[Voiceover] Best advice for a CISO. Go!
[Jason Witty] Don’t try to prevent everything. I would spend probably about roughly 40 to 45% of your budget on prevention. Probably more like 40 to 50% on detection. And then everything else on response recovery and everything else you need to.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. It’s weird just saying it like that and not that long, sprawling name I used to say. I’m David Spark. I’m the producer of the CISO Series. Joining me as my cohost for this very episode is Andy Ellis. You may also know him as the operating partner over at YL Ventures. Andy, we love the sound of your voice. What does it sound like?
[Andy Ellis] Today it sounds like this.
[David Spark] Oh, a little sultry. I like it. We are available over at CISOseries.com. we got lots more shows. This is not the only one, but I’m glad you’re here listening to this one. Let me mention our sponsor. Our sponsor is CyCognito. They developed a SaaS platform that automates attacker techniques to test and protect your organization. More from CyCognito later in the show. But first, Andy, we were talking about the fact that it is March, and we were saying, “Oh, what happens in March?” First it was Saint Patrick’s Day, which most people know. And also Purim. Which aren’t I would say equal holidays. And then you mentioned Evacuation Day, which is a Boston holiday of which I’m also originally from Boston. What is Evacuation Day, for the people who don’t know?
[Andy Ellis] Evacuation Day technically is to celebrate the day that Bostonians had to evacuate the city because the British were coming. It just happens to be on the same day as Saint Patrick’s Day. So, it’s an official holiday to go get drunk in your favorite Irish bar, but it is totally not Saint Patrick’s Day.
[David Spark] It is totally not Saint Patrick’s Day. Do you know that actually Purim, for me, is a key holiday because it’s the day that I started dating my wife.
[Andy Ellis] Yes.
[David Spark] Every year that Purim came along there was another sort of… I wasn’t dating my wife. She didn’t become my wife at the point of dating her. I was dating her.
[Andy Ellis] [Laughs] It is good to date your wife on Purim though. It is a holiday for drinking.
[David Spark] There you go, yes. But I shouldn’t say that she was my wife and then I started dating her. But I dated her, and then she became my wife.
[Andy Ellis] And my daughter was born on Shushan Purim, which is the second day of Purim, which is the day that you celebrate if you live in a walled city. It’s one of the most fascinating holidays that it has two separate days to celebrate. One if you don’t live in a walled city and one if you do.
[David Spark] Here’s another Purim connection. My sister, Debra, who is a novelist, wrote a novel called “Good for The Jews” that is a modern retelling of the Purim story.
[Andy Ellis] Oh, that must be fascinating. I’ll have to go look that up.
[David Spark] It is a great book, too. I recommend it. Debra Spark, “Good for The Jews,” which is the line that my grandmother used to say all the time. I’m sure you’ve heard that as well. But enough of this, if you will. Let’s bring on our guest, who you know very well because you both have a connection with YL Ventures, the VC firm out of Israel. And I’m sure to have him aboard with us. He’s the CSO over at USAA for which you’re also a member, Andy, correct?
[Andy Ellis] I am. USAA.
[David Spark] Thank you for singing that. We don’t have to pay any rights for him singing that, do we?
[Andy Ellis] It’s always very weird whenever I call USAA. Because I haven’t been in the military now for over two decades, and I’ll get on the phone, and it’s very rare that I need to call. And some customer service rep is like, “Good afternoon, Lieutenant Ellis.” [Laughs] And I’m like, “Wait, wait, what?”
[David Spark] Really?
[Andy Ellis] Yes. You’re always referred to by your rank.
[David Spark] Nobody ever calls you that, Lieutenant Ellis.
[Jason Witty] The cool thing is we know if you got promoted, and we call you by the new one.
[David Spark] That’s even cooler. Well, the voice you just heard is our guest. I didn’t even say his name. It’s Jason Witty. He’s the CSO of USAA. Jason, thank you so much for joining us.
[Jason Witty] It’s great to be here.
It’s time to measure the risk.
[David Spark] What is the board’s risk appetite? Now, we hear this all the time, but how do you figure that out. accurately? At a previous job, Nick Ryan, who currently runs cybersecurity at BakerTilly asked that question of a previous employer and they said that they could be without power for 72 hours. Gulp. Well, they actually had an incident that shut off power for one building for three days. And guess what? Everyone realized they couldn’t be without power for even two hours. It was from that experience they moved their information into a data center. So, what are the questions to ask so you don’t have a situation where they say one thing, but when the incident actually happens the result is far different? Andy?
[Andy Ellis] I think it’s really important to understand that modern corporations are very complex systems, and you can’t ask people simple questions about complex systems and expect them to have the context to answer. Like, “Oh, that building can be without power for 72 hours.” Do you know what’s in it? Probably not. So, whenever I think about complex system safety, I reach to my favorite author on this, which is Professor Nancy Leveson out of MTI, wrote the book “Engineering A Safer World,” which I highly recommend for every security professional. But to distill down, you start by talking about unacceptable losses. Like can the building be down for 72 hours doesn’t matter. What are the unacceptable losses for the business? Then you can talk about the hazards that trigger those losses, and then you can talk about your compensating controls. So, one way to possibly do this is ask people who are responsible for production entities, whether it’s systems or services, and say, “How long can you be down for? Or how bad is it if you go down?”
And one way to sort of answer this is just talk about how quickly is it catastrophic if this thing is down. Does it go to zero? And you can just tie the company to your products. You can be pretty lightweight and loose with This. But what’s interesting is then you say, “Who do you depend on?” And if that fails, how quickly do you fail? What’s your degradation instantly versus over time?” And you could build a dependency chart. And what I suspect this company would have discovered is that building was very deep on a dependency chart, but there was some path to it that was critical that people really relied on. I actually ran into this at a previous employer with our source code repository that every developer said, “Oh, yeah, no big deal if it’s down for a little while. I can write code offline.” The people who managed it were like, “Oh, we’ve got like a 48-hour recovery plan.” But when we built the system dependency diagram we discovered that some enterprising developer didn’t want to write a communications protocol for dynamic configuration that was updating every five minutes in a distributed system, so they just used the source code repository. One system would generate a new config, check it into the source repository, and every other system was reading it in real time. They were like, “No, this can’t be down for 48 hours. What are you talking about?” And highlighting that. you find that connection that now you can tell a simple story about.
[David Spark] All right, Jason, have you ever had a situation where you think someone’s answer might have been a little too flippant in terms of you’re asking about the risk, and you’re like, “Eh, maybe I should ask you a little bit more detail?”
[Jason Witty] I absolutely would have to say that happens pretty frequently. But I did just want to comment on the measurement of risk topic. First off, the board isn’t the one that has the appetite. The board should be challenging the appetite, but management needs to come up with the appetite. And working for large financial institutions for my background, all of the large financial institutions have a pretty structured process for setting risk appetite per business line and ensuring that you’ve got the right measurements for each of those – KRIs, KPIs, sort of warn thresholds versus breach thresholds for all of that.
[David Spark] It’s engrained in the operations of your business.
[Jason Witty] Yeah, it’s literally the active banking is the ability to take in one dollar and give seven dollars away and not worry about the liquidity that you actually don’t have because you have really strong risk management controls. But it is always interesting to the point that you used, that it never really quite works that way when the event actually happens. And so you have to do things like fail over entire data centers to find those connections, or do things like sustained resiliency testing where you’re going to not only fail over data center and fail back but you’re actually going to do that every month and run full production workload out of a different data center every month or… Those types of things really help you understand what is actually going to happen in a real event. And then the other comment that I just wanted to make on that is I cannot overstress the efficacy of tabletop exercises in order to sort of pull those dependencies out and realize where you have undo risk.
What works? What’s not working?
[David Spark] “The things you were concerned about before Blackhat, the conference, are probably the things you should still be concerned about after Blackhat,” said a redditor on the cybersecurity subreddit. He wrote a long post about what he learned in his ten years in cybersecurity, and he claims many of these conferences, especially when they’re announcing new threats, is of little concern to the vast majority of SOCs or security operation centers. So, we’ve heard the need to pay attention to the fundamentals. We talk about this all the time. But what about this argument that these conferences are not helping? I see value in these conferences celebrating the community and the knowledge in general. I’ll start with you, Andy. I think you have a love/hate with the conferences. Yes?
[Andy Ellis] I do. As somebody who was a platform vendor for quite a while, we had to send people to Blackhat not just for their own edification but because every year somebody was going to drop a zero-day on us. And sometimes it was this big, celebratory thing, and you’re like, “What? This little thing?” Sometimes it was really bad. Like you never knew what you were going to get. But I think there’s almost become this fetishization of, “Oh, it has to be new and novel to be a Marquis [Phonetic 00:10:18] talk.” And there isn’t enough celebration of, “Hey, let’s teach people how to do risk management right.” Everybody is out there talking about, “Oh, we’ll do FAIR [Phonetic 00:10:27]. We’ll do this, we’ll do that.” And we’re not having these conversations about, “Here’s how to talk to your board,” or, “Here’s how to talk to your CISO if you’re not the CISO.” Things that will actually be reusable, repeatable. Like get those in front with relatable stories told by very diverse practitioners so you can hear form somebody who’s got my background. You can hear from somebody who has a different background. And I think that we do ourselves a disservice when we only celebrate one. I’m not saying we should get rid of these like really cool, cutting-edge talks. I’m always happy to see that research. I’m a big fan of actually research into vulnerabilities in shared services because what you see is… Like take AWS who recently just had a pair of big vulnerabilities. Superglue and breaking formation that…they fixed them. It’s great. Everybody is safer because of those. Now, whoever did the Log4j research are like, “Well, I’m not sure we’re all actually safer now that that’s out there, but I’m really glad that it’s actually slowly getting fixed.”
[David Spark] All right, Jason, are you an attendee to these conferences – Blackhat and RSA?
[Jason Witty] You had me laughing a little bit there because my first DEVCON was DEVCON 4, so do the math. I actually took about half a decade off from attending the conference and didn’t miss a beat. Came right back in, and it’s still the same DEVCON, and it turned into Blackhat.
[David Spark] Again, I think there’s a weighing here of are they helping or hurting. Because I see value… Even though the bright, shiny thing really isn’t of true value, but it’s just kind of fun and cool to see it. And also just the physical, everyone being there in one place celebrating cybersecurity in general… Where do you see it’s hurting, and where do you see it’s helping?
[Jason Witty] Yes, I think where it’s helping, there is a lot of novel knowledge, and there’s a lot of innovation. There’s a lot of new things that came out. I am certainly more on the it’s helping than it’s hurting scale of things. I would say that the basics are whatever everybody needs to be really good at. It’s the hygiene stuff everybody needs to be really, really, really good at it.
[David Spark] Yeah, we talk about this endlessly on the show.
[Jason Witty] Right. So, there are certainly new techniques, and there are new learnings that you can get out of either of those conferences. But the vast majority of things should cause you to think differently, not that you need to specifically react to that one particular thing that’s in the press.
[David Spark] I like that. The you need to think differently. So, I find myself getting inspired from these conferences, having conversations with people. Do you find that you are thinking differently after going to a DEVCON, a Blackhat, what not?
[Jason Witty] Absolutely. Absolutely. Especially after doing it for a couple of decades.
[Andy Ellis] I think the one drawback you see out of the conferences is they do sort of promote a view of the security community that is narrower than the entire community. You mentioned…David, you said Blackhat, RSA, and it’s like two completely different sets of attendees, neither of whom considers the other one part of the security community. But they’re both part of the security community.
[Jason Witty] Totally agree.
[Andy Ellis] To me that’s the most harm that some of these do is they say “Oh, those people that are just practitioners, they’re not hackers, they’re not really security professionals.” No, they are. They’re actually doing a harder job with zero celebrity, but you’re all security professionals.
[Steve Prentice] Jim Wachhaus is a risk intelligence evangelist at CyCognito – a company that specializes in external attack surface management. His company is highly aware that attackers always seem to have the advantage, so I asked him what he means by that.
[Jim Wachhaus] I think The Rolling Stones said it best – time is on my side. The attackers have time on their side. We have to be 100% correct all of the time. Attackers can be opportunistic. They can check in, check out. They can wait for their automated systems to tell them when there is something tasty that they can go breach. And then they can go be creative with it for an extended period of time. You talk about digital transformation, and dev ops environments can be spun up and spun down. Well, if they’re not spun down that dev ops environment becomes essentially a QA lab or a test lab for attackers to do something on assets that probably aren’t monitored right.
[Steve Prentice] CyCognito helps resolve these challenges by doing external attack surface management for their customers. They use what they call risk intelligence to combine threat intelligence with the risks that they find in the attack surface. For more information, visit CyCognito.com.
It’s time to play, “What’s worse?!”
[David Spark] Jason, are you familiar with this game?
[Jason Witty] Oh, no, I am not.
[David Spark] All right. Well, here’s how it works. It’s very simple. And I make Andy play first, so it’ll be easy for you. I give you two scenarios. They’re usually both horrible, but in this case actually they’re both good but have a slight negative bend to them. And what you have to do is pick of these two scenarios which is the worst scenario. I always make Andy go first. You can agree or disagree with Andy on this one. And, Andy, this comes from Jonathan Waldrop. He is with Insight Global. He gives us lots of phenomenal “what’s worse” scenarios.
[Andy Ellis] And just so you know, Jason, I win if you agree with me, and David wins if you disagree with me.
[David Spark] Yeah, so decide who you want to win.
[Andy Ellis] So, you have to decide whether or not you’re taking care of one of your USAA members or not.
[David Spark] We do have the power to edit the show, Andy.
[Jason Witty] I’m doomed.
[David Spark] Just pointing this out. So, this is a debate that is not new. This is a classic, classic debate, Andy. And I know a lot of this answer is it depends because I know how…
[Andy Ellis] Always it depends.
[David Spark] Yes, all right. But here we go. Classic debate, you’ve heard it before. Taking a best of platform approach to buying security tools with excellent integration out of the box, but some of the tools are not the best. Not bad, just not great. Or taking a best of breed approach to buying security tools. You get lots of great tools, but integration is not the best. So, your team does a lot of cross platform analysis work manually. Which one is worse?
[Andy Ellis] This I actually love. This is not a bad choice. And sometimes I think our questioners make it a little too easy on us. Just so you know, Jason, we’re not allowed to say, “Oh, but here’s how I would work around it.” Because normally what we get is you get like, “Oh, you get everything is integrated, but it all sucks,” or, “It’s all great, but it’s not integrated.” That would be a hard choice. But if I can something…everything is integrated, and it generally works pretty well, I’d totally want to take that. So, I do not want to then go best of breed where I’ve got to integrate and do all of the cross-platform APIs and build my own things because that’s a ton of work compared to I’ll just buy it off the shelf, and it gets me like 80% comprehensiveness but 100% coverage. So, I think I’m going to go that way if I’m constrained by these two choices.
[David Spark] So, the worse scenario is the second, the best of breed approach?
[Andy Ellis] Yeah. But just to be clear for the listeners, in general I would prefer the best of breed approach because my experience is that most platforms start to not give you even merely good stuff. You get a lot of things that don’t work at all inside that integrated platform.
[David Spark] So, personally you don’t agree, but for the game you do?
[Andy Ellis] Because I don’t think that this question is mirroring reality. The reality that we’re seeing today is a lot of best of breed things have really great APIs, so your integration work is actually pretty easy. And a lot of the platforms that are out there sort of accumulate stuff that doesn’t quite work and doesn’t get innovation, and over time degrades. And so he’s…this question, I think, has tipped the scales to make this easier to say, “Oh, don’t go best of breed. Go with the platform.” When in reality you’re probably doing a mix. You’re doing platform for a bunch of core commodity security and best of breed for everything else.
[David Spark] Well, as you know on the “what’s worse” game everything is black and white. It only can be all one way or all…
[Andy Ellis] Right. But so in the black and white, the best of breed is the worst approach. But I’m just saying…
[David Spark] Okay.
[Andy Ellis] …I don’t think it’s reality.
[David Spark] Jason, do you agree or disagree with Andy here?
[Jason Witty] Both, so you both win.
[David Spark] [Laughs]
[Jason Witty] I would answer this question very differently ten years ago, and I would have gone more towards the, “Hey, we should have really, really, really solid cyber hygiene controls, and a platform can deliver the vast majority of those. And I’ll kind of sprinkle in best of breed around it where it doesn’t do those things well.” Now I would actually be on kind of on the side to say if you don’t have an API I’m not purchasing your solution at all. Because I do have pretty robust platforms that can integrate with your APIs, and I want that rich information to be enriched with other vendors and other suppliers’ data feeds, or platforms, or AI, or whatever it is.
[David Spark] So, you’re taking the flip. You’re saying best of breed is better and that the best of platform is worse? Is that what you’re saying?
[Jason Witty] No, what I’m saying is you’re going to need both, much like Andy was saying.
[David Spark] Well, you can’t pick both.
[Jason Witty] But if I’m…
[Jason Witty] I don’t care.
[David Spark] I don’t care? You’re not playing the game right.
[Andy Ellis] Jason is the first person to just say, “I don’t care, David. I’m not going to play…”
[David Spark] This is mutiny of the game. [Laughs]
[Andy Ellis] But imagine, Jason, you got teleported to an alternate fantasy world in which there were no APIs for anything, and so either you could have best of breed things with no APIs, and you’re copying and pasting data around between, or you can buy a platform that does like 80% of what the best of breed do. Now what do you pick ten years ago?
[Jason Witty] I don’t live in a fantasy world.
[David Spark] Jason, you’re killing…
[Andy Ellis] …financial services CISO onto the show.
[Jason Witty] No, I’ll play just a little.
[David Spark] Thank you.
[Jason Witty] So, I would still be mostly on the platform side, and I would have some aspect of things that I know that platform is going to degrade from an efficacy standpoint over time, and so I’m going to have some additional thinking.
[Andy Ellis] You have to pick one. You don’t get to do the middle.
[Jason Witty] I think it’s worse to need to do a hundred things and get a hundred different ways of doing them.
[Andy Ellis] So, he’s going best of breed is worse.
[David Spark] Best of breed is worse. All right, there we go. We finally got it out of you. By the way…
[Andy Ellis] That was the hardest answer.
[David Spark] …first guess who essentially just refused to play. Go, “No, I’m going to do it my way.”
[Andy Ellis] I love it.
[Jason Witty] Well, with a last name like Witty, I get this all the time.
[Andy Ellis] Aaron, who is our producer, who’s sitting in who’s not saying anything is grinning joyously because he got his first win.
How a security vendor helped me this week.
[David Spark] Cohost of Defense in Depth, Steve Zalewski, who is the former CISO over at Levi Strauss, used to say to security vendors, “How does your product help me sell more jeans?” It was a great way to get vendors to start thinking more about the customers and figure out how a security tool can be an asset in an organization’s actual process of doing whatever it is they do. But I want to take this one step further. Repeatedly I am seeing and hearing from the CISO’s role is less technical and more about communications with other business leaders. So, security vendors are very eager to get the attention of CISOs. Instead of selling the specifics of their product, what could…and I’ll start with you, Jason…what could security vendors to help you with that C-level and even possibly board-level communications?
[Jason Witty] Yeah, that’s an excellent question, and I think we don’t focus on that enough. I would say the best thing is to understand what the problems are that CISOs are facing and ensure you don’t come in with,. “Hey, my solution does this, this, and this, and it has Cloud, and AI, and ML, and NLP. And by the way, 5G also thrown in sideways.”
[David Spark] By the way, I believe all security products have that already.
[Jason Witty] I think so. According to what I read. But what I see a lot is suppliers coming in and telling me what their products does, not asking me what I need and not understanding even at their product’s level what all of those futures and functionality and everything else are actually going to help a CISO solve from a risk standpoint. They’re just overfocused on the solution that they provide. So, as a result…
[David Spark] Could you actually give me some dialogue that would ring to you if you heard it? Like, “Hey, I looked at this, and I understood…” You don’t have to delve what you’re doing specifically. But there is a lot of open-source intelligence they can do to understand basic things that are happening in your environment. One of the classic things we’ve heard in the past is like if it’s some kind of ecommerce site, click through and see how the ecommerce site actually works. Simple things like that you can figure out. What would ring true to you? Because we know that they really push their products.
[Jason Witty] Yeah, no. And some suppliers are really good at this. I want to kind of give credit where credit is due as well. But really understanding what are the big issues that CISOs are confronting right now. The world is really changing to a software defined everything, and so CISOs really not only have to be a CISO these days. You also have to be a CIO these days, and you have to understand the nuances of any particular Cloud platform, or anything else that’s going on in development, or opinionating a software tool chain, or all those sorts of things that are very germane now that really weren’t about ten years ago. So, there is this transformation that’s going on – understanding that CISOs are being required to both be conversant in the board room and be conversant with technologists at the same time is a really big deal. That should then allow for a conversation around risk. So, open with, “What is the risk you are actually solving with this solution? What other risks can it also help you with?” And then you can go into the details of how you actually do that.
[David Spark] That I like, right there. Andy, how do you deal with this?
[Andy Ellis] I think a lot of vendors over pivot on this one. They walk in the door, and they say, “Tell me about your problems.” I don’t know any…
[David Spark] “What keeps you up at night?”
[Andy Ellis] Right, and I don’t know any CISO who wants to answer that cold. I think Jason is right. I like to do a little nuance. I like to say, “Look, you should walk in and tell what your product does.” No buzz words, just, “Here is what we do,” in one sentence. Because you want to set the CISO’s mind into the right framework. Like, “We are an X.” Like, “We are a podcast that will tell you about what CISOs think.” Boom. That’s what this podcast is. “And here is how we think that will help you. Here is what business impact we think that will have. Here’s the risks that we solve. Here’s how we think this might help you.” And then you can ask the question, “Are we right? What am I missing? What are you worried about, or what do you see that I don’t” And now a CISO is much more likely to answer… I often call this the red ink rule. If you ask somebody to write something down, don’t hand them a black pen and a blank sheet of paper. Write something down and hand them a red pan and the sheet of paper with something you wrote on it because they will happily tell you you’re wrong before they will give you a piece of their mind cold.
[David Spark] Yes, people are happy to edit rather than write the first draft.
There’s got to be a better way to handle this.
[David Spark] “Don’t set it and forget it,” said Bob Zinga, aka BZ of Directly, who wrote about diversity and inclusion in cybersecurity on LinkedIn. And he said that multiple diversity issues are the result of stagnant diversity thinking such as, “There are no good diverse candidates,” or we’re often just not aware of the unconscious bias, and no one is leading the diversity and inclusion effort. So, diversity issues are constantly changing, and I want to start with you, Jason, on this. How does the issue become an ongoing issue you’re managing rather than a static policy that never gets updated?
[Jason Witty] I’d first open that question by saying that the cyber threat landscape is incredibly diverse, and it is incredibly global with a very high degree of difference between how one adversary thinks and another adversary thinks. Along with a highly collaborative network that they’re all sharing and building upon each other’s ideas with. And if cybersecurity teams are not acting that same way there is a big problem. We have got to have a diversity of thought. We have got to have a diversity of location. And we have got to have a diversity of people to come up with the right solutions in order to handle the threat landscape that is in and of itself so diverse. So, I would say that that starts with ensuring that you have the right skills, that you’ve got the right type of people, that you’ve got the right diversity in thought. And you’re certainly thinking about the workforce and how you are going to attract, and retain, and build, and upscale, and do all of that sort of at the same time to make sure that you have an overall diverse and inclusive workforce.
[David Spark] You know what? I really like the way you began that answer because we talk a lot about the need for diverse staff for diversity of thought. But you set it up by saying the attacks are diverse. That just got me to thinking is that just think about travel. We go to other countries. We don’t know the customs in other countries because we don’t live and understand that, and we have to have someone else explain to us what are the customers of the country. I’m feeling that attacks are the same way. It’s a custom you’re not familiar with. And if you don’t have…essentially you don’t have a translator with you, you’re going to get blindsided and look like a fool.
[Jason Witty] That’s a really interesting analogy because a lot of times I open up when you’re trying to get to know me a little bit that I’ve been to 33 countries, and I have seen a lot of different customs. And as a result of that, I’ve realized that I actually love talking to people that think like I don’t. And so from that standpoint, it does cause you to think differently having a very diverse team of people with a very diverse set of backgrounds, and geographies, and cultures, and everything else.
[David Spark] Excellent point. Andy, how do you make diversity an ongoing issue rather than static?
[Andy Ellis] This is a really big soapbox for me.
[David Spark] Get up on it.
[Andy Ellis] And I’m going to get up on it, and I’m going to do a little bit of a rant. We’re recording this the day after Brian Flores has sued the NFL for its discriminatory practices around hiring of black coaches. And so obviously there will be developments between when I say this and when this airs. I actually do agree with everything Jason said about the values of diversity, of experience and thought. I completely agree. But I actually want to step back for just a second and say if you look around your security team and you do not see a lot of minorities and black faces, and you do not see a lot of women, you can make an argument about why you need them for diversity of background and experience. But I think there’s a better argument that says you might be actively discriminating against people, and that’s just wrong. That’s a thing we need to fix, and we need to stop coloring it, no pun intended, and saying, “Oh, look, we would be better if we weren’t discriminatory.” No, you would just be better by not being discriminatory. Now, there’s a lot of things wrong in our HR pipelines. The way that we write job descriptions if awful. Go look at the job descriptions that you actually post and see how many requirements are on there. If somebody actually met the requirements, they would be more than capable for two jobs above the one you’ve actually posted.
[David Spark] That’s a good point right there.
[Andy Ellis] Look at how your recruiters interact with candidates. Look at where you’re advertising. Look at how you develop talent. Look at how you retain talent. Every organization has these problems. And let me put it really bluntly in case any HR professionals are listening. You should sit down. But HR is the organization that screwed this up, and so why do you think that we’re putting HR in charge of fixing it? The people who made the problem are not the people who are going to fix the problem. You, the person listening to this, if you are a hiring manager or a leader of people, if this is not one of your personal top priorities that you are regularly and actively managing then it is not going to get better, and that is your fault.
[David Spark] Doesn’t get better on its own. That’s the key thing today.
[Andy Ellis] Not going to get better on its own. And the HR diversity initiative are not actually going to make it any better. If you’d like some guides, I’ve got a blog post on this. Just Google, “CSO Andy, leading to representation.” It’ll give you some hints at what I did when I managed a large team and how I looked at it. You’re going to have to track this over years. You are not going to get it better tomorrow. You actually will do more harm trying to fix your stats tomorrow than if you commit that, “It’s going to take me five, ten years. But I’m going to build a program that is going to nurture people all along the way. And at every step, I’m going to make sure I’m not getting worse. And therefore I will continue to get better.” But if you just said, “Oh, look, I don’t have any black people on my team, so I’m gonna hire 12 of them tomorrow…” I cannot imagine that going well for you. It might. It is entirely possible you could succeed at that one. But more likely than not, you’re going to hurt your organization more than help it by…
[David Spark] Fast hiring in general of any…
[Andy Ellis] All fast hiring is problematic, but fast hiring where everybody who walks in the door is going to feel like they only got hired for the color of their skin… And that’s what all their colleagues will as well. And if even one of them doesn’t perform it’s going to justify in peoples’ minds, “Oh, this is why we didn’t have minorities.” No. The problem is that you screwed up trying to fix a very real problem. You’re going to have to fix it, and it’s going to take you some time, and it is possible to do. But it’s by going and looking in at the actual discriminatory practices. I’m not talking unconscious bias. I’m talking about you advertise a job that requires you to have the appropriate credentialed experience. You just dropped out a bunch of qualified candidates. Fix that.
[David Spark] The simplest thing… They said some… If you put a college requirement in, that knocks out 50% of candidates alone.
[Andy Ellis] Oh, do you know why there’s a college requirement in there? This is my favorite. Two reasons. One is H-1B visas. If you want to bring in somebody on an H-1B visa, you have to have a college requirement on the job they’re coming in for, so you have to put a college requirement on everything in that paygrade. And as a result of the New Haven case that went to the Supreme Court around discriminatory practices, HR rules are all aimed at creating more neutral tests. And a degree is a neutral test that is technically not discriminatory on the company’s part even though in effect it has a discriminatory impact.
[David Spark] And he comes down off of his soapbox.
[Andy Ellis] Oh, no. I’m still on it. We’re just going to move to another conversation.
[David Spark] Excellent job, Andy. Excellent job, Jason. That is going to wrap up our show. Thank you very much Now, Jason, hold tight. I’m going to want you to have the last word here. If you have any plugs for USAA, that’s great. But what we always love to hear is if you are hiring, so make sure you have an answer to that question as well. I want to thank our sponsor, CyCognito. If you do not know how to spell that, let me spell it for you. And remember, they has a SaaS platform that automates attacker techniques to test and protect your organization. Thank you, CyCognito, for sponsoring this episode of the podcast. Andy, any last words?
[Andy Ellis] Well, I think I just got an awful lot of words in there. But I will share that if you are a CISO and you have no idea what to do about your hiring, and your diversity, and inclusion efforts, I am available, and I will talk to you.
[David Spark] He has proven that. Jason, any last words? And by the way, my first question though, are you hiring?
[Jason Witty] We are absolutely hiring. Anybody with a particularly good set of modern software engineering and security skillsets, we’re really, really hiring. So, thank you very much for that.
[David Spark] Where would they go to find jobs?
[Jason Witty] They would go to USAA.com/careers.
[David Spark] And is there a way to get in contact with you in particular?
[Jason Witty] There is. You an always reach me at email@example.com.
[David Spark] Okay, excellent. I’m sorry, any last words you wanted to say about the show or USAA?
[Jason Witty] You know what, this has been a lot of fun. I will give you one fun fact about USAA, and that is I came there because of the mission to support the military and military families. That is absolutely what drives everyone at our company. So, I just wanted to thank you again for having me on the show.
[David Spark] That is awesome. Well, thank you very much, Jason. Thank you very much, Andy. And thank you, CyCognito, our sponsor. And thank you to our audience. We love your contributions! Keep them coming in. Keep them coming in. If you go to our site, CISOseries.com, there’s a button that said participate. It gives you kind of the different ways you can participate. But if you listen to the show, send us a question and a comment. If there’s a great discussion going on, whatever it is, you can ping me directly at David@CISOseries.com or just go through our website form and do it that way as well. Thank you, everybody, for listening and supporting the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and cybersecurity headlines week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.