Servant leadership and maintaining a healthy team culture

James is a hands-on CISO with an incredible servant-leadership style. We discuss the importance of building and maintaining a team culture, how and why to prioritize hiring, and how to set expectations for security hiring with the rest of the business. We also talk about the importance of eliminating ghosting, employment hierarchies, and broadening one’s talent pool in the recruiting process.

Notes:

  • Possibility that the talent gap consists of mid-level leadership roles. No junior pipeline to become leaders.

  • Importance of curiosity in hiring

  • Automated rejection emails

  • HR bureaucracy & differences between hiring in security and hiring in other fields like legal

  • Importance or lack thereof for degrees & certs for security hiring

  • Importance of diversity of thought and importance of not teaching a school of thought for certifications

  • Importance of hiring teams staying close to recruiters and HR when hiring and how to do it with small time investment

  • How to set expectations for security hiring with the rest of the business

  • Broadening the talent pool with the business by removing cert/degree requirements or going remote

  • Selecting must-haves vs. nice-to-haves on job descriptions

  • How narrow talent pools can be and how to broaden those pools

  • Startups and wearing many hats

  • Importance of hiring the right people up front

  • Prioritizing hiring to save time in the long-run

  • Importance of not ghosting people and the larger implications of ghosting

  • Importance of outbound activity in recruiting

  • James’s preference for including arguments in the interview process

  • Servant leadership and employment hierarchies

  • Practicing cybersecurity

  • The effects of fatigue in security, burnout, and the importance of breaks 

  • Preparing your teams for changes in responsibilities and staffing

  • Limiting meetings in time and frequency to keep people productive

  • How KPIs drive behaviors

  • Importance of hiring smart people so you don’t have to micromanage people. Spend the right time up front.

  • Building trust and rapport with candidates and future team members

  • Knowing about employees’ lives and how that impacts management tactics day-to-day – best practices/1 on 1s

  • When to make the tough decision to let someone go.

  • Importance of setting expectations in recruiting process and in day-to-day management

  • How to judge performance quantitatively and qualitatively, KPIs and KRIs (“key risk indicators”), judging alertness

  • How to improve your emotional intelligence as a manager

  • Maintaining a healthy team culture

  • Importance of retention


Transcript

Peter Strouse 0:02

Hello, everyone, and welcome to the Talent Gap Fireside Chat, where we discuss causes of and solutions to the talent gap. I'm your house, your host, Pete Strouse. And joining me today is James Azar. He is an accomplished security professional, free-agent CISO and founder of the CyberHub Podcast. James, welcome.

James Azar 0:20

Hey, thanks for having me on, man. Congratulations on starting the podcasting journey and joining the brotherhood of podcasters.

Peter Strouse 0:26

Thank you, sir. I'm excited.

James Azar 0:29

Though, whenever you make a mistake, just know it's very human. When you say, you know, stuff wrong, I say it all the time on my podcast, it's okay. It's just the beauty and the authenticity of you being an amazing host.

Peter Strouse 0:44

Awesome. Well, could you give our guests, or I'm sorry, our listeners, just a little bit of background on yourself?

James Azar 0:52

Sure. So I've been in security for as long as I can remember now, a little over 20 years. My entire career has been based around the idea that, you know, I'm trying to solve problems, and kind of align security with everything else I do. From a business perspective, over the last five or six years, I've been doing a lot of CISO work. Before that I was doing founder work in the FinTech space around FinTech security. Now, I've been a CISO most recently, so, for a startup that raised $90 million, unfortunately failed within, you know, six weeks of launching, and not from a lack of good news. It wasn't from a lack of customer interest. We had a long wait list of people that wanted to be part of the company. But fortunately, like in a lot of startups and a lot of business, sometimes you just don't get to do everything you want to do. And time and money are a significant factor in everything that goes on. So now I find myself as a free agent, kind of seeing what's out there.

Peter Strouse 2:00

Awesome. Well, to any listeners, I know we're going to have a lot of CISOs and hiring managers, and a lot of high-level folks watching this. So definitely hit James up. He's on LinkedIn, and you can find him via the podcast as well. And at the end, too, I'll have you tell the audience how to find you and stuff like that. Thank you. Awesome, well, appreciate you being on, James. You know, you've been in hiring positions multiple times throughout your career. How do you view the talent gap? As is, you know, the title of the show? Is it real? Is it imaginary? And how do you think of it?

James Azar 2:41

So I don't know that I see a talent gap. Let me start with that. So when you look at entry-level roles, you and I have a lot of people that we connect with and connect with us on LinkedIn that are trying to break into security and can't catch a break to get there. So that to me is, I'm not getting hit, I'm not getting the talent gap. To me the definition of a gap, right, is when someone's contacting someone overly qualified for an entry-level role. That doesn't exist. And when it does happen, it's probably because someone just overlooked at the delta or just mass spamming everyone offering an entry-level role. But you're not getting, I'm not getting contacted by recruiters going, Hey, we're looking for a security architect. Do you want to be a security architect? Right, that's just not something that's happening to me. That would be the definition of we have a security talent gap, because we don't have enough entry-level people go in an entry level. Where we have a challenge filling roles is the thing predominantly in that mid-level HR leadership roles, right? So the manager to director level, I feel like there's a gap there. And the gap exists there because of one or two things. Either we're not building our junior pipeline and developing them to become leaders. So then when we're trying to hire leaders to expand our teams, we're not finding the right people with the right set of experiences, with the right set of experience, in order to become leaders. Or there's just a general lack of knowledge on a specific topic. Prime example, ChatGPT, AI, right now, right? Like, that's all the hype. Well, I'm seeing positions out there in the market where people are like, I'm looking for a director of ChatGPT with two years of experience in AI, and you're like, yes, realize this came out like two months ago. Three months ago. Like, no one's got two years of experience messing with the tool. Everyone's learning on the fly.
So why don't just say we're looking for someone extremely curious, who's been playing around with ChatGPT since it came out and has some leadership experience, that can come and be hands-on and build out a team around our desire to utilize ChatGPT.

Peter Strouse 5:04

I think that kind of comes from a lot of companies looking to somehow quantify what they're looking for, you know, so the only thing they can think to put out there is, well, we need somebody who's done it for x, y, and z number of years. But for me, that doesn't necessarily speak to ability in doing something. You know, you could have somebody that's, you know, fresh out of high school that's been messing with AI, as you know, as long as he's been out of high school, and hasn't been that long, but he's just, you know, super sharp and can pick it up very quickly. And that person may be more effective at utilizing AI than somebody who's been in it for 20 years. So how do you, how do you measure that, I guess? Or how do you make sure that you're not filtering out that person, if that's, you know, the type of role that you're looking to hire for?

James Azar 5:53

I can tell you that in the last two months I've either applied for a bunch of roles where you get the automatic email, right, that says you don't qualify? And you're like, Are you sure? Like, has any of you looked at this? Or is it just, we're looking for two things, and if you don't have those two things, we're not going to have that conversation? Right? I think this comes down to what I like to call HR bureaucracy. And the HR bureaucracy is the justification of why I have a job in HR, right, and setting some sort of standard that could apply if you're in finance, or law or legal, where I think you want to have that experience, and you got to come with those certifications and those degrees, because, you know, while you can teach yourself to be a lawyer, you've got to be bar certified in order to practice law. And that's very different from cybersecurity and technology in general. I don't need a degree to be in tech or cyber, I don't. The whole idea of a degree to me is asinine. What it's doing is it's funding the sort of lack of creativity that comes from going into one of those degree programs where you're really learning the basics that you can learn all on your own. But then it's shutting down any sort of diversified school of thought around solving problems. That was my issue with certifications two to three years ago, and it's stuff where I was speaking to, you know, SCA, a CSA, sorry, or ICS, IC squared or others. And, you know, there was some real feedback into the idea of, let's kind of cover the basics, let's not teach a school of thought. Let's teach the traditional way that we've solved these problems. But let's not make that the only way you can solve a problem, because otherwise, we're never going to solve problems. Everyone thinks the same way. So diversity of thought is really critical. And that's the HR bureaucracy. The HR bureaucracy is you've got to have a degree and a cert.
If you don't have a degree and a cert for specific roles, especially in leadership, then they're not interested in speaking to you. Right now, I don't have a college degree. I don't have gone to college never finished. You know why? 'Cause I started businesses, been successful with some solo, been less successful with others, failed. You know? And I'll take that too. And I know that currently, I'm telling you about a personal experience and my current search, right? I've had recruiters and HR people tell me, well, they're really big on a bachelor's, and I was like, well, for what? What beats 20 years of starting businesses and selling them and running technology teams from scratch? For a four-year degree from a college, what am I going to learn there that I haven't learned in the last 20 years doing this?

Peter Strouse 9:02

I think a lot of the disconnect is people that aren't in security, they don't realize how different security is from other fields. Like, I used to recruit in IT. And this is a good example. Even going from IT to security, it was a huge learning curve for me, because I didn't understand how different security was. It was a newer field. People weren't as seasoned. There weren't as many well-defined job titles and roles and things like that. So I had to kind of learn all this stuff on the fly. And, you know, especially HR and recruiters that don't specialize in security, they just don't know how different security is. So I guess the question for me is like, how do hiring managers stay close enough, without having to micromanage the HR people, to make them effective at filtering people, filtering out the people that aren't fits without filtering out the people that could be fits based on some arbitrary criteria? And how do you get your lack of degree requirement approved by HR, if that's, you know, corporate policy, that sort of thing?

James Azar 10:08

So, Pete, you and I've had the opportunity to professionally work together in my last role. And you worked with one of our internal recruiters at the company at the time, an awesome human being by the name of Maddie Madison. And Maddie, from a lot of HR people, I worked with our entire HR team. And my last firm was unbelievable, right? Because what we did is we went out and we kind of set it to where we don't, we're not looking for. Education mattered for our founder, right? We had a lot of people that were Stanford and Harvard educated, Ivy League school folks, we had a lot of those as well. But then we looked everywhere else across the org and I said, Well, I get that we want to have that. And we want to have those alma maters because of the index. They also come with when you're a Stanford grad and a Harvard grad. Right. And that alumni access that you get there, that's predominantly why, you know, a lot of companies go for those grads. In our scenario, Maddie and I kind of went about hiring very differently. We said, we're looking for hands-on experience, we're not looking for college degrees or certs. It's nice if they have them. And those were under the nice-to-have category. If you remember, in our job description, not required to have a degree, you're not required to have a cert. But if you've got a passion for security, if you've been doing it and practicing security for the last, you know, two, three, four years, you're someone we want to speak with. And you're someone we're going to give a chance to. And that opened up our pool significantly to a whole lot of talent. And being the fact that we were willing to be hybrid, that we were looking, you know, that we weren't looking to have people be in one geographical location or another, also helped our talent pool. And so one, that was my work with our HR team as a CISO.
And I think that's the responsibility of every, you know, CISO, head of information security, director of InfoSec, or VP of InfoSec, right? To explain that to HR, and say, I get why we need this for finance and legal, and not dismiss it. Because yeah, having a college degree to become a lawyer is critical to becoming a lawyer. You can't become a lawyer any other way. You've got to pass the bar exam, and the only way to prep to a bar exam is to go and study in law school, because if you want to practice any type of law, you got to do that. You want to be a doctor, you got to go to medical school. I don't think you and I would go see a doctor who didn't go to medical school. So this isn't a dismissal of college degrees. It's the dismissal of saying a college degree is the only way for you to learn how to practice cyber, because it's not the only way. You go to TryHackMe and you find thousands, tens of thousands, of passionate, young and old folks in the middle of their lives, or starting their lives, looking to get into cyber and going about and completing challenges. And they're willing to come with a whole lot more. You know, one of the things that I had a struggle with was those mid-career transitions. Because those are the people who I really wanted to hire for my manager and director role, someone who could have potentially been in IT or finance and decided to switch to cyber. But then at the same time, they didn't have that hands-on experience that I needed from a leader, meaning I wasn't sure that that person could really effectively manage a team. So as a CISO, that was one of my bigger challenges. Now, going back to your question around, you know, what do you do when you speak to HR and you kind of change the criteria as you go: I get that you want to have a role with a college degree.
But can we say, instead of required, nice to have? We can leave it on there, because I don't want to change the template of the job descriptions the company uses with the requirements that the company has that have been set as a baseline. But instead of required, keep it on there and say it's an advantage. But it doesn't mean that we won't talk to you if you don't have it. Because if you've got the experience, we'll take it. And in security now, you're starting to see that a bit more, where you're seeing in the job experience side of it, you'll see a bachelor's degree or equivalent time, you know, doing the general job description, and you're like, Okay, that's cool. The question is, is the algorithm picking that up?

Peter Strouse 14:28

Yeah, I think folks really don't realize how narrow some talent pools can be, if they're not on the front lines, kind of as a recruiter like I am. Like, I've worked on positions where there was literally only a handful of people in the entire US that would fit for that job. So if that's the situation, you pretty much have to widen the candidate pool, because if you don't, you're gonna rely on like a 20% success rate, which is really unheard of. You know, I think it's all about the numbers. When it comes to recruiting and hiring, you have to reach out to, you know, say 100 people to get one person hired. But if your candidate pool is 15 people, you're probably not going to get somebody hired. And that's how these positions go unfilled for nine months. But if you, for instance, dropped the degree requirement as a must-have, you could broaden that 15-person candidate pool from 15 to 250, you know, for some disciplines, and a lot of school security folks came up through IT, and not through degree programs and stuff. So

James Azar 15:34

So the question is, do you want to have 250 people apply for a position? Right, because that creates, you know, I've been part of, I've seen it in my own companies, right, where you get, you know, 20 really good people applying for a position, and you don't know how to fill it. Because your hiring criteria changes based on your excitement over a candidate and the potential of that candidate. And I think that that's a challenge as well, right? Like, there's no middle of the line. Like, you know, you as a recruiter say, Hey, I'd love to have 250 people apply for a position that are, you know, great, instead of 20. But then, am I gonna get confused by 250? Or am I gonna miss a whole bunch of people because 250 people applied, and not 20? And vice versa? I mean, the same kind of goes through. You know, it's one of the bigger challenges, I think, in terms of hiring. And it's really one of the biggest decisions we make as leaders. And I think that's so underrated in a lot of places, right? The biggest decision you make when I was building a security program were the first employees I hired, bar none. Because I was looking for unicorns, all the way across. Right? I wanted someone who could do, I knew how to do two things very good, and had the fortitude and curiosity to go and learn how to do four other things good enough. You know, and it was funny, because in my last role, I was so hands-on, right? That, you know, we used to laugh and be like, Yeah, I'm your CISO, and I'm your security architect, and one of your security engineers, and your IAM analyst, and one of your SOC, you know, analysts and so forth, because that's what you've got to do. And I think in leadership, right, like in anything, hiring the right people is going to be either how you succeed or how you fail. And it's not something that you can just outsource to HR.
You know, Maddie and I worked. When we were hiring, it was twice a day that we'd get on a phone call and look at CVs, twice a day that we would talk about which candidates she pre-screened, and what she thought of them. And you know, what were kind of some of those answers, and then her and I would go through it, and then I would potentially pre-screen someone, call him for five minutes just to kind of, she'd be like, I really liked this person, but I'm not sure about X, maybe you get on a quick call. And I get on a quick call, not an official interview, but kind of just had just wanted to get to know you a little bit, I heard you spoke to Maddie, before we go through actual process. And in five minutes, you'd be like, alright, definitely I want this person going through a more thorough interview process, rather than just dismissing them. There's got to be that partnership. If you don't have that partnership with HR, with your recruiters, then there's no point of you doing that. Because you're not going to be successful, because you're going to hire wrong people, because you're relying on someone else to fill it out.

Peter Strouse 18:42

Makes sense. So what do you say to the person that, you know, say they're a CISO that's understaffed, and they're already working 70-, 80-hour weeks? How would you recommend to them to allocate the time necessary to actually be able to stay as close as you were to HR, to recruiting, and make sure that the right people are getting on board?

James Azar 19:04

So this idea that phone calls need to be an hour long is a mundane and old idea. Maddie and I could speak for three minutes, and in three minutes get what most people do in 30. I was working 70, 80 hours a week, 70, 80 hours a week, like many of my peers. And I think this comes to managing your time and then understanding your priorities. If I want to cut down my hours, I got to hire the right people so that I can go from 80 hours a week to 50 or 60. Right. But I can't keep doing 80 hours a week hiring people that I don't train or don't invest enough time in understanding their qualification. So open HR gets it right when HR doesn't go get mad at HR for not getting it right. And play with someone's life. Because that's what we are as hiring managers. We are going to someone and we're saying, Put your trust in us, not only to be paid and provide for your, you know, your family, your loved ones or yourself, but also for your career sake. And then a few weeks later, say you're not a good fit, we're sorry, but we're gonna go ahead and shake the ground that just solidified under your feet. So you can go out and do a job. And that's so dismissed. So my recommendation would be, this is a priority. If you're working 80 hours a week, and you can't find right people because you're understaffed, you've got to invest some time in staffing your team and hiring the right people. And that means that you've got to be in touch with HR, you've got to take some time to review some of those CVs yourself, take really good ones, take stuff that really stands out for you, and at least send that to HR and say, These are the kinds of talents, these are the kinds of people and talent we're looking for. If you see this in someone's CV, make sure you set up a first interview. Right.

Peter Strouse 21:01

And I would highlight the importance of doing all that quickly. You know, when you want to make hiring a priority, like you said, but I think what a lot of folks don't realize is how quick you can be to lose people if you don't get back to them. So if there's somebody that's top of their game, top of their field, if they're highly in demand, like, for instance, in the surge of ransomware, when all the DFIR consultants were super in demand, they're getting four or five offers at once. And if you spend an extra week, you could lose out on that person that would otherwise accept an offer for you. I'd estimate, I'd love to see some actual data on this, but I'd estimate for every week that goes by where the candidate has not heard from you, I'd expect their interest level drops by at least 50%. It's, what's the word? Exponential. Basically, you know, the longer the time goes, the less interested they get, and the more quickly they get less interested. Because they feel like they're not a priority. And so a best practice, I would say, is if you do value your people, value their time before they become employees. And they'll notice, because not everybody does. And that goes back to trusting your HR and your recruiters. Make sure that they are getting back to people in a timely manner, make sure that they are reviewing every applicant that actually applies. Had a good example of this actually today. Director candidate I had been working with, I worked with him as a candidate in the past, and I prodded one of the salespeople at this organization he had applied to four weeks ago. So he applied four weeks ago, didn't hear anything. And then I just prodded one of their sales guys. And that prompted them to get him in the interview process. And now they're super excited about him. But they didn't get back to him at all, and he had applied four weeks ago.
So you know, just base level, bare minimum, make sure your recruiters are reviewing every application. And that'll pay off for your employer brand long term. People aren't going to get ghosted, they're not going to feel like you're not valuing their time or their effort in applying. And it's something you don't really think about, but maybe should. Because if word gets around that, you know, you're ghosting people as an organization, it can quickly make sure those top performers that you want to hire aren't going to consider you. So

James Azar 23:29

Well, and they're also not going to not work for you, they're probably not going to want to do business with you. If you ghost an applicant, what are you going to do to customers? And I don't think that really resonates with a lot of HR and hiring managers. You can't ghost candidates. Because at one point, especially if you're interviewing, so especially if someone's going through the interview process, you can't ghost them. I can tell you that taking time while I was at the airport, once, because I was at the airport twice a week flying in my last role. That's, you know, sitting at the gate waiting for my flight is when I typically send emails to candidates we didn't hire. Just go into my phone. I love their CV, people I've interviewed, spent time with, and just send them a two-line email saying like, hey, I really appreciate you thinking and considering to be part of our team, just wasn't the right fit right now for us, but wish you best of luck. And you know, if you're in the market again and you see another opening you feel like you'd be a good candidate for, let us know. And I'm a resource to help you in anything you want to do in your career. You know, good luck. Thanks. Bye. Takes 35 seconds to type that up. 35 seconds, maybe. Sitting at the airport, listening to music, writing these out. On the plane after I sit down, keep doing it. So until the captain says we're about, you know, turn off your phones, put them on airplane mode, and even then if I'm writing it I still keep writing it until we're ready for takeoff. When I feel the engine spool I'm like, all right, I'm gonna go on airplane mode. And I'll go ahead and put it in airplane mode. But it's so critical to not ghost people, because to me, if I ghost someone, why would they want to do business with me or my company? If that's the experience they have from your brand, trying to be a part of it, wanting to contribute to the success of your brand.
You take their time, you interview them, and then you ghost them? Why would they want to be part of your company thereafter? Why would they want to be a customer of your company or be associated with your company in any sort of way thereafter? And I don't think anyone in HR has ever given that any real thought, that in fact we should be replying to every single person we decide not to hire with just a simple email that says, Thank you for your time. We really appreciate it, we've decided to go another route.

Peter Strouse 25:51

That's awesome. Yeah. And that brings up another good point. So we talked about applicants. As an external recruiter, I don't spend time fielding applications, I don't even bother with putting up job postings. As I found most of the time, I end up getting people that are completely unqualified or completely in a different field. And there's a lot of time wasted sifting through those hundreds of applications. Yet, I still, if I do put one up, make sure to get back to every single person, because I do recognize the importance of that. But I think far too few recruiting teams are actually doing the outbound activity that they need to do to find the right person. A lot of times that person isn't going to come just apply to your job. You can put up a job posting, and you may get a few decent applicants, but you may not get the most ideal applicant. So I spend my time searching the market for the people that are the best fit and not the ones that are applying to my jobs. And the flip side and benefit of that is I don't have to worry about getting back to hundreds or thousands of people that have applied that aren't fits. I'm just instead focusing my time on the people that I know are more likely to be fits based on their experience.

James Azar 27:01

See, I see recruiters, people like you, as having the insight for the applicants. Right, you're kind of getting feedback after every interview. And I think one thing that's a differentiator between a good recruiter and a great recruiter is the feedback. Are you going back to your candidate giving them honest feedback about the interview process, about how they interviewed for a job potential, about some of their answers? And are you coaching them to be able to win that next job, even if they lose the one that you just put them out for?

Peter Strouse 27:35

That's fine. I've been burned by that before actually giving candid feedback. I still believe in it. But you have to be cognizant as a recruiter of liability and potential legal implications. I had a situation once where I vouched for a guy I had an interview, he didn't do so well, I think the situation was he was like cursing in the interview, or he brought up politics or something like that. And so really left a bad taste in their mouth. And I gave him that feedback. And, you know, trying to help the guy out. And he ended up like finding the hiring managers emails, and complaining to them and throwing me under the bus. So I've seen the flip side of that. So I think as a recruiter or hiring organization, you want to you want to both limit legal liability, while at the same time providing as much actionable feedback as you can. And that's a pretty tight, that's,

James Azar 28:31

that's a rope. You're dancing very elegantly as you do that, right? To me, it's fascinating how people who you're trying to help, right? Hey, I'm here to help you. I just want to tell you where you potentially missed in this job interview that could potentially impact the fact that you're, you know, they loved everything about you, but this one thing, but this one thing, if you keep doing it, is not gonna get you a job anywhere. And you're trying to be honest with someone and then they take it that way. That to me is just, I don't know, man. That's, it's sour on me. It's really sour on me. That's just, you want that feedback. I think we all yearn for feedback. After interviews, we all want to know what we did well, what we need to improve on, so that next time we're able to become better at what we're doing. No one's saying change your personality, but tone it down sometimes.

Peter Strouse 29:23

Yeah, I think just pure objectivity is tough for most people, because we have all of our biases. And, you know, we, for instance, in the interview process, we have to like meet bias. There's a bunch of different biases that we don't think about, that we're looking for people like us or we tend to give ourselves more slack than and I disagree

James Azar 29:44

with you on that because I want people that argue with me. And in job interviews, I will intentionally throw out the dumbest question on planet earth that you can't agree with me on that you can't agree on what I'm A like you can't agree. It's just not an agreeable topic, right? Like no one should ever do MFA in security. Like it clearly at that point, I'm asking you to really make an argument and see how you stand up to a really dumb idea someone throws out because it's critical. Practicing security is like being a pilot or being a doctor. There's two things that go in a cockpit, you know. And in an operating room, where title no longer matters. Because you want to get the best result, the best result? Is that right? The early on plane crashes when the NTSB used to investigate plane crashes. And it always fell in human error, you could tell that the captain or the copilot was trying to warn the captain of a risk. But the captain wasn't listening. They were pulling rank. And so the NTSB updated their manual to say that there's no rank, there's a pilot and a copilot, there's one who's in charge of flying the plane and another one who's assisting in different stages of the flight. You can have the copilot take off and the pilot land the plane, et cetera. But if there's a risk, then the other person can really take over and address that risk. The same applies in an operating room for doctors, right? Just because you're the chief surgeon doesn't mean that the other surgeon assisting can't stop you from making a mistake. Well, in security, that same principle applies. CISOs aren't all-knowing. No one is all-knowing in every discipline. No one's all-knowing in all disciplines.

Peter Strouse 31:40

Yeah, I think I have an ego problem in security, though. So that pulling rank thing is a pretty regular thing.

James Azar 31:48

Yeah, I wish, I wish I refuse to accept that. I know a lot of people in security that don't have egos. I know a lot of people in security, and a lot of CISOs and security, who want to have good debate around solving significant challenges that exist for your organization. And, and what I see is that there's a, a culture that needs to happen a cultural shift that needs to happen within security to go, we practice security, keyword practice, it's a practice, it's never perfect. What we do that works today may not work a year from now, because a new strain of malware is going to come out a new strain of code is going to come out a new persistence module model is going to come out and everything we've done for the last year goes out the door no different than how it happens in medical, no different how it happens in law, and no different how it happens in flight school. Right, the technology that flies a Cessna 152 isn't the same that operates a Boeing 737. There are similarities, but they're not the same. Right? They're very, very different. And it's a different set of skills. Right, you need 40 hours to fly Cessna 152, to become a certified pilot, but you need like, I think 400 hours on a Boeing or 1700 hours sorry, on a passenger plane, it's 1700 hours on a passenger plane, to be able to fly a big passenger plane 1700 hours. That's no joke. That's no small feat. Right. And so that's six months of flying eight hours a day. For anyone trying to do the math, six months, flying eight hours a day, and no one flies eight hours a day. Right? Regulation states that you got to have, you know, even if you're doing a transatlantic flight, like you can only fly for three, four hours for someone else's got to replace you. Because they know that alertness goes down. So we, in security, expect our junior analyst to sit at a screen for nine hours a day, and miss nothing and be perfect every single time.
Because if they're not perfect, there's dire consequences, no different than the pilots. So if we as leaders, don't start addressing these issues now. And go, I'm probably going to have to change the way my analysts operate, are we gonna have to put them in front of the screen for three hours, give them a one hour break? Right where they're not on screen. They're doing something else. They're taking a break, they're resting, they're reading, they're watching an education video about something and bring them back to complete another three hours or three and a half hours or four hours, however you want to do it. Right dictate what works for your team and their stamina, and continuously rotate them in and out. And you're going to lose people often. And we're not going to be very good at security. And we're going to have a bunch of mistakes. And there's going to be egos in the way and there's going to be dark consequences for leadership and your organization and your brand. We got to look at security the way, you know, a doctor in an operating room, there's, during, if you're doing an emergency surgery that takes nine hours to do, right? You've got stamina for that surgery, the whole team is built for it. So you know, your team is ready for a day of an incident where you've got to work four or five days to contain the issue, or fix it or get something back up and running. But then on the day to day when there aren't these issues, it's got to give your people room to breathe. You've got to understand burnout, you've got to understand when they're practicing security, what kind of breaks do they need to get in the middle? And that was critical. By the way, when we selected MSSP partners. That was one of the things that was one of my questions. So how do you manage your SOC team? How often is someone sitting on a chair? How often do they get breaks?

Peter Strouse 35:52

That's awesome. Or how understaffed are you? I mean, yeah, but it's probably a pretty hard question to answer I'd imagine for the,

James Azar 36:00

I don't think anyone would ever be honest about how understaffed they are when they're trying to sell you services. You realize they're understaffed when you're speaking to the same person around four different things. Because you realize that one person is doing four different things. And if that person got hit by a bus tomorrow, God forbid, right? You're screwed, they're screwed, we're all screwed, because that person probably managed 10 different accounts and did five different things. And they were paying them dirt cheap. Right? And now they've got to have five people replace that one person. And that's no longer a doable service. And then you've come to expect some one level of service, and now you're getting a whole different one. That's the problem with unicorns.

Peter Strouse 36:45

Yeah, yeah. And you're more likely to have egos with unicorns as well. You know,

James Azar 36:51

they're more or less there. I'm gonna push back on you there. Pete, I don't think you've got an ego problem with a unicorn. I think people want are protective of their territory, at work and at home. Right? Like, it's just your nature to want to protect the area you're responsible for. So if you're responsible for five areas, and you've been given that responsibility, and all of a sudden they're trying to take away one of those areas. Is that ego? Or is it the fact that you think you know how to do it best? You've become so routined in doing all of these five things, that seeing one thing getting taken away from you, shakes the ground you stand on? And that's so often missed in leadership and in hiring and in kind of growing your teams, right, is, are you setting the ground up to the fact that you're bringing someone new in to take over one part of what someone is doing? And are you making sure that the ground under them isn't being lifted? Do they know that they're still on solid ground? Do they understand that they're still a valued team member? Do they understand that the people that you're bringing in is to help them not replace them?

Peter Strouse 38:00

Yeah, don't put a meeting on their calendar for 15 minutes on a Friday afternoon. That's the best practice.

James Azar 38:07

You I believe in no meeting Fridays. Strong believer, no meeting Fridays. I actually don't think we should have meetings on Monday mornings either.

Think you should do meetings from Monday afternoon to Thursday morning, lunchtime. From there on out, you shouldn't have any more meetings. You should let the people work. Get the stuff that they need to get done, done. Work on the projects they need to finish, give them enough time in between, to really study, think through an idea. So that they're confident when they go into a meeting that they've had enough time and enough knowledge to come up with a solid either solution or recommendation to the team. And we don't do that because we do a Friday morning meeting. And then we do a Monday morning meeting and what's changed between Friday morning and Monday morning outside of the fact that you are off Saturday, Sunday, I

Peter Strouse 39:06

always found that kind of very common in sales, I think in recruiting to have those Monday and Friday meetings to kind of recap the week and I guess to talk about the week coming up, but yeah, you're right. I want you

James Azar 39:18

to do that on Friday. Like, hey, we had a slow week this week. Let's pick it up next week. Okay, great. Get right on it on Monday. Well, last week, we had a slow week and that's Monday morning's call, right? We need to really pick it up this weekend. Like we have this conversation on Friday. I feel like I could have used this time to actually get to where you want me to be.

Peter Strouse 39:37

One of the biggest things I couldn't stand was micromanagement back when I used to work for a huge corporate staffing firm. It was all about the metrics and we had to hit our numbers and it inspired a lot of bad behaviors. Because I believe what you track what metrics you follow incentivizes certain types of behaviors and in that case, it wasn't good. How do you kind of, I guess, walk the tightrope between micromanagement, versus staying close enough to your employees versus, you know, giving them space to do what they need to do.

James Azar 40:16

I hire smart people to do smart work, so I don't have to micromanage the work they do. Not saying I don't have to micromanage, but if I have to micromanage you, then we're on a path. That's not a good one. That my

Peter Strouse 40:29

horse, I'm sorry, how do you adjust course in that scenario, if you start to get off,

James Azar 40:35

so. So one, this kind of goes back to what we were talking about a little bit ago, right, with being part of the hiring process, making sure you're investing enough time with HR to hire the right people, you only have to micromanage people is if you didn't hire the people you hire to do the job, then you're unsure of the quality of the work they're doing. Because you weren't really a part of it, you didn't make that decision, you didn't trust that person, you didn't build rapport. What's the interview process, if nothing more than building rapport with the person who could potentially be your coworker, and partner in your journey to do the work that you're trying to do? Right. So you bring people in, as a leader, you've got to have a pulse over things that are going on in people's lives, you can have very good people all of a sudden, lose track, because something's going on in their life, someone got ill, there's personal relationship issues that go on their kids are getting bullied at school, there's 500 reasons why someone's performance drops that has nothing to do with the company, or the management, and it has everything to do with the outside world. That's cruel. The outside world is cruel, and it's cruel on people. And different people handle that very differently. Different people handle challenges in their personal lives very differently than what they handle it in their professional lives. Right, a challenge in your professional lives. Some people dig deep, some people give up a challenge in your personal life, the same actions happen and not one is associated with the other. So as a leader, one, you've got to make sure, and you've got to keep a pulse on your employees. And that also becomes part of like internal HR. Right? You someone you know, you're having I used to do one on one conversations with my team every week, right? 10, 15 minutes. Hey, how's everything going? Is there anything we need to do better?
Or do you have all the tools you need to do your job? What are you struggling with? How are things at home? You know, how are things going? You know? Are you happy? Are you do you feel challenged? Are you overly worked Are you underworked? Like, where are you at 10 minute call, literally, it's a 10 minute call, someone will tell you right then and there. You know what, my kid, we just switched schools because we moved and my kid's getting bullied. And you know, my wife and I are, you know what? Perfect. Right? When I finished that, I pick up a phone to HR. And I'm like, So and so I was having some issues. And now we've got some resources to help, can you please email them the resources that they need to make sure that gets done ASAP, so that they have that. And then I'm gonna take it easy on them. I'm gonna take some stuff away from them to give them time to focus on that because as long as that's happening, they're not going to focus on their work. So I'll go and I'll ask someone else to take a bigger load to help the team while that a bigger workload, so that that person can have a shorter, smaller workload, so that they can focus on solving that problem, because once they solve that problem, they'll be ready to take that workload back on. And they'll be 100% focused on it. So this is servant leadership. This is what servant leadership is all about. And this is what understanding kind of the new way we need to work with our team members is all about in this hybrid workplace where you're a lot of people are working from home, right? So they're sitting at home, so they're more likely to be sucked into the drama that they weren't getting sucked into when they worked remote, right when they were in the office, because in the office, you'd get a phone call from your wife or your kid and be like so and so I'd be like, Alright, cool, I get it. I'll call you back, go talk to you know, so and so go solve it yourself.
But when you're at home, you don't have that opportunity to disconnect because they stand right there. They're right by your desk, they're pulling out your shirt, they're right behind you. They're not allowing you to vote and you're in it because you're hearing the conversations in the house, you're hearing the noise, and you've got to step away from it. So this goes to servant leadership, number one. Number two, when you go down the path where you realize that there's nothing that you can do within the capabilities of the company to help that person, performance continues to deteriorate. There comes a time where you do one of two things either have the come to Jesus conversation, right? Like, Hey, your performance is getting to a point where I can no longer cover for you. The team's been overworked. It's just not very good. Letting you know. This isn't looking very promising. We're going to start to really have to seriously evaluate your contract. You should go to the team and see if you're still the right fit for the role you're filling. And if after that conversation, nothing changes, then there's that conversation with HR. There's the job posting that will go up, obviously, to compliment that person. And that person's already has been on a bunch of, you know, PIPs and, and, and forms will, will likely be walking out, you know, unfortunately, we'd have to dismiss that person, the end of the day, we work with humans, and we're understanding but then that understanding has a capacity. It's not because we're mean, it's not because we're all after capital or money. It's because we're all judged by our performance. And at the end of the day, you're only as strong as your weakest link. And if your weakest link is getting everyone else on your team sucked into a vortex, you've got to cut that off. Because otherwise, your whole team's going down that same vortex are being overworked, they're making up for that one person's slack.
And especially in small teams, it's very quickly felt, and you've got to cut that almost immediately. And move on. And it's not the fun part of being in a leadership position. It's not something you look forward to. That's something you wake up for in the morning, and you go, Alright, I'm going to do so and so but it's part of the job. The job has goods and bads and this is the bad when something happens to someone and they no longer, you know, can become a team member and you're close. Everyone's close with people they work with. It's just the nature of it, you spend more time with them sometimes than your own family.

Peter Strouse 46:39

Yep. So how do you I guess, set expectations, say you're having that performance improvement discussion? I think it's really important in the stress, that tangible expectations need to be set, not just you need to get better, but like, how exactly do you get better, or, you know, if you get better in this area, here's what that would look like, you know, this is the goal we're trying to hit. If you hit this goal we're talking about, then, you know, we don't need to have another one of these conversations kind of thing. Same thing with setting expectations. In the beginning, I think when you're hiring somebody, I hear a lot from people that are looking to move jobs, well, I really don't know what I need to do to get promoted. Or, you know, I feel like my head's on the chopping block, but I don't know what I'm doing wrong. There's so much of that out there, just lack of communication and lack of setting expectations. I like to set expectations in the very beginning in the recruiting process, like, you know, this is how many interviews you're gonna go through, here's what the hiring manager's like, you know, there's gonna be a technical round, there's going to be a personality round. Once you get on board, your onboarding is X, Y and Z amount of days. And really setting that path. You know, where somebody feels like they have milestones to hit. And they're not just kind of wandering through the desert and not knowing what they're doing. That little bit of guidance goes a long way, I'd say.

James Azar 48:08

Yeah, I mean, again, setting proper expectations at hiring is critical. The conversation where you're, you know, how you judge someone's performance is typically by their personal KPIs and KRIs. Right, and I judge, my employees have a balance, in security, of key performance indicators. And then key risk indicators. What are you responsible? And what's the risk for the tool? Or part of the business you're responsible for? And is that risk becoming to a point where it's unacceptable? And we're what where do we want our risk zones to be at in order for you to be doing well in your role? Right. And, and that's one way, that's one thing I use in that conversation to set really proper goals. And then the other one is just alertness. And attentiveness. And some of that stuff you can't measure. Some of that stuff is just, hey, you know, in meetings, when we do brainstorming you used to be a major participant, for the last month, you've been just a listener, start like you would love to see a participant more in those meetings, add value to the conversation, the value that we've become accustomed to.

Peter Strouse 49:34

Not everybody, I think would pick up on that sort of thing though. So you know, if you're somebody who's not naturally emotionally intelligent, like how would you go about working on that? Do you think?

James Azar 49:45

A few different ways one is get rid of distractions when you're going into those meetings? Right. One of the things I used to coach and really talk to a lot of people about is when she Short, effective meetings do a whole lot more than long drawn out meetings, long drawn out meetings, people end up worn down, they need time to recover from them. And typically, there's very little action, actionable items that come out of it. I have a policy as a leader 30 minute meetings, nothing exceeds 30 minutes unless something really needs to exceed 30 minutes, right. So if we're trying to solve a problem, we'll do a 30 minute meeting just on that problem alone, nothing else. Don't get distracted by it. I give everyone two minutes to talk. And then we problem solve for the rest of the time. So if there's five people in the meeting, everyone gets two minutes to talk. There's no titles in those meetings. Right. So when you come into that meeting, I'm not James the CISO, and you're not, you know, Pete, the director, we're James, Pete, Mark, you know, Rachel and Michael, and we're all trying to solve a problem together. And there's no right or wrong, there is no authority in that meeting at all, at all. And typically, I'm the last person to speak. Because whoever's leading the problem, whoever's dealing with the challenge is the person that's presenting it, presenting some of the options to teams and goes through those options together, everyone kind of speaks for a few minutes, uninterrupted, so that they can present their ideas without being thrown off base. And then, you know, we go into the whiteboarding problem solutions session, and I come in towards the very end, or I'll help keep the conversation on key. But I try to stay out of it, I try to let the people really excel. So that's one way where you can go to someone and say, you know, I'm having an, there's a lot of dead space coming from you where there wasn't before.
So maybe get rid of distractions, maybe try to be a bit more active listener, maybe tune something out for a little bit to be part of that. There is no perfect way to measure that type of performance, right. And it's not something that because of that you'd lose your job, right. But it's something that would be for me a red flag in terms of someone who would be an active voice and participant in something that all of a sudden isn't. And it could be that they don't understand about the topic. And even then we're just like, Alright, cool. You don't need to be in the meeting.

Peter Strouse 52:12

Right? Yes, symptom of something else, excuse me, and not necessarily the, you know, the main thing that you're worried about.

James Azar 52:20

So if you hear the same two voices in every meeting, you realize you have a problem. And I think any leader knows that. If the same two people, or three people are always the people that are talking, in every single meeting, you have a cultural issue within your team where some people dominate all the others. And this isn't a jungle, right? This isn't, you know, someone needs to dominate someone else. This is a teamwork. This is a group effort. And practicing security requires a whole different set of opinions, and a whole bunch of diversity school of thought and diverse knowledge. So when the same people are all coming in the same people talking, you're only getting one side of a story. And they're shutting everyone else up. So typically, we start to cut those teams apart. One of my tactics as a leader is, if I see that happening, I've had that happen to me before I start to split up, I don't invite all of the same people that have same meetings, I start to do micro meetings, shorter meetings with smaller amount of people. And I'll get more ideas. And slowly, I start to separate it without really having to have the conversation about separating the three that are ganging up on everyone else, or the two that are ganging up on everyone, you just split them. And by split that each one is shine, because they're alphas trying to dominate everyone else. So by nature, then you put them in a different room, where everyone else just realizes they're evil, and they can no longer feed each other, they've now got to work with the rest. And you tend to minimize the damage they do and eventually have those conversations during progress reviews or monthly one on ones where you're going like, Hey, I know you and so and so are very good friends, and you guys see a lot alike. But in those meetings, you know, you guys can't be the only two voices you can't dismiss others against who already thought about it and not let someone finish their sentence.
That's just not the way we do these meetings. If you can't respect that, then we'll just not have you in these meetings anymore.

Peter Strouse 54:17

That's awesome. Some great hands on management tips there for sure. I think if you do all of these hands on things, you're going to, you know, bring it back to dollars and cents and what it looks like, you know, so your overall talent strategy is retention is so huge. They say it cost six months of somebody's salary to replace them. But I think it's probably a lot more than that for security people, given the demand for those Oh, the

James Azar 54:47

depth of knowledge. The depth of knowledge is like that's one thing that people don't understand in security, right is if I lose an engineer that was working on two projects, and I lose that engineer Well, by the time I hire another engineer, let's say a month goes by, because engineers are, if you've got a talent pipeline that's constantly developing, right? It should be pretty easy to promote from within if your team is large enough to get someone in there. But if even if you're hiring from outside, let's say it takes six to eight weeks to get a new engineer, it's another two weeks to get them onboarded, kind of understanding what the hell they're doing, it's gonna take him another 90 days to understand what they're working on six months, not only pretty straightforward, it's minimum complexity of what they're replacing. Because if they're replacing something extremely complex, it could take nine months to a year. fact that say that a CISO, in the first 90 days, in a new role is doing nothing. But speaking of listening, like in the first 90 days in the job, you shouldn't be doing 80% listening 20% speaking,

Peter Strouse 55:57

Pareto principle,

James Azar 56:01

you should be listening to everything going on one because as a CISO, you need to understand the internal organizational political structure of you know, who really has a say in what and who can really be an advocate for security? Number two, you want to see and identify? How does the business operate? How does you know internal? How does security vulnerability management and patching of IT side operate? Well, you can't do that by speaking you got to listen. So you jump in meetings and go, I'm a fly on the wall. I'm listening, you're taking notes. You're making note of people, you're then reaching out to people who stood out to you in that meeting, and you're having conversations with them. And you're trying to build bridges? Because that's what you're doing in the first 90 days, you're building bridges. Right? How can I, what did you love about the previous security chief here? Or the person who was in charge of security? Or if it's your first security role? Like what would you love to see security be a better partner for you? How can security help you do your job better? What are some of the challenges you're encountering? Tell me about your career progress. Where do you see yourself? How long you've been with the company for having those conversations, even with, you know, not just with the C suite, but the directors and the managers and the people who are going to be partners to your security program across an organization? So for 90 days, you should shut the hell up. listen more than you speak. Yeah, well take that all in

Peter Strouse 57:36

superpower, I'd say for sure. That's something people don't utilize as much as they should. I think

James Azar 57:42

there's a reason we have one mouth and two ears. Yeah.

Peter Strouse 57:47

Who, well, who is that quote from?

James Azar 57:49

I can't remember at this point, but someone will someone listening will know, attribution and put it in the comments at some point.

Peter Strouse 57:56

Awesome. Well, I think that's a good place to wrap up. We're coming up on an hour here. So appreciate you being on James, great talking to you. I think we could talk for another three hours. But this is our time. And you know, you've mentioned you are a free agent right now. So how should people reach out to you if they want to either listen to the podcast or? Yeah, hiring.

James Azar 58:16

So, LinkedIn, James J Azar, obviously, the J's there for a reason. And if you spam me, you'll figure out why. My podcast is several podcast.com. That's the website and we've got four different podcasts there, obviously, breaking into cybersecurity that's hosted by Chris flown stuff alone. And Renee, the cyber a podcast that I do daily at 9am. Eastern that's live on every single social media platform. And then the CISO Talk podcast that season and weekly, and so forth, and so people can see that there. And obviously the website's the easiest way or LinkedIn, to get in touch with me and be so happy you've joined the podcasting family, and I can't tell you how happy I am. To see you finally launched this and drop your wealth of knowledge across the airwaves.

Peter Strouse 59:06

Yeah, appreciate it. We'll be doing one a week, so keep an eye out for more episodes. We'll publish them on LinkedIn and all the platforms. Well, thanks, James. Thanks, everybody. Thanks, Pete.
