Find Cybersecurity Talent - Retain Cybersecurity Team

February 1, 2021

The Cyber Rants Podcast

Episode 14 - Building and Keeping your Cybersecurity Team

How do you find the right cybersecurity talent when other companies can pay them more? How do you retain your cybersecurity team once you find those rockstars? Does it make sense to hire a Senior VP of IT when they will also be handling the help desk function? What about entry-level staff running critical functions?

This week, the guys discuss the importance of finding and hiring the best talent for your company's cybersecurity program, along with sharing best practices to make your team the best in the industry!

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo zach fuller

and lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach fuller

joined by mike rotondo and lauro chavez uh today we are going to kick it off in the usual fashion

a lot of stuff going on in the news for the past well a couple months really basically very very

critical times and interesting stuff happening mike why don't you dive right into it right on

zach thank you uh welcome to the podcast i am going to kick off the news and hopefully i don't

think i don't have any i don't think i have any solarwinds headlines so uh let's keep our fingers

crossed but i do have microsoft headlines windows desktop servers now used to amplify ddos attacks

yep we got another problem with microsoft rdp enabled on udp 3389 has an amplification

ratio of 85.9 to 1 it's just being used by ransomware all over the place and it's it's uh

it's a big problem a password stolen by a phishing campaign available through google search the linux

server hosted on microsoft azure was hacked and they are now delivering out passwords so it's all

good dream bus freak out botnets pose new threat to linux systems i just like saying dream bus

freak out botnets but uh there's another malware out there on linux so if you believe you got linux

you're not safe hackers hijacked cloud accounts of high-tech and aviation firms hidden systems for

years you know we've talked about the cloud before in the security of the cloud before it's something

you definitely have to consider that you have to look at the security of the cloud it doesn't mean

you're safe just because you're in the cloud so anyway these people hacked in and they were in

there for years literally just stealing data fraudsters are using google forms to evade

email filters yet another way around mail as manipulating google forms another ransomware

now uses ddos attacks to force vixen to pay the new the new methodology um from suncrypt and

ragnar locker is to if you don't pay we're going to ddos you new wormable android malware spreading

through whatsapp um i know a lot of people think whatsapp is a great tool that it's available that

it's uh easy to use and it's pretty secure but we got mauler spreading through it so be careful

north korea linked campaign target security experts by social media this is the second time

i've heard about this this week and i know a lot of you brought this up also the north koreans are

attacking security experts we also got an email i think it was from sonic wall or one of those that

a red eye that talked about how google's already been hit up on the stuff so be careful out there

be careful who you talk to targeted phishing attacks strike high-ranking company executives

yep the guy in the corner office is your worst enemy when it comes to security uh because they're

being attacked and they're not paying attention to the fishing training necessarily so be careful

ddos attackers exploit vulnerable microsoft rdp servers this kind of dovetails off the

one i said earlier um again this is becoming a big deal a new attack could lead let remote

attackers target devices on internal networks so this is using nat slip streaming and we always

think that oh it's on the internal network so it has some compensating controls in place but

figuring out a way around it it cve 2020 16043 and cve 2021 23 9 6 1 are the exploits uh ddos

attack surge in 2020 due to covet 19 as if 2020 wasn't bad enough already uh we have this new ddos

continuation dovetailing off uh what we were talking about high level officials fishing scheme

shows ceos maybe most valuable asset and greatest vulnerability make your ceos take the training

and that's all the headlines i got if they don't want to take the training maybe yep all right

i i for one am really tired of listening to the executives

give excuses as to why they can't make time for the awareness training or the phishing training

that's coming out automated yeah i'm talking to you out there you're listening to this

i think you gotta play to their ego and tell them that you know you are so important

that it's so valuable that you get this training done because you are that important and maybe

maybe they'll get there but but dream bus botnet really i kind of like that i'm gonna

name i'm gonna name the dance club that i'm gonna i'm gonna build one day called dreamboat.net

you know what i mean what i wonder if that's a microsoft product

all right so uh i want to talk about two exploits uh this week that i think are really really really

important the first one most everybody in the community uh probably has already heard about

it's a sonic wall ssl vpn um the visual door that was posted uh by uh mr infamous himself and so may

make sure um if you've got ssl vpn version eight running that you're you're following sonicwall's

instructions and you're upgrading that um so that that remote code execution um exploit is available

on exploit database it's the top choice for today um actually so make sure you're patching that and

then the other one i'm talking about is jquery 1.12 um there's a denial of service out for jquery

now jquery is you know application component inside of web um web applications typically and

i always see these web vulnerabilities coming up when i'm doing penetration testing for you

know older jquery libraries and i've been talking about this is going to be a next attack surface

that's focused on because it is highly highly overlooked i see lots of organizations doing

patchings on their systems on linux on windows they're ignoring the components inside their

applications that are actually delivering content and are also vulnerable so no one's going to care

about your microsoft server when they can attack your weak jquery that you've had since 2004

in your website so make sure you're looking at it at those application component plugins and

getting them upgraded to the most current versions because these exploits are out again this jquery

dos available it's uh it's the number 10 hit today on exploit db all right turn it back over to you

all right well thank you both today's topic is really one that is a a major problem i know we

talk about problems a lot here but uh our goal of course with the podcast is to help equip

uh organizational leaders and and people within the cyber security and nit space to just get

stronger at what they're doing you know we just want to share the knowledge that we come across

and and what we learn along the way in this particular case it really comes down

again to the people issue right really uh to be specific building and keeping

the team because we've seen a lot of organizations that just have tremendous amount of turnover

and a very very hard time staffing positions that are empty that need to be filled and

the obvious reason for that is that there's a huge shortage of cyber security professionals out there

which is true um but it's also about it it's not also to say that we keep we have to just

like sit on our hands and do nothing right we have to do something it means because

of the shortage we have to be more competitive as employers and more competitive in the way that we

uh create our company culture and and really build the environment for the cyber security

and tech professionals in general to thrive and so mike you've written a quite a bit on this

uh and not only in the book but blog posts and and you've spoke on it and

at events and such do you want to kind of walk us through the what you see is the the major problems

out there kind of the different phases that people go through throughout their career what they might

be looking for when and i think that'll give a good basis on on how people can better recruit and

and retain the professionals they have yeah sure one of the things that i have discovered excuse me

through our my own personal journey and being in it for well ever is that there are basically four

phases of i.t life and that is newbie beginner mid-level and senior or curmudgeon or however you

want to refer to the seniors one things i like to say about the seniors is it's not that you can't

teach an old i.t person new trick sometimes an i.t person is happy with the tricks they know so keep

that in mind that's also a quote from our book yeah so just taking pieces from my life i look at

my new job or my original job my newbie job i took whatever they gave me right whatever was out there

and uh whatever i could get where i could get experience right i just got in my new mcse back

in the day when well it's it was the 90s so it's a long time ago it was a big deal and i got a lot

of traveling and that was what it worked for me um then i went to my beginner i you know

spent a bunch of time in the bleeding edge of technology learning things working 16 18 hours

a day during the dot-com phase and then you know mid-level hit where i started doing consulting

and senior level hit and i didn't want to travel i don't want to consult i want to work in a job

in an office or actually from home you know be able to influence them influence the direction

of a company's i.t process so um there's different phases now i've kind of high leveled those there's

a lot we could go into on that the reason i call it the phases is because you when you

are looking for an i.t security person you have to design the job for those specific phases a

senior level person is not going to be willing to do the same thing a newbie person is even

though they more than meet the requirements for it a mid-level person maybe and seamless person

may be interchangeable but a mid-level person is not going to do what a newbie or a beginner is

also you can't fit a round peg into a square hole i know that's an old adage but in reality

you're not going to convert someone who is an awesome you know cisco engineer necessarily into a

office 365 engineer or a linux resource it's just not going to happen so you have to understand that

people have different skill sets mindsets and you have to tailor the jobs descriptions especially

when you're looking for a job for that specific person and you tailor the workload so if you

really just need someone to do the scutt work internally reading logs and that sort of thing

don't target a high level person target low level people give them the experience let them grow into

the job and then expand it from there so that's that's kind of my feelings on the different types

of jobs the different kinds of phases of i.t life i mean it's not exhaustive and totally inclusive

but that's the big four buckets that i see so that's we're looking at so you really the key

point here is tailor the job for the person that you're looking for and hire that person because

you hire someone with too much experience for a newbie level position they're going to leave real

quick because they're going to get bored anyway laurel zach comments well no i mean that's all

i mean that's that's all very truthful the other thing i think is that don't don't try to reward

um you know because you know zach and and we always try to emphasize that you know

the these the people that are really important you can have all the cool technologies in the world

without smart individuals that are capable those technologies aren't going to do anything for you

they're not going to manage themselves they're not going to prevent you or present you a pretty

dashboard or any metrics of any kind but it's very intelligent humans to do and so

what i what i like to what i like to think is that um you know there's a there's a job out

there for everybody um to do that they want to do that they they have joy in doing right and so

what i don't like to see and so try to find that person but don't try to reward people

falsely with what i like to call like empty titles like you've got one it guy you're going

to call him the vice president of information technology when they're doing the help desk

they're you know installing microsoft office as well as configuring acls on the firewall

and then you want to expect them to do it security too so maybe you'll give them a cso title or

you know some form of a cto title when they're really just a grunt and those people you're

going to burn them out and they're going to go someplace else and find more meaningful

work that's you know not just title driven and it probably pays more probably best yeah

yeah i mean i think that that and i don't know i mean you have to spend money on good people and um

unfortunately there's no way around that if you especially if you want to keep them

and and you don't have to pay a high dollar for people but i think you need to you need

to staff accordingly right you can't have one person that you pay 140 grand to do

everything it's not sustainable it'd be better to have you know three you know 75 or 80 000

employees so you have some sort of a backup plan if somebody leaves and you have some sort of a

you know tribal knowledge of of of installed devices that is hopefully getting documented

yeah and when you do that you have to have the expectation you're gonna lose at least one of them

eventually if not all of them as they go through the position always because just like in those

phases you're talking about everybody's looking to go from you know into their next phase of of life

and of practice for their discipline and if you're not giving them that capability at their place of

work they will go find it because they're going to try to grow as a professional right especially i.t

security professionals it's a it's a um you can't even if you go to a you know a school for for an

undergraduate in this it's constant learning i mean you're learning new stuff every day and if

you're working in an organization that won't let you do the coolest new stuff you need to you're

going to go find it someplace else well exactly i mean you look at your security stack or your it

stacking and if you're five years behind the times or three years behind the times you're killing the

person's resume which is killing their longevity so you need to keep up with your technology and

that's keep them up keep them trained and keep in mind too that compensation is important but

most technical people were technical before they were paid to do it right i mean lauro you were

well you started flowing around with computers when you were what 10 or younger yeah yeah so

i mean you're right i mean you know nerds are going to be nerds right technicians are going

to be technicians and you know here's the thing is that it doesn't cost a lot of money to give

your security folks a lab where they can you know they can vet software right i mean

because you know let's talk about every var out there is trying to sell you something new demo

it right throw it in the lab and run a demo of it drug you know demo the product for you know

two three weeks um see if anything you know gives you an opportunity to play with stuff

gives your staff well really your staff an opportunity to play with stuff right and then it

it'll out of it you'll have new technologies and capabilities you might not have known about before

by letting them have this this lab right definitely yeah good point i think that's

that's leaps and bounds above a uh a foosball table and and a cake of beer in the office even

i think the cake of beer should be there but i mean that's you're right everybody wants

to put in a and i love table tennis i love playing pool but i would rather have a lab

you know chassis in one in the i.t security room um so that i could do stuff on rather than go play

foosball you know what i mean yeah i think that's an excellent point you know and a differentiator

if you can if you can structure your organization in a way that allows a even a specified amount of

time and all the big you know all the big silicon valley companies do this but but

for those who don't out there you can structure your organization a way that that segments off a

you know specified amount of time for your staff especially your technical staff to mess

around in a lab environment or work on new projects or explore new skill sets all those

types of things i think that's going to help tremendously in your attention because they're

i hate to say it but they're generally not married to the company that they're

they're working for you know they they can be coached by the by the highest bidder somebody that

gives them that opportunity to grow and develop in their careers so especially in those early phases

i mean you going going back to your point mike kind of the newbie and beginner phase if you're

thinking from the shoes of the person that you want to hire what do they want you know they

want opportunity to excel grow in their career um you know play around with new things learn

new skill sets all of that and be in kind of a you know energizing environment right

as they go further into their career those needs are going to change right you're going

to get into more stability they're going to have things like families to think about and

vacation time and all of that so consider what you're instead of just putting a blanket you

know a blanket ad out for hey i need this person um think about what really appeals

to the person in that phase of their career where are they going to be and how can you how

can you tailor the environment exactly and you know keep in mind too is that the environment

the political atmosphere is key most i.t people i would say 99.9 percent can't stand politics

don't worry part of it don't want anything to do with it don't want to hear about your office

intrigue couldn't care less and you immerse your people in that you're going to lose them

and if you have you know good pay in a bad environment may keep them around for a while

not good pay or okay paying a bad environment you're losing resources fast

um the environment that you work in now i'm not saying you know like when i got in the dot

com here i mean we had stocked fridge and power beers and you know pizza on demand and you know

margarita machine that was turned on at four o'clock every day he's played pool with the

ceo and whip his butt um you know that kind of thing but um you know it's about the industry's

evolved since then but you still have to create a good environment that people want to work in

and people will will take a lower paycheck to work in a good environment i think you know we've seen

that in a lot of places so and what are your thoughts on when people are really looking for

let's take the scenario of a company that's looking to bring in uh maybe a senior security

professional for the first time right maybe they have an i.t team but no security professionals in

house what would your advice be to them as far as what is that senior person a person

that's going to run the show for them from a security perspective what are they expecting

what are they going to need in order to take that position well they're going to need some autonomy

uh they're going to need respect for what they've occurred but they've accomplished through their

career right and they don't need to be second guessed by you know someone who's seen the latest

and greatest fad they are solid i.t professionals so the first thing is autonomy the second one is

let them build some of their team um they're going to want to have their people in place so if you've

got holdovers or people that they don't get along with you need to allow them to build their team

properly and definitely a vote for sure i mean not dictatorial control but definitely a vote

in the it gen or the direction of the company from a security perspective or an it perspective and

there needs to be an understanding for that person of what the businesses goals are and what the

security goals are and there needs to be an equal balance of what of the security person's input it

can't just be steamrolled by the business you have to realize that that security person especially at

the senior level has valuable experience is there to protect you not to hurt you not to kill sales

what is there to protect the company to ensure its longevity and and really when it comes down to a

lot of you know is respect i you know i have a soapbox moment that i call out in the book

and it's it comes from actual experience where you know security smes are talking about things

and they're being shouted down or argued with by pm's or you know vps or directors or managers who

have no idea what they're talking about and then they're not backed up by their their management

that can't happen you're going to lose that resource immediately and they're going to find

another place to go in a heartbeat really it's autonomy and respect i think are the top two

and and you have to have them be able to have that level of respect from other people outside

the it organization so well well said you know you know another thing i've i've seen

um too is just a commonality among among those people either stepping into a security

role for their organization and taking over that responsibility or or coming in from the outside

and doing it is they're very much vision driven as well they want to see they have something in mind

for the organization they have things they want to do and accomplish and i think understanding

what that is for that that individual and reinforcing that working with that bringing it up

um on a regular basis can can certainly help right because they they see themselves as maybe going to

eventually gain maybe a cso title or something like that and building out that that security team

uh with them like you mentioned mike that's a great thing and and it's

you know starts with the decision that if you're going to hire somebody you're going to trust them

and you're going to get out of their way a bit and let them do their their work but then also support

that that bigger picture that they have in mind um and uh and and try to reinforce it and help

help turn that into reality and i think i think that can go a long way and i think that regardless

of the level of person you're looking for um they all have a picture in their minds whether they

they articulate it or not they have a picture in their minds of you know where what they're looking

for out of the job what with that that ideal uh work environment uh looks like to them and and

what they want out of it and so if you can kind of get down to the root of that make sure that

that's an alignment with what the the company has in mind and needs and then and then if so

it could be a great fit you know as long as you're you're serious about supporting them not just

because the opposite of course is people hire you know they hire security professionals to

check the block and then they say okay well you know now that you're here this is how it's

going to be and this is what you need to do and that's that's when they move on right away so

yeah you're going to lose that resource almost immediately this is a a fascinating topic i think

we're going to have uh quite a few more episodes on this in the future just various aspects we'll

dive into more detail have some guests on the show and such talking about this this very part

because it is so critical but for now recap put yourself in the shoes of the person that you're

trying to hire understand what that expertise is that you need get some outside support if you

don't understand what you need get a consultant get somebody in there to help you paint that

picture have some clarity get it documented but then put yourself in the shoes what what level

of the uh their career path is this person in that you need are they entry level are they brand new

right out of school right out of certifications uh or are they senior and and in which case

what's going to be important to them at that phase in their life think through that write it down and

uh make sure that you treat this process carefully don't just kind of stick it through the usual hr

protocols because it's just not going to be as effective take take a personal interest in it

for those of you who are our organizational leaders and really show interest in the people

that you're trying to bring on board because it is a competitive hiring market out there

and that's just what what has to be done in this day and age to make it work um so but in doing so

you'll have an asset that will pay large dividends over time and it will cost you a lot less

over time as opposed to having turnover which of course is it's incredibly expensive so any final

thoughts comments smart remarks before we jump off here today i got a smart remark really you

no i had to work really hard for it but um you know back to the trust your people you

know when when my pool guy comes here i'm not out there you know scrutinizing every little

thing he does all i care about is that the pool stays nice and i can swim in it when i want to

so i trust him i don't care what you know what methods he uses they work for him

they work for all of us so you know again you know trust your people absolutely uh one of the things

that i would say is you know i agree with that too laurel but train them allow them to get their cpe

it's mandatory cpe is manual mandatory to maintain those search that you require them to get their

job for if they need a half day to go to a ice hockey meeting or icy square meeting or something

of that nature let them have the half day they need the time they need to get the cpes um

and support it pay for them to get a training class it's it's not that big of a deal

um give them the time keep them trained and yeah you may be promoting or be contributing to them

leaving you and going someplace more expensive however while they're there you're showing you

care about them you care about their career and that you are going to go ahead and support them

and ensure the company is staying ahead of the curve excellent point and to add to that guess

where the best place is to find additional team members right it's through the ones that you

already have and trust and and they're going to meet people and expand their network by going

to these events going to these meetings um even if they are virtual they're still going to

expand their own network of tech professionals and they'll be able to help you grow your team

better than just putting an ad out for uh you know a certain resource so all good stuff well

thank you all for listening reach out with any questions comments we'd love to hear your thoughts

rate us on your your favorite podcast platform and and uh love to get your feedback we're always

working to improve so please just take a moment to do that and we will chat with you again next

week have a great day take care pick up your copy of the cyber rants book on amazon today

and if you're looking to take your cyber security program to the next level visit us

online at www.silentsector.com join us next time for another edition of the cyber rants podcast

Episode 14 - Building and Keeping your Cybersecurity Team

Send Us Your Questions & Rants!

Categories

Archives

Transcript