How To Get A Job In Security with Security Recruiter Pete Strouse on risk3sixty's Morning Grind

Episode Interview Description

Pete Strouse has been an information security recruiter for a decade. During that time, he has had the opportunity to work with hundreds of professionals and learn what works and what doesn't when it comes to rising through the ranks of security org structures. In this episode of Tuesday Morning Grind, Pete and Christian talk about what it takes to be successful in the security space, how to get hired, how to rise through the ranks, potential career paths, and the attributes of aspiring security leaders.

About Infosec Connect: Infosec Connect provides recruiting and placement services for security companies, with specialties in Information Security Executives, Information Security Sales & Marketing, Security Audit & Compliance (GRC), Data Privacy, Security Operations, Offensive Security, Digital Forensics & Incident Response (DFIR), and Cloud Security.

About risk3sixty: risk3sixty is a security, privacy, and compliance consulting firm that helps high-growth technology organizations build, manage, and assess security and privacy programs. It offers services related to SOC 2, ISO 27001, PCI DSS, HITRUST, Virtual CISO, Privacy Programs (GDPR, CCPA, etc.), Penetration Testing, and Phalanx, a GRC Platform built for cloud technology companies. You can learn more about risk3sixty at www.risk3sixty.com/.


Episode Transcription

0:00

Welcome, everybody. This is Tuesday Morning Grind, episode number 22. Today we have Pete Strouse. Pete is an information security recruiter. He's been in the game for about a decade. And he's going to educate everybody today on how to get into the cybersecurity field. And then once you get in it, how to move up the ladder, how to pick great jobs, how to avoid the bad ones, and everything in between. Pete, thanks for being with us, man. I'm excited about this conversation.

0:21

Awesome. Yeah. Thanks, Christian for having me on.

0:25

Yeah, I think this is timely. I think careers in cybersecurity seem to be the most controversial topic in our space right now, for one reason or another. But I'd love to get your background. How did you get into the recruiting game? And how did you kind of become an entrepreneur? How did you get where you are?

0:45

Yeah, kind of an interesting path. I never thought I would end up in recruiting really, of all things. I went to school and got my MBA and wanted to move down to Florida. So I did. And in doing so I interviewed with a recruiting company known as Kforce down here in Florida, and basically just took the first entry level job I could get, and they had been working on a bunch of technology positions, and it just kind of clicked to me, it just kind of made sense. I understood the terminology, and being able to kind of use patterns on people's resumes and things. And so I worked on a lot of really technical positions that other folks couldn't figure out and kind of parlayed that experience into a position over the line and basically built their HR and recruiting departments from scratch and hired over 100 people in two and a half years. And those are mostly IT auditors, pen testers, security and compliance assessors, and then some back office folks. And, you know, having been on that side of the fence for a consulting firm and building it from the inside out, I think that gave me sort of a pretty unique perspective on what it takes to build a security company. And then for the last four years or so I've been recruiting and running my own security consulting recruiting firm, helping security companies and corporations find good security people and helping those security people also understand how to basically get through all the red tape associated with hiring good security people. So

2:12

right, yes, I thought we could break this conversation up into a few chunks. One, maybe talk about how to get into cybersecurity if you have no background and you're trying to transition, or you're a new college grad or something like that. Two, if you're in the field, how do you move up the ladder? I'm very curious to see how you see people move into leadership positions in security. And then lastly, if you're a company, how do you spot good candidates? Or how do you avoid losing good candidates, depending on your perspective? So we start off on, like, new to the field, want to get into cybersecurity? What's your recommendation? How do you break in?

2:50

So there's a lot of people looking to break into the field right now. And common complaints I hear are nobody's hiring entry level, you know, nobody's willing to train. It's tough to break into the field. And all that is absolutely true. One common thing that I hear from a lot of security hiring managers as well is that security is not really an entry level field. It's a subset of technology. And then you need to have technology experience before you can get into security. And so I think what a lot of people struggle with is they're being fed this line by security certification companies and degree programs that, hey, get a degree, get X, Y and Z certification, and then you'll get a job in security. And that's not really happening. Hiring managers are looking for a couple of years of experience in technology before they're willing to hire somebody in a security role. So like the single best, most important thing I think that you can do is gain experience in some sort of technology role, even if it's helpdesk or something pretty entry level. I think what a lot of folks struggle with is they go through all the schooling and they have all these student loans or they spent a fortune on certifications. And now they're not able to get that job without taking, you know, maybe a $15 an hour help desk job to start off. So my advice to folks is always try and start off at the beginning, entry level, try and get some technology experience however you can. If you can get an internship while you're in school, that's great. Really, it's about that hands on experience in tech versus certifications and degrees. While those are great to have, it's going to be tougher to get a job if you don't have that, quote unquote, hands on experience that managers are looking for.

4:34

Yeah. I think there's certain careers that lend themselves to entry level because I mean, I got into security, quote unquote, security, right out of college with not much of the technology. I wasn't even a technology person, like I could use a computer but outside of that I had never done anything with security. But I got in on the auditing world, you know, I went to one of the big accounting firms, became a SOC 2 auditor and did some PCI work, etc., and then kind of cut my teeth in security frameworks and then kind of moved into security. For people trying to get into the field, are there like a few common career trajectories or places to start? Because if you're trying to get into security people think like pentesting. They think like a network operation center or threat hunting. But then security is a lot more than that. It's also auditing and stuff like that. Are there careers or entry level points that you see where companies are hiring, you know, fresh college grads or people transitioning out of IT into security?

5:31

Yeah, I think that's a really good point. When people think of security, they think of those quote unquote, sexier disciplines like pentesting, or in some cases like DFIR, they think SOC analysts, they don't necessarily think, oh, I could become an auditor. But that's actually a really common entry point to get into the field. And then a lot of people will parlay that security compliance experience into a more technical role in some cases. And, you know, like you said, there's a ton of large firms that are hiring people directly out of college programs that have campus recruiting programs, and, you know, that's part of their solution to mitigate the workforce shortage: bringing a bunch of people through their campus recruiting program, train them up, get them ready to at least become an auditor. And then once you do that, you see a bunch of environments for clients. And that's a great way to break into the field. So I think more people ought to consider a career in auditing, at least to start. I think it takes a certain mindset and a certain attention to detail that maybe some technology people don't have. And that's what a lot of people struggle with, is working for accountants and being able to produce error free work, and not so much focus on the tech, but the work product that I think auditing sometimes requires. That's sort of the challenge there. But certainly plenty of demand in auditing right now. I mean, right now, senior SOC auditors, it seems like every firm out there is looking for senior SOC auditors. Same thing with ISO or HITRUST or, you know, whatever you name, your alphabet soup of compliance frameworks, there's plenty of job openings.

6:58

But I mean, we posted a job, we posted a few jobs. So we posted a PCI job post at risk3sixty, we posted a SOC 2 job, I think each of those got like, over the course of the first three days, got like 20 or 25. But then we posted one for, like, a security consultant, and one for a pen tester. I think between those two, we had like 400 applicants. So like, I think there's, I don't know, most of them by the way were in no way qualified to do that job. There was like 10, like, so it was a bad applicant pool. But there seems to be some phenomenon of people that are trying to break into the security world who don't know what jobs to look for, you know, they don't know how do you get into this space? What are most of your entry level candidates, do they kind of know when they come? Like I'm looking for this? Are you coaching them through that? Or do they have an idea of what the career is? How do the entry level candidates approach you?

7:59

Well, and really, I'm talking to a lot of entry level people just through speaking engagements like this and referrals and stuff like that. I don't generally work with clients that will pay me to find them entry level folks, because like you've mentioned, you know, they put up a job posting, and then you get a ton of applicants for those type of jobs. So generally speaking, my clients don't pay me to go find them entry level folks. But, you know, I think the best thing that people in that position can do is to reach out to those hiring managers directly. There's a sense, I think, that we as recruiters can help you find a job no matter what your situation and no matter what our job openings look like. That's not necessarily true, you know, we pretty much have to have an opening to present you to, versus find a good candidate and then go find them a job. It doesn't really work that way. It's, you know, push versus pull or pull versus push depending on how you want to look at it. So really your best case scenario as an entry level candidate, really as any candidate I would say, is try and get in front of hiring managers directly. Best way to do that: network, go to meetup groups, go to meetup.com, type in security, cybersecurity, you'll find groups on there. ISACA, ISSA, ISC2, stuff like that. Really network with those people that are in your target position, or would be a target hiring manager for you, and make those relationships directly, forming those relationships directly versus trying to go through a recruiter at all times. A lot of internal recruiters, they may be great generalist recruiters, but they may not be a great security recruiter, they may not understand the technology well enough to be effective at it. So your best case is just to talk to the decision makers.

9:43

Yeah, I agree. I think networking is key, and standing out in general, because when I'm getting 300 applications, unless it's just a ballin' resume, like someone who's just like, wow, like it's hard to even give someone a chance. Because like they all kind of look the same. They're talking points. But the people who reached out to me directly on LinkedIn in addition to applying, the people who send writing samples, so I've gotten a few times someone who's done a case study or has a portfolio they can point back to, just any little thing to stand out, if you're an entry level candidate, is to me, like, worth taking a shot, because that person did just a little bit extra to stand out and get off the stack of resumes,

10:23

or even being able to describe, you know, a special project that you had in school and how that aligns specifically to a given job or a given company's focus. You know, if you had a master's in digital forensics and you worked on a particular project where you do memory analysis, and you notice their job posting said that, you know, they're looking for experience with Volatility, you can say, well, I did that, you know, in X, Y and Z class or project. Just being very specific. In my experience, specifics really sell. You know, me, as a recruiter, if I'm trying to present a candidate for an open position, I want to make sure that as many specifics as I have to sell that person for that job, I'm presenting those in those very words to the hiring manager. You can do the same thing as a direct applicant as well. And like you said, being proactive and showing exactly why that specific experience or that specific interest aligns with a given job. That's ideal.

11:19

So moving into the more experienced candidates, because I imagine that's where most of your experience is, in the placement services. So where are the jobs? Is it across the board, cybersecurity is just hiring? Are there certain industries or verticals that you're seeing that are really hot right now?

11:37

Yeah. It's tough as a recruiter to be in the know as far as every single subset of information security. You know, I have a few specialties that I see a lot of demand for right now. And, you know, I can say specifically, IT audit, security assessors, DFIR, really any of those folks with that experience are in demand right now. And I think in general, just the industry is desperately crying out for good people. And I think long term, we need to get more people into the field overall. And the way to do that is through starting in grade school and things like that. But as far as the demand that I'm seeing right now, SOC auditors, security assessors, really any type of auditors with any type of compliance background are in demand right now. Incident response folks with consulting experience that are doing breach response and forensic investigations, those are always going to be in demand. Experienced pen testers are always going to be in demand. But then there's so many people that want to become a pen tester, but they don't know how to break into the field. There's still a shortage of experienced pen testers, or folks that are able to get past those HR roadblocks to get those jobs, even if the jobs exist and there's enough people to fill them. Yeah, part of the problem is just there's so many roadblocks between good people and good jobs that they'd be a fit for; people who can't get through to the jobs. And I see that all day.

13:06

Yeah, there's like a doughnut, let's call it, like there's people at the bottom and people at the top, but there's no mid level people, because it's hard to bridge that gap. You know, the other phenomenon I see is, like, folks who have jumped jobs every year, or every two years, or sometimes less. And I think there's this strong desire in, or there's this opportunity in security, where you can get paid to jump ship over and over again, because there's such a demand. And we were talking about this a little bit, but what do you think, when you're advising candidates, and you're looking at world class companies that just do great in retention versus, I'm sure you have some companies you love to poach from where people are just, you know, jumping out of there, leaving like a sinking ship? Are there some trends that you can see, like what are the great companies doing to keep people, to attract people, versus the bad companies that people are fleeing from?

13:59

I think with how much security work there is to be done, and I work with a lot of consulting firms, that seems to be kind of my sweet spot. With how much work there is to be done, there's a tendency, I think, to overwork people, and to have them more utilized than they would like to be. So consulting firms especially, I think, in general are just overworking people. And part of the reason that happens is there's just too much work to be done and not enough people to do it. So I think the companies that are really holding on to people, they understand, especially at the executive level, maybe they're a former consultant themselves, so they understand what it's like to be a consultant and what it's like to be fully utilized all the time, and having to try to balance work life and family life. So I would say really just the one thing that a company can do better than anybody else to hang on to people is just don't overwork them. And that's easier said than done, I know. You know, especially when you don't have enough people and you're looking for more, and you just can't get people into the interview process fast enough. But to be able to balance utilization, in the case of consulting firms, well enough to where people aren't just overworked, that's the single greatest thing. Another thing would be just listening to people. It's super simple, but people that feel like they're not heard, they're more likely to go leave and work for somebody who will hear them and listen to their suggestions. I hear that a lot from people in security operations centers, where there's just this general idea that this is the way things are, fit into our culture, do things the way we do it. And that's how it is, you know. So just hearing your employees, listening to suggestions. You might have a good suggestion from somebody who's basically entry level that might not cost anything to implement, in some cases. Why wouldn't you want to hear that suggestion?
But I think generally, there's this idea that, you know, you're working for us, follow the status quo. And that tends to drive a lot of people out.

16:05

Yeah, I also think some of the burden's on the candidate, so I kind of have mixed feelings here. Because one phenomenon I see is like you have a security person who's trying to bring security recommendations to the fore, and like you said, they just can't get heard. So it's very easy to be disheartened. And, you know, there's a security problem, I bring it up every year, it's always an audit finding, I'm not getting any budget or any resource to actually fix it. And then I also see on the flip side, where as a security practitioner, you need to be able to communicate the business case effectively into why you want that security thing rolled out. And then the truth is somewhere in the middle: the company needs to listen, and the security folks need to learn how to articulate that. Are there companies out there that you can just never get anyone to leave from, or that are just known for having great cultures? And you're like, yeah, they have a super high retention that you know about, or are just well respected and revered in the community.

17:02

I think in general, if you dig down to it, there's always something as a recruiter that I can unearth that would make somebody leave any company. I think if I'm an effective recruiter, I can do that, and I can get to the bottom of that. Having said that, I think some factors that differentiate those companies that tend to have higher retention are, you know, like we were talking about, just listening to people, good benefits. I'm a big proponent of not making a move every six months for more money, but at the same time, you got to have benefits for your family, you got to have enough pay to support yourself. And I think people in general do leave if they're underpaid, and that is driving a lot of turnover in the industry. You know, but I would say the companies that have the best cultures, they do have weekly meetings or stand ups or something. And they're not just a formality, they're actually something that people look forward to, and team building events and stuff like that. As cliche as it is, you know, just having team building events goes a long way. Some of the best consulting firms I can think of to work for, again, they have a really strong focus on making sure people aren't overly utilized, and that they're actually paid for any above and beyond hours that they may be working. So performance based bonuses. You know, companies that reward people for working super long hours versus just expecting that as the norm. So at least people feel that there's some incentive tied to working extra.

18:43

What about mission and culture and values? Because I think in consulting especially, there's some firms that you hear about that just have strong mission, culture, values, and maybe those are like startups. You just hear about, you know, that's a great culture. Some of those consultants, I've had the pleasure of working with them. But then in consulting, you can fall on the track of, because everybody's a revenue generating person, you know, consulting companies make money based on people doing billable work, you can let culture fall to the wayside, because everyone's overworked. Does that ever come up? And maybe a way to ask the question better: are there companies that you recruit on behalf of that always get a yes? Like your candidates come back and say that was just a different place? And if yes, are there reasons beyond money, or just monetary benefits, that they're going there? Yeah.

19:38

One of the DFIR firms that I work with right now, actually, I tend to have basically everybody that comes out of an interview with these guys, they want the job afterwards. And I think that's a pretty powerful statement. And I think the reason that's happening is, one, the executives are former consultants, so they understand what it's like to be over utilized. Two, their benefit structure. Amazing. So people, it's not so much a monetary thing, I think it's more about feeling valued, you know, they're gonna give me time off, they're gonna incentivize me to take it. It's not just an unlimited plan where everything's ambiguous and I don't know how much time I can take. Or in some cases, it's, you know, I have time off for Christmas and New Year's when it's important for me to have that time off with my family. Yeah, and company culture, mission focused type of stuff where you feel like you have an opportunity to effect change, you're aligned with the company goals, that is important, too. I think that speaks more to job satisfaction than it does retention. I think, to retain people, you just need to have very basic things in place. You need to have enough benefits so that that's not a point of stress for them, you need to pay them well enough so it's not a point of stress for them. And they need to not dislike their job enough to stick around. And, you know, keeping people at a reasonable level of work is probably the easiest way to do that. But as far as actually making sure people like what they do, yeah, being aligned to the company's goals, and really living those values day to day, because I think a lot of companies say they have certain core values, but then they don't necessarily live those values.
But if, you know, you have a commitment to quality, for instance, having a strong QA program, if you have a commitment to client service, you know, doing some sort of client service survey or something like that, people like to know that they're working towards a specific goal or with a specific value in mind. That isn't just a phrase that people parrot, it's actually something that they can live day to day.

21:50

So I think one of our secret sauces is a lot of the intangibles. Of course, we pay well and offer great benefits and stuff, we can put them on the website. But one of the things that as a company it's hard to articulate is the intangibles, like a tight knit team, or best friends at work, and transparency at management level, and all that kind of stuff. So we talk a lot about that during the interview cycle to provide some transparency to the candidate. But if you're a candidate kind of going through the interview cycle with a few firms, and you've been in the game for a bit, so you probably kind of have an instinct for these things, are there things that you would tell a candidate to look out for? Like, hey, this is an indicator the firm's probably pretty solid, versus, based on my experience, yeah, these are red flags. Maybe the questions they could ask, or just little intangibles that you've noticed.

22:39

So one thing that I saw, some posting on this that I read somewhere, where if you're interviewing in person with a company, try and get a feel for the buzz in the office. And that's kind of hard to do, I think, now with video and phone interviews being the norm, but if you do get the chance to do an in person interview somewhere and you just kind of hear the office, is there a buzz to it? Is there a murmur? You know, like a hum to it. You want to hear energy there. If it's dead silent, there's just paper shuffling around, chances are that's probably not a great place to work. Good workplaces have a buzz to them. When you're interviewing virtually, it's tougher to figure out. I like to tell people to ask questions like, how many hours, on average, do your people work a week? What are expectations as far as when I need to respond to client calls, or when I need to be online? Do you guys have a set of core working hours, do you have flexible time, stuff like that. You know, it's important to be able to, you know, take a few hours off if your kid gets sick or something like that. But at some companies that's frowned upon. And it's good to know that, I think, going into it, to set expectations in the beginning. Yeah, I think for a lot of folks there's a lot of turnover because expectations are not properly set in the beginning. So asking as many revelatory questions as you can in the interview process to really dig in there and understand what it's like to work for a company day to day. That's important because you don't want to get into a position and then want to leave three months in. I think doing as much research as you can, looking on Glassdoor, asking questions of the hiring manager like, you know, what's it like to work day to day in your company, not just talking to managers, but also talking to, you know, in the consulting world, a senior consultant or consultant, somebody who's doing the actual work and not just in management.
I think that's important to understanding what management and executives are looking for, but then also what expectations are from the ground level if you're a consultant or senior consultant. You know, how many reports do you put out a week, how many hours are you working a week? Just try and get as many specifics as you can. Again, it's easy to get caught up in vision and opportunity and things like that, very high level things. I found the devil's in the details. Try and get as specific as you can in your questions, I would say.

25:06

Yeah, I try to encourage candidates to do that. Because I think people want the job. You know, they have some needs. They're in Maslow's, they need like food in their mouth, you know. So when we were doing interviewing, I always, like, afford them an opportunity even to talk offline to a senior consultant or something, someone who's not a boss in the business. And ask specifics like, hey, what do you do if you need to request time off? Or what do you think about the vision? Where do you guys think you're going in five years? Because I like them to check. Like, I'll tell them stuff. I'm delivering a vision, like, here's where we're heading in five years, and we do these PTO things and fun events, but I'm also selling this job here, too. So don't take my word for it, you know, ask these guys offline. But we try to be that transparent, because, again, I think it's the secret sauce to getting top candidates when you're a small firm like we are. But do you think that kind of thing would be frowned upon? Or do you think that other firms would be receptive to that? Like, if you're coaching a candidate, and they're asking the potential firm hard questions, do you think there's any boundaries? They're like, hey, you shouldn't ask that? If you really want the job, be quiet? Or do you think hard questions are a good thing?

26:12

I don't know, I'm of the opinion that you should be able to ask those kind of questions. And if it's frowned upon, that's probably not a place you want to work. Because, you know, yeah, it's a balancing act, you don't want to come across as too tough to work with in the questions you ask, but those should be questions that you can ask if it's a good place to work. I'm a big candidate advocate in general, you know, as long as you're not being selfish with the questions you're asking, and you're not coming across as what's in it for me, me, me all the time, which is a trap some people fall into, especially when they're in demand like they are in security. There's a way to phrase things, you know. I think it's all about intonation and how you address certain questions, if you come across as collaborative and just asking questions because you're curious, or if you come across as, well, this is what I expect. As long as you're not coming across as I expect X, Y, and Z, and you're just more so asking because you're curious, I think you should be okay.

27:09

Yeah, you need to have the EQ to self assess if you think you can get away with asking those questions. You should ask them, but with some tact. What about tips for companies? Are there certain ways that companies are marketing themselves, from a candidate recruiting perspective, that you see as very effective? Like, right now we're on kind of this podcast kick, because we're doing COVID, we're doing some video. I don't know if that helps or not, I speculate maybe some candidates are looking at those. But maybe they're not. Anything that you're seeing where companies do a really good job recruiting top performers?

27:46

I think what you're doing with the podcast is a good idea from a long game perspective. It may not get you, you know, a ton of good candidates in the immediate term. But I think long term it is important. And I am a big advocate in general of building an employer brand where eventually word of mouth will get around and people will start talking about you, there will be a buzz. I think on the ground level, companies that are attracting the best people have the best recruiters working for them, whether that's external or internal to the organization, people that truly understand the terminology and the technology and what it takes to attract good people. Just training your recruiters well enough to understand what security candidates are talking about can go such a long way. I can't count the number of people I talk to that are like, wow, you really know what you're talking about. I've worked with so many terrible recruiters, you know, it's a breath of fresh air. So having your hiring managers educate those people that are representing your employer brand out there in the marketplace is so important. And there's, like I said, so many poorly trained recruiters out there, and it's not their fault, they just haven't had the training to understand what they need to understand to properly represent the company. So part of that employer brand, taking it to market, is educating those recruiters. And again, the details sell, you know, really helping candidates understand what it's like to work day to day at your organization. What's great about your group versus another group within the organization. You know, what team building events you do, what your benefits look like, all those little details can really help. And so I think, really, it's just the well trained recruiters representing the brand in the best possible way that are doing it best.

29:33

You mentioned you had some thoughts around what motivates people to stay or leave. Can you talk about that? Like, the motivations behind doing things?

29:45

Yeah, I've always been big on the psychology of recruiting and motivation, and what keeps people staying in an organization long term or what might motivate them to leave. And there's a motivation theory topic, and I forget who it was, but you mentioned Maslow; there's another philosopher, basically, that said there's hygiene theory. So certain hygiene factors keep people in jobs and keep them at least baseline satisfied, to where that's not a factor to get them to leave. Things like pay or benefits are hygiene factors: enough to where they're supporting themselves at a basic level and don't have to worry about it, that's great. But when it comes to truly being empowered and enjoying your work life, and what Maslow would call self-actualization, that's talking more about purpose. And that's being aligned to the company goals and objectives, being aligned to your personal goals and objectives. Do you have career trajectory? Do you feel like your work matters? Do you enjoy your management's management style and the way they treat you? Do you feel like you have an impact on things? Especially smaller firms, it feels like, do a great job of helping people understand that they actually do matter, that they're not just a cog in a wheel. So I think a lot of people leave because they don't feel heard, or they just feel like a number. But even large companies can do a great job of making people feel like they're not just a number, if they feel engaged in their own tiny little group within the larger organization. You could work at Visa in a large security operations center and still feel valued, if your management makes you feel that way.

31:35

Yeah, have you ever heard of self-determination theory, by chance? That's kind of what it sounds like you're describing. They say that motivation is derived from three components: autonomy, competence, and relatedness. Autonomy being someone's freedom: if you need to go to a dentist's appointment, you can; you can control the way you work, and you have some control over deadlines and your breaks, just some basic freedom. That's a big part of it. Competence, meaning you have an opportunity to become a craftsman in what you do, because you can really get down and become an expert; it's not too surface level. And then relatedness, which is what you were just talking about: do you feel close to your team? Do you have a good manager? Do you feel like you're on a common mission, rowing in the same direction? Some combination of those things drives motivation. And that's exactly what you're talking about here. I've heard it referred to as self-determination theory.

32:31

I hadn't heard of that theory, but it sounds correct. In my experience, there's no magic singular factor that gets somebody to stay somewhere, or to be satisfied in the work that they do. It's a combination of things. But those categories definitely seem like they would describe it pretty well.

32:51

You know, I went through a whole lifecycle. Audit work kind of sucks. Like, frankly, it just does. It's not fun to do audit workpapers day in and day out. But it is fun to see hundreds of different companies and assess their security programs; you learn a ton. And so for me, I started my career in audit, as a lot of people do, in the assessment and audit space. But I went through this lifecycle where, probably a year and nine months in, I was like, I can't do this long term. I like security, the buzzword, and I had acquired enough knowledge where I kind of knew what I was doing, but I also didn't like the work. And I was also getting delegated a lot of grunt work because I was a year into my career. And then, past that point, I started becoming what we call a craftsman. There's appreciation in the nuance of the work. It's like a woodworker: once you're in the nuance, and you understand the grains and the types of wood and how they all interact, there's just some enjoyment out of being a hyper-expert in almost anything. So you learn to appreciate the grind. And then all of a sudden, you become like a management consultant, you're talking about strategy and deeper security, and it becomes really fun. Everything you do is fun. And I feel like a lot of folks can't pass, or it's difficult to pass, that little curve where it really kind of sucks for a while. And I always think to myself, when I see these resumes of people jumping every year, it's like, you haven't even been at one company long enough to see a full lifecycle, to see a program come to full maturity, that kind of thing. Are you seeing or hearing anything? Are those conversations coming up at all?
Like, hey, you need to stick it out over two, three years to watch this maturity come to fruition. Because I think security suffers in that you leave before the job's done, and you don't get the satisfaction of getting it done.

34:39

Well, I think, again, there's a differentiation there between building a corporate security program internal to a company and being a consultant working on a different project every two weeks. A common complaint I hear from consultants is, "Well, I'm knocking out a report and then I'm moving on to the next client, and I never get to see the impact of the things that I'm doing." And then people on the corporate side, they may be with a company for a year or two or even five years, and at some point they become stagnant. They feel like, okay, well, I've done the work; now it's just maintenance mode, I'm not challenged anymore. So I hear that pretty often. There's an ebb and flow to it. I'm generally an advocate of people sticking it out for as long as they can, unless they absolutely hate their job. They should try and get to that level of mastery that you're talking about, to truly give it a fair shake. And I think folks that are moving every six or twelve months aren't necessarily giving it a fair shake. At the same time, in the consulting world, if you've been with a company for a year, you pretty much know how things are going, especially if they have two-week projects. Now, if you have six-month or year-long projects, that's a different story. But "cookie-cutter audit firms" is a term that I hear pretty often. Yeah.

36:03

I like to try to give a, you're right, it is easy to become a cog in a wheel at these audit firms or consulting firms where you're just spitting out audits all day, and there's nowhere else to go; you're going to be an auditor for a while. That's bad. But what I'll tell some consultants is that there's craftsmanship in being a consultant. So beyond delivering the work, there's a whole ecosystem behind how a consulting firm operates. There's this guy named David Maister, I think, that wrote a whole book about how professional services works, whether it be law firms, audit firms, banning consulting. So if you've been at an audit firm for years, maybe you need to start thinking about how the hierarchy at your own firm works: how do you become a manager? And then how do you become a leader in that organization? In the end, if you can't become a leader there, that's a good insight for the next firm. So maybe interview the CEO of A-LIGN or Schellman or Coalfire, any of the usual suspects out there for audit firms, or me at risk3sixty, and just figure out what the economic engine behind that thing is and how you move up in the ranks. Because you'll find out one of two things: either you definitely don't want to be a leader in the consulting game, because it's terrible, or you're like, "Ooh, interesting. So there's a game behind the game, and I can potentially rise up through it."

37:19

Or, like you said, you get over that certain hump, and maybe for you that magic role is manager or senior manager, and at that point you start really loving what you're doing, versus being, say, a senior consultant. Yeah, I think it's all about interviewing the folks, like you said, that are above you or in that role where you think you might want to be, and reverse engineering your career from there. That's the advice that I give a lot of people that maybe don't know what direction they want to go next: all right, well, figure out who's in what you think might be your ideal position, talk to them about how they got there, why they love what they do, what they don't like about it, and what it takes to get there. And you can reverse engineer your career path from there and figure out what steps you need to take to get to that next level. I don't think enough people think about it in the long game. They get focused on the day to day, on what they're doing tomorrow and how stressed they are. And they don't think about, okay, well, where could I be in the next five years if I continue down this path, or if I make a strategic change right now and pivot? It might be a decrease in salary for the time being, but maybe it's a better solution for me long term, and I'll be happier overall.

38:36

Yeah, I will say one thing. There are many good things about the security industry, but one thing that has impressed me is that there are a lot of people who are willing to be mentors or have conversations. So if you're a young consultant, or thinking about a pivot, you could probably reach out to just about any security manager or security executive, and they'd probably give you 15 minutes to do the kind of talk you're talking about: just investigate the career. How'd you get there? What was your background? Which is really cool. I don't know if everyone's like that, but I've noticed specifically in security it seems like people are like that. What about executives? So, cybersecurity executives. What is a CISO? What the hell is a CISO? I don't know, I guess it's different at every organization. Am I the compliance person? Am I over application security? Am I a true leader? Am I actually C-suite? Have you seen any patterns in terms of individuals who have been able to enter the executive ranks successfully?

39:32

I tend to work more with the folks at the experienced manager to director level versus true CISOs. But I would say, from what I've seen in the industry, to be an effective CISO you really need to have experience across a broad array of disciplines. It helps to have that technical knowledge. But then, like you said, you've got to make a business case to the rest of the C-suite to get the funding for your initiatives. So it's kind of a delicate balance. I think if you were to describe, in a lot of people's minds, what the ideal CISO looks like, it would be somebody who came up through the technical disciplines, whether it be pen testing, or incident response, or security operations, and worked in a few different subsets of security within, say, that security operations subset. And then gained some business knowledge, maybe went and got their MBA, learned how to talk to other C-suite members, maybe worked in consulting; that's a great way to gain exposure to a lot of different environments and a lot of different types of companies. So I think that's kind of the ideal path. And that's something that I tell a lot of people they should do: even if you're not in consulting right now, you should work in consulting for a while, because you'll discover pretty quickly what you like and don't like. Maybe you discover that you like working with financial services clients, and you can go be a director of security at a bank or something like that. And that gives you an idea of where your career path should go. Yeah.

41:02

Balancing, I've heard that there are almost several different CISO archetypes that exist. And I think there's this idea of a CFO's CFO or a CISO's CISO. At least for anyone who's never been an executive, and I've never been a CISO or CFO, but having talked to them, it's like some organizations are like, "We're strong in engineering." With some of these startups, CISO could mean you really need to be app security focused, but you're not a real executive; you're not like the CFO or anything, you're just over security. Whereas if you're the CISO of, say, Equifax, you're nearly celebrity status. So you've probably got to think about being in front of a camera, damage control, and brand, especially post-breach. So one exercise is just to decide what kind of CISO you're going to be. Are you going to be the celebrity CISO? Are you going to be the application security CISO? Are you going to be the compliance version of that? And that's kind of a surprise, because they're definitely not the same mold; there's lots of variety. All the auditors, they might be the compliance version of a CISO. Whereas I've seen effective chief operating officers, or someone with almost no technical background, become the CISO because, like you said, they can communicate with that C-suite, they know how to put a budget together, they know how to do organizational change, and then they hire under them enough technical people to make it all make sense. So it's a super interesting type of thing. What about, like you mentioned, you're kind of working at the director level, the upper end of top management before the C-suite. What are the most common backgrounds? Are these typically consultants that are entering those ranks, or people making lateral moves?

42:40

It depends on the discipline. I think in the super technical subdisciplines of security, usually it's people that came up through that particular vertical of security. So say you were a pen tester, then you grew your way up to be a senior pen tester, from junior to senior, then manager, then director. I see pretty often that people will switch disciplines. So they'll be specific, like a pen tester, say, in the consulting world, but then they'll move into the corporate side, and all of a sudden they'll be more of a generalist; now they're a manager of information security, and they have other security operations teams reporting to them. So it all depends on what you're able to get experience with. Or say you go to a large corporation: you're able to sometimes switch functional teams within the organization and manage different teams than you were on as an individual contributor. It just depends on the company. I think the most effective leaders are the people that have lived it. In the consulting world, a consultant that works their way up to director in consulting tends to understand what it's like to be a consultant. So having lived it is important. But that's not to say that you can't be an effective leader of a technical team that doesn't mirror your technical experience. I think there are good managers that are born, and I think there are good managers that are made. But it is important to know if somebody is a good manager or not. Another common complaint I hear is, "Well, they were a really good technical person, but they're not a very good manager." People are being promoted into roles that they shouldn't necessarily be in. Just because you're an effective consultant does not mean you'll be a good director or manager.

44:34

Like the Peter Principle: you rise to your level of incompetence. Basically, you're promoted into being not effective at some point. But yeah, I've noticed that too. What about, and these are questions where I'm hoping to gain some insight here, are there cush industries, or just industries or sectors where, from your experience, once people get there, they're just really happy? So maybe people hate one industry or one type of job, but when they move into the security operations center for financial services, oh, they love it, and you consistently see that? Or is it just very dependent on the company and other factors?

45:16

Yeah, it all depends on what some of these motivators are. And that's why, in the recruiting process, I spend the most time on motivators. I spend less time talking about somebody's qualifications than I do talking about their motivators, because I think that drives turnover, or lack of turnover, and overall somebody's motivation level and happiness level long term in a position more than anything. I think a lot of people have potential that isn't necessarily realized in the position they're in. And if you can address that potential and show them a position that allows them to take advantage of more of that potential, they're more likely to stay there long term. So it all depends on the individual, really. Some people are motivated by money, in which case financial services is a great spot for them. There are a lot of those companies in New York that are paying two, three, four hundred K a year for technical positions. I don't work on those positions, so I couldn't tell you, but I know some of my competitors do. It all depends, again, on what you really want to do. Do you want to work in a highly regulated environment or not? Do you want to work in a flexible environment or not?

46:23

Yeah, I always advise colleagues, and people I've tried to mentor, to be aware of the big paycheck. It's great to make a lot of money, for sure. But I've also noticed that someone always had a disaster recently, and suddenly a security job fell out of the sky that's paying really well. So I have a friend who was about to become a CISO. An organization came up, and the CISO position was in the 400k range, all in, including bonus, which was a lot more than he was expecting. But after a little bit of research, he found out that he would be a security organization of one, and they had had turnover every 12 months prior to that. And they thought it was because they weren't paying enough, so they threw money at the problem to get a CISO, for various political reasons. And I was like, man, go in there and get your payday, but you're probably going to be out in 12 months, because that's just what it is. He ultimately didn't take the position. But I've seen that time and time again: someone had a disaster, so they throw that position out there and try to throw money at the problem. So I say, you want to get paid well, but also ask about how many resources they're willing to give to the position. Do you have a budget allocated? Do you have staff allocated yet? Budget for tools and improvement projects? Or are you expected to develop the budget, and they don't know, because this is the first time they've ever even thought about it? So those types of things, especially at that executive level, are important, but also really fun, because it's pretty fun to say no to a $40,000 job if you're, you know, a security director.

47:56

I always say, be aware of the kitchen-sink job descriptions. If they're looking for a security architect, and a security assessor, and a pen tester, and an IR person all in the same job description, that's pretty telling. And I'm a big proponent of having the appropriate amount of staff for what you're trying to accomplish. You could pay four people less money versus trying to get one person at 400,000 to do everything. I think you'd be better off paying four people less money, because then you have the appropriate number of people for the number of man-hours that it's going to take. Yeah, yeah.

48:35

I just love this industry, because you can tell we're in our infancy. It's exploding, we're getting headlines, but we haven't even figured out for sure what a good career progression looks like for a security person. We don't have leadership development and training programs for fledgling CISOs; organizations don't even know where to put this person yet, or the whole work structure. So it's an exciting time to be in security, and there are great career opportunities to be had. Pete, appreciate your time, and thank you for what you do in the industry, man, helping place people in good jobs and helping them move up the ladder. If people want to reach out to you to find the dream position and make a lot of money, how can they find you?

49:15

LinkedIn. I live and die by LinkedIn. So just Pete Strouse, and then PHR, MBA. I'm out there; it should be easy to find. I'm probably the first person that pops up in a search for Pete Strouse, so.

49:27

Awesome. If you're a risk3sixty employee, do not reach out to Pete. I'll find out; I have a list. If you like this kind of podcast, and you want to talk about entrepreneurs, the security industry, the privacy industry, you can check out Tuesday Morning Grind on any of the podcast apps: Apple, Google, Spotify, whatever. If you want to look at our faces while we talk, you can check out YouTube; we have a playlist called Tuesday Morning Grind, where we post every week. So thanks again, Pete. I appreciate your time. All right. Yeah, appreciate it, Christian. Thanks for having me. All right, okay.