Episode 11 Career Full Transcript

How to Hire a Security Team

June 1, 2023  ·  54:35

Speakers: Joe Patti (Host), Adam Roth (Host), UNKNOWN (Guest)
Joe Patti00:04

It's five o'clock somewhere, time for the Security Cocktail Hour. I'm Joe Patti. For over 20 years, I've been working in information security and knocking back martinis all over New York.

Adam Roth00:15

I am Adam Roth from Staten Island. Locksmith, EMT, love to box, and on rare occasions, I've been known to engage in cybersecurity. Let's go!

Joe Patti00:26

So, Adam, how are you doing today?

Adam Roth00:29

I'm doing fine. Excellent. Am I allowed to disclose my location?

Joe Patti00:35

You are in a secret location. You're not in the usual Staten Island studio, are you? It's up to you whether you want to disclose.

Adam Roth00:41

I'll let you know where I am. I'm not in New York.

Joe Patti00:43

You're not in New York. Oh my God. Do you have to like be back within a certain amount of time or like, I know you start to like wilt or shrivel or something if you don't get back.

Adam Roth00:51

Well, it really depends on my parole officer.

UNKNOWN00:58

Okay.

Joe Patti00:59

All right. So Adam is on the road, but still able to podcast with us. So that's cool. So you and I are both long-term experienced information security managers. We've been doing this for quite a while, right?

Adam Roth01:17

Yeah, since I used to go to work on the horse-drawn buggy, yeah, sure.

Joe Patti01:22

Yeah, there you go. And one of the things people have been talking about since the buggy days are, how do you hire security people?

Adam Roth01:30

Wait, wait, I got something more important than that. Hold on, let me take a drink of my martini.

Joe Patti01:38

Okay, you ready now?

Adam Roth01:39

Yeah, go ahead. I'm sorry.

Joe Patti01:41

All right. So, how do you find security people? And, you know, one thing that people get asked constantly, and it's all over the internet is, how do I get into security? We always get asked, how do I get a job with you? How do I get a security job? How do I break in? You know, I mean, we've been hearing this stuff for years, and there's all sorts of stuff on it, on the internet, and all sorts of courses and opinions and everything you can do. But today, we're going to turn it around a little bit and we're going to talk about it from our perspective because we want to do something interesting and we're self-centered, you know, too. But what does a security manager look for and what are our tricks for hiring people?

Adam Roth02:23

Yeah. OK, so let's be very honest about that, right? If you ask 100 security managers what they're looking for, you're going to get like 150 answers. Each security manager has their own thoughts and feelings. However, when you get to an enterprise organization, maybe a global organization, we kind of look for the same thing, but it can, it could be, there could be deviations of it. And what I mean by that is, I know Joe, you're one of those that says, hey, I don't really believe in certifications, but I do believe in experience. And sometimes I say I believe in the same, but I also like to see certifications, because that shows me not that they might not be knowledgeable but they made the effort to learn the technology. And yes, I know some people are paper certified individuals, but if I see somebody certified and they can answer the right questions, I'm very happy. But I don't want to say, I'm not going to say that I wouldn't hire somebody who doesn't have certifications, because I've seen plenty of experienced people that don't have certs that know their stuff.

Joe Patti03:38

Well, Adam, we don't have to agree on everything. If you're comfortable with being wrong when I'm right, that's cool.

Adam Roth03:44

OK, that's fine. I'm comfortable with that.

Joe Patti03:48

Now, there are a lot of different opinions and these are ours that we're going to go through. But first today, something that's much more important in terms of opinions are what kind of drinks you like. You know, this is the Security Cocktail Hour. And we have received some feedback, which was great to get, where someone said, are you guys drinking during the show? And we were like, well, you know, usually, yeah. But, you know, they suggested that we have a cocktail for each show, right?

Adam Roth04:18

Well, let me give a shout out to Marina for bringing that up also as well, at least on my side.

Joe Patti04:23

That's right. That's right. It was your friend Marina who brought it up. So today we are having the first signature cocktail for the podcast here. And for this one, we decided to go with something really simple, really classic. The plain old classic vodka martini. James Bond. I can see on video, you look like you got a dive watch on. Is that a James Bond watch? I can't tell.

Adam Roth04:52

I don't want to talk about it. Listen, some things are meant not to be said. I am one of those James Bond type of guys. I won't even tell you exactly what drink I'm having or the location I'm at. This is all about security.

Joe Patti05:08

Okay, we'll get back to security. We might have to do like an after party on who's the best Bond because we've had many hallway discussions about that. Oh my god.

Adam Roth05:20

By the way, before we go on, who's the best James Bond?

Joe Patti05:24

Daniel Craig.

Adam Roth05:27

Let's get back to the podcast because we don't agree on anything, do we? But as you're sipping the martini, I'll tell you this. I think it's also equally important not only to discuss what we're looking for, but I just want to give one other aspect of this. If you're looking for a security job, think of it as a marriage because not only do we have to find you as the right culturally fit for our organization and knowledgeable, but you have to be happy where you're going too. And way too often people take jobs that they're not happy about. So yes, us, both Joe and I, who have been hiring managers in our lives, we wanna be comfortable with the individual and see that they have a certain level of passion for what they do. And that passion comes in many different ways. So when we're interviewing you, not only are we looking for the right answers, at least I am, I'm looking also for the wrong answers. And what I mean by that is if I ask you a question, and one of my great friends, Doug, was a witness to this, because that's how I met him, interviewing him. I purposely asked him a question that he couldn't answer. And I wanted to see, I wanted to hear him say, I don't know the answer to that.

Joe Patti07:04

That's one of those brutal interview tricks, man. That's a brutal trick or something.

Adam Roth07:08

Wow. That shows me that even if you've got 100 answers right, the answer I was looking for, and I know I'm probably, we'll probably get some real feedback after this. Like, Adam, you're a jerk. Maybe even Doug will say something. Maybe Doug will say something. But you have to know when to say, I don't know the answer.

Joe Patti07:30

Oh, absolutely. I mean, look, you got to... Look, I know there are all these things where you say, this is how you interview, this is how you do this and everything, but I approach it a little differently. This doesn't necessarily have to do with security specifically, but it's very important for security. First of all, you've got to have people who are honest, especially in security, integrity is everything. So yes, if someone doesn't know it, you don't want someone who's going to BS it. I mean, I love an answer like, you know, I don't really know the answer to that, but I could probably weave together a good one if I wanted to. I'd be like, that's fine. You don't have to. You need to be somewhat flexible. But no, you're right. Or this is how I'd figure it out. You know, this is how I'd solve that if that problem came up. That's a great answer. But no, you're right. You know, the honesty and, you know, no one expects. I mean, I know I don't expect people to know everything because it's physically impossible. And security is a big field, too. And a lot of people, you know, no one's an expert in absolutely everything.

Adam Roth08:39

Well, that's true, right? And that's when I was working for you, one of the aspects of the environment was you would pick SMEs. Who's my SME on endpoints? Who's my SME on, and when I say endpoints, I'm talking about endpoint security. Who's my SME on networking security? Who's my SME on the SIEM? What you wanna do, I think, is when you're looking for a security job, you wanna polish. You could be a generalist, there's nothing wrong with that, but you should also have a focus on a certain technology. So when you're getting interviewed, you can say, well, yeah, I know about DLP or data loss prevention. Yeah, I know about proxies or how things connect to the internet using a browser. But my main focus might be networking. And that's what I spent a lot of time on. And I think in this day and age, with the lack of amount of good candidates in cybersecurity and the demand is so high, if you can prove being a generalist and also having a specialty, I think you're a shoo-in.

Joe Patti09:50

Yeah. Well, by the way, Smee is SME. That's a subject matter expert. Oh, sorry about that.

Adam Roth09:57

I was trying to do every other acronym and I missed that one. That's okay. Keep working on it. Yes, sir.

Joe Patti10:03

Adam is not our Smee in describing acronyms.

Adam Roth10:07

That's true. It's okay with that.

Joe Patti10:10

No, but, but you're right. I mean, when I'm interviewing someone, when I'm looking to hire, you know, I'm looking for a couple of things. I am probably looking for someone with a particular skill set. I need a SME and something, maybe they're going to be a, and maybe they're going to be the, you know, the expert on and on the team. Um, or maybe they're going to be joining a team doing a particular thing, but you know, you want to make sure that they have the right skill set. And obviously, you know, the better the skill set, the better fit there is. That's good. Um, but you, you also need some, they're not even intangible, some other things too. You need someone who has the ability to learn. Because in security, everything changes so fast. You're going to have to learn more stuff. And the other thing too is that even if you're within your field, like Adam talked about endpoints. I mean, the past couple of years, the endpoint technology has changed dramatically. So you gotta have someone who's really gonna be up on it. You know, automation that didn't even, you know, was a small thing a few years ago is now hot. So you need people who, you know, are gonna have the ability to grow and to pick stuff up.

Adam Roth11:16

If I could add to that, I don't want to discourage people listening to this where they think, I have to know cybersecurity backwards and forward. People hire entry-level jobs all the time. But with an entry-level job, you should have some basic understanding of how a host or an endpoint works, how the Windows operating system works. Again, you don't have to be an expert. You should have an understanding of how a network works. You know, what's a subnet mask maybe, or what's a gateway and how do they work? Because when you're called at 3 a.m. in the morning, which you probably will be if you're on call, most organizations do have somebody on call, you don't want to be left in that position where you're not sure what to ask, and you will have to ask. I consider myself somewhat seasoned, and even the people that started with what appears to be less experience than I did, I had to go to them for answers. So just because I might have been a seasoned knowledgeable person doesn't mean I knew everything. I went to other individuals on my team who had less experience than me and they guided me. And you should never be afraid to ask questions. Also, even during the interview, if you don't understand something, at least I as a hiring manager, when you ask questions, I'm really happy. I want to hear you ask them. I want to hear that you have confidence in asking something that you don't know.

Joe Patti12:49

Oh, yeah, and you're right, that curiosity. I also say I love people who go, you know what? I mean, what I look for is a spark in someone, especially in someone junior and someone who's young coming in. You can tell the people who are coming to… collect a paycheck or, you know, fill a suit out, which is fine. Everyone needs to get a living. Not everything is rocket science. But, you know, when I'm building a high-performance team, I mean, I want people who live for this stuff and who are looking forward to that and who are bringing it, who want to do it. Now, the other thing, too, that you bring up is that, you know, yeah, you got to remember your people are going to be part of a team. And a little bit of this is general hiring, but it's especially important in security. It's like, because you're not, you're not going to get a team of people who, you know, you're not going to get, regardless of the number of people you're hiring, it's very difficult to get depth because the people are just too scarce, especially in a smaller organization. They're too hard to find. They're too scarce. They're too expensive. You know, if you got, you know, you want to get as much of your areas covered as you can. But, you know, so when you're looking to hire someone or when I'm looking to hire someone, I'm looking to fill, you know, a slot in the team. I'm looking for, you know, not just someone to be in a particular chair. And yeah, I do probably need a certain skill set. You know, there is a job description. Maybe we need an endpoint person or we need a network person, like Adam said, or we need a SIEM person, you know, a monitoring person. But, you know, we also want someone who's going to be part of the team.
And it sounds cliche, but someone who's going to step up when they need to step up, maybe stretch themselves out a bit when they get into something where they're uncomfortable, where it is the middle of the night, or someone's not available, and they're going to do their best, but also know when to make the call to get someone or figure it out. But also someone who's going to get along with the rest of the team, especially in security. You know, security team, you spend a lot of time together in some stressful situations and you got to get along.

Adam Roth15:05

And that's exactly another great point. Right. And let me be very transparent and very honest. Let me say something that people might not like. You can be. You could be someone that's not very knowledgeable. And fit along with the team and the team will do everything they can to carry you, and they will train you, and they will teach you, and they will sweat blood and tears to help you. And you could be somebody who's more knowledgeable than the other person, be not right for the team, and you won't do well at all. People want camaraderie. People, you know, look, this is not to take away from anybody who's been in the military. I've never been in the military, and I have so much respect for people in the military, but when you're doing a security incident, it's like being on the battlefield. And when you're all going to war, you want to be able to count on the person to follow through whatever they say they're going to do, which is why it's so important for it to be a great team. So, you know, you got to be battle tough.

Joe Patti16:17

Yeah. And, you know, like you're saying, your life's not in danger, but it is still, you know, a very high stress environment. It's a pressure cooker and, you know, it can go on for a while, too. And like I say, you're going to be either stuffed into a room or on, you know, hours and hours and hours or days of Zoom calls with someone. And, you know, you got to get along. And frankly, you need that, you know, you need that relationship to where it's like, you know, you can count on each other, you know where, and it's, and that's the mindset, you know, I think that you need to look at when you're hiring for someone is to say, look, I want someone who realizes is going to be part of a team, and who, you know, wants to get along with us, you know, with his peers, with the team. You know, I want everyone to be comfortable calling anyone else on the team, including me, you know, at three in the morning or on the weekend or whatever, you know.

Adam Roth17:13

And that's exactly, again, another point that you're making, which is great. Right. Thank you. You should never be afraid. You know, I know that a lot of us talk about, again, kind of a military type of thing, but chain of command, but you should never be afraid to call the manager up at 4 a.m. and wake him up out of bed if you think there's an issue, if you think there's an issue that's gonna arise from something that you didn't take care of. And believe me, again, I consider myself somewhat seasoned and there were people I didn't wanna call for many reasons. I just didn't like them. And I'm not just talking about one specific job. I'm talking about other places I've worked as well.

Joe Patti18:03

There are always people you dread having to reach out to, especially in a sticky situation.

Adam Roth18:08

Yeah, but you have to be mature enough to realize it's not about personalities or attitudes. It's about having the integrity to do your job and to ensure that if there is an issue, you have done everything humanly possible to bring the attention to that issue. And there's other people, like when I've been a manager, where I've had people come to me say, please don't put me on call with that person, or I don't want to be on call with this person because they never respond. And it's not a good feeling, but what you need to do is, I guess this translates to during the interview. These are the things that you should be talking about. You should be asking these questions. Hi, I'm really looking forward to getting this opportunity. I've done this, this, and this, but I am a team player. I have no problem waking up before in the morning to do this, because that's one of the aspects of the job. And my goal is to learn this, this, and this in the future. Because if you can demonstrate a certain level of passion and assertiveness, even during the interview, and we've enjoyed me as being on your team. Let's be honest. We've picked people that we felt were more passionate about the job, and they were less knowledgeable than other people.

Joe Patti19:36

All the time, yes. And just so everyone knows, I was Adam's manager at one point, but I did not actually hire him. I inherited him. That's true. I used to say Adam was the only person that I didn't hire. But our thoughts are similar on this. And it's interesting when you bring up the military analogy. I also haven't been in the military. And, you know, but in the military I know there's obviously a lot of camaraderie and I know there are a lot of studies and all that say, you know, a lot of people are motivated by, you know, the camaraderie and tightness with their unit and everything. But in the military you also have the mission, you know, and you have a lot of patriotism and, you know, people believe in it. It's like, you know, I've always thought that, you know, in a corporate environment, in a business, you know, there are people who believe in the business and everything, but, you know, it's not life and death. It's not national security. You know, no one's going to expect you to do something. Well, you will get pushed, but at the end of the day, you know, it's like, you know, the good of the company or whatever is not quite at the same level as, you know, saving the country or doing whatever. But what I think it makes it that much more important that people really are motivated. And that's a lot of what I look at the interview. Like I say, people who do this because they love it, because they're into it, because they have passion for it. And that's something that, you know, in an interview, maybe you can fake. We've gotten pretty good at detecting it when someone's faking it. But as soon as when someone's on the job, you pick it up real fast. You can tell when something's not working out. Yeah, you know, and that's a tough spot to get yourself into when you brought someone on who just isn't, isn't meshing.

Adam Roth21:26

And I would say this also, right? I mean, and I want to be careful what I say, right? Um, if you're one of those people who just wants to get a job in security, they say they have a job in security, but you're not a very motivated person. Security is probably not the right place for you because certainly not incident response. Yeah. So even though, you know, most organizations won't let you go right away, you're going to end up going, you're going to end up leaving. The manager will get rid of you because no manager wants to rely on somebody they feel does not have the integrity. Now, again, it's not mixed integrity with competency or passion. Again, you don't have to be the smartest person. I shouldn't say smart. You don't have to be the most knowledgeable person in that field. But if you're eager to learn and eager to perform, you'll do really well on any security team.

Joe Patti22:34

Well, if you are, you'll eventually become really knowledgeable. Yes, you will, no matter what. And that's the one that we look for is not necessarily, you know, someone who's a finished product, like I say, but someone who's going to grow. Now, of course, when we're looking at someone at the more senior levels, we're going to say like, yes, we do expect them to have that, to have a lot of that together. It depends. Um, but you know, yeah, that's, and, and, you know, the thing is you got to remember to your own motivation as a manager too, is, you know, as Adam was saying, you got to count on this team because, you know, this team that you're building, it's not like you're just filling in a couple of seats or whatever. It's like, you gotta count on them. This is your job on the line. Your team has to perform and you need the right people on. You can't have someone, you know, if you got someone phoning it in or even worse, someone who's a disruptive influence, I know it's a problem in every team, but in a security team, it can be devastating, absolutely devastating, at least in my opinion.

Adam Roth23:35

And guess what? I know this is like, a little bit kind of funny, right? Joe says it's not life-threatening. However, I'll tell you this.

Joe Patti23:44

Yeah, that is changing these days.

Adam Roth23:46

If you work for a place like a hospital or somewhere where that network is not secured and you have a threat actor infiltrate it and gets onto an operating room's ER robotic machine, it could be very dangerous. So even though you might work for maybe a law firm or a financial institution or something that might not have direct real life consequences, you should always treat every organization with the same level of respect that, you know, it might not be your business that you, you don't own it, but you should treat that business in such a way that there'll be financial, um, losses and people lose their jobs and people, you know, an organization can go from, uh, hero to zero very fast if you're not making the best possible effort to protect the organization. So again, go into the interview with confidence. Go in to do some research before you go work for the organization. That's another thing as hiring managers. We want to know that you took the time to look at the website, that you know what this organization does. We're not going to sit there and say, when is this organization formed? But we expect you to understand some of the nuances of what you're protecting, of what you're doing, of what your responsibilities are. And we expect you also to read the job description.

Joe Patti25:20

Yeah, well, I'll tell you that's something that drives me crazy. And again, there's a basic thing when someone comes into an interview and they haven't even looked at the website. They're like, so what do you do for, what does this company do again? And it's, it's amazing. It's like, you know, I mean, everyone's got a lot of war stories about hiring, you know, we're talking here about these like, you know, highly motivated, uh, you know, high performers and all this stuff and all these things. And some of these, you know, cliches from management school at all. But, you know, we, we've also interviewed our, uh, you know, our, our, our share of, uh, you know, gum chewers and dudes coming in and shorts and God knows what else, at least on the East coast. That's a weird thing when you're at a, some of the places we've been.

Adam Roth26:01

Well, and, and I'm one of those, yes. Watch, I get some negative feedback. I'm one of those that watches your body language. I understand people get scared in interviews. So do I, just because I'm a hiring manager doesn't mean I don't have the same fears that you do. But when you start, you know, fidgeting, or when you start looking down and not making eye contact, I mean, I'm not telling you to stare me down either. I don't want to get into a fight.

Joe Patti26:30

But what I'm saying is... Don't be eyeballing Adam. Get into the rig with you.

Adam Roth26:36

No. What I'm getting at is, and I know it's hard. I know it's easy to be on a podcast and say these things. But I'm telling you with experience that both Joe and I have seen, try to be as confident as you can, own the place to a certain extent. I mean, I'm not saying be cocky, but like, hey, you know, cause you're, if you're looking for a job, then you're a valuable commodity. And, and guess what? You're a valuable commodity even more in cybersecurity. There's not enough people to occupy the amount of positions open. So go in there with a level of confidence, but how do you get confidence? Know what the job is asking for. Don't expect to have every single skill. Those job descriptions are wish lists.

Joe Patti27:23

Yeah, I know. They're crazy. Some of the things, they're just, some of them are hilarious.

Adam Roth27:27

We need to have 30 years experience in cyber security. What do you mean 30 years? It hasn't even been around. I mean, maybe it has, but I'm getting at some of it's ridiculous.

Joe Patti27:36

I know. I actually saw a job description the other day, it was kind of funny. I read it and I said, you know, there are probably three or four people in the country who have this. I'm like, come on, you know, you got to be kidding me. But anyway, yeah, you know, you want to be relaxed and confident when you go into something. But, you know, also, you need to, you know, work the room a bit and, you know, as an interviewer, interviewing is a really important skill too, having a bit of empathy, as they say, and understanding where the person's coming from. There have actually been a rare case or two where I've interviewed someone who has been so nervous, I've even gone back to the recruiter or whatever and said, look, please, you know, this candidate, he didn't do great, but I could tell he was terrified. I didn't think I was that scary. You know, we're not monsters. It sounds like we're such hard asses here.

Adam Roth28:31

Oh, I was a monster with Doug. Monster. Oh, well, Doug deserved it. So for those who don't know, I have a friend named Doug, like I said before, and I interviewed him. I know this is horrible. It wasn't my intent. It just happened like this. I asked him questions. He walked out of the interview saying, this was the worst interview I've ever had. He went back, and within like three minutes of him walking out the door, I said, we gotta hire this guy right away. So he was getting ready to go call his wife and say, hey, this was the worst interview, the guy interviewed me was a jerk. And within three minutes, we made him, I think, above the salary offer, because he was that great. And we became lifelong friends since then. But he walked out feeling like there was no way he was even going to call back about this. But what he didn't know was we were so impressed with his performance that he was the one. And that's what I'm trying to instill for those who are listening. Even if you don't get the job, they might be doing you a favor. If you knew the work and you knew the skills, don't feel like everyone has to say yes, because there are people out there that really are not good managers, that really don't know how to treat people, who really don't respect a person's capabilities, and they don't realize some of the inadequacies of themselves. So again, you go into interview, you do your best, you do your research. If you know you did your very best and you don't get the job, then you keep on trying. And I know it's hard sometimes if you lost your job.

Joe Patti30:16

But it's also tough sometimes. You know, no one likes to miss out or get rejected. I mean, you know, I've, I've got, I've gone on interviews and you know, I mean my, you know, but like, like so many people, my wife, you know, straightens me out with a lot of things. I'll come back from an interview. I'll be all pissed off. I'll be like, this guy was a jerk that went off or whatever. And I'm, and I'm, and I'm so disappointed. I'm not, I'm not going to get it. And she goes, you are making no sense. She's like, do you realize you would, you would be miserable working there. And,

Adam Roth30:48

And that's exactly the point, right? Again, that's the point.

Joe Patti30:51

You don't like to lose.

Adam Roth30:52

Just because you got a rejection doesn't mean it was something with you. And even if it was, again, so let me, let me just give this description really quick. When you're dating, most likely your significant other that you're going to marry, you've dated more than three hours or four hours. When you interview for a job, you're usually not doing more than four or five hours. And there's an expectation that you're going to work there the rest of your life. But when you're dating, you might have dated for two years or a year, six months, three months. I hope it's not only five hours and you get married. So if you look at the comparison, it's kind of awkward, right? You're, you're, you're interviewing with a manager that you might be kind of married to for the duration of your working relationship. It could be 20 years, but you only interview for maybe three or four or five rounds, five hours at most. Kind of weird, right?

Joe Patti31:51

Yeah, it's kind of crazy, you know, talking about the team dynamics. That's why one of the things that I started doing a few years ago was we always do a group interview. I mean, I know, Adam, you've done that. We've done a bunch where it's like, you know, I like to have someone come in kind of as the last thing and say, meet the team. And I've had people say, well, that's that's brutal. That's that's mean. That's so awful. They hate the panel interview, the group interview. And I'm like, look, this is the meeting. This is what I'm about to make an offer to someone and say, like, these are the people you're going to be working with. You're going to spend a lot of your life with these people.

Adam Roth32:22

So would you have hired me if that happened?

Joe Patti32:26

You know, I don't believe it or not. I probably would have because you are just great in that kind of session.

Adam Roth32:34

So in five. Oh, yeah, because I paid you off an ice cream.

Joe Patti32:37

But well, that that that too.

Adam Roth32:39

And all the years I worked for you and you were my manager, you kept on telling everyone that you'd never like you weren't responsible for hiring me as if it was something like Like, you know, like it was like, yeah, I'm sorry. We have Adam and the others that are hired.

Joe Patti32:58

Well, that was a bit of a running joke. I'm like, I built this team from the ground up, except for Adam. You inherited me. That's right. And you see, and how lucky was I? OK, so we talked a lot about interviewing and stuff. So one of the things I wanted to get into also was, you know, in this, you know, very challenging environment still, even with all the changes lately, in this challenging environment where it is so hard to find security people. Where do you find them? And we have a few tricks that we wanted to share. The first is the most obvious one. We're talking a lot about at the more junior levels too, where it's notoriously difficult to get people there. There are now people who come out of school, both undergraduate and graduate, with degrees in information security. They did not exist when we went to school.

Adam Roth33:54

I have a master's in cybersecurity.

Joe Patti33:57

When I was filling out jobs... Yeah, but you got it in the past few years.

Adam Roth34:01

That's my point. When I got it recently, in the last two years, and when I go to apply for jobs and they ask me what my graduate degree is in, you can't even down select cyber security. I have to put computer science. It's still not available on forms.

Joe Patti34:18

Oh, it still isn't. I'm kind of surprised. I thought that would have made it by now.

Adam Roth34:22

No, it's some places I found it very few and far between. But, you know, there's different there's different, you know, like Toledo and Workday and other organizations that they use to do that. Some of them have it, but very few do.

Joe Patti34:38

Yeah, mine is never in there. My graduate degree was telecommunications, which I guess never really took off. But anyway.

Adam Roth34:44

Oh, is that another degree on how to answer phones?

Joe Patti34:48

No, that's telemarketing. Oh, sorry. Very funny.

Adam Roth34:57

Joe has a master's degree in cold calling.

Joe Patti34:59

Yeah, there you go. And I stink at it still. But no, and so there are people who have degrees, but it's interesting. In the old days, and still today, when people would say to me, so how do I get into security? When there were no programs, how do I do it? I'd say, well, the truth is, before you can learn how to secure stuff, you've got to be an expert in two or three things in IT. I'm a little old-fashioned. I still like people who come out of that. You know, a lot of people come out and they have the, you know, the book learning and they learn about risk and they learn about a lot of formal models and stuff that frankly nobody uses. And they're the people who come in with the hardcore technical skills like the pen testing, which obviously you want to do. But, you know, for someone who's going to be up in that track of being, you know, is really going to have a lot of legs and a long career. You know, as Adam was alluding to earlier, I think you got to have a bit of a background and know a lot of how stuff works so you can start figuring out how it breaks and then how to and then how to protect it.

Adam Roth36:05

Yeah. And I want to tell you that the world's a perfect place and unicorns are there and rainbows. But unfortunately, getting into security might require some money. And what do I mean by that? Right. You should always throw a couple hundred dollar bills at the person that's interviewing you. No, no, no, that's not what I mean. What I mean with that is you might need a laptop where you can run a virtual machine and then you might want to do exploits. So that's a cheaper way of doing it. Build out your own Windows or whatever and try to compromise it. Or you can pay for labs. You know, it might cost you $30 a month for access to, um, to a range, a cyber range. What that means is you log on, you go into an environment and use tools like Metasploit and Mimikatz, or, you know, or use or get Kali Linux and then take two machines and try to hack it on your own network. You should have some hands-on practical experience. Uh, but that being said, you don't have to have that level, but at least know, like I said, build out a Windows machine yourself, you know, play around with it, you know, put a network interface in there, run commands like ping, run commands like netstat or mpstat, or do Wireshark captures, whatever you, there's no rhyme or reason to the exact way to do it, but when you start getting engrossed into some of these technologies, you start learning the technology itself, and then when somebody asks you a question, you go, yeah, you know, when I did Wireshark one time, I did this, this, and this, and they were like, OK. They have some hands on experience, so that yeah.

Joe Patti37:53

Yeah, well, that's the secret word for it for everyone. If you ever, you know, interview with Adam, if you say, you know, Wireshark, that's it, you're hired. That's not true either. You know, but but but no, this kind of gets into let's let's tell them one of our one of our big secrets that I guess is not such a big secret for getting I sleep with a teddy bear. It is a great move to hire people from elsewhere in IT, in particular, poaching people from other parts of the organization, especially the help desk. The help desk is a great place to get talent for security because, you know, the help desk, good people don't stay at the help desk forever. They want to move on, they want to learn. And if you've got someone like that who is already in the organization, who you already know maybe, but in particular, like Adam was saying, that he's been coming to you and saying, hey, and I shouldn't say he or she, he or she is coming to you and saying, hey, how do I learn? I want to do some stuff at home. I want to take some, some classes. I want to do things, you know. Like I say, that's kind of what we look for, the people who say, hey, live for this stuff. They're really into it. And it's not about us having our butts kissed or anything like that. It's about seeing someone who you're going to have more interest in, someone who you know who you work with, who, you know, you maybe have some, you know, respect for, it doesn't mean they're the most senior at everything, but, you know, you know them, and you know they have that capacity, and you see them taking the, you know, the initiative there. And not just in, you know, talking about IT, but even around the technical side, even on the even on the risk side, you know, the risk and the data governance and all that stuff. Hey, you know, there are often, you know, great people there who can move up, you know, who just, you know, they may start in IT, they may start in something related, but you can pull them in too.
We've had great, great success there with that kind of thing, because people are hard to find. You got to find them where you can. And sometimes, you know, good people, they may not, like Adam was saying, they may not fit every box in the job description right away, but the person you're looking for may be, you know, right in front of you or down the hall, or at least they may turn into the person you're looking for with a little guidance.

Adam Roth40:27

So, yeah, and I'm going to tell you, I'm going to tell our audience another thing that I feel. Don't wait for the job to come to you. You go hunt down the job. So what do I mean by that? I don't have any social media really other than LinkedIn. I'm not telling you to add everybody on LinkedIn, but I'm telling you if you want to get in security, exercise a little bit of your skills or develop the skills and being able to do kind of like a, like a reconnaissance. And what I'm, what I mean by that is let's say you want a job and you want a job in, you find a job online, you want a job at, uh, um, I don't know what, Patti Bank, the Bank of Patti. What you would do is go on LinkedIn and start going through that site and find out who works there and maybe add them to your LinkedIn community and then send them a message and say, hey, I'm looking for a job, blah, blah, blah, blah, blah, blah. This is what I have because you have to be a little bit assertive. I'm finding at least and through my colleagues and friends that just filling out job applications is not the way to go. It might help you. Got a network. Got a network. Exactly. You've got to reach out to people. You've got to add people. And even if you don't add them on LinkedIn, Google, try to find their email address. Try to find the HR person. What are they going to do the most? Say no. Because most likely you'll drop out. Stalk them.

Joe Patti42:00

It's cool.

Adam Roth42:01

Oh, yeah. Stalking them is fine, too. Find out where they live. Show off their house. Bring some flowers. No, I'm kidding. That's right. I'm kidding. I'm kidding. Be a little bit assertive. Try not only applying for the applications, but also networking. If you know somebody that knows somebody, then maybe reach out to them and say, hey, I know your work over at XYZ Bank. Do you think maybe you can give me a referral link? Or can you ask the person that is responsible for hiring if I can have a 15-minute session? Don't be afraid if they say no, but you should try.

Joe Patti42:43

I'll tell you something interesting too. And you know, people think of security and ITs and this is not exactly a secret, but you know, people think of it as being very technical. You got people who are technical, then there are technical geniuses and all this stuff. You know what, there are, and there are great people who do that, but the people who really soar, who really go to go the top, both at the management, but also at the top of consulting and things are the people who have those skills and who are very social, who are gregarious, who are good with people. Don't neglect that, because as we've talked about before, there is a lot of, and we're gonna have an episode on it, there's a lot of culture and psychology, and there's a big people side to security. There's a lot to it. Okay, so here's a place I don't like hiring people from. Let's get a little negative. Craigslist? Yeah, Craigslist, no. Auditors. I am not a fan of hiring auditors into security. Those auditors are generally not practitioners. They don't, they don't understand the nuts and bolts of doing it. You know, they're good at checking things, good at saying what needs to be done and analysis and stuff. But, you know, doing that and actually, you know, doing stuff though, and, you know, putting together a program and all that, it's, it's like the difference between like pitching and batting. You know, it really is. They're two very, very different things that don't translate.

Adam Roth44:17

I mean, not, not from, so cybersecurity in that kind of weird ways, like being a doctor, right? You can be a doctor and you can be a general practitioner and you can be, you know, well, you can be a urologist. You could be, um, cardiologist. You have to be a proctologist. Yeah. Proctologist too. But the point I'm making is an auditor doesn't mean you are, you know, an incident response. There's nothing wrong with being an auditor, but it doesn't mean that you're gonna maybe be the right type to start doing, you know, doing tickets and doing research on why somebody is complaining that they think their mouse is moving on its own.

Joe Patti45:08

Yeah, it's a different skill set, which you can go from one to the other, but it's not as easy and natural as a lot of people think it is. You know, I personally think from, you know, we've had, like I said, good success with, you know, other people in IT, bringing them into security more so. Your mileage may vary.

UNKNOWN45:31

All right.

Joe Patti45:32

Is that a disclaimer?

Adam Roth45:34

A pop-up banner? I suppose.

Joe Patti45:38

Another thing is you got to be realistic, unfortunately, is that retention is tough. Keeping people is tough. I know that people are nervous now times are not quite what they used to be. But you know, security people don't stick around for long. When you hire someone, don't expect that they're going to be there forever. It happens. It's rare, I've been very fortunate personally, but eventually good people, someone's gonna come and they're either gonna get the itch and wanna move on when you don't have a place to put them, or someone's just gonna dangle a lot of money in front of them and they're gonna go, and that's just the reality of it.

Adam Roth46:20

Yeah, I don't know if I necessarily agree entirely with that.

Joe Patti46:23

People don't really... You left me for more money, didn't you, by the way?

Adam Roth46:27

Not exactly.

Joe Patti46:30

Oh, you left because you didn't like me? I love you. I'm still with you, right? I suppose so.

Adam Roth46:35

So we continue our relationship in another manner. Don't tell anybody. Oh, God. Okay. So people either leave bad bosses or bad organizations or leave because they don't feel there's any growth opportunities. Very rarely do people leave based on money. Money is actually an aspect of growth. But if they feel that they're no longer learning, no longer able to grow, unless you're just happy being where you are and you're not looking to do any more, that's fine too. But people leave because they are limited or not happy.

Joe Patti47:15

Well, I think you're right. I mean, obviously people, they say they leave. I left because I'm a bad boss, but that's another thing.

Adam Roth47:21

I'm kidding, Joe.

Joe Patti47:24

No, I mean, sometimes I think you're right. People do leave for growth, and in security there is so much because, you know, people want to advance. They want to be doing new things. Sometimes they want to do the cool stuff. And, you know, you know, as as a manager, as a security manager, one of the things that you got to do is, you know, get your people some toys, get, you know, one of the reasons you want an advanced environment and to bring new things is also for retention purposes. But there's only so much you can do. Eventually, someone's going to want to move on. And that can be a good thing, because if no one's leaving, that either means you're the best manager in the world and you're paying them a fortune, or they're really not that ambitious. But you know, or they're sleeping 90% of the time, you just sleep in 90% of the time, in which case you're not gonna be a security manager for long when it, when it hits the fan. But no, you know, when, when people are, when people move on, if they're moving on for the right reasons, you know, it's like anything else. But, you know, play, play the long game, say I'll poach him from that place later on, or just be happy for them. Yeah, but just because you left an organization doesn't mean the organization is bad.

Adam Roth48:30

It just means that you might have... Forget about bad managers, forget about bad organizations. And let's say you leave based on the fact that you could no longer grow. It doesn't mean that the organization did something wrong. It just means that you reached the plateau of that organization and you have grown to that next level where you want to get to that next point. And that might mean that another organization has that growth opportunity for you.

Joe Patti48:55

Yeah. Well, also, you know, sometimes you're the, you know, you're the top shortstop in AAA, you know, but Derek Jeter isn't going anywhere. You know, just say, please trade me. You know, sometimes you just got to move on. There's not, there's not room. Okay. The last subject is the sticky one. What's that? Diversity. Why? All that stuff. Diversity.

Adam Roth49:17

I don't know anything about that. In hiring.

Joe Patti49:19

You don't know anything about that? Well, it's tough. Yes, true. It is a really significant problem in security that, let's be honest, it is hard to find people at all who are really good. And it's very difficult to find minorities and women too. And I can tell you as a manager, sometimes, unfortunately, you don't even get that many submissions, that many resumes, the field really is that thin. And call it a cop-out, send me hate, but that is an unfortunate reality that we need to deal with. It is a big, big challenge. I agree. Yeah, and it's really weird because there is nothing about security, and frankly IT in general, that would make it, you know, in particular, male-centric. You know, it doesn't matter. I've actually worked for two women CISOs who've been great, who I've learned a lot from. I stole most of their tricks, actually, come to think of it. Security-wise, I mean.

Adam Roth50:31

Oh, I'm going to call one of them right now.

Joe Patti50:33

You're going to get me in trouble. She will be listening. She's great.

Adam Roth50:40

I reported to her once. I ran for the hills. Don't tell her I said that.

Joe Patti50:46

But, you know, that is that is a tough one that needs to be solved as an as an industry. And that unfortunately is, well, it's one of those things you can do your part, but, you know, really on the on the education side and a lot of the larger things needs to needs to be addressed on more of the macro scale. But as with everything else, do do what you can. Yes, sir. What else is on your mind, Adam?

Adam Roth51:14

Not much. I mean, now that I know that you had something to say about a certain CISO that I know, I'm going to have to reach out right after this. Unless you and I'm giving you up.

Joe Patti51:28

I know, and even if I edit this out, you've got the raw tape too.

Adam Roth51:32

Yeah, I do.

Joe Patti51:32

God, I sound old.

Adam Roth51:34

Raw tape, yeah. I had the 8-track.

Joe Patti51:38

The 8-track.

Adam Roth51:40

What I like to do is, you know, as part of being a very robust and very well knowledgeable security manager, I like to save all my data on an 8-track, because nobody's really going to exfiltrate it from there. They don't even have the equipment.

Joe Patti51:57

In a sense, that's, that's very secure.

Adam Roth52:00

I just lost any future jobs I've ever wanted. Yeah. Um, no, just I'll leave you. I don't think, I don't know if we're at last thoughts, but I'll leave, I'll leave you, I'll leave you, I'll leave all of you with this. Security is a passion. Security is an incredible thing to be a part of, whether it's physical security, whether it's cybersecurity, whether it's network security, or any variation of that. Be yourself, learn all you can, be confident, and go into the interview in a sort of way like you own the place. Don't be cocky, but be confident enough where they want to hire you. And if it doesn't work out, just keep on trying and trying again.

Joe Patti53:01

That's right. And you know what? And it's for people who are going to try it because I'll tell you that it's not an easy job. It's not an easy field and you got to love it. And my advice to everyone who hires is only hire people who love it because you know, if not, they're, they're going to struggle. That means you're going to struggle too.

Adam Roth53:20

Yes, sir.

Joe Patti53:21

All right then, I think that pretty much takes us out. Last call, my martini is just about gone. I hope I'm not slurring my words here. It should be cool.

Adam Roth53:31

Well, what I'm going to do is immediately after we finish this podcast, I'm going to Ctrl Alt Delete my laptop, leave my hotel room and go downstairs to the bar and get another drink.

Joe Patti53:43

All right, then we are not going to make last call because we're just getting started here.

Adam Roth53:52

I just want to say please, as we always say at the end of every episode, send us some feedback. I hope not to get any hate mail, but hey, any mail is good better than none. So looking forward to it.

Joe Patti54:04

Please send us email feedback, subscribe, follow. We'd love to hear from you. We'd love to talk to you. We'd love to help you if there's anything we can help you with. And that's it. I think that's it. All right, Adam. Thank you, my friend. Thank you. Always good having a drink with you. Yes, sir. Thank you.