https://cisoseries.com/wrong-answers-to-revealing-interview-questions/
Security leaders will often ask challenging or potentially gotcha questions as barometers to see if you can handle a specific job. They’re looking not necessarily for a specific answer, but rather a kind of answer and they’re also looking to make sure you don’t answer the question a specific way. Don’t get caught in the trap.
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Quincy Castro, CISO, Redis.
Full transcript
[Voiceover] What’s a great approach from a security vendor? Go!
[Quincy Castro] So, I really like somebody who knows my business and who’s able to say, “Hey, I know you sell B2B SaaS software. I have a solution that’s going to help you secure B2b SaaS software.”
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series. My cohost and joining me for this very episode is the one, the only Andy Ellis. He is the operating partner over at YL Ventures. Andy, if people were to recognize you only by your voice, you would sound something like what?
[Andy Ellis] Fantastic.
[David Spark] That’s what I like to hear. That is his voice. You’ll hear more of it through this show. But before we get to Andy’s lovely voice, I just want to mention that we’re available at CISOseries.com, and we’ve got lots of other programs on our network. Please go check them out. They’re a lot of fun. You know, we drop between…depending on whether our fifth show is in season or not, we drop nine to ten episodes of our shows every single week. So, go check them out. They’re lots of fun. And thank you, by the way, for being part of our community. I do also want to mention our sponsor. Our sponsor today is Okta. Many of you know them as an identity platform. They in fact claim to be the world’s number one identity platform. More from Okta later in the show. But first, Andy, this episode is dropping on November 8th, which means it’s just over a week past October, which is known as Cyber Security Awareness Month.
[Andy Ellis] National Cyber Security Awareness Month.
[David Spark] National Cyber Security. We don’t care about anyone outside of the US on this cyber security awareness. But when October is over, does that mean for the next 11 months we should just completely ignore cyber security?
[Andy Ellis] Absolutely. Don’t even pay attention to cyber security. Just pause the subscription on the podcast right now. Come back in 11 months and binge everything.
[David Spark] Bing everything. Yes, if I understand correctly as someone who worked at a major CDM platform, the attackers only come the month of October. Is that correct? And then they ignore the other 11 months.
[Andy Ellis] They show up in the month of September, which is why October is Cyber Security Awareness Month. Because we have all of these examples of how they compromised us the month before.
[David Spark] Oh, so you need something to point.
[Andy Ellis] You need something to talk about.
[David Spark] But they’re very polite. I like this about cyber attackers. Then when the month is over, they realize, “Hey, time to stop.”
[Andy Ellis] They’re just done.
[David Spark] Wouldn’t it be wonderful if it was that easy? If there was some kind of…
[Andy Ellis] It really would be. But unfortunately…
[David Spark] If there was some kind of cybercriminal treaty. Like, “Hey, guys, let’s not attack on a Friday before a long weekend. What do you say?”
[Laughter]
[Andy Ellis] Yeah, please no more attacks on holidays. I don’t like having to call people like on the 4th of July. I once had to deal with that. how do you call a customer that’s under attack during fireworks on the 4th of July?
[David Spark] On the 4th of July. [Laughs]
[Andy Ellis] Where no one can hear their cell phone ring.
[David Spark] That’s a lot of no fun. Well, our guest for today’s episode is also a listener of today’s episode. I’m very excited to bring this person on. It is the CISO of Redis, none other than Quincy Castro. Quincy, thank you so much for joining us.
[Quincy Castro] Thanks for having me.
Are we making the situation better or worse?
3:24.610
[David Spark] What parts of cyber security can you comfortable outsource? What parts of cyber security do you want to outsource but can’t? And how do your answers change depending on the size of your company? Andy, I’m going to throw this to you first. By the way, one of the major arguments that I see again and again online is the reason you want to outsource is, “Finding cyber talent is really tough.” So, Andy, I will ask you first – do you agree with that rationale to outsource?
[Andy Ellis] Oh, that’s an awful rationale to outsource. That certainly might contribute at the edge of your decision. But at the end of the day, the reason to outsource something is there’s somebody else who can deliver the capability to you better and more cost effectively than you can produce the capability yourself. Notice I use the word capability. It’s not about a task. When people think about outsourcing, they’re like, “Oh, somebody has to review my firewall logs. Let me outsource review of my firewall logs.” That’s not a capability to review your firewall logs. What are you doing? If the answer is, “Oh, I need somebody to go through my entire Cloud configuration and figure out what I need to go fix and do my good hygiene,” outsource that. There’s like 18 companies that do that. If you need someone to find all the open source vulnerabilities in your software supply chain, outsource that. Because that’s a capability.
[David Spark] Really just look at what you can do well and what others can do better than you more efficiently. Simple as that.
[Andy Ellis] Yeah, and you should definitely try to keep in house. If you’re going to say, “What are the things I would never outsource?” It’s, “What is core competitive advantage for your business that you can uniquely do and that you do not want to have some vendor holding over your head that like, ‘Oh, you’re delivering a product that relies on my service. I can turn you off. Pay me more money.’” Because those conversations… They happen a little more politely than that, but they do happen.
[David Spark] Not threatening. All right, Quincy, I’m throwing this one to you. Just start with what do you think is comfortable, what you can’t, what you want to. I’m going to assume you agree with this sort of basic theory of do what’s most cost efficient.
[Quincy Castro] Oh, yeah. No, I completely agree with this. As a CISO at the end of the day if you could write a check and demonstrate that you’re reducing risk in a quantifiable way, that’s where you want to be. It doesn’t matter who is on the other end of where that money goes. And so because I’m ex GE, I always think of this as a quad chart. There’s things that I’m going to have a core competency at. I want to keep those in house. There’s things that I don’t have a core competency at, and I want to find someone who can do that. And then you sort of look at that and say, “Okay, of the things that I want to outsource that I don’t have a core competency at, are those things highly idiosyncratic, high quality we want the best of breed, or is this something that looks more like a commodity?” Andy was talking about software supply chain issues. Hey, scanning code for vulnerabilities and open source libraries, that kind of feels like a commodity. Somebody going in and actually looking at very sophisticated capabilities and adding on security features, that’s something where you want to pay a bit more to get someone who really knows what they’re doing.
[David Spark] So, in the times that you have worked with outsourcing and also been a CISO at a company or even just working at a security company, was there a situation you realized, “We should have gotten someone to outsource this a lot earlier.” Like you don’t realize it until you incur the own pain and you’re like, “Oh, let’s just get somebody else to do this.”
[Quincy Castro] Not quite that, but I would go a step further back and say I think where I’ve seen challenges is not having a deliberate strategy around these things and letting circumstances and kind of the needs of the business dictate this. And if I think about what I was talking about with the quad chart, to me coming in deliberately and saying, “Here is our assessment of where we’re at. This is what needs to get outsourced,” and then driving that over time to get you from maybe where you’re at today to that more mature and more capable, more cost efficient way of approaching risk.
[David Spark] What about you, Andy? I’ll throw it to you just quick. Was there a situation like, “Why don’t we just have someone outsource this? Why do we go through this?”
[Andy Ellis] Probably the very first one that comes to mind is crises communications. That’s partly because when you have security incidents that need communications, you do things that are very different than every other type of incident. And somebody has to retrain the whole company that it’s like, “Oh, no, you have to be a little more open about this sort of thing but a little more closed about this.” And that can’t actually come from the security team. Nobody will believe you. It has to come from an expert. And that’s the capability they bring is they understand how to teach your executives about exactly what crises comms will look like.
[David Spark] I would also add to this is one of the advantages of outsourcing crises is that they’re not as close to the problem as you are, and they have a more objective viewpoint than you do.
[Andy Ellis] Right, and it’s going to be blended. It’s not like you get to outsource it and you don’t have to work in the comms at all, but you have an expert guide who they just do this for a living. They’re going to be very dispassionate and keep you on track and make sure that you get the best outcome for your business. But you want to have outsourced it before the crises happens.
What would you do if you were this CISO?
8:43.992
[David Spark] “When building a security program for a startup, how do you establish scope and requirements,” asked a Redditor on the cyber security subreddit who feels overwhelmed and doesn’t know where to start. So, the most popular advice in the post was quite prescriptive, but highlights are start with a simple framework like ISO27001 or NIST, write down policies and standard operating procedures, don’t use a template. Third, don’t worry about the technology in this very beginning stage and make it easy for people to review policy. Now, there’s plenty more, but this seemed like a good starting point for someone who is overwhelmed. We’ve had this question before, and one person argued it doesn’t matter creating a security program early on for a startup because whatever you build at the beginning is going to completely change assuming the startup will grow. So, Quincy, what do you think of this advice and the counter advice of whatever you create is going to completely change?
[Quincy Castro] I would take a little bit of a different approach here. Firstly I’ll say it does matter because if you go in and you do something that’s not suitable and you lose credibility, you’re out of there. They’re going to get somebody else in there to figure it out for them. I would zoom out a little bit from some of these more execution based points here and really think about strategy. So, Peter Drucker, who I really respect, [Inaudible 00:10:07] professor, famously said, “The first priority of an executive is you need to know what needs to be done.” And so if I were to give advice here I’d say your first task, get under the hood of the company. Understand how it makes money, why do people buy this company’s products, why are they going to rip out a competitor’s product and buy your thing and put it in there.
Because when you know that then you go around to your peers in the business, the other executives, and you try to figure out what are the security challenges you’re facing, what are customers saying about the security of our products. Do they like it? Are there problems? Is this interfering with us closing deals? What are the risks that we face? And what you’re trying to figure out is what are the security levers in this organization, in these products that I can pull that are either going to reduce risk for the company and hopefully make it more profitable in the future or influence revenue and cashflow and find those win/wins that are going to support that program. And so once you do all of that work then you should have a sense of what needs to be done. And now you go in and start laying out a strategy for what are the steps you need to take to get that program off the ground and to start generating value for the company.
[David Spark] Andy, I think this question is perfect for you because working at a venture capital firm, you’re working with a ton of startups. I’m sure this comes up often and this whole idea of being overwhelmed early on. What’s your advice?
[Andy Ellis] Yeah, so you’re going to be overwhelmed early on because you’re probably in your head, visualizing, “Oh, I’m going to be the CISO of this giant company. I have this massive security team.” But no, it’s just you. Maybe you have one other person.
[David Spark] Yeah, at the beginning yeah, there’s no team.
[Andy Ellis] And the first question you have to ask is, “Why did they hire me?” Because the answer is probably they needed somebody to hand compliance to because they can’t go to market without a SOC2. That’s your job – get a SOC2. Your first job is that. The build the security program is something you’re actually hiding from the business. You’re not being secretive about it, but you don’t walk in and say, “I’m trying to build a work class security program.” You’re here to say, “I’ve worked with product marketing and product management. They’ve decided the product features are we’re doing SOC2 this year. We’re doing PCI the next year. And we’re going for Fed RAM [Phonetic 00:12:21] over the five years after that,” because it takes forever.
Okay, that’s why you’re here. Now you might start with something like ISO27000 series, 27002. It’s like, “Here’s how I’m going to organize all of the controls we have in one fashion. And it’s nice, and it’s modular. And as I rip things out in two years, I can just rip and replace my security program to talk about why I’m doing it this way.” If I look at when I was at ACIMIO [Phonetic 00:12:47]… 21 years there. I wrote the very first security program document, and it lived and evolved for 22 years. We didn’t ever throw the whole thing away, but I’ll tell you we threw away almost every single piece of it at some point because we were maturing.
And Quincy’s comment about understanding what your business is doing is really important, especially because that’s probably why you’re being paid. Nobody hires security because they want to be more secure. This probably sounds very cynical, but people start hiring security either because they got breached and they don’t want to have that happen again or because they want to go to market with something where they can say that they’re secure, and you’re just a product feature at that point.
Sponsor – Okta
13:30.572
[Steve Prentice] Okta is a company that focuses on identity management. It, along with its product unit, Auth0, have both bee placed as leaders in the Gartner Magic Quadrant for their achievements. I asked Jameeka Aaron, who is CISO of Auth0 why phishing continues to be a constant weakness.
[Jameeka Aaron] I think that people are deeply curious, and so clicking is a part of our curious nature. You see something that looks very interesting to you, you want to know what’s on the other side of it. And so you click to see what’s there. I don’t think people will ever stop doing that. And so we really have to build technology around the people, around who we are as human beings and not necessarily always trying to change the behavior. Because we still understand that it’s still the most successful attack vector. And so that means that behavior is not changing, which means we have to adapt the technology to the behavior.
[Steve Prentice] That’s where the battleground is. It’s around protecting people, and their privacy, and their rights to own their identity exactly as it is. And as Jameeka points out…
[Jameeka Aaron] We are a series of products that are neutral that allow our customers to leverage our products to login everywhere from at their desk, from a workforce perspective to as a CIAM which is customer identity and access management. So, you’ll see… Well, actually I guess you won’t see. We’re behind some of the biggest logins of the biggest brands around the globe. We’re there kind of silently protecting the rights of the user, so that’s kind of what we do.
[Steve Prentice] For more information, visit Okta at okta.com.
It’s time to play, “What’s worse?”
15:05.816
[David Spark] Quincy, you’re familiar with how this game is played, correct?
[Quincy Castro] I am. We actually play this on my team sometimes.
[David Spark] Aw, that’s great to hear.
[Andy Ellis] You pause the podcast and make everybody guess before we give the answers? I love it.
[Quincy Castro] We have an assigned Thursday fun hour, and this is one of the activities that comes up frequently.
[Andy Ellis] David, we are mandatory fun.
[David Spark] I like mandatory fun. Let me tell you – we do a variation of this… I’ve done this with my friends is… Are you familiar with the original Match Game television show from the 1970’s, Andy?
[Andy Ellis] It’s been a while.
[David Spark] Oh my God, I’m a huge, huge fan. But the remake with Alec Baldwin is garbage, but the original with Gene Rayburn is phenomenal. But it’s one of those, “Silly Barry is so silly. Whenever he does this, he blanks.” And so you got to guess what…
[Andy Ellis] Oh, that’s right.
[David Spark] But I would play it with friends. We’d pause the video, and we’d try to fill it out and see who matches the most with Brett Summers, and Charles Nelson Reilly, and all the other celebrity guests as well. All right, just like “what’s worse.” All right, let’s get into this. As you know, Quincy, I make Andy answer first. Then you answer. If you disagree with Andy, I win. If you agree with Andy, he wins.
[Andy Ellis] And those of you who are playing at home or in Quincy’s mandatory fun meeting, you really hope that you agree with Quincy because he pays you.
[David Spark] Exactly. [Laughs] All right, this comes from Jonathan Waldrop of Insight Global, who’s given us many a “what’s worse” scenario. You use a hybrid model, meaning you have both Cloud and on premise resources. All right, here are your two scenarios. One, your Cloud environment experiences a significant incident, exposing all of your company’s customer data, but your workstations and on prem environment are not impacted. Okay? Or essentially the flip of that – your workstations and on prem infrastructure are involved in a security incident. So much so that you can’t trust any end user device on your network, not even to help respond to the incident. But no customer data was involved. What’s worse?
[Andy Ellis] The first one is worse. This one is easy.
[David Spark] Because it’s customer data?
[Andy Ellis] First of all, A, it’s customer data. B, it puts a strategic hiccup in my roadmap. If I have the Cloud breach but not the on premise breach, all of a sudden everybody is going to be like, “Oh, God, why are we in Cloud?” And so we’re moving backwards. If I had the on premise breach, I can’t trust end user devices, great. I’m going to the Apple store. I’ll just buy some more. I have fresh, out of the box devices. Let’s rebuild that entire infrastructure or get rid of most of it and accelerate our migration to the Cloud. I’m a happy camper. Jonathan, thank you for giving me one that I think is easy, and I hope Quincy agrees with me.
[David Spark] Quincy, do you agree or disagree?
[Quincy Castro] I couldn’t agree with that more. I would so much rather have number two…or number one. And being able to demonstrate good Cloud control and say, “Hey, look, we’re mature in here. We know how to run this environment. We have the artifacts to prove that your data has not been compromised. And yeah, we’ll just order everyone new laptops and just start over. Our outsourced response people can deal with the cleanup and stuff like that.” And off we go.
[Andy Ellis] And in fact every one of those on premise applications, our HR application that was on premise, great. We’re getting rid of it. We’re moving to a Cloud based HRIS. Everything is going Cloud based now because that’s the place where we clearly know how to operate as a business. I’m a Cloud native company overnight.
[David Spark] Do you know of any companies that have done that? Become Cloud native overnight just because they couldn’t deal with their devices?
[Andy Ellis] I don’t know anybody who did it that way, but I think we’re seeing people rapidly accelerating in that direction. We really saw it from COVID because you couldn’t deal with your data centers. You couldn’t get in to do basic maintenance, and so companies were like, “Oh, we had this plan to migrate to SAS. I guess we’re doing that now because we don’t know when we’re going to have a critical failure in the data center.”
If you haven’t made this mistake, you’re not in security.
19:07.440
[David Spark] Companies that hire cyber security consultants do so in the effort to create a partnership, but it doesn’t always work out that way. One anonymous listener who is a consultant feels that the companies ruin the opportunity for partnership because they fail to provide the following – timely or any communication, accurate information, goals and objectives, feedback, showing up for meetings, and maintaining timelines. The listener said, “I suspect that failures are often laid at the feet of the consultant who might not be present to defend themselves, and security leaders may not realize how their teams are mismanaging consultant services in a manner that limits any potential for true partnership. How can I as a consultant whose job depends on the good will of my clients get them to treat me like the partner they say they want?” By the way, I’m trying to make this impassioned because it was a long impassioned response. This person is very, very frustrated. I’m going to start with you, Quincy. What would your advice be here?
[Quincy Castro] Sort of two points on this. The first one is I think what consultants miss is sort of the politics behind why they’re being brought in for something. And so…
[David Spark] And they may never see that.
[Quincy Castro] No. I think there’s probably a lot of listeners out there who are thinking through times when, hey, they’ve brought in a pen testing team to go smoke test a product. They’re really gun ho to see this thing get the stuffing kicked out of it, and the team that made it said, “No way. At best we’re going to drag our feet and try to drag this out.” Because at the end of the day they know the results are going to get dumped on them. And so the consultant comes in and kind of says, “Okay, let’s go.” And you’ve got competing interests in there creating this friction around the engagement. The advice here… I think it’s all about organization and about managing your engagement partner. And so going through at the beginning of the engagement saying, “Hey, these are the objectives we think we’re here to satisfy. This is what we think we’re supposed to be doing. Here is our timeline and our roadmap for this engagement, and here is how we’re going to measure success on that.” Then sitting there with the CISO or whoever has brought them in to check that progress. When there’s blockers, say, “Look, I’m not getting people in these meetings. I’m not getting responses to these questions. I’m not getting the data I need here. If you want this to be successful, go unblock this for me and figure this out.”
[David Spark] You need a champion for you. Andy, what’s your advice?
[Andy Ellis] I think Quincy is talking about like tactical consultants. “I hired you to do a task.” But there’s also the consultants who get hired as like come in and tell you how to redo your security program. I think there’s a lot of difficult tensions there. Sometimes they’re not hired by the CISO, and the CISO is like, “What are you doing here?” I’ve seen ones who are like hired by the CIO to talk about the CIO’s program who came in and was like, “Here’s a set of recommendations for how you should change your entire security organization.” Let me tell you, you’re not going to get a lot of engagement where you didn’t talk to the security team at all, and now you have this report that’s going in front of the board that says, “Oh, about the security team, you don’t need them anymore.” A lot of management level consultants pretty much come in, and they’ve already decided what they’re going to tell you to do.
They have their formula. “Here’s how you should build your program. We’re not actually going to look at your program or your company.” All the things Quincy said in the earlier segment you should do like when you’re just starting your security program they don’t even do. They just come in. they do a bunch of interviews to say, “Oh, look, this person agrees with our point 17, so let’s make 17 point 2 instead.” And then they’re just producing a, “Look, we’re a big four firm, and we’re going to tell you here’s the 15 best practices that every security team should do even if they don’t apply to you.” And then they’re going to complain that they’re not getting engagement on the other side of it, but the reality is they’re only there because somebody in management thought you should have a third party tell you what to do.
[David Spark] Does spelling this out in a contract early on help, or is it it’s like nobody pays attention to what the heck they said in the contract and whatever goes goes? Because in contracts I’ve said, “Hey, if you want this to be successful, these are our responsibilities and your responsibilities are these things.” But do you think that holds any water when you really get to work?
[Andy Ellis] Well, I guess the real question is what does both sides think success is. If you’re the consultant, you want to get paid. Success is you got your check.
[David Spark] No, but he makes a point that says my job depends on the goodwill of my clients and the fact that I have happy clients and successful clients. Because I’m sure… Most consultants work off of referrals.
[Andy Ellis] Well, that’s getting to kind of the next job, so that is a piece of continuing to get a check is that your client is happy. But what does happy actually mean for them?
[Quincy Castro] Right, you can’t spell out goodwill in a contract. If you’re at the point when you’re going back to the contract and trying to say, “Did you do this thing?” You’re not getting the value out of that that you wanted to.
Should you hire this person?
24:08.604
[David Spark] This is a great topic that Nick Ryan of Baker Tilly brought up, and that is what are the interview questions that you ask that reveal the most about a candidate. Now, Nick said that his favorite is, “Is it ever okay to tell a lie?” Because cyber security is about trust and integrity, and ideally what he wants to hear is a no. But sometimes there’s a long way to go to get there.
[Andy Ellis] I used to hold the clearance I was required by law to lie on a regular basis, so the answer is yes, it’s okay to tell a lie. Because if I for instance knew about aliens in Area 51, and you asked me about it, I didn’t say, “Oh, that’s classified.” I’d say, “No.” I don’t like that question.
[David Spark] Well, Parker Brisette… Here’s a few other good quotes here. You can tell me which ones you like and which ones you don’t like here. We already know you don’t like the lying one. But Parker Brisette of GRSee Consulting adds a variance to his question, is, “What’s the difference between honesty and not lying?” And Brian Gibbs of Worldwide Technologies said, “What’s the worst mistake you have ever made in your professional career, and what did you learn from it?” And lastly Kathy Kolenko said, “How do you start your day and structure it?” And she argues many don’t. So, I’ll start with you, Andy, here on this. I know you don’t like the first one. Do you like the variance of that one?
[Andy Ellis] I actually like the fourth one. Kathy’s question is fantastic because this is about how do you do the job. And you get a lot of insight into whether people have people skills and process skills from how they’re going to answer that question. And in cyber security, all too often we focus only on technical skills, and you can’t get the job done just with technical skills. I don’t like Parker’s question – the difference between honesty and not lying. Boy, is that a semantic trap waiting to happen. I think I can speak very coherently about integrity, and honesty, and lying. And if somebody asked me that question in an interview, I’m on the defensive already. I hold a lot of personal power. I can’t imagine how that question would feel to somebody who’s junior in the career field.
This is a great conversation to have in career development – “Hey, let’s talk about how we view these things.” If you’re looking for someone who’s going to fit your definition of integrity then you need to define integrity and tell them what it is. Like, “Integrity to us means the following, and that’s one of our core values. Here’s how we hold it up.” Yada, yada, yada. The third question, worst mistake you made and what did you learn from it, I used to use this one all the time until somebody pointed out to me that when you’re hiring somebody who maybe is from an underrepresented minority that they will feel this one again as a trap. Of, “Oh, hey, make yourself extra vulnerable here in this situation you’re already vulnerable.” The, “What did you learn?” Those are great ones. Like, “What was a bad day? What was a bad mistake that your business made, that your team made, and what did you learn,” so that they can externalize. They can be very vulnerable themselves like, “Oh, here’s what I did wrong.” But this one can be very dangerous, so I’d be very careful about where you use that.
[David Spark] I didn’t think about it from that angle. But no, I’m all for just how do you deal with a bad day, period.
[Andy Ellis] How do you deal with things not going the way they were planned, and you’re surprised…
[David Spark] Which happens plenty.
[Andy Ellis] It happens all the time. Like give me an example, and what did you learn from that.
[David Spark] All right, Quincy, I throw this to you. Andy barely had an opinion on any of these, so…
[Andy Ellis] [Laughs]
[David Spark] …unfortunately… I’m hoping that you’re going to bring something.
[Quincy Castro] I like what people are trying to get at here. But, look, no one thinks that they’re a bad person. I’ve had to fire people for lack of integrity, dishonesty, things like that. They don’t think of themselves as bad people. They’re dealing with circumstances, and they’re trying to make the right choices in their mind. So, I don’t know that you get peoples’ actual honesty and integrity by just asking them about it. I’m a big fan of interview questions that involve thinking through a scenario and talking through how they’d approach something. Imagine that you’ve got a bunch of technical debt, and you start reporting it, and the company responds by hammering you on why these vulnerabilities you’re finding aren’t getting closed.
What do you do with that when you face this personal pressure to get results? Again, I don’t think that’s a perfect question, but having someone game out how they’d respond to a scenario I think one, tells you about their critical thinking skills and their ability to kind of think on their feet, but also you’re looking for them to bring in previous experience, stuff that they’ve seen in the news or whatever and say, “Well, hey, here’s how this company dealt with that, so maybe we try something like that.” Or, “Tell me more about this because I’d want to know this before I come up with an informed opinion here.” And to me that ability is a lot more important than just whether someone answers a discreet question the right way or not.
[David Spark] All right, I’m going to close here by asking both of you – give me one question that’s not one we’ve addressed here that you think reveals the most about a candidate. I’ll let you go first, Andy.
[Andy Ellis] So, I actually like to go a little bit outside the bounds and say, “Talk to me about a technology that you find really exciting and why.”
[David Spark] I like that one. And what have you learned from that? I’m assuming you’ve learned about new technologies you didn’t know about.
[Andy Ellis] I’ve learned about new technologies. But often times the best answers, the ones that really gave me deep insight, were about really simple, basic technologies. I had one person once extol the value of a toaster. Like they basically talked about, “Think about the toaster or the toaster oven specifically. Minimal use of energy to maximize how quickly you get food prepared, what a time saver it is. It fits in…” And basically just went on for like ten minutes about the marvel that is the toaster oven. When you think about it, it’s one of the best kitchen appliances ever generated. Best thing since sliced bread probably. They got excited about a technology. And if you can get excited about one technology, you can get excited about any other. The excitement is there. But I’ve had people who just sit there, and they’re like, “Technology just doesn’t excite me.”
I’m like, “Well, I’m a tech company. That’s a problem. You’re not going to show up at work and be excited about our technology if you’re not excited about any technology ever.” Now, it’s not a veto question because I recognize it’s off the wall. It surprises people, so you should recognize that if you’re not paying somebody to think on their feet that if they weren’t able to think on their feet don’t veto them. So, always recognize that any interview question if you’re surprising people with it is one which is potentially you’re going to get a weird false negative answer. A similar one that people who work for me ask that’s become very public is when you type the URL into a browser and hit return, what happens. And what’s fascinating is you’ll get people will talk about keyboard interrupts. You’ll get other people who are going to talk about DNS. There’s a whole spectrum of things people could talk about, and they’re all right answers.
[David Spark] Does anyone talk about the elves that run through the wires?
[Andy Ellis] No, not yet.
[David Spark] Not yet? Oh, well, that would be my answer. [Laughs] Quincy, your best question to ask.
[Quincy Castro] I like asking people how they keep up with what’s going on the field.
[David Spark] Well, obviously listen to the CISO Series and Cyber Security Headlines.
[Quincy Castro] Well, obviously, yeah. But I’m surprised how many times people will say, “Well, I don’t really do that.” Or, “I don’t have a good answer for that.” And you think, “Well, hang on a second. If you’re not keeping up with what’s going on in the field you work in, why would we bring you into the company? You own the expertise on this thing we’re hiring you for. You’re here for a reason. How do you know that you’re up to date on stuff? How do you know what the latest practices are? How do you know what companies like us have been impacted by, the work that you’re supposed to be doing?”
[David Spark] That’s a good point. Now, I will quote… And I’m trying to remember who said it, but one of our past guests said for an interviewee, he said ask the question at the end, “Was there any question you felt I didn’t answer well enough?” And I thought, “That’s a great closing question.” It gives you a second chance. So, if they have a bad answer to the questions you have, well, give them another chance to roll at it.
[Andy Ellis] That’s a great one.
[David Spark] Yeah, I love that.
[Andy Ellis] Actually I want to… On that point if you’re an interviewee, you should recognize that you are interviewing the company as to whether you want to work for them. And you get to ask questions, and you get to promote yourself as well. Like the power relationship is not just in one direction. It is actually in both directions.
[David Spark] We just recorded with Caleb Sima, who is the CISO over at Robin Hood, and he said with his interviews he says, “This interview begins with you interviewing me.” He said it starts that way.
[Quincy Castro] Yep, I like that.
Closing
32:55.909
[David Spark] Now, this brings us to the end of our show. And huge thanks to both Quincy and Andy. Quincy, I will let you have the very last word here. But the question, as you know, I ask all guests is are you hiring, so make sure you have an answer for that one. I do though first want to mention our sponsor, Okta. If you’re listening to the show and you don’t know who Okta is, I believe you entered security yesterday. Possibly. Possibly. And you’re going to learn about Okta eventually. But for those of you who obviously know about Okta would like to probably know more, so go check them out at okta.com. Sometimes I don’t sense that I’m spelling things correctly. I can’t say 2022 correctly because I don’t know how many two’s I’m mentioning when I’m just mentioning the year.
[Andy Ellis] The problem that I have with you spelling out their name is you’re like O-K-T-A-H-O-M…
[David Spark] Sorry, I’m not going to sing that song. But thank you very much, Okta, for being a supporter and sponsor of the CISO Series. All right, Andy, any last words from you? I’m assuming all your portfolio companies are hiring, yes?
[Andy Ellis] Yeah, we’re all hiring, and YL Ventures has a job site, jobs.ylventures.com. So, one place that you can go looking. I’ll do a shameless plug for my book out in five months.
[David Spark] In five months? I’m sorry, what is the title of this book?
[Andy Ellis] “One Percent Leadership – Mastering the Small Daily Habits That Make for Great Leaders.”
[David Spark] And as someone who has got to know Andy even better over just…in our podcasting but I’ve known you for a few years prior because I’ve interviewed you in the past, if you have not heard his wisdom on this show, he’s packed with it. Just packed with wisdom. I’m sure this book is packed with it as well.
[Andy Ellis] Well, in fact one of them, Quincy just talked about in the interview questions when he said people don’t see themselves as being the villain. Chapter seven is don’t borrow evil where it wasn’t intended. All too often people assume that somebody who did something they don’t agree with was a villain, and so there’s a whole lesson about adopting the mindset that Quincy just suggested. So, Quincy, thanks for the plug.
[Quincy Castro] You’re welcome.
[David Spark] Quincy did intend that. All right, let me also remind everybody that our guest today was Quincy Castro, who is the CISO over at Redis. They are redis.com, correct, Quincy?
[Quincy Castro] Correct.
[David Spark] That is correct. So, first of all, are you hiring?
[Quincy Castro] I am. And if you go over to redis.com/careers you’ll see what we’re hiring for.
[David Spark] All right, go check that out. And will it matter, Andy and Quincy, if someone contacts you and says, “I heard you on the CISO Series podcast, and I’m interested in job X.” Does that hold any water?
[Quincy Castro] Yes, it does.
[David Spark] Andy?
[Andy Ellis] I’m just going to refer you to our HR person, but I’ll do it a little more speedily.
[David Spark] You see? So, it does have some value here. All right, Quincy, I’ll let you close. Any plugs for working with you, Redis, the show, any of our topics? Go for it.
[Quincy Castro] Yeah, find me on LinkedIn and hit me up. I’m always happy to talk to people that are coming up in the field and want to speak about what the CISO experience is like.
[David Spark] Well, we appreciate you sharing your great wisdom here on our very show. Thank you, again, Quincy. Thank you, again, Andy. Thank you to all our phenomenal producers. Aaron Diaz is here watching. He’s one of our fantastic producers, and there’s also Andrew Freels and all our editors as well. There’s a lot that goes into making these shows, so we greatly appreciate it.
[Andy Ellis] They’re the reason we sound good.
[David Spark] Yeah.
[Andy Ellis] You should hear what we actually sound like when we’re recording. We don’t sound this coherent.
[David Spark] Our audience should know that the timeline… We use Adobe Audition to edit. Has many, many, many, many cuts in it because it’s all designed to make us sound even better than we normally do. Which you sound…
[Andy Ellis] Not a hard task.
[David Spark] As did you, Quincy. Let’s wrap this sucker up. Thank you very much, everybody. We greatly appreciate your contributions. Keep them coming. What’s worse scenarios – ones that are not so easy for Andy. And no slam against you, Jonathan. No slam. I thought anything that has to do with like you lose the data versus anything else, kind of lose the data always wins in terms of what’s worse. My feeling. Thank you, everybody. Please keep the contributions coming in. And we appreciate you listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meet Up, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.