
BSidesSF 2023 - First Security Hire: Building a security roadmap and team from scratch (Loden, Alcock, McBryde, Coolidge, Hanaford)

BSidesSF · 2023 · 50:34 · 614 views · Published 2023-05
Category: Career
About this talk
First Security Hire: Building a security roadmap and team from scratch
Speakers: Reed Loden, Tom Alcock, Mike McBryde, Coleen Coolidge, Kevin Hanaford
With more early-stage companies looking to invest in building a security program and a culture of cybersecurity, we speak to industry experts who have been on this professional journey.
https://bsidessf2023.sched.com/event/1IKX8/first-security-hire-building-a-security-roadmap-and-team-from-scratch
Transcript [en]

Well, first and foremost, it's great to be here at another fantastically run BSides San Francisco. Thank you, Reed. He just did something pretty baller, which was he came off his microphone and went, "Speaker, I'm about to..." My speaker engagement read-out, which is pretty cool. But yeah, great to be here and great to see so many familiar faces in the crowd, so thanks for coming down to listen to us on a Sunday afternoon. My name is Tom Alcock and I'm one of the partners at Code Red, which is a cyber security staffing firm, and I get a great opportunity today to moderate this incredible group of panelists, where

we'll be discussing the first security hire. We'll be discussing how each of the panelists thinks about scaling a security program, roadmap and team from scratch. With more companies and early stage companies looking to invest in security and building a culture of cyber security, we get to hear from industry leaders that have already been on this professional journey. Before I get started, I'm sure a lot of the audience would love to hear from some of our panelists and the experience that they have as first security hires, so we'll probably go from the end. Mike, if you want to kick us off with the introduction and a little bit of your experience, that would be great. Rock on.

Hi, I'm Mike. I run security and IT for Temporal Technologies, a nice little B-stage startup. Yeah, I've been there for about two years, getting the team a little bit bigger and hiring people away from Colleen, so that's fun. [Laughter] Hi, I'm Kevin. I lead security at Discord. I've been there for about two years, in security for about too many, six or seven, something like that, incident management and NOCs before that, but an interesting career. Hey everyone, Colleen Coolidge. I was formerly at Twilio and Segment as the CSO, but I've been in security since like 2005, so do some math and figure some things out. Too long. I haven't actually been the first

security hire; sometimes I've been the second or third hire, so I'm not the first person in, but I do have some advice which might be helpful. Hi everybody, I'm Reed Loden. I'm the VP of Security for Teleport. I also lead BSides San Francisco. I've been at Teleport a little bit over a year now; previously I was head of security for HackerOne and several other companies as well. Cool, thank you. Not a bad lineup for this afternoon, is it? Pretty impressive. Great stuff. So we're going to explore some questions about their experience and hopefully share with everybody in the room some wisdom, and hopefully people can take away

that into their different roles. Is there anybody in the room that is on this journey, where they're maybe a first security hire at an early stage company and looking forward to getting some helpful hints and tips this afternoon? Yep, a couple of hands around that I can see, one at the back. Great stuff, good stuff. We'll jump straight into some of the questions, and I think a question that comes up very commonly for me, with maybe some of the VC intros that we get or early stage companies that are really interested in where to start, is, I guess, the first question to you all: when is the right time for a founder, CEO,

CTO to start thinking about making their first security hire? Yeah, go ahead. I would say that, I mean, definitely security is, unless you are building something that is actually a security product at heart, you want to get product-market fit first. You want to make sure that whatever you're doing is actually going to work. Now, once you get to that point, then, okay, now let's make sure we can actually secure it and everything else like that. No, you shouldn't just ignore security, obviously, but generally you're not seeing a full security team being built out at a seed or a Series A company. And so I think that: make sure you

have a product and that it's something that is going to sell, and then you're like, okay, how can I make sure, based off what I've already been doing, to actually build on that and make sure that everything I'm doing is secure. A lot of times security then can also include things like compliance. Selling SaaS, especially nowadays, is going to require you to basically be SOC 2 or ISO 27001 certified, and so it's kind of like a day one kind of thing there. So that's where the security person is going to help you out on that. So I mean, I think that if you're a tiny company, if it's 15 people or 10 people,

you know, I'm not really sure you want to go out and, like, I feel like I'm betraying the whole security industry, but I'm not sure you want to go out and hire a large security team, because, as he was mentioning, you need to make sure that there's product-market fit and that there's a chance that people are going to pay you; otherwise the company's just not going to be around six to nine months from now. Ideally, at a company that's small, even if you don't have a security person or you're the only security person, I think the best use of your time is educating the rest of the 15 people in the company to

think the way that you do. Maybe you teach them how to threat model; you curse slash gift them with some of the paranoia that we all have, so that they develop eyes in the back of their head. So it's not just you trying to chase after 15 people to make sure that they set up everything perfectly, but you give them that little curse, and then they will make your life a little easier, and your future security team's life. So I say put it off until you're pretty sure the company is going to survive. Yeah, the way I've explained it in the past, it's like when you're a Series B company, Series A company, like

the biggest risk for you is not making a sale, right? You can't make the sale, you can't get the revenue, you can't make your board happy, your next funding round is worse. Like, that's the biggest risk. And so, when you're talking to customers, when you're talking to stuff like, are you getting blocked on security? Are you starting to get to the point where they're like, hey, you need to start getting good at SOC 2, or you need to start getting better at communicating with us, or, hey, let me introduce you to your security architect, and now you have the CTO talking to a security architect, and that sometimes goes horrifically. So

like, when you get to that point, that's a really good time to be like, okay, now we need to hire someone full-time to come in and start getting a handle on this. Yeah, I think to add to that, there's some amount of it where security can be a shared responsibility for some lifespan of a company early on, and then at the point at which it becomes, like, additively some full-time employee's worth of time, that's probably a good time to start thinking about it. Yep. I think for me, what we see commonly is a lot of intros to Series A companies; the board or the VC that have

recently invested in them are saying you need to make a first security hire, and there's a recruitment agency, it's a nice search to work up. And actually when you start meeting with the CEO, CTO, whoever it might be, you do a kickoff call, and very early on in that discussion it's, we want a security person, and actually by the end of the call they're a sales person. They're there to support on some GRC, but really it's sales enablement, and it's not building a culture of cyber security or growing out engineering, working with engineering to build SDLC into the development life cycle. And that's kind of, it's a necessary evil, but I'd much prefer for a

company to maybe use a tool to support on the earlier areas of that, and then maybe raise, get to Series B, and then invest in their engineering function. So is that something that you've seen throughout your career? Yeah, and just to add on that piece too, if you are in need, like if your board or somebody's coming to you saying, hey, we absolutely have to do these things, it still may not be the right call to hire a security person immediately at that point. There are firms that do, like, outsourced security as a service. It can be your, like, CSO-for-hire kind of thing, CSO-as-a-service kind of thing,

and that's not a bad thing for a very small company that's still trying to get it, like, hey, you need to check some boxes in order to sell some stuff. That's not a bad thing. And then obviously as you get bigger, you should 100% hire at least one security engineer to actually do this stuff. But yeah, to be honest, I think leveraging companies like that actually makes being the first security hire a lot easier, because you come in and somebody kind of already understands what's going on, or there's an infosec policy or something you can follow, as opposed to just getting plopped in the middle of this product

and they're like, all right, discover everything in 90 days. Like, oh, that's not happening. Yeah, good stuff. This could be a bit of a spicy take depending on people's different career paths, but typically what would you say individually you think is, I guess, the right type of profile for a Series B to C technology company, so a SaaS technology company? And I'm sure there's going to be a lot of "depends" here, but yeah, the first typical hire, the profile or the background that they would have had, and kind of the experience that they have to take on that first security role, head of security, whatever that looks like. I would always go for a,

I would call them a standard security engineer. And so when I say engineer, this is somebody who codes and has a lot of developer and engineering empathy. It depends. I think it depends on the space that you're operating in and where most of your problems are, but if I had to pick without knowing anything, I'd probably, like, maybe get yourself a cloud security engineer who has talent in appsec as well, so they can do dual. If your company's 15 people, there's no room for somebody to just say, I only do cloud security and I don't do anything else, I'm never on call, I can't help with closing deals. You should

fire that person, or just not hire them in the first place. But I'm thinking that their cloud security is probably a mess, and then start working up the appsec pieces of it. Yeah, 100% agree. Some type of security generalist is needed as kind of your first hire, somebody who's not afraid of getting their hands dirty. You want somebody who's definitely way more of an IC, individual contributor, than, like, a manager type. You want somebody who is not afraid to work very closely with engineering. In fact, I'd say it's very critical that the better the relationship that you build with your engineering team now when you're small, it's going to make your life so much

better in the future, because you always hear of the, like, oh, security made me do that, or security said no type stuff. Well, if it's a partnership, collaboration from day one, then that makes things so much easier, because in the end they learn this and then they just do the right thing without you having to say anything. It's magical. And I'm going to echo again something that Colleen said, which is that technical chops are awesome, and being able to dive deep into technical things and doing things are awesome, but the communication skills are also incredibly important, especially early on, because you're going to be building

relationships, you're going to talk to customers, you're going to be doing all sorts of other things, and if you're just, like, the security troll under the bridge, right, nobody, you're not going to be successful, right? You're not going to be able to be valuable to the business you're in. So the security troll can be your second hire, third, all right, third, because you need the second hire to communicate for the third. Diplomat. Good stuff. Well, pretty consistently engineering, right? Yeah, that's what I'm hearing. There's a really great panel conversation I came into earlier today, actually in this room, and it was pretty consistently talking around

the reporting line, which we could spend a lot of time doing, so we'll move away from that question, but it was pretty consistently saying that it should report into the office of the CTO, VP of Engineering, and I think each and every one of you feel the same way based on kind of a reporting line. Good stuff. Well, ahead of today, I asked everybody a question, which was, what would you advise your first four hires to be? So you've got the hot seat, you just started a security program, you're excited, you're kind of thinking about what those four hires look like as you're building out

the roadmap, and I got them to DM me individually, so I thought we'd have a little bit of fun this afternoon. If you've worked with people on this panel, please get involved and think how they would think about those first four hires. But I'm going to open up a couple of envelopes and we'll see. I'd also like for you all to try and get each other a little bit, so if that's okay. Yeah, so I'll open what's under envelope one. Well, that one's Reed. [Laughter] I think the answer is "it depends". Yeah, I did write that ahead. Yeah, it definitely depends, as a variance. So there's going to be kind of a little

bit of nuance to each of these, but who is this? First hire, this is a little bit of a spicy one, but I get why: a senior staff level engineer, infra or backend, with a little bit of cloud experience. Second hire: a staff level application security engineer or appsec lead. Third hire: infrasec or appsec, it's probably better than our faces, isn't it? And then fourth hire: a security manager supporting on the IT security perspective. They put in brackets: I'd be looking for a bias for security software engineers over anything else. Oh no. [Laughter] Yeah, that was me. Going to talk about it? Yeah, I hear your thought process, right? Yeah,

I mean, we kind of talked about this a little bit earlier, but somebody who just comes in and focuses purely on, like, I'm just going to look at the code, nothing else, is probably not going to be super useful as this first hire. In my experience, having somebody who has enough experience or exposure to cloud and infrastructure can help with most of the backend stuff. If they're a software engineer they can help with some of the code, if not the majority of it, and then typically the tool sets in, like, cloud management and whatnot are very similar to the IT security side of things, so you can get kind of that generalist

out there while having deeper experience in the cloud and infrastructure, where things can really, really go wrong. I think especially if you have a product that's out there, you already probably have people hacking on the front end, so people are emailing security@ if they found bugs anyways, or we have a bug bounty program, maybe they're doing that, but most of the time you're not getting a lot of exposure to what kind of flaws you can have in the backend. Thanks, Kevin. Tristan, all right, no, let's keep going. I want to see where people go and then we'll get spicy. Yeah, if we get spicy dollars, this is good. So, first hire: cloud security engineer,

second: appsec engineer, third: CERT engineer, and then fourth hire depending on the need; you'd start based on one, two and three, wherever the gaps are. Then I had to quote some of this because it was great: I would expect a lot of working collaboratively and a lot of crossover across different functions, and this is a great line: none of that "it's my department". A little bit of a spicy take: they don't need a GRC person, but have your engineers that can support on different tools like Drata or Vanta. Who do we think that is?

Was it the BS that gave it away? I guess I don't play poker with you all because I'll just lose. Okay, yeah, so then, I do think your cloud, second appsec, that's a dynamic duo. And at some point there have already been incidents, maybe nobody knew about them, and so a CERT person does need to come in there. But I would say as a caveat, like, if it's a very small company, please have your CERT person be able to code. They should be a combo of, like, detection engineer slash CERT, and should be figuring out ways, like, how do I not make myself crazy.

I need to make this so that it's everyone's responsibility. When they build something and it causes a problem, I have to take care of it. Like, they should get tired of that quickly, and then imbue knowledge on the rest of the folks. And then when it comes to person number four, it would be time for maybe even the team itself to evaluate, like, do we need more help when it comes to appsec? How's our education? Like, could we benefit from having another, like, person four being appsec person number two, and really making sure that everybody understands what secure coding is like, and maybe even getting to your sales engineering organization and

putting them through secure coding. Just get everybody, just again, it's push the curse of the security person onto as many people as possible. If they're already fairly aware, I was fortunate enough to work at a company, Segment, where before we came in they had done some stuff. They'd already preconditioned themselves to hear what we had to say and were looking for our approval constantly, which was bizarre. It was a great experience to have, but I'd never had that before, and so we decided that doubling down on education would be really helpful, because people wanted to sit in those classes. They got mad if they missed something, if the CTF was over too soon.

Again, bizarre, but I hope each one of you gets one of those experiences where people love the security team and everything that's being taught so much, because it validates you; you'll want to come back for more. And as far as the GRC, I'm mixed on this, because I do see the need for it, but I would shake my head at a team that's like 40, 50% GRC, that's what they do, and the rest are, like, your security engineers, because there are some great tools out there, as I mentioned in the note, Vanta and Drata, which will allow the existing security engineers to go through, like, if your sales team

is putting pressure and saying we need to get SOC 2 Type 2, how do we do that? You don't go paper the certification. It's not about the check boxes, and it's not about looking compliant and looking secure, it's actually about being secure. And I think your security engineers are going to do a better job overall than a GRC team. You do have to check the boxes, but it has to mean something, it actually has to be, it can't be performative. And so I'd say hold off, and maybe you don't need to have 50% of your team be GRC. So sorry, GRC people, but that's how I feel. What I liked about that answer as well,

and we touched on it earlier today as well in a conversation, but it was, whilst kind of the different roles or different skill sets, just having the crossover and having kind of the startup mindset of wearing multiple hats. Like, ideally you'll have a generalist, but if you don't, you're trying to get different disciplines. It's not just about the skill set but it's the attitude, kind of the willingness to take on extra responsibilities, wear multiple hats and have that kind of startup, move fast, break things kind of mindset. Cool. Down to two more people. All right, this one is, first hire, I mean, this is exactly what the person's done

very recently, so just look at the link to this person's LinkedIn and you'll see it. So: staff security engineer, generalist, that's what we just discussed. Second hire: security engineer, senior. Third: detection and response security engineer. Fourth, interesting one: operations analyst. And then the side note is: I want systems thinkers, excellent communicators and people that have strong operational skills. Any guesses who said it? Mike? Yeah, that's right, yeah, it's Mike. Yeah, the sum up for that is, like, especially when you get down on the bottom, it really depends on what your company needs, right? Like, you might need someone to go communicate out to customers, right? You might need someone to sit down and do IT

operations or to do some other type of operational work. You might need more vulnerability management. It really, really depends. The key thing for me, though, is that first hire. You need someone to bounce ideas off of. You need someone who is enough of a generalist, who's senior enough, where you can be like, hey, I think this is a problem, or I think this is a crazy idea, what do you think, and be able to have those conversations, right? Not someone you can dictate down to; you need someone who's going to dictate right back at you. That, I think, is really important.

[Laughter] I did. Technically, I didn't steal them; technically Tom stole them for me, so, Tom. This got real awkward real quick. They've just all worked with Code Red. Good stuff. Any guesses who the fourth person could be? Right, so Reed went with a strong security generalist as his first hire, application/product engineer, third hire cloud sec/infra engineer, fourth IT security, and if he had a fifth it would be on the GRC side of things. So you want to walk us through that? Yeah, I mean, I think that a generalist is the number one person that you need, and so somebody who can wear lots of hats, because as we've talked about earlier, you won't just be doing

the engineering stuff. It is very common that you're going to be put on sales calls to talk about the security of the product, and so you need to be able to communicate, you need to be able to do lots of things across the organization. But then, once you have that person, then it's like, okay, now there's certain key areas that you really need to focus on: the appsec, prodsec type of things, looking at the application itself, and then also the cloud sec, infrasec, so looking at your infrastructure. And sometimes those things can very much overlap, sometimes they're very different. Depends on the

company and what your product or services are. And then I would say once you kind of have those three, and the order again can vary, but the kind of corp IT, I include, like, D&R kind of stuff in that wheelbarrow as well, just to focus on, like, okay, what's the back of the house thing, like what is your actual corporate infrastructure, how are you keeping all your employees actually secure, how are you detecting if there's an issue and such from there. And again, the fifth bonus would be, like, okay, if you get to that point and, say, it's

becoming an issue where you're spending a lot of time dealing with customer security questionnaires or dealing with compliance things, or your sales team is saying, hey, we have to get XYZ thing to sell type stuff, it is nice to have a GRC person to help out with that. Thanks. Thank you. Cool. So we've put our request into management and they've signed off all four hires, can you believe that? Crazy. And now you've got to go to market. I'd love for each of you to walk through your kind of general philosophy. You're all experienced hiring managers; you've hired at multiple places now, and you have hired pretty much all

those different skill sets. So what is your general philosophy, and how do you go about recruiting experienced security hires? Maybe start with Mike. Oh cool, all right. Yeah, so the role depends. In terms of the technical experience, you look at what they've done, where they've worked, what scale they've worked at, what their capabilities are, what they bring to the table. But especially early on, I filter pretty hard on personality types: people who can just sit down, roll up their sleeves, go and get to work, people who don't like causing drama, people who are good communicators, people who can work together well,

and essentially building that structure where there's psychological safety inside the team so people can feel enabled to go out and get awesome work done. And early on, when you're making your first hire, second, third hire, right, every single person has such an outsized impact on that as the team grows. You've got to get it right. Yeah, plus one to all that. And I think one of the things that a lot of people, as the first or even second or third or fourth or whatever hire, don't realize is they have a fairly outsized impact on how the rest of the organization views and interacts with security. They've kind of all worked on a team where people are

like, oh, I'm going to avoid security, I don't really want to talk to them, they just tell me no all the time, like all these things that you don't want. Like, well, I would be my friend, you know. Like, these people you bring in, if they're not good communicators, they'll set up the department to, you know, right? If they're not empathetic and approachable, you'll end up with a team where whenever you have a senior leader come in, they're just going to have to undo all that culture, and it's really, really hard to undo a negative culture, and they persist kind of all over the place. And so focusing on that a lot, technical ability

aside and things, I think makes a lot of sense, such that you set up the rest of the lifespan of your company for success in the security space. Yeah, I think that, so I'll talk about somebody; you all probably know who this person is. I think this person was my first hire at Segment. There was someone who came in before me, but, like, very, very, very carefully pick your early crew, because they are like the DNA which the rest of the crew is going to sort of inherit. And the person who I ended up hiring was a self-starter, wanted to get good in all aspects of security engineering, was willing to work

hard, did work hard, but more importantly was like, you know what security people want? They want to work with a bunch of other security people who don't suck. They want to work at a company that doesn't suck. They want executives to support them. And so the only way you can advertise, if you have that situation, is the security team actually has to go tell other security people: we actually do have a great situation, let me tell you about our CEO, let me tell you about our relationship with the SREs, they love us. And this person, who is famous for wearing Hawaiian shirts, who could it be, I don't know, and at one

time was a dead ringer for, was it Tom Selleck, like in the 80s. So this person was, yes, like, partnered with all of us to, you found out a thing, you struggled with a thing, we have, in sort of internal or external message, write about it, get up on stage, let's tell the rest of the company about it, let's tell the rest of the community about it. And so we were able to create this culture where all the stuff we were working on, even though we may have had imposter syndrome, like, yeah, every security person goes through this, why would anybody care about this, people do want to hear from

you and your team, and what's your experience working with one another, what interesting problems you have and what support you have from the rest of the company, because everyone's worked at a terrible company where there are terrible executives and terrible engineers and a terrible relationship, and you get up every day to fight this fight and you know you're losing. So we decided to advertise the situation that we had, which was we had a great situation, everybody was pre-sold, and how many times does a security person get to work at a company where maybe you are able to get your appsec to optimizing level five? It's something we dream about, and

having the team go out and talk about that attracted excellent people, and so we had excellent people attracting excellent people attracting excellent people, and before we knew it it's like, okay, this is the best team I've ever worked on, I'm feeling insecure. So yeah, pick that small family really, really carefully. Plus one to all of that. The only thing I would add is that referrals are key. Just, like, use your network. BSides is a great place for this; you meet people here and at other conferences too, and that is key. Otherwise you get tons of resumes sent into all your things. Filtering that, people can sound

good in a resume, it can mean nothing. A referral just means so much. Yes, yeah, especially within your network. I think to add one more thing, for actually all of you individually, is just the kind of, all these leaders that have built great teams is because of everything they've just mentioned, but each of them go above and beyond to give back, pay it forward, whatever term you kind of want to use. And just a little plug or a thank you to each of you: Kevin's been on the Careers Village all weekend, just spending time doing interviews back to back, and both Mike and Colleen have just effortlessly

given their time, and that isn't just today, it's every event; it's giving their time all the time to help others out. And Reed does this whole event every year, which is pretty freaking cool. So yeah, it's doing all those things, but also kind of just continuing to be part of the community, and the reason why referrals are so key is because you're part of this community, people want to reach out, and their friends, and friends, want to reach out as well. The other thing I wanted to, just to tag on to the question around hiring, is throughout this whole weekend there's a lot of experienced people with great stories and incredible talks

that we've seen over the weekend, but there seems to be a lot of people that, because of RIFs and layoffs and all that kind of fun stuff, there's a lot of people that maybe are graduates or coming from unconventional backgrounds. They're struggling to get that kind of foot in the door, I guess, and land their first security role, or maybe they've been in a more kind of DevOps role and trying to transition. Have any of you hired kind of unconventionally on that path, and if so, could you give us some examples of that? I love hiring unconventionally. I actually think that a lot of these skill sets that are in other areas of

engineering translate really well into security. Like, DevOps and SRE are really, really great for incident response teams quite frequently, and so one of the things I say quite frequently is, like, if you have years of experience doing that, I can teach you how to think like an attacker, which is basically what security people do, right? Put on the hat and fix whatever problem that's going to be. That's not that hard, as long as you're still nice while you're doing it. But, like, so converting folks to security engineers from DevOps and SRE I think is great. I've worked with several engineers who are, like, full stack developers or just kind of core

developers for the majority of their career, and then over time they develop an interest in things like authentication and authorization just by way of being in close proximity to some of these things, and then you pull those folks in too. Same sort of deal: I can teach you to think like an attacker, you already have this deep experience in some other area, and the reality is that most of us are just working on the same stuff anyway and slapping some security on it. So having skill sets and experience in other areas, then coming in and bringing that experience and your exposure to other engineering teams and how we do things at X company

or Y company really, really helps you build a well-rounded generalist team around how we approach security for this company in the way that makes sense for us, not necessarily what everybody else is doing. I'll just add on to that. For the folks that are still students or in academia or something like that, a couple of things that I think are really good that you can do: one, contribute to open source. Make a name for yourself in that. There are so many different projects out there; it doesn't even have to be security specific, but just start to figure that out, and

especially since nowadays everybody lives in some type of git-like environment, you learn very early on about good practices, you know, getting peer review, doing pull request flows or whatever your tool is doing there. I think that is very valuable. And then also Capture the Flag type events, and there are tons out there that you can do, including here at BSides, that help you build that security mindset, which you can do from very early on and which cost you nothing. So those are ways that, if you're trying to learn security on a budget, there are free ways you can do that

on your own time. Yeah, I mean, I think it has all already been said, but the one caveat is this: the market's not really great right now, so people who are just graduating, and maybe they're an accounting major, and they're like, give me a security job, that's not going to happen. They need to do some work. Again, like CTFs, there's plenty of learn-to-code online, and if they can afford it a coding bootcamp would be great, but I don't think that you can just show up and say, I am a human and you have, you know, a job opening for a senior engineer, will you hire me? It's not going to

happen like that. So I think nowadays a new grad, or someone who's completely changing, needs to show that they put in some work first, because companies are not that desperate to hire anymore, so that means the level of work needs to go up on the side of the person who's looking. The last thing I'd say, which I say to everybody who asks me this question, is go out and make friends and network. I mean, it doesn't even have to be the good ones. Like, San Francisco was awesome, right? But go to your local ISACA, right? Whatever, right? No, no, y'all are terrible, I don't know. No, I'm sorry,

but no, there are some groups. Like, I live in South Texas and our local ISSM and ISSA and whatever professional groups, they're kind of buttoned up, right, straight-laced, whatever. But go to them anyway, right? Go meet the people, see what interests them, figure out the lingo, talk to people, be out there, be present, and start figuring out what people are looking for, what they're interested in, what they want, and that is what is going to make your career. Thank you. We asked at the start of this conversation today if there were any new hiring managers or people starting their journey as a first head

of security or something along those lines. You've all built out security programs and teams. I guess for new hiring managers, and I believe there are many in the room today that are excited to hear your feedback, what advice would you give to people that are starting to hire and thinking about building a team? Hire slow. Take your time to make that call, be very intentional about it, and also focus on doing the hiring. If you get head count and you're like, yeah, I've just got problems to solve, I'll hire later, that's going to backfire on you, or if you fill it really fast, that will

probably also backfire on you. So be very intentional about hiring and do it in a slow way, such that you can get all the things you're looking for, right? Communication style and empathy and everything else. Then you can start to build that core set of folks in a very intentional way. But hire slow. Just to add on to that point, I mean recruiting is probably the most important thing that you do; it's actually more important than actually solving the security problems. Yes. And so I agree entirely with hiring slow. Take your time, make sure that, again, back to the earlier conversation, these initial hires that you're hiring have such an outsized influence on the

organization. If they are not right, it hurts things, could be for the life of the company really. So you really want to make sure you're hiring the right people to start with. It's a privilege to be able to hire everybody from scratch. If your head count is zero and you show a plan to whoever is going to fund you and they're like, yeah, go ahead and do it, again, hire slow. That's the DNA pool that you care about, and if it turns out poorly then you have only yourself to blame, because you didn't have high standards, consistent standards. But it's a great position to

be in, so don't squander that opportunity, as opposed to when you go to a company and there are already, you know, hundreds or whatever of people there who work for you. That's a very different type of situation, because there's a lot of performance management that has to happen right out of the gate. But if you are given that privilege to hire from scratch, take it very seriously. Make sure that early on you have job ladders for your security people, so if you happen to be really good and pick the best people out there, a year later how do they get promoted? How do you ensure consistency? How closely related are your job ladders to the rest of engineering?

You know, what do 360 reviews look like between engineering and security? But yeah, don't squander that opportunity. At some point, don't just hire somebody who's breathing and says the word security; you will regret it. I wouldn't sit there like... oh sorry, no, go, go. Recruiting will take a lot of your time, and so expect that you're not going to get other things done. So when you're doing your quarterly planning, recruiting is a large chunk of that, and so yeah, you may not get the actual tech or security stuff done because you're spending all your time reviewing things, doing phone screens, doing coding challenges, whatever,

with people. That is going to take up a very large chunk of your time, more than half your week. Yeah, yeah, yeah. The only thing I will say is, if you're doing this for the very first time, please, for the love of God, have people that aren't on the security team on your interview loop, and a diverse interview loop too. Absolutely. Good stuff. I guess one more question that I have, which is kind of related: I did a panel at BSides last year, which was a very different market, where you just couldn't hire great staff because everyone was moving a million miles an hour. We do find ourselves, Colleen mentioned it earlier, we find

ourselves in a slightly different market, so I think there are a lot of people right now that are hurt and grateful to be in roles. But top performers: how do each of you retain top performers within the business? Well, I mean, I'll just dovetail off my own answer, which is make sure that performance is taken into consideration, because those top performers won't hang around if you don't have your crap together when it comes to how do I evaluate an IC3 versus IC4 or 5. Yeah, we were big believers in creating career development plans that were based off of those ladders, so a person could see exactly where their gaps were, how much work they needed to

do, and if there were other people in the company that needed to validate that those behaviors had changed or that the impact was there. We tried to be as crystal clear as possible. We didn't get to it as often as we wanted, but we had to put something down, because if your answer to those folks is like, I don't feel like you're ready for promotion, that's a huge mistake. I'd rather fix it: work a weekend to get something put together for that, because you will lose good people if they don't get good feedback. And then also don't be afraid to give people tough feedback. I think on a

regular basis you need to be telling them: how am I doing, how do other teams react to you, how are they receiving you, what's the actual impact of the work that you're doing, so everyone can start viewing themselves as a product as well as an employee. Because the stuff that I do, I'm putting it out here for evaluation, and if somebody criticizes this product that I put out there I shouldn't feel personally criticized. But if my manager never has these conversations with me, the very first time that happens after a year it's going to feel like an attack. So create this culture of feedback based off of the career development plans that

you create. Basically, having a no-surprises policy is the way I think about it. And I think during your 1:1s, don't just have them solely project focused; you actually need to talk about and dedicate time to the career aspect as well, like, hey, how are you doing, how can we get you to the next level, what does that look like? Again, as managers the goal is not to make the manager look good; make the IC look good. The manager wants to support the IC and help them along that path, because in the end it'll make everybody look good if people

are getting work done and everybody's happy with them. Again, the best thing that you can have in a company is that people love working with your security team. That's what you want, and a lot of companies don't have that. So, cool. Well, we've got a bit of time left and I would love to open it up to the floor for some questions, if anybody would like to kick us off. Over there.

Didn't work out as a nurse. For those that didn't hear the question, we're looking for a bit of tea here, which is: were there any hires that any of the panelists have made that didn't quite work out, and what did you do to correct that? Spill the tea. I'm going to just go out here for that: that has never happened for me, and it's not because I'm the best at hiring, it's because, you know, we hire slow, have the bar super high, and then the right people will sort of self-select into your process, and

when you have that cross-functional panel from all around the company, like maybe you have someone from sales, you have someone from legal, you have people from engineering teams and product teams, and they're all like, this is the most amazing person, and then you're like, they're okay, and then you bring them on. Those people have already sold themselves on this person who you brought in, which means their chance of success and of working well with these folks has already gone up, and so I think that you de-risk it that way. There have been situations where, you know, if you go into a situation and you've inherited some folks, the thing is, what you

can't have as a security leader is consistent top performers who have high impact, who, when people think of the security team, they think of this handful of people, and then not the 43 other people, because those 43 other people weigh on your top performers. They're very aware: why is it that I hold myself to this high standard and I can deliver it, and these people aren't doing anything, or they're actively making things worse? So that's the uncomfortable position for you: then you have to go back to the ladders, you have to go back to performance reviews, peer reviews, and you have to hold that group of 43

accountable, and you have to do it quickly, because chances are when you come into that situation, this situation has been, as the word is, fomenting for a while. There's lots of resentment on the team, and so if you're in the position to do something about it and you don't, then you're allowing, I wouldn't even say mediocre, you're allowing poor behavior to erode all the progress that the handful of good people are making, and you cannot do that. That's the hardest thing about the job, I'd say. Right, yeah, it's hard to inherit people that don't quite work. It's hard, but it'll happen to all security leaders at some point. The other half of hire slow is fire

fast. I agree, I mean, yeah, 100%. Yeah. Promote quickly. Who's next?

Great question. For those that are at the back: what makes a great performance review? I like the 360 model, where you do some kind of self-review, reflection on yourself, getting peers that you can select, and maybe your manager makes sure that other people are included in that, but at least have some peers there. And then I think a key part of every 360 review is also that you're reviewing your manager as well, because people don't leave companies, people leave managers. Yeah. So I think that's a critical part. Sound. Yeah, and to what Colleen said, also, you have to get your ladders,

you have to get your expectations set, so that even if you don't refer to them and open up the document and be like, look, this is the thing, and do checklisting, at least you have that reference, and you know where you can say this area you're doing good, this area you're doing not good, this area you're doing absolutely fantastic, right? You have to have that kind of reference point, so you can really have reasonable discussions across the whole range of skill sets, and the person writing the self-review has the same information. Yeah, yeah, and it makes it way easier for them to write their self-review. Yeah.

I think kind of a cop-out answer is no surprises, but the reality is, if you have a process or a cycle of continuous feedback, people always know when they're doing well and when they're not doing so well. By the time you get around to the performance review you're like, all right, here's your five-minute performance review for the last whatever period. All right, great, we've already been talking about the things that need to improve, the things I should keep doing, what your expectations are of me, you know, as the manager or the manager's manager, right? You end up in this world where, like, great, thanks for the review, but we've already

been talking about all these things continuously the whole entire time, so I have active, real-time feedback as to how I'm performing, always, and this is just an encapsulation of that feedback. Stuff at the back, that's you, you know.

I think we all heard that, yeah. Or do you need it repeated? Okay, sorry, yes, please repeat that, it was a really long question. Planning, yeah. I'd say that, and I just lost my turn. Okay, so one thing that I rely on is, it's like a cookie formula with three ingredients, so it's probably not a very good cookie, but one of those is, I'm not a baker, I'm more of a cook. You know, wherever you happen to be working, the company's risk profile is going to be different from the last company you were at, and so you're going to come in with some, like, I know I need

to hire these types of people, because whatever problem we encounter we'll be able to handle it, but then you're like, what do we work on? The things that I've done, I mean, you can do this if it makes sense to you, but you need to do some sort of full-on risk assessment, and I don't mean one that would be this giant weird template that you copy from the internet. If, again, it's 20 people, 25 people in your company, go talk to all of them. They all have an opinion on security, they all have an opinion on the way they think their world is going to end, that the company is

going to be gone, and they're sitting on this information, and they can't wait for you to just free them from it, because then they can be like, oh, I can go about my life and now it's your problem. So really accumulate that information and then share it with as many people as you can who are decision makers, and like, hey, we can't work on everything, but the 25 people who work in this company are really scared to death of these things, and let's get really specific about what that is. And you can come up with your own little customized risk list, and then, you know, if something is very scary but it's very

unlikely to happen, and then you're very articulate about why it's unlikely to happen, you know, that will help you with what do I work on first, or how much effort do I put in on it. But that's the custom piece that you're going to need: what keeps everyone up at night, and then that goes into your roadmap, and because people have confessed it to you, when you're like, okay, I'm going to repeat back, this is what our roadmap is, they're not going to be surprised. They're like, hey, I told you that and I'm so grateful that we're going to be solving that. I'm grateful, I can lend you some resources so this nightmare can

disappear for me. So yeah, you have to look at what your problems are and then decide what you're going to be terrible at solving, and just say, I don't care, we're going to be bad at this for the next three years and I don't care, right? And keep yourself honest and check in every year to a few years, or however often you need to do it, but commit to being bad at something so you can have the time to be good at the things that matter. We all have the same problems. Every company you go to, you're going to have the exact same things to deal with, yes, that may be customized for that company,

but every company I've gone to, there are a few key things that I'm focused on, that are like, okay, gotta get these areas right, and yeah, again, I want to make sure that whatever the product or service is is dealt with, but there are some key areas that are just the same in every company you go to. Yep, unless they solved it before. That's true, unless they solved them, because sometimes they do. Yeah, unlikely. And you'll take a day to just reflect on, is this reality or my truth, do I not have to deal with this this time? Yeah, good stuff. Well, thank you all so much for sharing some of your time, your

experience, and your wisdom with all of us this afternoon. Can we please have a round of applause for the fantastic panelists?