We Need to Hire a Unicorn But We Only Have Budget for a Donkey
Everyone wants to nail their first cybersecurity hire. But it's an incredibly daunting task. You likely don't have the budget for the perfect employee who can do everything you need. So how do you find someone who can do the most good?
This week's episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Jason Shockey, CISO, Cenlar FSB.
Ground the SOC in communication
Communication remains a significant challenge in cybersecurity. As Thomas Kinsella of Tines cited, a recent study found that 18% of SOC practitioners rank communication as the least enjoyable part of their job. That figure may look small, but it should be far smaller: if nearly one in five of your employees struggles with communication, that is a recipe for disaster. The SOC would benefit from hiring communication professionals and project managers to create templates and norms that streamline interactions between engineers and other teams. CISOs must be able to translate technical language empathetically for both engineers and executives. If you want communication to succeed, tell compelling stories that resonate with the listener.
Training and mentoring talent
Are unnecessarily high barriers creating our talent problem in cybersecurity? SideChannel CEO Brian Haugli pointed out that ransomware groups have low thresholds for participation, which raises the question: why are we disqualifying so many candidates with stringent degree and certification requirements? HR and security leaders share responsibility for setting these restrictive job criteria. Training and mentoring employees are critical to retention and to helping them grow into the positions you need most. The corporate world has built a rigid system in which certifications and degrees are often required, partly because of legal and visa issues, but these requirements can be worked around with parallel job tracks. Training and development should be central to management, and the best leaders help their whole team grow, not just those with technical prowess.
Nailing a first security hire
A startup's first security hire is a big decision. You have a lot of needs but limited resources. Hadas Cassorla, JD, MBA, CISSP, fractional CISO, Scale Security Group, argues for the efficiency of hiring a fractional CISO to build out a security strategy, manage risk, and establish board relationships without the cost of a full-time role. Generally, a fractional CISO is better suited to short-term consulting, like writing policies, than to serving as a long-term solution. The first hire should be hands-on, solving immediate security issues and delivering day-to-day results. Having someone internal is vital for focusing on the company's needs and satisfying regulatory requirements. While a fractional CISO can help with setup, an internal security manager or director is crucial for the ongoing, practical work, with the option to bring in a fractional CISO later for specific tasks or board engagements.
A case for optimism
Considering the rise of ransomware, state-sponsored attacks, and AI-related risks, finding reasons for cybersecurity optimism can be hard. Ross Haleliuk took that challenge head-on in a recent blog, offering reasons for optimism such as the increasing prominence of the CISO role, improved security practices like bug bounties, and greater international collaboration. Strong villains make stronger heroes, and a new generation of AI tools can fill gaps in cybersecurity defenses and help elevate the role of CISOs. Even the growing risk profile for CISOs is a positive sign, because it reflects a thriving, more connected economy. When handling pessimistic employees, channel that negativity constructively, whether by assigning them to focus on worst-case scenarios or by steering them toward rational, solution-oriented perspectives that improve cybersecurity defenses.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven't subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Jordan Vint of the United States Marine Corps for providing our "What's Worse" scenario. Thanks, Bitdefender.
Huge thanks to our sponsors, Bitdefender
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
"Form follows function. If you create a properly functioning information security program, it can actually adapt to the emerging threats and integrate with the business landscape." - Jason Shockey, CISO, Cenlar FSB
Listen to the full episode of "We Need to Hire a Unicorn But We Only Have Budget for a Donkey."
Defending Against What Criminals Know About You
"You're not going to be able to respond to the needs of your business, you're not going to be able to respond to the inputs, whether it's from threat intel or from a change in the org structure. And so I love this idea that in order to shift left, you have to respond to things as they happen, and the best way to do that is automated." - Damon Fleury, chief product officer, SpyCloud
Listen to the full episode of "Defending Against What Criminals Know About You."
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David B. Cross, SVP/CISO, Oracle. Thanks, Dropzone AI.
Thanks to our Cyber Security Headlines sponsor, Dropzone AI
Join us TOMORROW [11-01-24], for "Hacking Your Cyber Brand"
Join us this Friday, November 1, 2024, for "Hacking Your Cyber Brand: An hour of critical thinking about building how people see your company in this industry."
It all begins at 1 PM ET/10 AM PT on Friday, November 1, 2024, with guests Gianna Whitver, co-founder and CEO, Cybersecurity Marketing Society, and Andy Ellis, partner, YL Ventures. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
CEO @ SideChannel | Protecting SMBs & Enterprises with Enclave & RealCISO | Wiley Published Author on NIST CSF
3 weeks: Thanks for the shoutout. Credit goes to vx-underground on Twitter.
Great dad | Inspired Risk Management and Security Professional | Cybersecurity | Leveraging Data Science & Analytics. My posts and comments are my personal views and perspectives, not those of my employer.
3 weeks: Always, donkeys are more reliable than the unicorns. The issue often occurs when cybersecurity leaders focus on finding a superstar instead of developing the people they already have or hiring someone to tackle a specific challenge/issue effectively.
Great conversation! You can only imagine my surprise as I was halfway through my first cappuccino and finishing off a few morning emails, when suddenly I hear David Spark mentioning my name in my ears! Here's what I wrote about fractional CISO hiring: https://www.dhirubhai.net/pulse/youre-screw-up-your-first-security-hire-cassorla-jd-mba-cissp-zww1e/?trackingId=R%2BEjb2ZzR1G99wI1UIbtUg%3D%3D While I think Andy Ellis is right that a newer company doesn't need to focus on security (their focus should be growth), I think his model of a vCISO is outdated. It's predominantly why I use the term Fractional CISO. If all you need is a policy set, you don't need a CISO. If you need a security strategy that aligns with and supports your company's growth, you probably could use more than just a really smart security engineer. It does help in those stages to bring in a fractional CISO, with CISO experience, to set you up for success as you build out your program. I also think it can be true, as Jason Shockey stated, that companies prefer to have someone who is a part of the company. But, as a fractional CISO, I consider myself exactly that. And, as I state in my article, the benefit is getting the expertise I have at a cost that is affordable.
Fixing your business resiliency before it hits your bottom line.
3 weeks: And in hiring that donkey the business winds up flat on its ass having learned nothing in the process.
An experienced contracts, risk, and compliance leader. As a conscientious risk professional, I keep public profiles intentionally vague to minimize the risk of phishing attacks.
3 weeks: Interesting and insightful article, David. I'd like to add that the use of AI in sorting resumes and applications may also be a hindrance to finding the elusive unicorn in a donkey world. There are those out there who have amazing soft and hard skills and are being auto-sorted out of the marketplace. Where an internal recruiter may be able to parse the nuances of a candidate to better determine their fit, these algorithms are placing bullet points over those nuanced differences. If you need a robot, hire a robot to sort your resumes.