
good morning everyone welcome to bsides san francisco in this next presentation we have uh tom alcock acting as moderator for the ciso panel discussion uh so without further ado uh take it away tom thank you for many of the hiring managers in my network hiring and retaining security talent is by far one of the most challenging parts of their day job on top of this niche skill set we find ourselves in one of the most competitive markets we've seen in many years and twins with the great resignation and mass layoffs more recently it's becoming more and increasingly challenging to hire and retain top talent i'm tom alcock and i'm one of the partners at code red and we exist to
bridge the cyber security talent gap i spent the last 12 years of my career helping companies to build technical teams and the last four years working on security hires with a lot of these companies at the table today we've got an incredible panel um today of seasoned security executives and leaders that i'll introduce in a second um and we're going to explore hiring and culture and how to kind of hire and retain talent uh before we get going is there any hiring managers in the room anyone's hired in the last six or twelve months yeah keep your hands up if you find it relatively easy to hire during this period there's no hands up in the room
oh okay find it easy over there nice we'll come back to you we'll make sure we'll come back to you yeah because they think i'm an expert and i'm not so good well um these these folks around me who i'm introducing in a second may have not completed it but they've done a pretty incredible job of hiring retaining and scaling security teams today we'll be exploring how these folks have approached it and approach talent attraction in general and they'll be sharing some of the wins challenges that they'll face when building teams so without further ado i would like to welcome to the table jessica caleb and fermin if you'd like to kind of start with you on the end fermin
introduce yourself where you're at right now give it a little little intro to yourself and then we'll kick off some exciting questions of course fermin serna i currently serve as cso for a company called databricks i've been in the job for the last six months not 10 months i feel like i replaced caleb at databricks so before that i was the ciso for citrix for a couple years and before that uh i was at google for almost eight years uh and in my last years i was uh head of product security at google very very excited to be here thank you tom for inviting the invitation and you know very very excited to be part of
this panel thank you um caleb sima i'm currently the chief security officer at robinhood um prior to that i was at databricks i helped build the team there at databricks and then prior to that capital one and actually most of my career was more on the entrepreneurial side so i've actually been in this hiring operations side of the game for not that long um although it's been very very entertaining my name is jessica ferguson i'm the chief information security officer at docusign i've been at docusign for about two years and three months now started as the deputy ciso and then took over and the cso role in march um i've been in cyber security for way too long uh
mostly in a lot of tech companies so uh a servicenow f5 networks alaska airlines done a lot of hiring great stuff well thank you for the introductions um as this is a community event i spent the last couple of weeks playing on linkedin and twitter and trying to get people from the community to ask some questions i mean this is an incredible panel that we're very fortunate to have in front of us today so i've had so many kind of questions thrown my way which will kind of start um it's really nice to see that the two keynote speakers which by the way were incredible both asla who maybe in the room and jackie yesterday
a golden thread of their talks was bridging the cyber security talent gap and building culture of cyber security and building a great culture within these companies so i think we'll find some interesting conversations today coming from here so the first question that i did have come through and and fermin we'll start with you if you wanna answer this one when the questions came through what are the key factors and considerations that you have when you're looking to build a security team from from scratch that's a great question um i mean the first thing that i i look i mean let me tell you what i did when i arrived at databricks and this is
a story that some of you um i i'm looking at travis that he knows his story the first thing is you do an assessment what is what is the what are the needs from the company what is the the current tools you know uh budget the engineers that you have and and i usually do four things the first one is what is your strategy in in the security field it's like how are you going to outpace the attackers right uh the second thing that you do is like what is your security organization that is going to you know help uh fulfill the strategy the third thing is like okay what are the leaders and the that they
are going to help you to build that uh that organization and finally you know you building that organization from an ic level and execution right so um essentially is going back to the the the company that you are in what are the needs what are the tools and bridge the gap between these two things right and the first thing that you need to do is like do i have the tools that i that i need and if not you know i always say this thing is like during my first six months at databricks i was not a cso i was a recruiter essentially right it's like uh uh sourcing you know convincing people building culture for uh the existing
people assisting with people to to to persist in the company through the changes that we're going you know super super important to to bridge the gap between where you want to go where you are always be recruiting always be recruiting always be recruiting you want to go come back yeah i think that's been a goal of going through our professional relationship is you never you're never offline caleb with with hiring same question to you when you come into organizations i know you've worked on startups and now large enterprise customers like robinhood how do you approach that how do you approach it starting from security hiring from scratch so yeah this is a very complex question
um and i think really there's a lot of context that has to be taken into account i think going off of what fermin said like what stage of company are you what type of business are you when what's your threat model what where is the existing team where are the gaps in those teams what are the leadership look like there's so much context in terms of i think who you choose to hire so what i'm going to do a little bit of is i'm going to kind of skip over some of the strategy of who you choose because i think it can be very very context driven is maybe talk a little bit about maybe how i hire because i think that
can be just generic across the board um and so when i think about how i hire you know i i do agree with fermin especially when you walk in and you're building a team you are dedicated to recruiting you have to understand i think you have to take this context that people are number one talent is number one and you cannot do anything without hiring that talent and so you have to have that in your mindset you have to have you have to inflict that into your team and to the people around you that people is number one and how do i hire so that you start really focusing on what is the hiring process what's the
recruiting process how do i choose what things to deal with and let burn versus focusing on the people and the interviewing that's a really really tough part so i think when i first came in that was one of the big things is instill a culture of interviewing people and candidates being number one what's the process how do i make that as efficient as possible and make sure that we do the right thing and focus on hiring and how to hire and i think that in doing that you have to make this decision because i think what the hardest part is hey i've got 50 fires that i've got to go deal with or i go focus on hiring and at the end
of the day hiring is kind of treated as this you know you know manage the corral of herd of sheep coming in and people and it's just a process right like it's a process when that's you have to look at this and say like these fires if i don't get the right people and look at this not just being a process and about herding cattle this is an important critical piece of what we do you get these people the faster you get good quality talent in the faster these fires go away so you have to say these fires are going to burn for now and i'm going to go focus on this stuff around making sure that the hiring process is
just not considered a process it's something you invest in it's something you care about it's something that is the core part and how do i instill that into the teams and the culture of the company i think is important yeah great answer thank you um jessica to kind of dovetail into another question that's come up is building these teams yeah and moving quickly and as caleb says kind of choosing to kind of let fires burn to sacrifice making these investments in hires that can then eventually put out the fires um in such a competitive market right now that we see ourselves in how can you how do you get the edge over the com other companies that are hiring for the
same skill set um and able to build a team of top security talent yeah i think that there's um there's a couple different things that that we have to look at and you know on the on the tactical side i think you know kind of echo with what uh caleb and fermin said you know when you look at your strategy that kind of sets the direction the north star of where you want to go from a hiring perspective but i think the yeah the first thing i always look at is having very close relationships with my hr business partner folks because they are going to help me with looking at things like pay bands and how is comp
benchmarked uh because in a lot of cases comp is benchmarked against i.t positions and we all know that security positions cost more than i.t positions and so so you can go and get all these great candidates but then you're running into roadblocks trying to get them all on board it um so you know i definitely think starting with looking at kind of the fundamentals of what you have what are the factors and metrics that you use to determine headcount ratios for me appsec ratio appsec engineer ratio to developer right there's that's a metric um trust we deal with a lot of business customers that you know we have a whole team called trust services that handles
all of our customer requests and we need to benchmark how many sales people and how many customers and to you know right size and help understand how many people we need to support the to support the mission i think that um in the overall um you know hiring good uh good talent um you know most of the people i i feel like the really great talent that i've have have i either been um you know uh connections um from the past or having my uh my folks tap into their to into their connections we found a lot of some of my best hires have been very kind of just random and then they happen and it's like two weeks later
you're getting this person an offer and they've been at boeing for 25 years and they really thought about leaving until you talked with them right and so i would say there's a definitely a lot of kind of uh having to sort of mine through the uh the large um you know the very large looking uh or maybe the scary dearth of of candidates and then you know being able to find out find those kind of those diamond in the rough folks that you can kind of pull up we also do a lot of uh internal you know recruiting right so some of my best appsec people are former qa folks some of my best you know
uh you know folks in my security engineering team came from you know and services support and you know so looking for the looking at those folks and then those you know places who you know maybe kind of uh you know have kind of a security mindset that you can pull into uh into um security roles you know and i think i think the one thing that sets security folks apart is and the one thing you have to look for whether you're recruiting outsider or or internally is you know i always kind of say i can teach anybody security i cannot teach you an innate level of curiosity that says what's next what's next what's next right and it's
kind of that constant question asking that security professionals do all the time right um you know i can i can take anybody who has that and i can teach them security that's not the hard part the hard part the harder part in a lot of cases that i find is is really finding the folks who have that kind of innate sense of curiosity that innate sense of kind of okay you've given me an answer but i want to know the answer behind the answer and then the answer behind the answer right which is what you know from a security perspective we do all the time whether it's threat modeling or third-party risk assessment or whatever
but i think there's you know uh there there's a definitely a couple different a lot of different factors and areas to look at when it comes to to pulling talent into your team thank you jessica i think another question that has come in that we'll answer in a moment is the transition like people are that are not in security like kind of what is the pathway to move into that so we will address that i guess throw it to both of you kind of i've seen you both scale large teams in the last 12 18 months what's your secret sauce what's kind of how have you been in this kind of competitive market recently of course
i'm not going to tell you and then you will know right so now my point is um going back to the challenges let's assume that all these you know combines and all these processes they are they are good which uh the norm is that there is work to be done then what is hiring right it's like there is a lot of work that uh goes back to us right it's like you may have an amazing talent acquisition team but you know um in my experience over the last probably three four years around sixty seventy percent of the sourcing is internal sourcing right and it's done by us right these references that we know people from the past or friends or
friends or campaigns that we do internally right so hiring the challenges is to to differentiate yourself from caleb from jessica from others right because at the end of the day you know they are i mean they are csos and cisos for amazing companies and you need to make sure that the candidate understands why we are better than others or why we are uh different than others let's say this way right and and one thing that i do is like i uh at the end of the process whenever we do an offer um and this is well i'll disclose a secret i do something that i called a champion call right and i talked to the candidates and i
explained them hey now you have an offer and you also have an offer from google you have an offer from robinhood you have an offer from all these places and i told them amazing companies right but let me tell you why databricks is better from my opinion let me tell you why um the culture that we're trying to build here the challenge of the company right uh uh where we're going and all these things let me give you enough information for you to make an informed decision right those champion calls they are amazing right i uh i'll give i'll give all my secrets out so i need a notebook it's it's so here's the thing is i actually find i do a little
bit the opposite um you know what i tend to find is like by and large most interviews are the company vetting the candidate it's basically like hey prove to us that you're good enough to work here and then we'll sell you right so i just reversed it so i just said okay it doesn't matter who you are what we're going to do is i call this the reverse interview and many of you who work maybe at robinhood have probably been been through this with me is the first call and this is what i mean by dedication and time so you understand the level at least when building the team that you have to commit
in the first calls i will sit for 30 minutes and i'll basically say you can ask me the questions you can interview me if i can sell you on me the company the culture the people at the beginning because it's to me it's like let me prove to you why we're good enough for you to come work for us then they get hooked and when they're hooked they're more excited to go through the process and so then it's not at the end where you do the battle you just do it right at the beginning and by the way i've had candidates at the beginning we'll go through that at the beginning the candidate will say
hey i don't think this is probably the right fit and i'd be like that's awesome and we figured it out right right there at the beginning and i found like that to be one of the most amazing things is when people go through that process you know the the culture of us is basically saying how can we tell you that robinhood is a great company to work at how can i tell you that i'm a good leader or person to work with and as soon as that is good i think that opens up the floodgates of the candidate going through and asking the questions and that's helped a lot and by the way i
you know at the beginning when you're building a team i don't care if you're a junior i don't care if you're an intern i don't care if you're senior i will do those calls with you obviously as the comp as the team scales as the company scales it becomes a lot harder for me to do those things but i always offer in across the board one you gotta tell your managers and your leaders can you convey that same culture to them and two i also offer hey if you have candidates that you consider sort of p0 like you know they're coming in this is a the you you definitely like i'll go and do it like i'll come in and say
right at the beginning in the first call reverse interview what can i answer for you and so that's a it's a big secret um so for those of you uh really working hard over there but it's i think it's helped a lot and it helps establish a lot of uh trust i think with the candidates um one thing i want to mention is like um we're talking about the edges of the process yeah it is key the the the interview i mean even in the middle right uh the candidate through the through the the panels through talking to people either interviewing one way or the other ways because remember whenever you interview for a company it's two ways to
interview right is to give them a an amazing experience that's that's uh they are literally going to have four or five hours with with the company uh they you need to sell them and they need to not only to sell them sell certain the reality of how it's going to be them to be working over there right it's not only on the edges it's through the interview everyone through the panel the the interview uh the interviewers you know to to to be able to explain how it's going to be why uh working for this company is is a good thing what are the challenges what is the company where is the company going right and these touches of caleb doing
at the beginning or myself doing it at the end is what what's what help but this through the interview process i can tell you from firsthand experiences that actually from the recruitment process having that kind of level of involvement in investment and communication is is such a golden thread of of how you've been successful in hiring it it adds so much difference and is a big differentiating factor against a lot of other companies out there for sure one other thing i just want to put like a double plus one on is fermin's thinking about transparency right when you go through the interview process um i think it's so key you know i've heard from others where
um people will candidates will go through an interview process and the in the company will just sell how great they are what awesome things that they do um and then when you walk in the door you're surprised at the the the disaster that you've kind of walked into uh which by the way you all know this every company is a disaster behind the scenes so like we all know this um and so but i think being up front about it is really really key and what he was pointing is like talk about the challenges talk about the the disaster that it is because that's the thing i think candidates really like because that shows hey those are things i can
have impact on right like i've done you know sdlc before and if you're telling me your sdlc is super immature and really early you need a lot of help like wow that means i can come in and really add the value that i've learned in my past and so i found you know again that transparency thing is really key yeah you know if you don't do it in six months that person is going to be gone and you're back into you know the first stage so you you lost you essentially waste time for the candidate and yourself that's a great point right i mean i think most folks you know when they're looking at you know uh leaving a company
they're looking for a challenge right most people want a challenge they want a vision of where where is where is this company going where's this organization going you know what am i getting myself into and i think that um you know being able to kind of sell the here's the challenge and here's where you have opportunity to make impact because sell the disaster and have an impact right like i think it's just a fundamental human part of human nature is you want to be able to make a change so make a difference nice you talk about kind of um trust and transparency i think we're talking about kind of hiring and how we get people through the door i think a
nice little segue is around kind of retention right now i think there's a lot of companies that kind of the term great resignation gets overused but has been a thing i've seen a lot of people move and and kind of a lot of churn from a lot of companies so what what do you do to build trust collaboration transparency in a remote workforce like this this is such an amazing time to have so many people in a room right now but it's rare it's it's rare that we have this kind of face time so how do you get how do you build trust and collaboration in a remote workforce um the first thing i do is i block code red
from the email system so you cannot talk to my people at the end of the day i mean same as you are attracting candidates to increase your security team the size of the security team you need to make sure that you spend equal or more time building you know the the qualities of an amazing team right that we operate as a team or psychological safety or where we we got each other's back and things that you need to build a culture where people say you know what you know i could go shop around interview and things like that but why should i i'm happy here i am challenged and doing the amazing things that i i uh that i'm doing right
now that they are up to my expectations why should i risk this right so it's super super important to build that uh to spend that time to build those qualities inside the team and of course blocky we'll talk after okay i think there's there's a couple um thoughts um so i think that the pandemic did some great things which is it allowed everybody to work remote which means now we started hiring remotely in a company like docusign where we used to hire everybody in san francisco and seattle now i've got a third of my team is probably remote all over the united states right which is you know fantastic because we changed a lot of culture around how the
company thought about things um that you know the downside is is now you know how do you operate in that in that world um you know i would say that the the biggest thing that i learned is over communicate if you think you're communicating enough with people you're not communicating enough with the people i'm going to tell you right now because now all you have all these remote folks and they all feel remote and alone right and so it's really hard for them to feel connected to a building i'll be i'll be really honest i started at docusign april 2020 post everything shutting down i didn't come into an office until i think april of this year and you know when you
go in you're like oh hey there's walls in a building and i feel physically tan i feel tangibly connected to this thing and these people right and that's that's really hard when you have somebody who is remote and it's really easy for them to feel like they're just doing the job and disconnected from the broader group so i would say you know over communicate you know that if that means that's where i spend i would say so much of my time uh monthly amas one-on-ones with everybody i have 110 people on my team i still try to do one-on-ones with everybody at least you know once a quarter it's it's tough but we we get through it usually you do well to be
hit today then right right now with 100. you know forums like we've we've had to like get creative around how do we get these different groups inside of you know the work just to communicate together right and that's been another thing is like again there's all those those uh stop by the desk conversations that don't happen in a remote workforce and so people feel like they struggle with understanding what's happening you know what's happening across the organization who's doing what you know kind of that natural conversation kind of things that would normally happen don't get it happen so you really have to be very intentional about how you make that happen and you know i think as
you know the leader of the organization our respective organizations is up to us to make that happen right because otherwise it's it you know it will happen organically at a maybe a group level but at an org level it it'll struggle sometimes yeah i really don't have a good answer for this that's why i'm learning from these two i'll add these two so i can learn i would just say this i think that what i've noticed if i were to think about an overall challenge with remote work is it seems to me that remote work there's there's like is really lends itself well for in-depth tunnel focus sort of vision and working hard through deep problems right
like real work as long as you're not on slack um and then the but what really suffers is decision making fast decision making i think suffers um and so it's difficult to figure out well how do you really make up the fast decision making problem working remotely and i'll be very blunt i don't know of a great answer to that i think there's lots of different thoughts from you know daily stand-ups to you know having a strategy meeting everyone comes in the office once a day or once a week you know what are these whatever these things are but um i don't know i would love if people have good thoughts on that that would be great to
hear i think elon musk uh has recently made a decision on how that works maybe don't take advice from that one um it's a good opportunity i mean i'm for hiring it's a great opportunity no i mean think about this i'm pretty sure some some people are going to be happy because they want to go to the office some people they don't want they feel like okay maybe one or two days some people is like no i don't want to go to the office right so you know he's made the call well one thing to respect is he made the call yeah exactly if you don't like it go if you do you're in and i mean it's
you got to respect the stance he made the call and he's owning it like he is he is present and he is there in the factories every day so yeah cool the last couple of well yesterday i had a lot of people come to to our booth and we talked about this panel today and not to inflate all of your egos but you are very seasoned leaders um a common question that's come through is we fake it well yeah but you're you're at prestigious companies then you've done great work with hiring talent but a common question that's come through that knowing that i had this panel today was i'm a new security hiring manager or i'm
a startup owner or i'm just being pushed into a kind of a leadership opportunity i want to scale a team i know that this is thinking back many moons from when you're kind of just building a team out what advice would you give to somebody that is starting kind of their management career and needs to hire
okay why am i always the first one
um so i would say for for someone who is uh uh moving into management or building a group hiring a team whatever that is um uh congratulations and welcome to the hardest job you will ever do i'm just gonna say this like i i think that you know we talk about resignations and people leaving and you know it hurts right like i hear people give resignations and i'm just like oh my gosh like another one right and so you know you you you feel that you kind of feel very connected to your people hopefully and hopefully you know you you build that investment so when people do leave it's it's tough um i would say that um
you know the from uh the first thing that you'll want to understand kind of moving into a new into a new manager role is it really is about building that investment and that mindshare with um with your team and with the members of the team that you're bringing on board um i think that you know there's there's a saying that you know and i don't know how true it is today but there's a saying that you know people you know uh what's the saying something about people don't leave great managers they leave they leave bad companies um and i think that you know there's uh there there is a big piece and and it gets understated where you know
a great manager can hold a team together right even through a lot of uh adversity as a company and i think that um you know building that mind share and building that relationship with your folks and is going to be you know job number one and i've i'll be honest um i've learned from so many people who have been uh peers of mine on you know how to uh build team cohesion how to uh lift your team up um you know and really kind of make uh you know the folks on your team sort of the front and you know i support them from behind i think the other thing is you know make sure that you are being
intentional about building diverse teams and i know you know we we talk about it all the time but you know it we still haven't done enough and i'm going to be raise a hand docusign hasn't done enough to build diverse teams um you know who are your who who are in your who's in your interview panels is it all white guys because if a black woman walks in the room there's gonna be really tough if any kind of underrepresented minority walks in the room it's gonna be tough it's gonna be very intimidating right going or it's going to give a real insight into the culture of the company right it's all very monochrome you know i think that you know
hiring diverse candidates you know building diverse teams bringing in different um points of view you know be flexible with who you hire like like i said before like there are people that you will identify in other groups in your company and you will say and i've done this before and it's actually one of the biggest things that's brought me joy is i will take you know somebody who is in desktop support and they're they're like hey i'm interested in the cyber security thing like what should i do and i'm like yeah come on come over here right and building them up and now they're architects at ebay and stuff like that right and you kind of get to see them
you know kind of grow up and move and i think that um you know finding that that diamond in the rough talent and and and being like yes you i want you on my team right and in making that sense of inclusion you know they don't need to be you know the whiz-bang hacker right um some of the best folks on my team were you know in the video editing business right like they had nothing to do with with cyber security or even with technology in general but you know now they're like kind of some of the leads of some of our biggest projects so i think that um it really is key to look outside of kind of just the
normal box of where you would look to hire from so i'm sorry long answer that was a great great answer in fact there's not much i think i can follow on to that because i think these are all phenomenal points around just learning how to be a manager and a leader and what are some great so i'm going to be a little bit more tactical on mine and i'll be very security focused since i think you really covered a lot um i'll say when i think when you're thinking about building your team um you know first if you're a first time leader and manager building a team this probably means you're working at a small
company would be my guess and you're starting from scratch so i would recommend two things in when you're looking for your first team to hire which is going to be really important whoever those first people are that you hire are going to help set your culture of your team first i would probably focus on good general athletes the and second they need to have the attitude to sort of a point made earlier around curiosity um hard work good general athletes when you're small and you're starting a team it's not like oh i need someone really good at D&R oh i need someone really good at pen tests oh i need someone really good at appsec
you need people who have some good diverse experience and just want to dive into they just they're curious they just want to learn and they want to dive so when you think about hiring those the first sort of three or four people around you really look at some good general athletes and how they're going to help you um and also you always need one person that's going to that's going to help tie all the people policy programs compliance you need one of those in your teams to help tie everything together too um i would say those would be the the tactical things i might say when you're a first-time manager okay um yeah i don't know what i can say
after this at least next time i will try it right so you're you're a new manager right so on top of all the new things that you need to do you need to build feature x or you need to mitigate whatever it is right so there's a lot of pressure right and then you you need to build a team and you need maybe you have two or three people four people you need to retain those people right on top of that you need to you know increase the team size to deliver you know the final thing that you work hard for right so there's a lot of pressure right so the the best advice that uh
i can give you to a new uh manager is like don't be a hero you are not alone right so start talking to others start leveraging uh you know the knowledge and expertise from other people get a mentor uh talk to andreas there's actually uh maybe not even in your company there's a people in the industry that uh they do the hey i'm the cso for well i'm going to quote uh someone that i know nico waisman ciso for lyft he does uh sessions uh with uh you know uh folks from the industry that they want to be a new ciso or they want to do these things right so kudos to nico by the way um
what i'm trying to say is that you have your job to to do you have a job to retain the people the good people that you have so you need to invest in you know the good qualities that i was talking about and then you need to hire right and don't be a hero there is multiple things and you will make mistakes it's totally expected i mean i made a ton of mistakes i i probably should not mention them because this is being recorded but uh you know it's okay to make mistakes because by making mistakes you learn for the next one you're going to do better you're going to retain your your team better you're going to hire people
better right and other things that uh that jessica and caleb mentioned is like you know the the i mean hiring only security professionals with security experience that's one way hiring people new grads and building them as a security professional that's another one you know going to other fields you know a developer that is an amazing developer and helping them grow into a security professional that's another one right it's it's there is no silver bullet it's like put your uh put your bets in different things right and and and that way you will be able to you know accomplish with mistakes you know hiring retaining and doing your job right but don't be a hero i i mean i
i don't know that you're you're worried about going last but that don't be a hero and use other guys iconic yeah that was amazing that'll be the only quote of this uh whole cso panel because i just want to just re-emphasize this like when you're small you're you're so right for me like working with engineering and the rest of the company getting their help is part of the job as a cso too right and getting that culture and getting them to help and uh doing that that's like that's super critical you know nice thank you folks um i had a question come through from uh twitter the last couple of days and it's kind of related to recruiting but it's
um and maybe we'll start with you fermin okay
you guys battle between yourselves uh with all the economic uncertainty we're seeing right now especially in the tech space um companies making layoffs um and cuts generally how do you plan to make security a priority your company i mean it depends on the context of the company right so um in in the context of databricks right because of the product that we sell right to some degree we we deals with other secret sauce right so security is a priority for the company right at the end of the day under any financial situation right you you are going to take a look to what are my priorities uh you know marketing or uh sales or engineering but
for us security is a key pillar because without security um there is no gtm uh focus here right so obviously i mean there i mean we will see this and we i don't have a crystal ball to see if we're going to go into a recession or not and things like that companies are adjusting right for me it's not a challenge it's an opportunity right because uh if companies are adjusting it's like hey uh let me take a look why uh i mean let me go into linkedin and search for all those tesla security engineers that may not want to go back to the office right because there could be good people over there right so again
take advantage of your strengths and exploit the weaknesses of others i'm going to be a little spicy on this one my thoughts are are don't try to make security the top priority in the company i don't think oh well i got one fan on that spicy comment [Music] isn't that your boss over there yeah um yeah i would say you know when you think about like that it doesn't matter what business you're in security is never going to be the top priority even if you're a security vendor uh it's not the top priority um what i would focus on instead is there are spots or areas in your company that you can make security in the top three right or at least in
the top five um and so the way like i think about it i'll be very sort of generic is like you ever heard of sort of like the intel architecture ring zero ring one like there's like in ring zero this is your top critical super paranoia ring one a little bit less ring two ring three you know you can look there are across an organization they're gonna be different levels of where security really needs to be priority versus where it doesn't or where you can be a little more relaxed and i think you need to find the areas that are the most critical for you to have either ring zero or ring one focus on those areas and help the team
do it and ultimately if you really do the job really well security does become a little bit more built in and becomes more invisible to the business and what it does but i think those are the key areas i would focus on hey this team in this specific area what they're doing is super sensitive and super uh super like we got to focus on that help go to them and figure out how to embed security into their processes and make that a priority with that team and you can make a lot of progress that way okay so yeah i think that um you know from a from a from a docusign perspective you know we
uh we consider ourselves a trust brand we use that terminology all the time it's all over the place right um we hold everybody's data right we hold everybody's mortgage documents and loan signings and i'm sure everybody's docusigned something once it'd be an interesting study on who hasn't but anyway um you know but all that data yeah lives in our cloud right and so um you know from our perspective uh you know we're going to continue to build and grow our team that's that's not really a concern from my perspective you know i think that um you know and we'll take advantage of everybody who's laying off and we'll pull all those people over because it's
good talent i think there's a huge opportunity yeah i agree entirely i think that you can spin it on its head and say we're able to reach out to talent and attract talent that we weren't able to do so 12 18 months ago yeah but tom i mean that's if if you have the if you have the opportunity to keep growing right because there is companies that they will not because you know security you know as i agree with caleb right it's like may not be their priority one of their top priorities right so then what do you do you focus on retaining your people right you you going instead of going out out there is
that you try to protect your your your crown jewels essentially or or if you think about it if security is not your top priority right which listen at the end of the day every business like will always say hey security is important but it's never the top well why well because the top business the top priority is being a business right we all know this like we have to be a business otherwise we security doesn't matter because we won't exist we need to make and that is really ultimately the most secure to be blind um but here's the thing is like we know this then our job is not to go and fight for the top spot and also i feel like as
our job as an expectation as being in this industry is we're not going to be the top priority so how do we make changes and impact in order knowing that and knowing it in a way that enables the teams sets the right context around what they're doing allows them to say hey it's not just hey do this to be secure but hey if you do this it's an easier route of what you're doing today and it also happens to be secure right this is a much better model and allows you to align with the business allows you to make more more progress with the with engineer and the rest of the cross-functional partners and you're not
like i should we should set that expectation like hey as although it's great when the ceo stands up and says hey security is important privacy is important right like for example at robinhood we have a safety first right that's right in our principles it's great when you hear that happen but like let's set the expectations hey at the end of the day it's awesome to hear it but when it comes to execution let's not expect it and let's not rely on it right we can't rely on someone at the top saying it's important for us to adopt what we're doing we've got to assume that they're not and that we're not the top priority
so then how does that change our thinking yeah it's um i'm sorry to hijack this a little bit but it's a it's a question of being more efficient right at the end of the day i'm pretty sure that all of you have a long laundry list of things that they are wrong in in your own companies right um and if you go one by one it probably will take ten years to do all of that right so what are the top three top four top five that if you have resources not infinite ones or maybe less than what you have right now because there may be a recession or whatever right what are those ones that they are going
to be giving you the most bang for the buck right so completely agree with you caleb great stuff well i think we've got time for one last question something that you actually kind of indirectly addressed earlier but it's a dying question i've had about from three four different people what skill sets do you think can be learnt on the job for security folks i guess what skill sets can't um you know i i think i'm gonna repeat myself a little bit but you know there is if i look at what makes you know some of the best security folks on my team it's not the background that they have it's not the you know experience that they have although that
helps right but i think fundamentally it is right in and whether it's incident response threat models engineering i'm sitting down with the development team talking about a new feature it's always asking the okay that's great and what else and what else and what else right it's that curiosity of getting to and sort of extracting and pulling apart everything and figuring you know and being able to understand the inputs and outputs and and the of a thing right and and how it works and what are all the things that a development team is not telling you about that or the really really interesting parts when you start asking questions and it's like yeah uh and and so
again i think that is that kind of that curiosity then and that innate um you know uh sort of follow-up is is the thing that you can't teach you know i i can bring folks in from community colleges and put them into a SOC and teach them to be a SOC analyst and then move them into ir i can put developers who do qa right work into apps teams i can pull you know folks who have done you know desktop support and put them in engineering teams right so there's a lot of transferable skills right pretty much anything that any group in a development slash i.t even legal and you know um finance organization was done has some
translation capability you know uh into uh into a security function whether it's you know audit risk you know appsec secops right in any of those functions so yeah i think that uh it's it's really more about so i would say if you're thinking about going into security and you're hung up on the oh i don't know enough to go into security i'm going to tell you right now you probably there's an opportunity for you there somewhere i'm just saying like there is a security manager that's looking to hire you i promise um so you know i would i would definitely not be hung up on the well i don't know so i can't do this right and
and and really look at the what do you know and what is the skill set that you do bring and then you know a good manager can probably map most skill sets into into what they need and form that person multi person i can do next so i'm going to differ a little bit into this one although i agree but i think there are other type of skills that uh you can learn on the job right um i mean apart from the technical skills i mean if you're on ir you know you will learn how to do forensics how to manage an investigation but at the end of the day security teams usually um we we interact with others so others do
the the changes to mitigate risk and things like that right so the things that i uh think they are super super important are the soft skills how uh how you talk to others how you write an email i mean literally the way that you could write an email you could you could win someone or you could lose them forever right and and then if uh the way that you build the bridge they will the way that you it's totally different for example whenever you send an email to someone asking for hey sorry i'm going to ruin your friday but can you do this if you have had a coffee or a beer with that person before it's way way easier
right so those soft skills how to build those bridges how do you you talk to a new person how do you understand their their world how do you uh try to you know to be a partner on their world while they win them over to be a partner in your world right so soft skills those are the things that and and they can be used not only in security in other other fields super super important right technical skills yeah you will keep growing but people usually forget about the other ones and they are probably as important as the technical ones yeah um i will say i agree with all of these um i actually will just add a nice to have
um i don't think this is even an essence necessary i think it's just a little bit of passion for the field um you know like we're here on a sunday um you know some people people who are in security sometimes stick in security just because they love it it's just a great thing to be in you love the the the like this is a weird thing i must say but like when i read about the new like if i see a new exploit that's been released that's like pretty innovative it kind of is exciting i'm impressed i'm like wow kudos like this is like a good one um like you know it's just it always
impresses me the way attackers work and the way this field works and it's just something that i'll always be in and you know this is a nice to have i don't believe this is necessary but if you can find people that really just love it for what it is it's it's a great thing yeah flirtation you know you know i'm sorry to hijack the meeting again one thing that i um as a tldr of what i was mentioning to some degree to what you were mentioning uh caleb don't be a jerk that's something that's something very valuable to learn right it's like you know if you're a jerk to someone that will come back later right it doesn't cost you anything
to be nice right if you say please with a smile and and then whenever they do it say thank you you know you're going to win a lot of people over hold on now thank you sincerely you're welcome caleb talked about giving time up on a sunday like it's i feel honored to have shared this stage with fermin caleb and jessica some both um fermin and jessica actually flew in today just for this talk caleb walked a couple of blocks so thank you but sincerely can we raise a round of applause for these incredible seasons
[Applause] [Music] [Applause] thank you all so much for the discussion and presentation here at b-side san francisco on behalf of the conference and uh our speaker gift sponsor maltego we have gifts of appreciation and so just want to thank you again [Applause]