate yourself on a scale of one to five and [00:02:27] why? [00:02:27] Kerry Hazelton: I say somewhere between three and four? I don’t mind delegating, but I am a lot more comfortable when I working collaboratively with other. On a team. I prefer working within a team as much as possible versus, you know, on my own. I mean, if I’m on my own, that’s, that’s fine, but I’d rather do on my own rather than deal to cause someone else, because I know that I can get job done. [00:02:47] As you consider influenced throughout your career as a school. How would you describe that? And why is it so critical for leaders to have, [00:02:55] oh, it’s a sorely, needed skill it’s certainly needed. I mean, is if you’re going to be [00:03:00] a leader or at least being grown to become a leader, you have to be able to learn to influence others and doing so in a positive way. [00:03:08] You’re going to find yourself speaking with key stakeholders across. We know various teams within an organization. Some may require a little more convincing than others I should know because I’ve had that happen to me on more than one occasion over the course of my career. 
And the reason behind that is because when you, you know, case in point of, you’re trying to present an idea, obviously the key question from other stakeholders who might be more skeptical as well, how’s it gonna impact my team and w. [00:03:35] And being able to house influence on that state border helps them to understand that there may not be such a huge workload of demand on your particular team, but you’re more than willing to work with that individual and the people underneath that person to make sure that the product gets done. [00:03:53] Christophe Foulon: Okay. [00:03:53] And throughout your career, how would you rate networking as a skill and why? [00:03:59] Kerry Hazelton: [00:04:00] Oh, another good one. I will say over, over the course of my career, I have learned that networking comes in handy on more than one occasion. Especially someone out there who is just starting off and, you know, once something. [00:04:13] You know, being able to network with your colleagues, with your peers within this industry is, is key. And I’ve learned that lesson many times over. So I definitely say it comes in handy. [00:04:24] Christophe Foulon: As you think about someone listening to this podcast, a potential future leader. What’s good. What advice would you give them for their future [00:04:35] Kerry Hazelton: career? Never stopped learning. Understand that this industry is very dynamic. It is constantly changing and understand where the trends are going and how to leverage them to your advantage to, by acquiring your skills or improve on the old ones. [00:04:49] And also, you know, give back and give back to the community to every opportunity. Now, remember where you came from, where you started and that one person who took you under their [00:05:00] wing and do the same for someone. You know, I will say that someone did that for me. When I first started off my journey 24 years ago, and his one rule to me was you pay it forward when you get to where I am right now. 
[00:05:13] And that is something that I’ve been making every effort to do over the last five or six years. [00:05:19] Christophe Foulon: Kerry. Thank you for joining us today on breaking into cybersecurity leadership series and have a great rest. [00:05:26] Kerry Hazelton: I appreciate it.

    #Leadership Series - Ricardo Bastos

    Link to Episode https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-ricardo-bastos

    [00:00:00] Christophe Foulon: Thank you for coming to another episode of [00:00:03] Cybersecurity, the Leadership Series. This series is focused on leadership and different leaders within the cybersecurity community, sharing their views and perspectives to help the next generation. Today, we have Ricardo Bastos, Bastos, as I said, all right. [00:00:21] Okay, perfect, with us, and he’ll be sharing his perspective. Ricardo, why don’t you give us an overview on your background and then we’ll get [00:00:29] Ricardo Bastos: started. Sure. First, thank you for having me here. I’m a cybersecurity professional for more than 15 years. Most of my career was in consulting companies back in Brazil. [00:00:39] My hometown. And I came to Canada in 2018 and I’m a cybersecurity manager at Sierra Wireless. [00:00:46] Christophe Foulon: Thank you very much. So, as you evolve in your career, what made you decide to become a leader versus staying as an individual contributor? [00:00:56] Ricardo Bastos: Sure. I thought that I could do more. I could [00:01:00] reach more people. I could develop talent and overall I could deliver more in a leadership position given my background and my experience. [00:01:10] Christophe Foulon: Okay. Speaking about your background and experience, how would you rate yourself on a scale of one to five in delegation, collaboration and communication? [00:01:19] Ricardo Bastos: I would say four. That’s something that I learned throughout my career, that you need to delegate. We can’t do everything and we need to let people make mistakes and grow. [00:01:32] So it’s important to give the opportunity for everyone to grow and to learn by their mistakes. That’s a natural part of the process. But I think that that’s very important. [00:01:42] Christophe Foulon: Okay. And in regards to collaboration and communication, [00:01:45] Ricardo Bastos: I would say a four as well. Something that I learned throughout my career is that, and especially in security. 
[00:01:52] You need to talk to people. You need to understand their point of views. We going to talk with different stakeholders that often are [00:02:00] not a tech savvy. So you need to explain, you need to try to translate those terms to a language that they can understand. I think communication is key to get engagement and to get let’s say partners to your cybersecurity initiatives. [00:02:13] Christophe Foulon: And as you grew in your leadership role, how has important, how important is influenced within that role? [00:02:22] Ricardo Bastos: I think it’s a key the biggest challenge that I would say for every cybersecurity leader is to change culture. People sometimes are used to do things in their own way that might not be the most secure way. [00:02:33] And you can’t just be the no department. Right? You can just say, no stop. You can’t do that. You need to tell Dan to explain to them why you need to do such things. So it’s important. To influence rather than just be like, stay a forceful kind of leadership. [00:02:47] Christophe Foulon: Okay. And as you grew in your career, how important would you consider networking as a skill? [00:02:53] Yeah. I think [00:02:54] Ricardo Bastos: it’s, it’s very important because it improves your knowledge. It improves our [00:03:00] relationship internally with your company externally with other companies, it increases your, your, your recognition and it also builds your, your reputation. So I think it’s really important. Okay. [00:03:13] Christophe Foulon: So looking at yourself now, Imagine someone listening to this in the future and they’re looking to become a cybersecurity leader. [00:03:21] What advice would you give them? [00:03:22] Ricardo Bastos: I think it’s, it’s very important to listen to be humble. Technology is something that is changing a lot every day, so we can never say that we know everything. Cybersecurity is important. But needs to be aligned with the business, right? 
We can’t expect that we’re going to create very strict controls that will stop the business from operating. [00:03:45] So you need to have this perspective. You need to listen to different stakeholders, understand the business. So I think that is, is key to, to become a successful, be humble. Listen, talk to people, understand their point of views and, and try [00:04:00] to create a more collaborative effort and a more collaborative security program. [00:04:05] Christophe Foulon: Thank you. Well, thank you so much for sharing your advice with us today, Ricardo and everyone listening. Please feel free to share us with all your friends and family. Thank you. Have a great.

    #Leadership Series - Carraig Stanwyck

    Link to Episode https://breaking-into-cybersecurity.captivate.fm/episode/breaking-into-cybersecurity-leadership-series-carraig-stanwyck

    [00:00:00] Christophe Foulon: Welcome to another episode of breaking into cybersecurity. The leadership edition, where we are asking different leaders about their perspectives on topics so that they could share what you and you can grow as a leader. Today, we have Craig who will be sharing his advice. [00:00:17] Craig, why did you become a leader versus staying an individual contributor? [00:00:22] Carraig Stanwyck: To be honest, it was kind of the natural path. Given that my background coming into cyber was one from human intelligence, from the military and, and contracting world. And my degree is in social psychology, which is the study of human behavior. [00:00:35] And honestly, I don’t have that technical background that so many of people in the cyber community do I also think. Major reason I became a leader is there’s already a void of leaders in the cybersecurity space. There’s a lot of really smart technical people, but there has not been the emphasis on leadership that we really need to see as we move forward in that space. [00:00:53] And for me coming in without the technical background, but with a leadership, it became a natural fit to move into that void. [00:00:59] Christophe Foulon: [00:01:00] And as those. Those individuals looking to come into cybersecurity leadership. What would you say are the critical skills for them to have? [00:01:08] Carraig Stanwyck: Number one is influence also known as sales, because everything you do as a leader in cyber, especially right now is sales. [00:01:15] You have to sell the leadership team on the importance of security on the fact that everybody is responsible for it. It’s not just. One team taking care of it for everybody, you have to be able to sell your team on what they’re the value that they’re providing, maintain that morale. 
And that that team can go and reach the milestones and the goals and everything else that they are trying to reach as as part of that development process, besides the sales slash influence side is really important to market, which again is another form of sales in a sense, but you have to be able to, to show the value of what you bring to people who aren’t in. [00:01:48] Who don’t necessarily have that it background. And right now, so much of the success around cyber is in the relationship area. Right now you have to be able to build relationships. It’s not about forcing your way on anybody. [00:02:00] If you’re gonna be a leader in this space, you have to learn how to build those relationships accordingly so that you can get work done without having to force. [00:02:07] And ultimately you have to be able to dumb down and dumb down is maybe the wrong word. Cause a lot of people don’t even have the exposure to it, but you have to be able to speak about security in a way that people who aren’t in that area who don’t understand it, who maybe aren’t even it literate can understand. [00:02:22] Christophe Foulon: Okay. And with regards to your personal comfort level, how would you rate yourself on delegation from a scale of one to five? [00:02:31] Carraig Stanwyck: For delegation, probably a four, honestly, it was one of those areas that I struggled with coming into leadership. I think it’s a challenge when, you know, you can do it to trust your team to do it, and they may not do it the way you did it and learning that that’s okay. [00:02:43] Was for me a really big development opportunity that I struggled with for. [00:02:47] Christophe Foulon: Along with delegation comes collaboration. How would you rate yourself on a scale of one through [00:02:52] Carraig Stanwyck: five? I think collaboration is one of my stronger areas. I understand the need for this to be a company wide, [00:03:00] a a business wide even approach. 
And without that collaboration, you either have, you either have allies or you have enemies by and large, and you have to build those allies to be successful. [00:03:10] So I would say that’s one of my stronger areas. [00:03:11] Christophe Foulon: And finally, when it comes to communication, how would you rate yourself on a scale of one to five? [00:03:16] Carraig Stanwyck: Maybe a three or a four. I try, it’s, it’s tough, a little bit being on the spectrum. This is one of my huge growth areas is, you know, being neurodiverse. There’s a lot of things that it gives me from an ability to learn things quickly and ability to focus. [00:03:28] But from a communication side, I can be a little bit blunt. Sometimes I can be a little bit direct, more so than people are comfortable with. And so I have to, I have to work on that because the last thing that we need, or we want in this space is to burn bridges. [00:03:41] Christophe Foulon: And earlier you, you mentioned influence. When it comes to influence, is it just a sales aspect of influence that’s important? [00:03:49] What other ways are there to influence? [00:03:51] Carraig Stanwyck: I think it’s, sales is a, is kind of a catchy word for it, but ultimately influence can be a lot of different things. It can be leading by example. It can be [00:04:00] building a, a cons, a cadre of support for what you are, for what you are trying to push out. Right? Some, some companies are having a lot of success with security champion programs, for example, where you are putting people in each team on the business side, on the IT, [00:04:14] who have a responsibility to work with the security team to extend that presence, to have that single pane of glass that everybody across the company knows what the security team’s priorities are, how the security team can help them and vice versa. 
So I think there’s a lot of different ways to build influence, but ultimately influence is the process of getting the rest of the company to believe that you can help them or that what you provide is of value to the company. [00:04:38] Christophe Foulon: Okay. When it comes to networking, networking with people, not necessarily systems, how important of a skill is it and why? [00:04:46] Carraig Stanwyck: I think it’s critical. I think honestly, it’s a number one skill. I think a lot of these organizations that say, you need to go get this cert or this degree to get a job are really misleading [00:04:56] a lot of our next generation of cyber professionals. The reality [00:05:00] is, whether good or bad, whether right or wrong, most of the time it’s who you know, it’s who you’ve connected with at some conference. You know, if, if I have an opening it’s, I’m thinking of people that I’ve seen active online, or that I’ve met in person at these different conference-type events, but even within myself, right. [00:05:16] I don’t have your typical background. I don’t have all the certs. I don’t have the degrees in cybersecurity specifically. I don’t even have a decade of experience in cyber. So if it wasn’t for the fact that, that, you know, the, my network ultimately by and large, is what has allowed me to transition to all of these awesome opportunities so quickly in this space. [00:05:36] It’s the people and the relationships you build, and those that will remember you and follow you, cuz they may go do a new job. They may go to a new company. And as long as you are creating value for these people that you’re meeting with, sharing lessons learned, showing off what you’ve done, that’s awesome. [00:05:51] They’re gonna remember you for that next opportunity. [00:05:53] Christophe Foulon: And as you think of future cybersecurity leaders, what final advice would you give to them? 
[00:05:59] Carraig Stanwyck: [00:06:00] I think, I think my two biggest pieces of advice is one, it’s called cybersecurity leadership and that leadership part is often forgotten. So just as we all invest time in, in learning about the latest technology and the latest coding language or the latest malware, it’s equally important for leaders to craft and work on their skill of leadership itself. [00:06:19] And there isn’t enough of that, frankly. So I think one of my big pieces of advice is if you wanna be a cybersecurity leader, focus on leadership, not just on the cybersecurity part, but I think the other big piece that’s missing in that is the fundamentals. So many people, leadership and otherwise, wanna chase the next shiny thing. [00:06:35] But the reality is if you’re always running from fire to fire, if you’re always chasing the next shiny thing, you’re never going to build the foundation you need to sustain a program a long time, to, to build something that’s going to last. And to create that, you know, the whole rock versus sand mentality, the old analogy. [00:06:50] If you build it on rock, it’s gonna last, you build it on sand, it’ll wash away. And if you’re always chasing the latest, shiny thing without having your, the boring stuff, crossing your t’s, dotting your i’s, the policies, the [00:07:00] programs, the, the basics, then it’s not going to be successful in the long run. [00:07:03] Christophe Foulon: And as a leader from the military, what analogies would you share for the civilian side that we could learn and help implement leadership on our side? [00:07:15] Carraig Stanwyck: That it’s viewed as a separate skill. In the military you are developed for your MOS, is what they call it, right? [00:07:21] Your, your job, they send you to school for your job. And as you advance with the ranks, they send you to school for leader. They’re different schools, different focuses. And I think that’s critical to remember. 
We have a, a bad habit in the it world in general, that somebody who is technically proficient is assumed to be a proficient leader without necessarily giving them that extra training. [00:07:41] And I think that’s a mistake, but I also think the flip side is also a challenge because I think a lot of people come out of the military assuming they can go straight into leadership because they have that militaryesque leadership without realizing. There’s a huge cultural gap between the military and a lot of these companies. [00:07:55] And honestly, when I look at it, I ended up taking a step back, moving from the [00:08:00] government to the civilian world, to, you know, to the corporate world from a job role or a, a positional perspective. And I think that in hindsight, that was really important because I had a lot of learning to do on the difference between a government culture and a corporate one. [00:08:13] And so I think it works both ways. There’s lessons to be learned on both. [00:08:15] Christophe Foulon: Well, Craig, thank you so much for sharing your advice. We truly appreciate it. And that’s the end. [00:08:22] Carraig Stanwyck: Thanks.

    #Breaking into Cybersecurity Leadership Series Carraig Stanwyck 5.27.22

    Link to Episode https://breaking-into-cybersecurity.captivate.fm/episode/breaking-into-cybersecurity-leadership-series-carraig-stanwyck

    [00:00:00] Carraig Stanwyck: Welcome [00:00:01] Christophe Foulon: to another episode of breaking into cyber security. Today, we have Craig on who will be sharing his story, but first, if you are joining us from LinkedIn, please ensure that you follow myself and Craig on LinkedIn. If you’re joining us on YouTube, hit that subscribe button and that notification button. [00:00:22] And if you’re joining us on Twitter, follow myself and Craig. [00:00:26] Great. Tell us a little bit about yourself and what made you interested in cybersecurity? [00:00:31] Carraig Stanwyck: It’s kinda funny, actually, I grew up really involved in it. I was one of those kids blessed with the computer from the time that I can remember back in the old 2 86 days. [00:00:41] And I’m aging myself here, but Did a lot of kids do and got in trouble as a result in some ways, but the, I was always literate with computers, but it’s interesting, you know, as I grew up, I was determined not to do it. My parents did. And so when I left home and I joined the military, it was, I was not going to be [00:01:00] that computer guy and I wasn’t for the longest time and kind of landed back in it on accident. [00:01:06] So it’s always been there a little bit as an interest growing up. I’ve always been very literate in that sense, but as a career. It was more of a an accident to be honest. [00:01:14] Christophe Foulon: Tell us [00:01:14] about this accident. How did that happen? [00:01:17] Carraig Stanwyck: So my, after, you know, when I joined the military, my background was actually human intelligence. [00:01:20] So I was an interrogator. I ran source operations, did some identity intelligence stuff. And after the military I was a contractor. So I spent another, I don’t know, five years in Iraq and Afghanistan. And the contracting world is really dirty. 
I think in a five-year period, I only interviewed maybe three times, maybe four, but I ended up working for like 10 different companies with all the different buyouts. [00:01:43] And you know, new company comes in, bids, underbids the contract and you move on. Right? So I was actually on a contract here in Kansas, in the Kansas City area. And Northrop Grumman came in, underbid the contract and offered us all that we could keep our jobs if we were willing to take a [00:02:00] 50% pay cut, and had a friend, [00:02:02] an associate, you know, a guy I had worked with, who was over at the Department of Agriculture, which is standing up their new SOC at that point and said, Hey, do you want a job? So it was honestly, it was more of a rebound from the contracting world, given that undercutting style that the contracting world had. [00:02:20] Christophe Foulon: Let’s talk about that. Standing up a SOC at a federal agency. That must be a fun challenge. [00:02:27] Carraig Stanwyck: Yeah, it was, we had no money at all. So we ended up, so we had bodies, but we had no money. So we actually ended up building our entire SOC at that point. It’s, it’s really matured since then, but back then we built it around Bro. [00:02:40] For those on the call that are familiar with Bro, it’s now called Zeek. But really it was a R that the heart and soul of that SOC was Bro being pushed into El Camino. And so we, it was a very manual operation, but thankfully being part of the government, we decrypted everything for the most part. If you can see it, you can find it. [00:02:58] Right. [00:02:59] Christophe Foulon: Yeah, [00:03:00] absolutely. And I think that’s one of the interesting challenges of being in cybersecurity is sometimes you get handed tasks that you need to figure out how to do it. Like standing up a SOC with no resources. 
[00:03:14] Carraig Stanwyck: You know, we give the industry puts way too much emphasis on things like education, in my opinion, 10 year years of experience certifications, things like that when, when the reality and in my experience is that being able to creativity and creatively think outside the box, you know, try new things, recognize if they’re not working and try something different. [00:03:34] Those are all going to be a far bigger indicator for success in the cyber programs and really in the cyber. I don’t know. I think personally on my teams, we really transitioned probably more like an 80% intangible viewpoint when it comes to talent because it’s moving so quickly. The landscape changes some month over month that’s at times. [00:03:56] I mean, I was just, I just started here at Avnet about six months ago now. And I [00:04:00] was just looking at the day, how much legislation has come out and new regulations just in that last six months. Insane. So I think, you know, when it comes to breaking in having the attitude to learn and try new things, it’s going to be critical. [00:04:13] Christophe Foulon: And how do you go about measuring performance or metering those intangibles to be able to recruit effectively? [00:04:23] Carraig Stanwyck: That’s tough. That’s really tough. I think. When you talk to folks and you see the effort that they’re putting in on doing things on their own. You know, I hired a guy once who had literally self studied for his CSSP and passed. [00:04:37] Having had zero years of experience in cybersecurity to me, I don’t care all that much about the certification, as much as I care that he put that much effort into a field, he didn’t have any familiarity with and was still able to pass the test. Right. To me, that’s it that’s that shows drive. It shows passionate show. [00:04:54] Somebody is going to stick to something. 
There are those who have really good online communities who, who [00:05:00] spend time on Twitter or LinkedIn on the different levels that communities, whether even, even if they’re more junior, right, building that community and sharing the information that they give that helps them out that, you know, you can really tell when you look at somebody, whether they’re doing it because they like it [00:05:16] or they’re just looking for the paycheck. And honestly, I see a lot of the paycheck looking right now because cyber security pays well, but you’re not going to be good at it if you’re not passionate about it. [00:05:24] Christophe Foulon: That’s definitely one of those intangible skills that we talk about all the time, but it’s, it’s harder to demonstrate and to quantify. [00:05:35] What are some of the ways that you look for that? For example, I separate from the example of passing the CSSP without experience and building communities, what other things do you look for? [00:05:47] Carraig Stanwyck: For me personally? I’m kind of atypical. Like I love a good cover letter, for example. Right. And I think part of what we have to do as leaders, [00:05:56] now that we’ve all broken in. And obviously I got really lucky [00:06:00] and we don’t want that to be the standard quo. We don’t want people to get lucky to get in, and we want there to be some sort of measured way to come in. But I really like cover letters where I can actually see somebody’s personality, their drive, not like your, necessarily your cut and paste type cover letters, but the ones where they’re like, Hey, I did this research. [00:06:19] This is why I like this company. Here’s, you know, where they show maybe some indication of their skills for Googling, because let’s be honest, Googling is like one of the top skills out there right now. I know what’s on my resume, but if you can do some OSINT, right? Even if you don’t know what that word means, but if you can go figure stuff out and do that research. 
[00:06:34] That tells me, you may be able to draw that bigger picture we’re looking for in the investigation space, right. Or if maybe if you are a really strong marketing person or a, you write really good copy, how can we use you to expand this? The, are they getting rid of the old stereotype of cybersecurity being like this, you know, problematic office to work with? [00:06:55] So I think we have to be creative. Honestly, I look at every resume now. I know I don’t [00:07:00] let the ATS screen them anymore because you end up losing a lot of really good folks that way. Okay. [00:07:06] Christophe Foulon: One of the comments from our listeners, Ronald asks, which is a good cert to get first, to get a foot in the door-wise. [00:07:13] Carraig Stanwyck: And that’s, that’s a tough one for me to answer, because I honestly don’t put a lot of credit into most certifications. The challenge is, is the bad apples have kind of ruined it forever. No, you can go online and, with a quick Google search, find brain dumps for the ch, Sec+, Net+, all of those basic ones, you don’t even have to know it to pass the test at this point. [00:07:33] And so, because of the amount of people that have abused that, it’s really hard to put a lot of credibility into it. The things that I really like to see for people coming in is when they’ve done things like the TryHackMe-type sites, right. Where they’re going through and saying, I went and owned this many boxes, because that tells me that’s somebody who’s going out and having a good time and you can’t necessarily cheat on too many of those. [00:07:54] There’s good write-ups, but you still have to do some work. Some of the other certifications that are a little bit more advanced, [00:08:00] like CSSP, PMP, I respect because you can’t really cheat on them, and the OSCP I like, because it’s an actual hands-on, even if it is really expensive. There’s a muscle like the PM. [00:08:11] Wasn’t the new pin. 
I forget the name of it now, but there’s another new one that’s come out. Only delay that I really like for the hands-on nature of it. But honestly, a lot of the Sec+, Net+ stuff, it’s not gonna be a pro or con necessarily. And in that. You come [00:08:28] Christophe Foulon: from the intelligence space. [00:08:29] What are some of the ways for individuals to get in if they like intelligence and they want to bring that into cybersecurity? [00:08:38] Carraig Stanwyck: I think that’s probably one of the fastest growing areas right now. And that’s an area that you need to make clear that that’s your interest. But if you think about, you know, what we’re dealing with with different adversaries and every. [00:08:51] My I, if somebody were to say, Hey, what was the biggest thing that helped you in the cyber world? I would say it was my background in intelligence and understanding that context matters and understanding [00:09:00] that you need to know the whole picture. We can’t just, you know, run, run off and create a like, and I’m in the Intel world. [00:09:07] Right? If you go and create a target package for somebody and you have bad data, you didn’t do all your homework. You didn’t ask the right questions, innocent Alaska. No, it’s not necessarily that drastic in cyber, but those same lessons apply in wanting to, needing really, to understand that full picture. [00:09:23] So, and if you look at how Microsoft is building out their, their cloud security organization, if you look at a lot of these companies now, cyber threat intelligence is the cyber version of that, whereas, okay, who are the bad guys? How do they act? What kind of things are we going to look for? What threat landscape is changing and how do we be proactively prepared for that? [00:09:43] I mean, it’s, it’s time for us to stop being so reactive. [00:09:46] Christophe Foulon: It sounds like. 
Also need to be able to communicate effectively, back to your marketing comment, that in order to write that, that threat profile, that background on a threat actor or the [00:10:00] risk profile that an organization might have, you have to be able to both be technical and be communicative. [00:10:08] Carraig Stanwyck: It’s, it’s funny you mentioned that. I have literally interviewed people that their resume was otherwise unimpressive, [00:10:14] but their copy and the way that they communicated their story was so good that I’d had to talk to them. So there’s a really, that’s a really good point. I mean, how do you take a technical topic like cyber and in this day and age where we’re working more on DevSecOps and really that more of a collaborative approach with the business, how do you communicate that cyber threat in a language that the business understands? [00:10:38] How do you take the technical part out of it? Or at least enough out of it that it’s not overly. [00:10:42] Christophe Foulon: That’s very interesting. How would someone be able to communicate their interest in, in being able to do that for you to see outside of copy on their resume? [00:10:56] Carraig Stanwyck: Yeah, that’s a good question. I don’t know, to be honest, I think that there is a [00:11:00] little bit of bias built in, you know, from somebody like myself who has a military background. [00:11:05] I would lie if I said that, that didn’t matter for me when I view resumes, because I recognize what people like that bring to the table based on my background and working in, and I have a more firsthand knowledge of those, you know, how translatable those skills are. But at the same time, I think it’s really important for people who are getting in to translate their current skill sets to the job [00:11:28] they’re trying to. Right? If you are dealing with customers all day in, like, a retail position, right? 
Then why not reword that to show how you can deal with adversity, deal with constant complaints, deal with incidents where people are emotional. I mean, there’s so many translatable skills there that are, that need to be sold. [00:11:49] And if you can sell it, the people who are really good on their resumes at selling what you would think of as an unrelated, but selling it in a way that it would be helpful to cyber, they’re worth their weight in gold. [00:12:00] I mean, you can tell right off the bat that here’s somebody that can communicate a role that you wouldn’t even think would be applicable, but make it, make it look applicable, right? [00:12:08] Christophe Foulon: Yeah. Some of the ways that I’ve recommended to folks is, is to do like blogs or take a headline that day and write up three paragraphs on that. And if they do that for a couple of months, not only does it build up their portfolio, but it builds up their analysis skills and keeping up with the changing landscape. [00:12:32] Carraig Stanwyck: It’s funny, you know, I use my mom sometimes, I’ll go. She has no slapper. No, it she’s completely technologically illiterate for the most part. Right. So if I can get her to understand the concept, we’re probably okay. [00:12:45] Christophe Foulon: And another question. Do employers actually care where an applicant goes to school or the sites like TryHackMe or Hack The [00:12:53] Carraig Stanwyck: Box matter more? I don’t, I’ve heard of some employers that do really believe that the school [00:13:00] matters. I think more and more we’re seeing that it doesn’t. I don’t personally care where you go to school. [00:13:05] To me, getting a degree is great. It shows that you completed something, that you stuck with something, but let’s be honest. If you graduated yesterday with a four year degree in cyber, you’re already behind the curve for the law for what’s going on right now. Right? So from that perspective, the school aspect shows me, you can finish. 
[00:13:24] But the other challenges, you know, Abhijit in comments mentioned the PNPT, which was the other one I was talking to you thinking of, but things like that, things like the Hack The Box stuff, or TryHackMe, those show that current constant, like passion, that drive to go and learn, to go and be better. [00:13:43] You know, some of these folks have had really impressive interviews where they have no experience, but they have a home lab that they have set up and kind of walk me through. In fact, I hired a guy in my last. In part, because he had a home lab that was really well-built. He could walk me through each part of it, what he was doing, how he was collecting [00:14:00] the data. [00:14:00] And so even though he didn’t have really any real world experience or minimal real, real world experience, he had taken the time to hands-on build something of his own and understand it well enough to speak to it. What are your [00:14:13] Christophe Foulon: views on internships and apprenticeships? I think you know, we have two coming on board here at that actually next week, you know, I’ve written about some of the interns that we’ve hosted at H and R block H and R block. [00:14:26] Carraig Stanwyck: When I was, there was, they had one of the better intern programs I’ve ever seen, you know. We were able to not only leverage college kids, but you know, if you go back on my LinkedIn, you know, we had a kid, Alex, who’s already a graduate who had had trouble with some interviews. He was on the spectrum, kind of got in his own way. [00:14:42] So we brought him in as an intern, basically a four month working. And he’s still there and kicking ass. I mean, he turned that into a full-time job and he’s doing great things. So it gives you the ability to be flexible and to find, to find new talent without a lot of risks, right? Someone must be honest. [00:14:57] A lot of managers have trouble with hard [00:15:00] conversations. 
So when it comes to internships, if I, if something doesn’t work out the internship’s over, but the goal is usually if it does work out and they’re at the right stage of their schooling to convert them into a full-time role.

[00:15:14] Christophe Foulon: And what about apprenticeships, where the model is slightly different, where you’re taking someone with zero skills, you’re providing them with on the job learning as well as that requirement where they need a certain amount of continuing education credits. [00:15:32] Say for example, like in electrical trade or in, in the medical fields, what about doing something like that?

[00:15:39] Carraig Stanwyck: I think there’s a lot of merit to it. You know, one of our biggest success stories that block was a girl we brought in as an intern. We liked her so much, but she was still, she still has multiple years of school left, so we couldn’t bring her on full-time because she was still going to school. [00:15:53] So we ended up being a part-time and teaching her blocks still main, you know, still maintaining a full-time school [00:16:00] schedule. And ultimately she thrived. So I think that, you know, being creative as the. But I have not done an actual apprenticeship role, but I think that there’s a really in cyber lease, but I think there’s a good case to be made for, especially with our current talent gap right now.

[00:16:14] Christophe Foulon: And I’m sure coming out at a military, you might’ve heard of the SkillBridge programs that allow our transitioning military vets to take advantage of those. Have you looked into those?

[00:16:28] Carraig Stanwyck: Yeah. So actually we do have a, you know, we have a partnership here at Avnet with Microsoft and Microsoft is one of the ones that supports and promotes some of those military transition activities. [00:16:38] When I was at H&R Block, we had a partnership. I forget the name of it now. Also look it up that we had another organization.
I think they were headquartered out of Colorado that would help with the veterans and placing. And see what roles and giving them, you know, the training ahead of time, or at least providing the resources for that training coming in and obviously being prior service, like I said, I would like to say there is a little bit of a [00:17:00] bias towards us sometimes knowing what, you know, what people get. [00:17:05] There’s a little more of a known quantity, I guess, for those of us comfortable in this.

[00:17:09] Christophe Foulon: Yeah, CyberUp is one of the examples of those programs. And we’ve been a big supporter of them. I think Smoothstack is another one that focuses on male spouse and female service members giving them that extra shot as well. [00:17:25] What are your views on remote ways to take on stakeholders, especially if they might be outside the UK.

[00:17:33] Carraig Stanwyck: So my personal view on remote global is that as long as your industry slash company can legally support it, it’s silly not to do it. You know, when I was at Block, we had to, we were fortunate to really build a first, totally integrated global team where we had people in the U.S. reporting to international leaders and vice versa. [00:17:55] And you know, there’s a little bit of a learning curve, but one of the cool things you find. The remote part, [00:18:00] we can all handle it. Right. COVID taught us that COVID taught us that remote works just fine. So remote works just fine. And you can leverage different cultures the way different people think about different things, right? [00:18:11] How they approach problem solving. Cause there’s a lot of cultural elements to approaching. How do you solve a problem as a more of a routine base is a more of like the Westlake in America where it’s more of like, we’re all cowboys, right? It doesn’t matter if I give you like the perfect recipe to build the most amazing cake. [00:18:26] You’re still going to change it because Americans do that.
Right. They want to make it their own. So how do you, so, so having a mix gives you that diversity of thought to really create a pretty powerful. Global culture. I think that that truly will benefit the team. So I personally, I’m a huge proponent of it. [00:18:42] The challenge being in some, in some verticals, you can’t necessarily support it, right? Because of U.S. law or European law. It’s, it’s where data where data resides becomes problematic at times for some of those remote efforts.

[00:18:55] Christophe Foulon: Thinking about how people think differently, what are some of the ways that we [00:19:00] could potentially improve the way that cyber looks at newer diverse individuals?

[00:19:06] Carraig Stanwyck: Well, I think we’re seeing a lot better progress there. In fact, I would wager there’s pretty much every cybersecurity team has people on the spectrum, whether they know or admit it or not. I think, I think we had, I think that the industry naturally attracts a lot of folks, right. Because. Being on the spectrum. [00:19:22] We tend to like puzzles. We tend to be pretty good at solving puzzles and we tend to be able to focus on those things. And let’s just have the challenges. I think the bigger challenge is how do you take folks who are on the spectrum? And one makes sure that they have a suitable application and interview process that suits right the way that our brains work and two, how do you help folks like me on the spot? [00:19:46] Take less than the decade that it’s taken me to work on my communication enough to assimilate into, you know, to be considered, I guess, more normal, if you will, in my communication style, right? It’s, it’s been a ton of [00:20:00] work. It’s super hard, but we can’t, in my opinion, we can’t treat neurodiversity as a disability, as much as it is a different way of approaching things. [00:20:09] Right. And if it’s this, and it was just a different way of how you see the world of how you approach things.
Helping to coach and iterate with those individuals on how they present themselves on understanding how others perceive them. Shouldn’t be off as off limits as I feel it is right now.

[00:20:26] Christophe Foulon: And thinking about coaching individuals to get from the beginning to end, how do you do that with. [00:20:34] Occupation titles. So someone that comes in as a junior and create that continuous path for them from coming in as a junior to rising in the ranks and providing them both with the challenge along the way so that they stay and being able to promote within,

[00:20:56] Carraig Stanwyck: I think one of the biggest problems that we have. [00:20:59] IT and cyber [00:21:00] together is this assumption that just because you’re technically proficient you’ll, you will be good as a leader. We forget that leadership is a completely different skillset and that a lot of folks, especially a lot of folks on the spectrum have no real desire to be leaders, right. They want to be, they don’t want to have a glass ceiling because they don’t want to be a leader. [00:21:19] Right. So I look back and I, and I think that really the best way we can change that is to have. Growth different growth opportunities, right? If you don’t want to be a people leader fine, but let’s allow you to get up into that senior director or principal level echelon as an individual contributor that just kicks ass, right? [00:21:39] If that’s what you want to be the best at, if you wanna be the best engineer in the world and go be the best engineer in the world, there shouldn’t be a requirement for you to become a people leader. If you don’t have the skills or desire to do so, it’s a different skillset. And I think we fail to recognize. [00:21:51] And the IT space.

[00:21:53] Christophe Foulon: Yeah. I see it growing in more mature companies where you’re able to develop career [00:22:00] paths like that. But for the smaller organizations, I could see why it becomes a challenge.
As you think about. That decision between leadership and technical. How did you make that decision?

[00:22:13] Carraig Stanwyck: So for me, the people are what drive me. [00:22:14] I’m not technical. So I didn’t, I kind of went the route that I did more by necessity than by choice. I mean, for me, you know, we have a lot of folks on the team that it’s the, it’s the network problems. It’s the engineering challenges. Right. It’s the cyber specific, you know, use cases and doing the AI/ML and the user behavior modeling, but that’s the kind of stuff that drives them. [00:22:37] And whereas for me, what drives me is how do we have a cohesive team that the whole company recognizes as a partner that is more collaborative. And then then past, I guess, iterations, if you think 10 years ago, most cybersecurity shops were the office of no. Right. They were like, you know, we were going to have a power trip cause we can stop you. [00:22:57] So we will. And that’s just not effective because [00:23:00] developers can just work around you. I mean, they’re, they’re smarter than we give them credit for. Right. So I think for me, my passion is especially paired paired with my background. My passion is the people problem. And so for me, it, it, it was a natural work. [00:23:13] And so the fact that I wasn’t super technical, but I’m very happy having people that are way smarter than me. Because I see it more as a, as a partnership, less as a tiering thing, right. They’re just different jobs in the same team. And so if you were to look at it from a sports analogy, I like being the coach. [00:23:29] I don’t want to go in the field and be the quarterback or the wide receiver. I’m just not that good of a thrower and I can’t catch. So I’m much better. I’m much better to help strategize and go win the championship. And so I think that’s just, people have to be honest about where their. I think a lot of folks get the leadership because they feel they have to.
[00:23:45] And that’s a mistake because it’s not where they want to be. And it’s not where their skills are. Wow.

[00:23:50] Christophe Foulon: I, and I love the approach of each person has their role, but being able to be the coach and to grow a team [00:24:00] where you understand that you’ll have people that are smarter than you doing certain things and you’re smarter than them in other areas and blending all those skills together.

[00:24:10] Carraig Stanwyck: So it has to be a low ego environment for us. Especially in cyber, right? You have to have an environment where, whether, whether you are the director or whether you are the brand new, you know, junior analyst ideas should be validated or should be, it should be judged on the merit of the idea, not on the merit of the person that that brings it. [00:24:28] And that’s what makes teams powerful.

[00:24:29] Christophe Foulon: Absolutely. So w we’ve went through a lot today, as you think about all the advice that you gave and your own journey. If you had to summarize that into one piece of advice for someone listening, someone seeing this in the future, what would that be?

[00:24:48] Carraig Stanwyck: When it comes to breaking into cybersecurity? [00:24:50] Networking and getting involved is, is, is the key, you know, when I have openings. And as a leader, I’m thinking like there’s [00:25:00] names that come to mind every time. Those are the names that I’ve met at conferences I’ve met at local get-togethers. I’ve seen active on LinkedIn or Twitter, right. Those names come to mind. [00:25:09] And they’re generally the first people that I think of when want to have open roles. So, and you don’t have to be super senior. You don’t have to be super experienced. All you have to do is participate. And I would highly recommend for folks wanting to get in, just be known, let people know that.

[00:25:24] Christophe Foulon: Carraig, thank you so much for your time today.
[00:25:27] Truly appreciate it. For all of you following on LinkedIn, follow myself, follow Carraig, follow the podcast. For those of you following us on YouTube, hit that subscribe button and that notification button. And for those of you listening to us on podcasts after the fact, give us a 10 star rating or five, if you can, and then share it with as many people as possible. [00:25:49] Truly, we appreciate you joining us today and have a great rest of.

[00:25:53] Carraig Stanwyck: Thanks.

    #Breaking into Cybersecurity Leadership Series - Alexandre Sieira

    Link to episode https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-alexandre-sieira

    [00:00:00] Christophe Foulon: Hello everyone. And welcome to another episode of Breaking into Cybersecurity, the Leadership Series. Today, we have Alex Sieira. [00:00:10] Why did you decide to become a cybersecurity leader versus staying an individual contributor?

    [00:00:16] Alexandre Sieira: It’s it’s interesting because it’s happened by accident. It was a function of the fact that after doing a few different things, I started my career. [00:00:24] Actually as a researcher slash software developer right after college. And then I did a few things on the business side and then it become, became an entrepreneur at started a consulting company that was doing cyber security. So naturally as the amount of work we needed to do increased and we had to hire more people, I kind of stumbled into. [00:00:46] Transitioning from being an individual contributor to managing teams of people to try to replicate the work. I was doing myself previously and, and try to be able to deliver more by adding more people. And so that was a natural [00:01:00] process and literally on the job learning. Right. And, and what I did to, to help Facilitate that transition. [00:01:08] At some point, I, I, I took an executive MBA at a prestigious institution here in, in Brazil, which really helped I gonna go get back to that point later on at a, another of your questions. And something I always tried to keep in mind in that transition of an individual contributor security consultant in that case to a manager of security consultants is. [00:01:31] I knew some people that were technical tens, right. They were as good as you can be technically. And I I’m in awe of those people. Right. Really respect them. And I felt I could never achieve that myself, especially if I transitioned into a leadership role because you don’t have as much time, it can go as much in depth into the techno technical stuff. [00:01:51] But if I was a six technically, and I was a six in maybe the business aspects of.
They would be a 10, but it would still be a 12. Right? So [00:02:00] that’s the, the kind of the, the mental model was trying to follow. Interesting.

[00:02:04] Christophe Foulon: As you progressed into this leadership role, what are some of the critical skills that you felt were required to be as successful as.

[00:02:14] Alexandre Sieira: The more you transition away from being an individual contributor the more understanding your business and having better soft skills. Becomes important, right? It, it, it starts to de-emphasize the technical knowledge a bit and, and to, to have a greater weight to those two things. So when you start managing people, you need to know how to manage people. [00:02:36] That’s a separate skill, you know, there’s this very well known concept of the halo effect. That people talk about when they talk about project management, just because someone is a great engineer, doesn’t mean that they know how to manage engineers or engineering projects, managing people and managing project. [00:02:52] On themselves, entire bodies of knowledge, entire different expertise that you need to study and, and practice [00:03:00] to get good at. So just acknowledging that from the get go is gonna help you level set your expectations, give you the necessary humility to seek out the resources you need to, to understand that. [00:03:13] And particularly information security we’re talking about risk. Risk is never technology risk. Like the risk of the technology itself’s gonna be bad. Risk should always mean a risk to the business. The technology failing confidentiality, integrity and availability being compromised means there’s an impact to the business. [00:03:33] So understanding not only how your particular business works, but what, how businesses in general are run, you know, how does marketing work? How do finances work? What are, what is relevant to a company’s finances in general? You know, that, that sort of thing.
Again, the more you, you rise up the ranks inside leadership roles, the more this becomes your day to day work, not only because you will be [00:04:00] managing budgets yourself. [00:04:00] So understanding how a company’s finances and processes work just becomes a necessity. Right. But also because you’re gonna be increasingly asked to report to more and more senior executives and interact more and. With business functions. So you need to understand them and how to talk to them, their language, the way they operate, the way they think to be able to do your job properly, because any good. [00:04:23] Information security, professional and leader. What they’re doing is helping businesses, making better informed risk decisions. If you don’t understand the business and what you cannot evaluate, what the risks are to that business, you can’t understand what they prioritize or deprioritize. You’re not gonna be able to do a good job just as a security professional in general. [00:04:44] Right. But then again, as a leader, The increasing part of your job is going to be doing that for your own organization, your own teams.

[00:04:53] Christophe Foulon: Yeah,

[00:04:53] Alexandre Sieira: I, I I’d agree with that.

[00:04:57] Christophe Foulon: So as you grew in leadership, what’s your comfort [00:05:00] level with delegation on a scale of one to five and why?

[00:05:03] Alexandre Sieira: I would say. The, the, that one that is missing is still the perfectionist and formal technical person in me saying, but if I did that myself, maybe I could do the artisanal hand woven thing that would be slightly better. [00:05:17] And I still have to contain that instinct, you know, and beat it down, say, no, no, you let the other people do the work, Alex. So that’s what I think that one is, is missing. Still fighting that you. Inner Wolf, you know? That’s trying to do that. Yeah. You mentioned working with others.
[00:05:34] Christophe Foulon: How would you rate yourself in collaboration from one to five and why?

[00:05:37] Alexandre Sieira: I, I feel like I’m a natural collaborator collaborator but I, I give myself a three on that because I still struggle with dealing with with people that. As we all do. And actually we, we talk about polarization, right? Handling people that think radically differently from you is a big challenge. [00:05:56] Right? I try to avoid that problem a lot [00:06:00] by trying to learn as much as possible about the work that other people do. So I can start to think more like them, but in those rare instances where I actually think, like, if you meet someone that says information security’s crap, that’s useless. You’re just wasting my time. [00:06:13] I still have a very hard time. Calming down and collaborating with that person. Right. I shouldn’t, it’s my job not to and, and, you know, the first step in solving a problem is acknowledging it exists, but that, that’s still a big challenge for me. So I’d say a three.

[00:06:30] Christophe Foulon: And following on with that, how would you rate yourself in communication on a scale of one to five and why.

[00:06:34] Alexandre Sieira: As far as leadership goes, I, I would say I tend to overcommunicate rather than under communicate as much as my my schedule allows. So I’m, I’m pretty satisfied with my level of communication. So did SMU to say that, but I, I would tentatively give me a, a. 4.7 or something on that scale. I, I feel that that has never been an issue. [00:06:57] The, the, the quality and the amount of [00:07:00] communication, much more, the other two issues we just discussed. Okay. Maybe if you ask the people or report to me, they disagree, but that that’s my self-perception. Anyway,

[00:07:07] Christophe Foulon: That, that definitely makes sense. Speaking of the people that report to you, as well as working with the business, how do you rate yourself in influence?
[00:07:16] Alexandre Sieira: It’s interesting because the way I think about influence and people have so many negative associations with sales but, but think of. But the ideal good way of doing sales, right. I think that’s what influence is. You’re just selling an idea. You’re selling a project, you’re selling an initiative, right. [00:07:35] And if you look at, we all think about the gimmicky, like used car salesman you know, ignore those people. Think about the best salesperson you met that really helped you identify a need designed a solution together with you. And I was able to tell you, this is how much it costs. This is what it takes to deliver it and help you make that happen. [00:07:55] I feel like that’s what you need for, for for instance, right? That’s [00:08:00] the, the, the right mindset you need to find it’s much more about negotiation, I think to think about. What is that that person need, do we align in somehow? Is there anything that we share that is a common need that we can you know work together on? [00:08:15] Right. The other thing I would say is that I understand why there’s an aspect of information security, and it’s interesting. I don’t wanna sound disrespectful, but it’s a very American thing where we have like military terms and the military hierarchy and the military mindset come into play. And maybe it’s just my misunderstanding on how the military works. [00:08:37] But my immediate association with that is a very hierarchical structure where people were issuing orders that you have to follow. Right. And if you question those orders, you could get in trouble. Because you don’t want people questioning stuff too much when they’re under fire, you need to respond, you know, because someone upper above your, you on the, on the chain of [00:09:00] command has better. [00:09:00] Intel has better information.
If we stop to discuss everything and make, you know, collegiate decisions, then you know, you get shot while you’re discussing instead of, you know, killing the enemy. Right. So understand that in a military context, you need this very hierarchical top down structure. But in 99, 90 9% of organizations, that’s exactly the opposite of what you want. [00:09:21] So you need to be able to convince people, sell in a good way. People that what you’re trying to do is in their best interest or in, in the company’s best interest and will be beneficial to everyone it is worth doing because when someone just doing stuff, because they were told to, their productivity, their motivation just really drops and the way that we are in people can very easily change jobs, information security, even with the current crisis, there are many more open positions than there are, you know, qualified people available. [00:09:56] If you start bossing people around, if that’s your instinct, because you [00:10:00] feel like that’s the right thing to do. You’re gonna be in a world of hurt because those people can very easily migrate away to other companies that are not treating them that way. Right. So it’s much more important to make sure people really agree and understand with the things that they’re being asked to do. [00:10:19] And if they don’t, it’s your job to try to understand. Maybe they’re right. Maybe you’re asking them to do the wrong thing and you need to revise your position as a leader, or maybe you are gonna learn about an objection that you need to overcome. And again, this is a sales language. When a customer has an objection, you need to understand it. [00:10:36] You need to empathize for the customer, and then you need to respond to that objection and show them, you know, give them a different perspective and change their mind. Right. But if the customer objection is real, then you have to change what you’re offering. Right. That’s the only way gonna overcome that.
[00:10:52] Objection. It’s the same thing here. Much more than top down hierarchical chain of command style. That’s what [00:11:00] I would recommend.

[00:11:00] Christophe Foulon: Like empathy is another critical skill that you would add to the list.

[00:11:03] Alexandre Sieira: Absolutely. I mean, there’s, there’s a, not everyone is cut out for the, the, the role of leadership as I, as I mentioned, You’re managing people first and foremost, you’re not, you know, most of us go to IT, go to information security because we like computers, applications, you know, automated processes things. [00:11:22] So again, we’re not doctors and nurses who are dealing with people. We’re mostly think about ourselves as dealing with things. Right. And that’s completely different. When you step into the leadership role, you have to switch away to dealing with people. So you need to have a certain level of emotional intelligence and empathy. [00:11:40] Otherwise you’re gonna make your li employers, your, your teams your employees lives hell, right? So when an organization is choosing people to promote to leadership positions, that’s a key trait to look for. And those are things that. A little bit innate a little bit, you know, how you [00:12:00] developed throughout your, your life. [00:12:02] It can be improved. People can go to therapy, people can take training, people can work and improve themselves, but it’s a lot slower than learning a new technical skill. Right? So having that empathy and that openness to talk to people about difficult subjects to break bad news to people. Those sorts of skills. [00:12:20] Again goes back to, to the soft skills conversation. Not everyone that is excels at technical positions has that some people do right, but, but not all of them do.
And so those people are the ones that are probably more suited to being on a leadership role, in my opinion,

[00:12:35] Christophe Foulon: And throughout your career in regards to networking and in this case, networking with people, how important of a skill is it and why?

[00:12:43] Alexandre Sieira: It’s critical in my opinion. If you are. Focused on managing people. You need to practice your skill, conversational skills. You need to learn about as, as many different points of view, as possible to view as few people as possible as the other. Right. And, and avoid that flash that we talked about [00:13:00] before. [00:13:00] And just on a practical level, if you are managing a team, even if you are working information security at a, at a company or not like I was working on a consultancy or a vendor, right. Networking means you might be meeting a new employee, a new team member. You’re talking to someone at a conference at a, at an event, right. [00:13:20] That you just met. And maybe you talk to them about your company, about the work you guys do, and they decide to come over. Maybe not today, maybe five years from now when they decide to leave where they are, they’re gonna remember. Hmm. I’ve talked to that person. I kept in touch with them through a mailing list, a slack channel, whatever it was. [00:13:36] They were nice. They said nice things about what they were doing, and I wanna work with them. So on a practical level, networking helps you find good products you can use as a security leader. Team members you could hire you know, business partners. You, you can do partnerships with as a vendor customers. [00:13:54] You can always, you can find out customers as well like that. So that [00:14:00] networking again, broadens your horizon gives you a bigger toolbox of people you can rely on when you need to hire, when you need to find a service provider, when you need to ask for advice. That, that can be a superpower. That can be really interesting.
[00:14:15] And if you feel like that’s a lot of work, I find that emotionally taxing, I find this is really hard. You wanna think how happy you’re going to be in a leadership position, because this is exactly the sort of thing you should be doing internally with your team members, the people you’re leading, you need to be talking to them. [00:14:32] You need to be meeting people on your peers on your larger organization that you need to interact with. And, and, and, and so if that is really taxing for you, maybe what you wanna continue to be like a technic. Either you improve that about yourself somehow, right? Or you decide no, that that’s not, for me. [00:14:50] There’s nothing wrong with that. Both paths are completely valid and can make you a fulfilled, happy, successful person. Right. There’s no better or worse path. Just choose the one [00:15:00] that’s gonna make you happy. Right. And satisfied.

[00:15:02] Christophe Foulon: Sounds like, say your advice, like sage advice and. Talking about sage advice. [00:15:05] What advice would you give to a future cybersecurity leader that is now watching this recording and considering this as a path for them?

[00:15:14] Alexandre Sieira: Start studying stuff that’s not information security as much as you can. So two things that worked for me and that I highly recommend look into doing something like an MBA. [00:15:25] Especially if there’s something that’s, part-time, doesn’t require full-time dedication. That, so that gives you like a generalist view of like how a business is run. Finance marketing sales, operations that gives you a, a, a, a, a inch deep and a mile wide visibility into how, how business strategy is executed and designed, et cetera, HR, because that’s gonna allow you to have much better. [00:15:50] Conversation with less friction with everyone you need to inside your organization.
So that’s never going to be the, the wrong move for someone that wants to be a leader and [00:16:00] something that I really enjoyed. And that really helped me bridge that connection. About the human element in information security was studying behavioral economics. [00:16:09] There’s one book in particular that I think is like a must read for every information security profession. That’s not entirely, if you’re all you’re doing is writing exploits. You know, at all day, you don’t need to read this book, but anyone else probably does. It’s a book called The Honest Truth About Dishonesty: [00:16:27] How We Lie to Everyone, Especially Ourselves, by the Israeli researcher Dan Ariely, that has published a ton of work on, on behavioral economics, which is kind of a, a, a, an intersection of economics and psychology. And it shows how people don’t behave like 100% rational machines. Right. So to give a short summary, What everyone here being a rational person would probably expect to be the key predictors of fraud and cheating would be what is the payback? [00:16:59] If I’m [00:17:00] successful committing the fraud, how much do I stand to gain as a fraudster? What is the likelihood of getting caught? And what is the punishment? If I do get caught. That’s what you think, right? That, that the, the, the, the intensity and the number of people that commit fraud or cheat is gonna be proportional to those three variables. [00:17:17] Those are nowhere near the three most important variables. Variables are really found. There’s a ton of social context, social cues and, and other things that influence that decision a lot more. And this is really disruptive in how we think about awareness, training, risk management. Insider threats and things like that.
[00:17:36] The, the non obvious thing that came to me after I read this book is, you know what the go-to recommendation I make these days for people to say, how do I reduce the risk of insider threat, most security leaders in professional. I need to buy tool X or Y or Z. No. Now keep your employees satisfied. [00:17:54] Treat them. A satisfied gruntled employee. You need to keep your employees as gruntled as possible is the [00:18:00] joke I made are that’s the most important thing you can do to avoid insider threat. So that sort of insight is non-technical and it’s something that if you don’t reach out to learn you won’t right. So, so I really recommend everyone read that.

[00:18:14] Christophe Foulon: Yeah, psychological safety is definitely key to having a happy employee.

[00:18:19] Alexandre Sieira: Well,

[00:18:20] Christophe Foulon: Alex, thank you so much for spending time with us and sharing all this advice. We really appreciate it and thank you very much.

[00:18:28] Alexandre Sieira: It was my pleasure. Thank you very much for inviting [00:18:30] me.

    #Leadership Series - Ira Winkler

    Link to episode - https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-ira-winkler

    [00:00:00] Christophe Foulon: Welcome, everyone, to another episode of Breaking into Cybersecurity, the Leadership Series. Today, we have Ira, who will be sharing his experiences with us. Ira, why did you decide to become a cybersecurity leader versus an individual contributor? [00:00:15] Ira Winkler: It’s an interesting question because I never really wanted to be a cyber security leader. [00:00:21] It just kind of worked out that way. I was always an individual contributor. I love doing actual work, you know, you’d lead project teams, but that just cuz you lead a project team doesn’t mean you can’t necessarily stay technical and then, you know, a fluke. I ended up starting my own company. And from that point, it’s hard to go back almost because it’s, it’s too much where you’re, if well, assuming you’re actually successful at it. [00:00:47] When you’re your own boss, you hate to sometimes go back to an individual contributor role. And even if you do, it’s probably gonna be in such a way where you have influence and leadership, [00:01:00] otherwise. [00:01:00] Christophe Foulon: And speaking of those, what would you say are the critical skills in cybersecurity leadership? [00:01:05] Ira Winkler: We phrase it so poorly, but the soft skills are pretty much what really matters most. I mean, fundamentally, if you’re gonna be in leadership, you have to understand the business context of what you’re doing. You have to understand the functionality. You have to understand that security isn’t necessarily the top priority; security should be an enabler. [00:01:28] And that’s probably the most critical. Then when you’re talking about leadership, the implication is that you are able to lead people and leading people. I was, you know, every so often I ask people, why do you wanna work for me? And it’s like, you’re inspiring. You know, you have a vision and stuff like that. [00:01:46] And not every leader has to lead with vision. 
You know, there are people who lead with encouragement, there are people who, frankly, I, I love the people who, for lack of a better term, lead from behind. And what I [00:02:00] mean by that is not push people, but they let people do what they need to do and they trust the people and let them work. [00:02:07] And those are the people that kind of just, you know, nudge people in the right directions. Assuming of course they have a good team, you know, other people are, you know, I mean, I say my success is basically due to the fact that I hired people who I just let them be themselves. And then I look good cuz they look good and that’s the best way to lead if you have the opportunity. [00:02:30] Christophe Foulon: Okay. I’m guessing that would make you very good in the skill of delegation. How do you rate yourself on, on one to five in the skill of delegation? [00:02:38] Ira Winkler: I, I mean, on a scale of one to five in delegation, part of me wants to answer like a negative 10 I’m. So when you think about it, excuse me, as an individual contributor, you are looking at things like, okay, you have to do it and everything. [00:02:53] And at some point there’s a difference between, and, and, and there’s a fine point between [00:03:00] delegating, letting people do what they do best, cuz you hire them for that. And then taking lack of ownership, cuz one part of being a leader I think is you have to have extreme ownership and that means that you, [00:03:14] no matter what happens, you’re ultimately responsible. And you know, it doesn’t mean yes, you program the system or you configured a system that hacked, and therefore you did that, but you have to take responsibility for all the efforts of your team and essentially say, you know what I, if something goes wrong, it’s on my watch. [00:03:35] If something goes wrong, I’m ultimately responsible for it. And I’m responsible for making sure that the situation is fixed. 
That leads to this little bit of angst that if you don’t have complete trust in the people, you’re really, you know, like micromanaging and going down into it, you know, the other extreme as well. [00:03:54] You’re just gonna delegate everything away without taking ultimate responsibility. And that [00:04:00] means that you’re not really, you know, you’re not really engaged as you should be. And there’s a very fine line in when you say delegation, what do you mean: delegation of responsibility or delegation of roles? And you know, and, and when you look at delegation of, you’re never delegating responsibility, you’re delegating tasks, you’re delegating functions, but you’re never delegating responsibility. [00:04:26] And given the non-delegation of responsibility, in my opinion, it just makes me real, have a lot of angst when I do delegate. If that makes any sense at all. [00:04:35] Christophe Foulon: Absolutely. To me, it makes sense. And hopefully to the listeners as well. When you think about collaboration, how would you rate yourself on a scale of one to five and why? [00:04:45] Ira Winkler: I mean that’s, I mean, that’s a, that’s a thing that varies greatly. You know, one of my things is when I trust people, I could collaborate. I could do my function and let it go. You know, if I don’t trust the people I’m working with that could, you know, that could be a disaster. I [00:05:00] must admit, you know, I like to collaborate with other people because I do think that the more people you bring together, you know, it’s like the, you know, it’s a cliche, but one plus one makes three, when you have a good collaboration. [00:05:12] And in that case, when you do, you can really go ahead and have something great. If you have people where the collaboration is unfairly implemented, unequally implemented, that leads to a different story. Now I’m sounding like a lawyer. I guess my answer is it depends. [00:05:30] Christophe Foulon: Oh, we love using that term. 
It depends in cybersecurity. [00:05:34] Ira Winkler: Yeah. I mean, you can’t, it’s hard to collaborate well when things are not working well, I’ll phrase it that way. [00:05:42] Christophe Foulon: That makes sense. And as you think about the term communication, how would you rate yourself on a scale of one to five and. [00:05:48] Ira Winkler: So generally, I mean, I have to say I’m a great communicator. That is one thing I’ve been told. [00:05:53] And that would be like, where I say I’m a minus 10 in delegation, perhaps I’m probably a [00:06:00] plus 10 on a scale of one to five in communication. You know, again, it’s like the vision I can create. I can generate excitement. And so on. That’s not to say I don’t have some major times where I communicate the wrong message. [00:06:15] I have a lot of what they call dry sense of humor. So sometimes I make a joke and. Just is taken the wrong way. And I don’t even realize it. I actually was meeting with a CEO of a company last week and you know, in my current position they’re theoretically a vendor and like I met him at a party the night before, and then I probably said some joke. [00:06:37] It’s like, ah, I can’t believe he just walked away like that to talk to other people. And somebody went back and told him you offended Ira. And then the first thing he did was when I met with him the next day in a formal meeting, he’s like, oh, I heard, I offended you. I’m I’m I’m like, you offended me. I go. [00:06:53] I go in my wildest dreams. You didn’t offend me. I’m honestly, you know, you’re a public company [00:07:00] CEO, I’m honored you took any time. And he is like, no, I thought I was told, I go, no, seriously, if you offended me, I would’ve told you to your face, but it was probably just a bad joke. So when I look at things like that, it’s like, yeah, I have some improvement to do in my communication skills or at least find people who get my sense of humor a lot better. [00:07:20] Christophe Foulon: That makes sense. 
When you think about influence, how would you consider your skills of influence and why? [00:07:26] Ira Winkler: It, it varies. And it depends on who I’m trying to influence. And you have to be aware of that because you know, in some people where, you know, you have a good relationship with, you know, people where I’m, I’m great friends with and everything, and, you know, we understand each other. [00:07:42] We can be blunt with each other. I have great influence. If I understand going in that I have. I, you know, I can give people a vision and that vision can be influencing in a lot of cases. You know, you also have to understand if you can talk business language to business people [00:08:00] that also is invaluable. [00:08:02] And I have a good way of, you know, translating that, you know, business, or like for example, cybersecurity concerns and how they relate to business value. And that’s critical at the same time though. There’s other, you know, like, depending on. One on one situations I probably need definitely need improvement with regard to, for example, people who are more interpersonal where you, I mean, there’s an expression where you have to show people, you, you, you care before I forgot the there’s something that rhymes, but I forgot, you know, you have to show people you care, you know, before you, you know, show them and influence them. [00:08:39] But to me, You know, I’m more for like a direct, straightforward person, like I mentioned, and those like the people who wanna get to know you as a person, I probably have a little bit more problem influencing, cuz you have to take more time to get to them and show them that you care. And so that’s one of the things I definitely need to work on, but you know, [00:09:00] again, being, yeah, God, I should have went into law today, but yeah, again, the answer is, it depends. 
[00:09:05] Christophe Foulon: Well, thank you for sharing that and being vulnerable about where your strengths and weaknesses are. As you think about networking, how important is networking with people versus technology to your, your success and why? [00:09:20] Ira Winkler: So I would say probably if I were to look back at my career, give or take 95% of my career was networking in one way or another. [00:09:30] You know, when I look at the jobs, when I look at how I sold my companies and things like that, most of that was networking. There was a little bit of frankly outreach where people knew me because of my writings or speaking, or, you know, I mean, it’s great when somebody’s interviewing you for a potential job and they have your book on the shelf behind them during the interview, you. [00:09:51] It’s one thing great about Zoom, but so that makes it a really, really good thing. But at the end of the day, networking is what tends to open [00:10:00] up the doors. Networking is what really makes or breaks a person’s career. I mean, I shouldn’t, for many people, if you’re gonna have a career where it’s, you know, you just have career progression within a company or within your group of friends, that’s one thing. [00:10:15] But if you’re really gonna have a, you know, a good profession where you’re gonna move around, where you’re gonna explore new things, networking is probably the way to go. And that’s one of the things the pandemic hasn’t helped with. And for many people, I must admit. [00:10:29] Christophe Foulon: Those make networking a little bit harder. [00:10:31] Ira Winkler: Yeah. I mean, I’m, I’m lucky in that because when you look at it and, and, you know, thinking back a little bit more detail, my writing and speaking is what really helps me network. So maybe I should adjust that percentage of 95 5 because you know, some of my better friends are people I met because of writing or speaking at events and things like that. [00:10:53] And. 
You know, a little bit of that take is your technical special specialty that gets [00:11:00] you into those environments. It gets you people reaching out to you. So there’s a combination of give and take. Attending professional meetings is another thing. So anyway, I think I over answered that question, so I’ll leave it at that. [00:11:14] Christophe Foulon: No problem. As you think back, and someone is looking at this wanting to become a cybersecurity leader, what one piece of sage advice would you give them? [00:11:24] Ira Winkler: Sorry, this I’ll I’ll quote Bill and Ted. Just be excellent to people. You know, that’s number one. And really at the end of the day, if you really wanna go into leadership and be effective, you can underwrite, underestimate the business acumen that you need, you know, and this, and then what I mean by that is like, there are probably some leadership positions, if you’re gonna be like technical roles and stuff like that, that’s one thing. [00:11:47] But if you’re actually gonna lead people, if you’re actually gonna communicate and, and really leading, you know, I mean, it’s trying to get the best out of people. The ideal leader, in my opinion, is one who [00:12:00] can easily be replaced. If you can’t be replaced, there’s something fundamentally wrong with your leadership. [00:12:06] And that takes a little bit of guidance, mentorship, finding the right people to work for you, you know, and other sorts of things like that. People who can make you better. So, but at the same time, sorry, I guess there is no one thing I could attribute after going through that answer, but knowing the business skills, because at the end of the day, your whole group, your team is gonna be measured upon how well they serve others. [00:12:33] And maybe that’s in a technology to technology role, maybe it’s into business, but you really need to understand who you serve, how you serve them. And. 
Your end customer, whoever that happens to be. [00:12:47] Christophe Foulon: Agreed, business enablement is at the top of my list of recommendations as well. Well, Ira, thank you very much for joining us today. Really appreciate the time and the advice that [00:13:00] you’ve given us today. [00:13:00] Ira Winkler: Yeah, no, thanks for having me. I really appreciate it.

    #Leadership Series - Andy Ellis

    Link to episode - https://breaking-into-cybersecurity.captivate.fm/episode/leadership-series-andy-ellis

    [00:00:00] Chris Foulon: Welcome to another episode of Breaking into Cybersecurity, the Leadership Series. Today, we have Andy Ellis, who will be sharing his experiences in cybersecurity with us. Andy, why did you decide to become a cybersecurity leader versus an individual contributor? [00:00:16] Andy Ellis: I think it comes down to having both more leverage and more control. [00:00:22] I started out as an individual contributor, became the principal individual contributor. And, I looked around and said, I had a lot of choices. Like I could do things and I could either take on leadership of the organization or let somebody else do that. Let them go find somebody to do it. But if somebody was really my direct manager, cause I was very independent at the time, I would lose a lot of that self-control, being able to choose what I did. [00:00:46] And also I liked the leverage of being able to see the bigger picture and try to put people into places to succeed. Where I could get more done through the people who worked for me than I could potentially do myself. [00:00:59] Chris Foulon: And this topic is [00:01:00] gonna be very natural for you, considering that you’re writing a book on cybersecurity leadership. What would you consider the critical skills of a cybersecurity leader? [00:01:09] Andy Ellis: So I think that there is a whole host of skills. And, in April when my book comes out, I know that’s a long way away, people can read like about 54 different skills that I’m, that I talk through. But at a high level, it comes down to technical skills, people skills, and process skills and technical skills you should think of as the ways that you directly change the world through your own. [00:01:32] Sometimes that is writing code or breaking software. Sometimes it is writing English prose, a lot of times it’s like, how can you help your company market what they do? There’s a skill in there of communicating and writing things down. So you wanna have a foundational of. 
[00:01:50] Technical excellence that you can solve problems yourself. The second category is the people skills, which I think of as the ability to change the world through people you directly interact with, can [00:02:00] you identify when somebody is ready for an opportunity? Do you know how to set them up for success while still enticing them with the risk of failure. [00:02:08] And that sounds interesting, like enticing them, people want that rush. They want to know that they’re learning something new and your job is to give them that feeling. But with safeties around them, So that they can learn through that stressful moment, but it’s not being so stressful that they feel that they’re abandoned out there. [00:02:24] But it’s putting people in places to succeed and taking them away from places where success is impossible. There’s a lot of work we do in security. And in frankly, all across the business where if you stopped doing it, it wouldn’t really matter. And if you delegate that work to somebody else, you’re hurting them. [00:02:39] You’re not gonna change the world in a positive way through them. In fact, you’re gonna break their ability to change the world in the. The most important set of skills, all lump under what I call process, changing the world through people you don’t directly interact with, can you set up processes and understand how people will violate process and by violate, I don’t mean [00:03:00] ignore it. [00:03:00] I actually mean actively harm it. Let’s take a process around vulnerability management. For instance, a lot of people wanna move to SLAs. I’m a big fan of it. You should do SLA management and say, oh, we have a seven day SLA. What percentage of the time do we succeed at, seven day patch management? [00:03:15] But if you have an exception process, which you should, because some vulnerabilities are like serious architectural flaws, it’s gonna take months to fix, maybe a year to roll out into your customer base. 
That sounds, really scary to a lot of people, but I’ve dealt with vulnerabilities that were multi-year critical issues, so you’re gonna, you’re gonna give an exception and say, look, we’re not gonna really, penalize you badly for this one, violating seven. , but what people will start to do is they’ll show up on day six and a half and say, oh, we can’t fix this by the seven day, window, because it’s gonna take us like three days to do this. [00:03:51] Even if we stopped everything else and dumped all of our feature releases. So we’re just gonna defer it for, 30 days and and they say, but look, it’s six and a [00:04:00] half days in, so there’s no way we could hit seven days anyway. So you need to give us an except. and what I found is that if you took that and said what if we had known that four days? [00:04:08] What if at day two and a half, we had said, had made that trade off, would we have said we’re gonna not do it for 30 days or would we have actually in the heat of the crisis decided to actually implement it. And you’ve taken that choice out and people are violating the process because they didn’t want to, they made the choice at a lower level than the company should have allowed. [00:04:27] It should have been made at a, VP of engineer. Rather than manager of engineering level. So understanding the way people will actively violate process, you’ll manipulate it. What are the negative incentives that you put into a process? People often like to say that you can expect what you inspect, which is whatever you look for. [00:04:47] You’re going to get more of it’s the old Dilbert, if you incentivize people for fixing bugs, they will write more bugs. And so a lot of process skills really orient around understanding how humans defeat your process. [00:05:00] And as a security professional, at the very least you have a leg up because odds are your technical skills are all oriented or around defeating other people’s processes. 
[00:05:08] So just apply them to yourself. [00:05:10] Chris Foulon: As you think about that. How would you rate yourself from delegation in regards to delegation on a scale of one to five [00:05:17] Andy Ellis: and why? Yeah, so it’s funny because when you wrote this question, you asked about my personal comfort with it. And I think I gave the answer that my comfort doesn’t matter, like delegation is really hard, but it is the most important skill. [00:05:30] You need this, you need to be a five at delegation if you want to be a leader, because it is the only way to continue to. And the reason a lot of people don’t want to delegate is because there’s this feeling of, you don’t wanna necessarily say power. Maybe self-actualization when everybody has to come to you, but you don’t want to be irreplaceable. [00:05:50] What you want to be is unclonable nobody should ever be able to truly fill your shoes, but they shouldn’t be able to get the jobs done. And the way that you do that is through delegation. [00:06:00] You find work that would be fitting for someone else and let them do it. And what you have to do is figure out how do you keep people from escalating past them? [00:06:08] Especially in security, where a job is often to say, Hey, that’s a dangerous thing. Maybe you shouldn’t do it. and people don’t like hearing that answer. So they escalate I can always get a better deal if I go to the top. And after a while we learned that it was actually better to do the opposite. [00:06:22] I had to deal with the people who worked for me that I had delegated responsibility to them was they could tell me what deal I should accept. And they would always offer a more generous. So it’s oh, Hey look, if you can get this done collegially and under the covers, and we don’t have to officially take notice of this problem, then you can get away with a lot more. [00:06:41] Oh, you found your own bugs. Great. There’s no SLA on patching a bug that is self discovered. 
Sounds really wacky. Doesn’t it? But if all of a sudden they’re like, Ooh, there’s no SLA, but this one is really bad. Like you need to get this into your next feature release. And they would tell me, and they’d say, Hey, if this one comes to you, like you need to disrupt their next release. [00:06:59] [00:07:00] Like this doesn’t go into the one that is, not yet future frozen. You need to open up the one that’s code frozen. If they say they don’t want to go to the future frozen one. So any time that they had discretion, they would err on the side of generosity. And I would err on the side of caution, which all of a sudden empowers them because nobody wanted to escalate past. [00:07:18] Because the more you escalated, the worse your problem became, because if it was such a big issue that you had to get the CISO’s attention, then clearly we needed to fix it urgently. [00:07:27] Chris Foulon: And on the opposite, end of delegation, collaboration, how would you rate your comfort level with collaboration and why? [00:07:34] Andy Ellis: Oh, I love collaboration. [00:07:36] I’m much more comfortable with collaboration. I hate confrontation and there’s probably a lot of former colleagues who are like, Andy, you loved confront. And the answer is no. If you make me have a confrontation, I will enjoy going into that confrontation. And I’m gonna do my best in that moment, but I would rather not ever have a confrontation. [00:07:55] How do I head those off in a collaborative fashion? One of the big challenges [00:08:00] you often have as a CISO is, helping people prioritize the most important risks to the business. And there are people who want you to give them a strictly ordered list. This is risk. Number one, it is always worse than risk number two, which is always worse than risk number three. [00:08:14] And at a high level, when you have really bad risks, that is often the case. There is a disaster you’ve just gotta fix right now. 
Nothing is more important than that disaster. But once you clean things up and hit this steady state, you have a bunch of really bad risks that are not easy to fix, because if they were easy to fix you, would’ve solved them already. [00:08:32] But they’re so they’re there, but they’re not disasters. And you have like maybe 10 to 50 of these that you’re just keeping track of and you wanna make progress, you can’t make progress on 50 at once. So you go to someone, you say, Hey, look, here’s like the four that are relevant to your organization. [00:08:48] Pick one. And they look at you and they’re like, what do you mean? I’m like I would be happy with you fixing any of these. But I, this is, this is the one that I think might be slightly worse and slightly easier to fix, better than I do. What’s easier to fix. [00:09:00] And your system’s better than I do. [00:09:01] Maybe a different one is slightly worse. Pick one. And the reason that I like that collaborative approach, and it sounds like it’s not totally collaborative putting ’em on the spot, but what it’s really doing is it’s making them commit to the most important. now it’s not, the CSO said I have to fix this it’s. [00:09:16] I said, I have to fix this. I am part of the decision making process. And the reason that’s important is a lot of decisions that we make are hard decisions. There is no right choice. People love simple choices where there’s, an obvious solution that is strictly better than every other, thing. [00:09:33] If all decisions were made that way, we would not need sea level executives. Maybe we don’t need sea level executives anyway. But we certainly don’t need people making hard decisions if decisions are easy, but when one person makes a hard decision for a group, most of the group will not actually be bought into the decision. [00:09:50] So what you do by, avoiding collaboration early is you create confrontation later. People will snip at you, they’ll drag their heels. 
They’re gonna continue to [00:10:00] argue with you and point out the flaws. If instead you let them join you on that journey of choice that they get to navigate and see that there are no good options, it options. [00:10:08] Then they all get bought on. I used to reorg my team a lot. And that sounds scary, cuz people were like, oh my God, why are you reorging? And the answer wasn’t that we were doing like big reorgs. It was like little tactical things. Hey, this became a priority. We wanna put people on it, but that means they have to stop doing their other work. [00:10:23] Like for me, it was actually this admission of there’s work we need to stop doing. So we have to move somebody on an org chart and really they work for the same person, but they’re technically like doing something different now so that we could tell people you’re not allowed to ask them for their old work. [00:10:38] And, at one point we had to do a pretty, Significant one, we needed to, move like 10% of our people onto a new project and eliminate whatever they were doing. We had no new incremental headcount and we were already, I thought running pretty lean, so everybody was gonna be unhappy. [00:10:53] So we put it in front of all the managers in the organization. We said here’s our constraints? Here’s the group we wanna build. Here’s a [00:11:00] sort of the people that we probably think ought to go into that group. How do we reorg the team around this new. and, deal with the constraints. And so we sent off, managers in pairs okay, Hey, this pair go out and try to solve the problem. [00:11:11] And all of you come back and they were all really frustrated cuz they couldn’t come up with a solution that they liked. And the answer was there was never gonna be a solution to anybody liked. So at the end of the day, like I, and my senior leaders, we basically just made a decision, sat down, spent three hours like drew the lines, figured out who was that? [00:11:29] Where. 
But what was amazing was it was the least amount of pushback from the line managers in the organization, because all of them had seen how hard the problem was [00:11:38] Chris Foulon: That is a very tough decision to do. As you think about sharing those decisions, how do you, what’s your comfort level with communication on a whole [00:11:47] Andy Ellis: and. So I am a huge fan of communication. And I’ve said I’m like a huge fan of everything you’ve asked before here, but you’re nailing the really important leadership skills, you’re gonna make a decision and it’s important to be transparent. [00:11:59] And [00:12:00] so communication, I think of it as it goes three ways, not two ways. So it’s direct from you to your. It’s direct from your team to you, but it’s also indirect from your team to you. There are hard questions that people do not feel comfortable asking because there is no true safe space. [00:12:17] Like you are the leader who can fire them and they will never get over that there’s thing, jokes you can’t make because of it. It took me a long time to learn that one. Yeah. I had a direct report that I had laid off and then hired. and he could make jokes about being laid off by me. But anytime I made a joke about it boom, the room would shut down because like I could always do it again. [00:12:36] And so look, I’m still friends with him but now I can make those jokes cause he doesn’t actually work for me anymore. So you have to recognize that you need to advertise and communicate. Hey, here’s what we’re doing. Here’s what’s going on. You need to give people an opportunity to ask you hard question. [00:12:51] And then you need to give them a way to ask hard questions without attribution. So every time I would do an all hands, which was once a quarter or whenever we had some [00:13:00] significant event, we had an anonymous form for asking questions and upvoting questions. 
And if you wanted to put your name on it, you could, and then you got to ask your question and if you didn’t want to put your name on it, that was okay. [00:13:12] One of the folks in my chief of staff office would ask the question for you. You would get an answer. And then if we didn’t get a chance to answer all of the questions. We would try really hard in our team chat to, type out answers for everybody and say, sorry, we didn’t get to it, but here’s the answer to this question. [00:13:28] Now sometimes look, you get questions that are not asked in good faith, but do you, you have to treat them like they are and answer them. And it’s easy to say, oh my God, it’s the same person who’s asking this question because they’ve got an ax to grind. It’s yep. But that’s okay, because maybe it’s asked by somebody different this time or, whatever it is, but you have to be communicative and help explain what went on so that they can see and learn. [00:13:55] Like they don’t understand what the decisions you make because they don’t see the world. [00:14:00] You. and communication is your opportunity as a leader to expose people gently to the wider world of the organization so that they can understand the constraints that you’re operating under. [00:14:10] How would you rate [00:14:11] Chris Foulon: influence as a leadership skill [00:14:13] Andy Ellis: and why? So I think that influence is one of the most underrated skills. It is most important for staff functions, which security usually is. There’s a lot of security folks who like to think that they get to tell the business things. I think my favorite answer is like, how many people can you actually fire? [00:14:31] And the answer is a security team is basically your own team. Like you don’t get to fire anybody. So everything that you do is through influence. Nobody does work unless they want to do work. And your job is to make them want to do. 
Now you could do that by going up over their heads over escalating and using their management stick to push down on you or onto them. [00:14:52] But the challenge is they will never do things voluntarily for you. They will make you burn political capital going to their management every [00:15:00] single time. Once you’ve abused that, and then their management is gonna push back on you because there’s a lot that you need to get done. That is not that important. [00:15:08] That’s the most important thing I think for anybody to walk away with in security: 99% of the things that we get done should never be talked about in front of executives. Like you find a bug in software. That’s literally like a one line code change. A VP should never hear about that. Unless it’s already in the news, go talk to a person, file a change request. [00:15:31] Or a pull request and say, Hey, here’s the change you need to make, let them deal with it. And that requires influence that you can walk up and say, Hey, could you do this for me? And they’ll say, So it’s critical that you focus on your influence skills and the most important way to do that, I think is by learning what hurts people, what are their pain points? [00:15:50] And you can just ask them, if you go ask developers and say, Hey, what’s your biggest pain point? That’s a hard question to phrase. You might want to take them out for a beer, whatever the Zoom [00:16:00] equivalent is and be like, yo, Hey, I wanna understand your job a little bit more. What makes it difficult? [00:16:05] And they’ll probably say. Just to be clear, say let’s talk about not me for a moment, but if you learn the things that hurt them, then you can learn how to attack those things. Before they bring them up. I used to have a peer who worked in our professional services organization and a lot of the ways that we would fix problems in our production network involved making changes to every customer consider.
[00:16:26] Because that was the easiest thing for engineering. Like they would just say, oh, we’ll just implement a new feature that is more secure than the old feature. And you’ll go manually migrate everybody. And the first time they did, I’m like, Hey, whatever, like that’s how you wanna fix the problem. Great. My professional services peer would hate every one of those. [00:16:43] They’re really expensive too. And so all of a sudden I started channeling the professional services concerns. So when someone would say, Hey, let’s just fix it this way. I’d be like, whoa, what does migration look like? How much is this gonna cost us? How easy is this for customers? And now all of a sudden I have more influence into professional services [00:17:00] because they can see that I understand their pain. [00:17:02] So when I would say, Hey, this is the best we’re gonna get. They would under believe that I had actually investigated. And wasn’t just believing that cuz engineering told me.

[00:17:11] Chris Foulon: Now taking a step away from technology, how would you rate networking as a skill for a leader and why?

[00:17:18] Andy Ellis: So networking, I think, is a really overrated skill, but at the same time, it is important. But I think that people think of networking as asking other people for do, to do stuff. And networking is actually just helping people because you. [00:17:32] And then one day you get to call that in and reach out to somebody, but you should recognize it in a sense you’re paying it forward in advance. Like you say, oh, Hey look, Christophe’s doing this cool cybersecurity series. I’m going to do it because I just want to help Christophe out. Like now it’ll probably be because I have a book on leadership when that book comes. [00:17:51] Like it helps. Hey, Christophe’s now in my network. He’s somebody that I’ve helped a bunch of times. And when I say, Hey, can I come on your podcast and advertise my book? Like [00:18:00] networking has helped.
But I’m not showing up here today because of that thing in April when the book drops, although I guess I just advertised it there. [00:18:08] I’m doing this just because I can, because it’s helpful. There’s people I’m reaching out to. And so that’s really what networking is giving to people to build your network, not trying to figure out who can help you and trying to suck them into your network. Run into that. A lot. [00:18:24] People on LinkedIn send, knew that invite says, Hey, I want you in my network. I’m like, so like you’re a random person, like the network doesn’t grow, just cuz we create links. It grows because we do things for people. And so that’s what I think is important and don’t, networking up is okay, but it’s hard. [00:18:41] It’s expensive. What are you going to do for somebody more senior than you in the industry? Probably not a lot, but if you do things laterally to people who are more junior in the industry, like there’s a lot of power you have to make people’s lives better. So every time you can do that, take advantage of it. [00:18:58] But don’t think that [00:19:00] networking is the thing you rely on. It’s just, Hey, you’re building these connections and there will be a day. It’s fantastic. Like I have my own podcast and I use my network to get guests. It’s all people who I’ve done stuff for with we’ve done stuff together over a decade. [00:19:15] And when I first was interacting with these people, they weren’t like the CISOs of all the social media giants. Now they are. So my social media team is like, how do you get these people? And it’s 10 years ago, I brought a beer on stage to this person cuz he made a joke about needing a beer. [00:19:33] Cause it was the last talk of the. Like literally, I did that as a conference with Roland Cloutier, who at the time was with ADP. Now he’s with TikTok. And, but that was the thing that made me memorable to Roland at the. Was like, he made a joke.
He was on stage with Bob Bragdon and then they were like or the five o’clock fireside chat, we should have a beer. [00:19:51] So I walked to the beer to the bar at the hotel, got three beers, cuz I wasn’t gonna not drink, handed them each one, went back to my seat and like we now [00:20:00] had this thing and look at how little that was. It cost me like 15 bucks cuz you know, it’s hotel prices for beers.

[00:20:05] Chris Foulon: Wow, that’s a memorable story. [00:20:07] I will always remember that. Now, thinking about a future leader who might be listening to this, what advice would you give them?

[00:20:13] Andy Ellis: So I would just start by saying you are not a future leader. You are a leader today. I think people wait to have official power to think of their leadership journey, but the reality is when you show up to work, everybody who sees you is being led by. [00:20:29] Are you leading them to be a better version of themselves or a worse version of themselves? If they see you slacking off, they’re like, Hey, I can totally slack off. Now, if they see you taking care of yourself, they’re like, Ooh, that’s awesome. I should be taking care of myself. So you get to lead every day, recognize that some of the leadership things do require official power. [00:20:50] Like I’m a firm believer that wellness is important and people should take lots of time off to take care of themselves. We used to have a policy when I was at Akamai that anybody in the team could [00:21:00] send anybody else home. You could just be like, Christophe, you’re you look like you’re having a bad day go home. [00:21:04] You’d like, but I got five meetings this afternoon. Are you actually gonna have positive outcomes of your meetings? No, go. But that required me as the head of the function saying, this is our policy. Trust your neighbor. If they tell you, you need to take care of yourself and we will always cover you for an absence, don’t worry about it.
[00:21:21] So that took me doing it, but then it empowered everybody to exercise their own leadership and take care of the people around them. So recognize that you’re not a future leader. You are a leader today. And what are you doing? This. To practice skills that will be useful 20 years from now, but that are also helpful and useful and effective today.

[00:21:41] Chris Foulon: Wow, Andy, thank [00:21:42] you so much for sharing advice, stories and everything with us today. We truly appreciate it.

[00:21:48] Andy Ellis: Thanks for having me, Christophe. I appreciate it.