Leading with Communication - Jose Alvarado, Director of Information Security @ Stax Payments

Sep 29, 2024

Episode Description

In this conversation, Adi interviews Jose Alvarado, Director of Information Security at Stax Payments, about his journey in cybersecurity. Jose shares how his interest in IT and networking led him to specialize in security. They discuss the difference between IT and security roles, the importance of collaboration and communication in the security field, and the challenge of creating a security-focused culture within an organization. Jose also recounts his experience dealing with a serious incident involving ransomware and emphasizes the need for organizations to assess and validate their security measures: to confirm they are actually implementing the controls they claim to have in place. He discusses the challenge of balancing technical expertise with business understanding and the importance of concise, effective communication, highlights burnout in the tech industry and the need for leaders to stay aware of their team's workload and mental well-being, and advises those starting out in cybersecurity to prioritize gaining experience and knowledge over money and to seek out roles that offer a wide range of experiences. He also reflects on the evolution of cybersecurity as a separate field and the satisfaction he finds in completing projects and seeing the results of his team's efforts.

Episode Transcript

Adi: Hi everyone, and welcome to the Hands-On CISO podcast. My name is Adi, and today we'll be talking to Jose Alvarado, if I'm pronouncing that right. Jose is currently the Director of Information Security at Stax Payments, after being in IT for over a decade. Today we'll talk about the changing field of cybersecurity and about Jose's journey. How are you today?

Jose: Oh, I'm fantastic. Thank you, thank you for having me.

Adi: Of course. So I'm really excited for this conversation. I think, especially in your case, you have an exceptionally interesting story of how you got started. So tell us.

Jose: So, kind of really way back, in high school, I think my journey really started there. I didn't really do well in the public schools and things like that, never really enjoyed K-12.

Adi: Whatever, yeah.

Jose: K-12. Getting out of there, I worked at a warehouse for about five years, and during that time I just didn't like carrying boxes, so I started looking at schools, and what would take me, who would take me, and what type of journey that would be. I found they had software and web development, and then they had networking, which at the time I had no idea what it was. I didn't want to do web development because at the time I hated math and wanted to avoid it. So he told me subnetting is the only math you need. I didn't know what that was at the time, so I was like, okay, let's just do it. So I took a dive in there, and their curriculum was really focused on Cisco. I got introduced to Cisco routing and switching, and really my journey started there. I started learning how the internet really communicates; that's really what the basis of that degree was, and then specifically getting the training on Cisco technologies. When I graduated with my associate's degree, I left there and I took the first job that could take me, a really small MSP, managed service provider. They had like five customers, and it was a terrible work experience, but it was awesome because I was able to finally work on computers. I jumped into firewall troubleshooting, DHCP, Active Directory. I was just kind of immediately thrown into that space. I was hired as a help desk technician, and then immediately they were encouraging me to go on site because I was really good at critical thinking. Now I know what it was: it's critical thinking, troubleshooting, point A to point B, how is it communicating and what the problem is between the two locations, so either it's internet or internal file server, etc. I worked on all that stuff, and that's pretty much how I got there.

Adi: That's a good quick summary. So now you're doing a job that's really based in security, and before that you were doing more IT, so security was sort of baked into IT but it wasn't your main focus. How do you see the difference?

Jose: Yeah. So when my title really started becoming "in security," things started changing. I started getting more on the business side, and I didn't really realize I was in security until, like, later in my career. Firewalls, for me... I didn't know the difference between a router and a firewall, right? I thought they were just... I was really green. It's funny to say it now, but I was really green. I thought that a firewall is a router and the router is a firewall, which has security features in it, and more enhanced features are different ranges of firewalls. And so I started working on my first network, which was SonicWall firewalls and some... I don't even think it was Cisco, because I think there were just Netgear switches. And in that space, while I was kind of working my way up, every organization I started at, I deployed an email spam filter, I deployed phishing training, phishing campaigns, I deployed endpoint protection, malware protection, image backups, file-level backups, encrypting the backups, all these things that really are in the security space now in 2024, but back in 2013 they were all just bundled together. It's like, everything, and do you want more security or less security? But there wasn't a "you only work on computers but you don't harden the endpoint." It was always part of it. I had a checklist or procedures list where, when I deploy a computer, make sure that my protections are on, encryption's on, etc., etc. And those were security requirements that weren't done by a director of security; they were done by an IT manager.

Adi: Amazing. What does your day-to-day look like currently?

Jose: So currently my day-to-day is a team meeting every day with the security team. Then really it's just diving into tickets, and the tickets for myself are really project-based. So these are projects, because I'm really focused on compliance right now in my current role, so I dive into reviewing projects that impact compliance, whether it's enhancing security or changing a security control, or my projects for changing up policies, updating them, etc. And that's pretty much it, and then of course the numerous meetings that we have, which is pretty common in the security space. My meetings have skyrocketed, definitely, when it comes to really focusing on the security side, because consequently you're now on the business end, and from a security perspective you're impacting more departments at different levels. In the IT space it's between one service or application or system or the other, but there isn't a lot of dealing with a lot of different department heads, because this isn't like a global policy. You update one application, it's likely to affect one or two departments in their workflows, but in security it's impacting everyone, and in most cases it's for a compliance reason or a legal reason, so everyone starts getting involved, you have numerous meetings, etc. So that's pretty much it, I think: team meeting, communication-heavy meetings, and then tickets, which is just keeping track of my projects.

Adi: Amazing. Could you dive a bit deeper into how business plays into security and vice versa?

Jose: Yeah. So when I was first brought into security, I wasn't expecting to be included in the business side of things as much, or I didn't realize how much of an influence it was. Where in the IT space, the department heads drive the product for you, or the solution. It's likely you already have sponsors when you're trying to upgrade something, because it's improving somebody's day. In security, that's not always the case. There's times where I have to go into a meeting or bring up a topic for numerous department heads and ask questions and then say, hey, we're no longer going to do this, and it's because of these reasons. You have to kind of figure out how to explain it without going too technical or anything like that, and really, the majority of the time you have to convince people. You don't really have sponsors; you have to acquire sponsors. Now you have to get a lot of people to be on your side. In the IT space, you just... the accounting team wants a new software for accounting, and you say, okay, cool, I'll put that together, and then they help you drive the product. In security, you've got to do all that.

Adi: Interesting. I didn't think about it like that. You're saying in IT you're always helping someone, someone specific, like someone is getting help, but in security you're helping security, so sometimes it's not as convenient.

Jose: Yeah, yeah. And you have to get a lot of people on your side, right? And that's where the politics and business side comes into play, and that's where you kind of see a lot of these people in the communities, cybersecurity communities, etc. They get real upset, right? "They don't understand, we need to do this." And that's just because you're having trouble acquiring people to support your venture, right? And a lot of the times you're being the advocate for the organization as a whole, not individual departments. Sales is trying to make sales because they're trying to get bonuses. Marketing is trying to acquire more clients, so they'll send anything and everything you give them. If you share a document that's highly sensitive to marketing, they will display it if they think... they wouldn't care, if they think it'll get more customers, right? Because their driver is getting customers; sales is closing customers. So if, for example, we need PCI documentation to confirm that we're PCI compliant, a salesperson, marketing, or business operations staff: "Hey, our client's demanding this, we need to give them XYZ." And from a security perspective: "Hey, we don't want to disclose more information than we need. What exactly are they asking for?" Right? And then that now is the communication, right? It's five or six emails back and forth, but from the business side they're like, "Just give me anything," and they'll go and look, try to find it, and leak out information, right? Then you get leakage, right? And they're just trying to capture the customer. That's an example of what you'll deal with on the security side. On the IT side it's really, "I'm fixing your stuff," or "I'm improving something that you're already complaining is broken." That's it. And then the business will say, okay, we need to upgrade bandwidth because our Wi-Fi is terrible. They're like, yeah, that's true, this is what we need, and you show them a $30,000 bill, and if you have enough department heads complaining about it, they will sign off on it. You do that with security: "Hey, we need MFA." No one's gonna support you.

Adi: Wow, that's a really interesting change in mindset. Wow. Do you ever feel like you have to be the bad cop, like saying, we can't do this anymore, like you can't do that?

Jose: So I don't think so, because I don't approach the conversation that way. It's, hey, I want to improve the way that we do this. I know that the way you're doing it now is extremely efficient, or you believe it's meeting our requirement. The problem is, I'm concerned about this and I'm being asked to solve this particular risk. And instead of telling them, no, we're not doing it this way, let me understand their workflow and accommodate it. And the majority of the time, when it's not motivated by outside parties, which is where politics come into play (I think politics come in like 5%, 10% of the time), the other percent of the time, usually people are open to understanding: hey, this is what I'm dealing with, and this is why I don't want you to change it. And if you're able to really concisely determine, like, these are the objectives, and we won't touch this other stuff, this is the only thing that's going to change, and you build enough trust, you don't feel like a bad cop. It looks like you're really collaborating. And it sounds very... I don't want to say it's like a generic thing to say, hey, be nice to them. Everyone's people, you know; they don't want you interrupting their day. If you are enforcing the "law" approach, everyone's going to push back and you're not going to make a lot of headway. You'll maybe knock out one or two projects a year. But if you get people around you and convinced that you're trying to enhance it while also increasing security, then they'll love you for it.

Adi: Perfect. How do you create a culture where security is even like a thought that exists?

Jose: That's a difficult one, because culture is built on... there's so many impacts on culture, right? Depending on your organization: when you have a 500-person organization's staff, it's significantly different to 50 people. But I boil it down to: you have to have policies, you have to have controls, you have to have sign-off, and you have to have consequences. And the policy is really just training every month, right? I worked at the warehouse, I worked there for five years, and this is my thing: they were so big on safety, OSHA, etc. Right? We'd go 300 days with no incidences, right? A crash, someone gets hurt. We'd get like Popeyes for a day, and everyone goes home early, etc. And they were really big on pushing that everyone is part of safety. Like, you're safe, everyone is safe. All you've got to do is worry about yourself, and as long as you're safe and everyone does that, we're all safe, right? Same thing with security, right? If you really push that narrative where you can individually impact whether we're going to be hit with a cyber attack that affects us for three, four weeks, or be part of an organization that has no incidences year after year, and you can continue to get bonuses because our organization will grow, right? And people don't really... and I think it's difficult for end users to really understand that. Because I have a personal phone and I have a phone... for example, if I worked at a medical supply organization, I have a personal phone and they give you a work phone; they don't see the difference, right? The behavior you have here, they will mirror it here, unless there's consequences. So if you have a laptop at home, it's personal, and my behavior is there; at work I will do the same. It's hard for people to really differentiate that you're at work and this technology is now... you're impacting the whole organization by your behavior. And not many organizations, like CEOs, etc., really push that narrative that you may have a laptop at home, but when you bring it into our office and connect to our Wi-Fi, you need to now take dramatic differences in security: don't open every email, don't sign up your work email for stuff, etc., don't respond to those phishing emails, phishing text messages, because now they know that it's a valid number. All these things are just... and the organization, from the top down, really needs to push that.

Adi: Do you think working for a fintech company is different than working in a company where the data is maybe a little less sensitive?

Jose: Yes, because then you have more compliance, right? So the more sensitive, the more global impact your data has, the more regulations are put into it. Organizations really don't care about data leakage, but everyone cares about operations. So, hey, we don't care if they're stealing our data. Okay, do you care if they manipulate it? Like, no, we don't. No, we don't. Okay, well, for example, there's a cement organization here... I live in Las Vegas and they're all over the place here, but in order to mix the right amount of concrete, it's a calculation done by a system. If someone hacks that system, they can throw off the mix, and now hundreds of thousands of dollars of a mix could be down the drain, right? People don't really view that as a possibility. So data is always important, because the data is what is used to operate your business. Now, if your organization is really like pen and paper and very little data is transmitted, you really operate over your cell phone, it's like you provide a service, then it becomes like, hey, it's not important at all. But organizations that have multiple staff and there's multiple departments communicating, it's likely that data integrity is the most important thing, and availability, right? We need to make sure everyone operates and the data isn't changed; we're confident that the data we're seeing is the real thing.

Adi: Wow, that's really interesting. So you're saying the thing is not really if someone sees the data; the biggest issue is someone changes it within the company.

Jose: Yeah. Confidence in technology is a very fragile thing, where something's like network stability: as soon as you have a major outage, everyone's insecure. Like, are you sure it's going to work tomorrow? Are you sure? Like, dude, it's been working 99.9% of the time. We had one outage, and the impact, it was a big outage, but people... it's like a "where's my remote?" and they're like, oh, are you sitting on the remote? No. Stand up, right? That type of deal. Same thing with technology. You're seeing a piece of data and you're making decisions off of a spreadsheet. Yeah, Excel, actually, that's a good example. You have formulas in an Excel spreadsheet, somebody modifies that, and you're now, okay, well, our budget needs to be 50,000 for the year, but someone didn't do the formula correctly; it's really triple that. Your confidence in the Excel spreadsheet will severely diminish, right? Because now you're not confident in the formula. There's not enough checks and balances there. Imagine that your whole data, all your data across multiple departments, and you're generating, I don't know, $100,000, $200,000 a month, and you're really relying on that data. It could be Word documents, Excel, whatever. And if it's wrong, then... I'm gonna be dramatic here, but for smaller organizations it's pretty much bankruptcy. Big organizations like MGM Grand here in Las Vegas, they got hacked, they were offline for about a week, right? They say $100 million loss; I think it was more. But most organizations can't operate that way with their expenditures, etc.

Adi: Wow, that's interesting. Have you ever been part of an organization that had a serious incident where you had to, like, fix stuff while everything was on fire?

Jose: Yeah. I worked for an MSP and they had a customer... it was back when... was it when they locked up the files? It was CryptoLocker; I forgot what the specific name was, it was a while ago. Pretty much, they locked up their data, right? It was an organization of the kind you just mentioned, the same format, where the data isn't that important, right? We use a website that's somewhere else and we use a computer to really kind of deal with it, and there isn't a whole lot; we print, and it's not a big deal. They were out for about two weeks. The whole accounting... everyone, they couldn't do their operation and they couldn't make money. So I was there, I was one of the technicians who showed up, and I had to reimage all their computers. Some of them were very basic, and it was funny: I had a real small NAS off of a USB, and I shared it across like five or six computers, and I pulled the image from there and reimaged them off of a little small guy. So I got the money's worth off of that thing. But yeah, it took about two weeks to get them all back operational, and even then they were very hesitant, because at the time it was like, oh, we don't know if we got rid of everything, we don't know where it sourced from, we can accidentally open up another file. And at that point they started putting all the security measures in place, like anti-malware, encryption, backups, everything. So that was... at the time I didn't know how big of a deal it was, because I was at a very, I would say, low technical level. We have an incident, respond to it; not from a business side. But like I said, now from a security perspective I understand how heavy business is. Hey, that was a major driver for them, right? Where they didn't realize the data was important until someone started modifying and locked them out of their own files. It's really important now.

Adi: Wow. Was that attack like ransomware, or what was happening there? Like, why did it happen?

Jose: I don't remember the details. I don't think they wanted anything; I think it just locked it up. I don't remember; I wasn't at a position where I knew the details. But they weren't able to operate; it was just that their files were locked up. It could have been, yeah, ransomware, like, hey, send us crypto. But this was back in 2014, '15 for me. I don't remember the details. I remember it was just like I worked 15, 16-hour days, something like that, to try to image all their stations. And I really wasn't at a level of knowing what exactly the decision of it or the response was. Did they communicate with the hackers or anything like that? I don't... I wasn't involved with that.

Adi: Interesting. Do you think it's common for companies to think they're more secure than they are?

Jose: Say it again?

Adi: Do you think that it's common that companies feel like they're more secure than they actually are?

Jose: Yeah. So one of the things... yeah, I think understanding, or coming up with a solution to confirm that what you are saying you're doing is what you actually are doing, right? I think there is definitely a term about this. I actually think it's a CISSP question. It's like confirming that the logs are actually occurring: are you actually ingesting the logs or alerts, or is there nothing really happening right now? And I think that isn't just a problem with systems themselves. Hey, we're setting up a SIEM, we want to grab traffic, hey, we set up these controls, but we're not 100% sure that they're actually piping through the SIEM and triggering the SOAR, whatever actions you have. It's an actual business problem, where, for example, we have 15 users being onboarded to various different technologies, and we have a role-based access control list, and that's how everyone's being batch-onboarded, based off of that. And we write in policy, hey, it's happening every three months that we're reviewing it. Is it really happening? Is there a control to confirm that what you're saying you're doing, you're actually doing? Or are you just adding people without having the proper scope of permissions? We have security, we have ACLs in place; are you monitoring to make sure that when ACLs are being adjusted or opened up or closed, there is an actual approval process? Because we say we're having it, but are we doing it? And then trusting your staff, right? Sometimes you have staff where they're not as detail-oriented as you would like, but they have a detail-oriented role, and that comes back full circle, where you're short on staff, etc., etc. Yeah, I think that's probably the biggest thing for me, that one of the biggest fears, and really the concern, is: are you doing what we're saying we're doing, and how can we confirm that from a holistic cybersecurity program?

Adi: Interesting. What would you say is one of your biggest challenges right now?

Jose: Biggest challenges. So I think one of the biggest challenges is definitely balancing. I think that's where... the balancing between the technical and the business side, I would say. You want to be technical enough to show that you are the person to make this recommendation, right? It's like a doctor, right? You want to be cold, really kind of just give you the facts and tell you how to approach things, so that way you don't mix emotions into it. On the other hand, you want the business side, and understand the drivers, and really concisely communicate with a boardroom or executive leadership that this is why we need to do it, and it's something that we need to do, like, with urgency, right? We have organizations... you can have a department full of admins, admin roles, and they're all sales staff, right? And then you're like, hey... this is a very small example... hey, we need to communicate to the other department heads: hey, these sales staff impact these other four or five workflows that impact other departments; we need to start winding down the permissions. It's likely to affect your sales or your onboarding process, everybody loses their money, right? It's like, okay, but we can't continue what we're doing now, though, because if their accounts are compromised we lose all this data, or they can manipulate all this stuff, right? Communicating that in one email that's very concise and very simple and very business-minded, that isn't leaning too technical... or "least privilege," "defense in layers," and all these slogans that the cybersecurity community communicates are really useless, in my opinion. You have to keep it in one sentence, bullet points; otherwise you kind of lose the room. And so that's my biggest challenge, right? Like figuring out, continuously adjusting the way I communicate while still maintaining my technical mind, so I can develop an architecture or a program, right, or a workflow.

Adi: How do you balance your attention between, on the one hand, communication with management, leadership, explaining your decisions, actually doing security and making the decisions, and education, like teaching people in the company what they should, what they shouldn't, what a threat looks like?

Jose: That's a good question. I think, from balancing all these, like the controls, policies, and all that, right? That's pretty much what you're asking: how do you balance between what's most priority and what isn't? I think you start off, and it kind of goes back to originally, kind of like the four-step process, right? It always starts with policy; you have to have it somewhere written down. And I think the real question here is that you have all those pieces in place, you have policies, you have sign-off, you have all these things, right? And then you as a person, how do you even handle all this work? You can't. The truth is you can't. I think that's where my takes start becoming a little bit more controversial. I'm completely open to say that it is absolutely ridiculous for one person to do everything, or two or three people to do everything, at a staff of a thousand, a thousand-staff organization, right? You can't, right? You can try to hire as many unicorns as you think, and they will probably pass your exams, your interview exams, but you have to prioritize. And at that point, not everyone's good at everything, right? I'm good at networking; some people are even better at networking than I am, there's probably tons of people who are. And then there's other areas that... there's just other areas. You can be a software developer really good at AWS but not good in Azure. What if your organization has two? You really want that person to do both. Okay, they do both. And then they want them to learn phishing campaigns, how to capture people, and then build policies. These are all different skill sets. So the truth is you can't. I think you have to focus on what your organization needs. You want to be successful; you do the quick wins that the organization's really looking for. You have an organization that doesn't have documentation, right, or policies: "We have no policies and we're telling people what to do, but we have no ability to hold them accountable." Dive into GRC, right? If you join an organization and they say, "Oh, we have policies, we have all this stuff, but you know, we just don't know if we're getting all the logs we're supposed to, if we're actually getting alerts, because I don't see any of that happening," then you're a security engineer building out a SIEM and a SOAR, right? I think really kind of picking where the organization needs... they're hiring for something, they're interviewing you, it's likely they're going to mention the first pain points to see if you're the right fit. Don't get lost in too much stuff. Don't one day work on email phishing campaigns and the next day work on policies and the next day work on pen testing. This is a very... time, I guess, I don't know how to say it, but it takes a lot out of your time just to learn concepts at a level that is very useful for an organization. Trying to do everything all at once, I think that leads to burnout, right?

Adi: Do you see a lot of burnout in the cybersecurity space?

Jose: Oh, say it again, you cut off a little bit.

Adi: Do you see a lot of burnout in the cybersecurity space?

Jose: I see a lot of burnout in the tech space; I think that's more accurate. I think as some of these systems become extremely complex, you've got organizations with hundreds of thousands of software integrations, APIs, all these things, and you've got developers learning cloud and various different types of cloud, on-site infrastructure. So security... and then you've got security in mind, and God forbid you get hacked, right? And then, like, oh, we can't have this happen again. Okay, well, I need a budget. Oh, never mind. So I think that kind of circle, learn new technology, enhance it with very little money being put in, pushes people kind of to... not really a breaking point, but just kind of, I'm tired of doing the wheel, right? I do this thing, it doesn't stop, I put tape on it, it breaks again, put tape on it. So I think that's where I see a lot of it. It's across everything: software development, security, IT, everything.

Adi: Interesting. How have you been able to manage that, both for yourself and for your team?

Jose: So how was that? So I actually read a whole lot of self-help books when I got into management. I read a bunch... well, I didn't read, I listened to them, right? ADHD, so headphones, just run them through. And during COVID, 2020, I listened to a bunch of them, and really, like, understand, remember your why. What you do every day is what you want to do; you have complete control over it. It's not always your fault, but it's your responsibility. If you're burnt out, it's likely because you're choosing to do the action that's causing you to be burnt out. If you are mentally exhausted, if you can't really fully think, even if it's one o'clock in the afternoon... I've had staff where I tell them, hey man, just clock out early, like just... you make it up later. It's likely they already made it up a couple weeks prior because they worked on the Saturday, etc. But hey, just take off early, you're done. I've had staff where I had them cut off a half day, right, because they worked a whole lot the weeks prior leading up to the completion of a project, and like, just take off your day. And they won't want to leave, right? They don't want to leave; they want to stay, they want to continue working. But I already know what's going to happen, right? You're not fully conscious of how tired you really are until a month or two later, then everything happens all at once, right? We're people, right? Not everyone's self-aware, not everyone's... different levels of emotional intelligence. And as a leader, I try to constantly have, like, a thumb on the pulse of the staff: where they're at mentally, what are they doing, how much workload is being put on them. Because it's very easy to say, what is it, pen testing, vulnerability analysis, access administration, compliance, and policies, and I want you to do all of that, and then not check in on them for a month, and then come back and say, hey, where's all this? And, oh, this is what I got. I'm like, this is all you have? And then you do it all over again. You do that for a year, they're going to be burnt out, right? I think it comes from leadership. I think it comes from understanding the work. Some people graduate from a real prestigious college, they jump into a CISO or CTO role or CIO role, and they have no idea what it's like to actually do the work, right? To troubleshoot a network can take five minutes or hours, right, depending on what decision you make. And I think having them know how much workload it is, going down there and seeing, okay, like, pen to paper, fingers to the keyboard, what is this, what does this look like to build this workflow? Communicating in a bullet point is easy, but understanding how many hours it takes to do something, it really puts things in

perspective which is like the problem right where the managers don't know they

continue to drive the staff because drivers from the business are saying we need XYZ

and and there's not a lot of feedback coming back or I don't understand why this is taking so long right so I think

I think that's the main reason and and how you avoid it really is is from management really understanding getting

getting managers in in leadership I think I think I read um one of mycollege essays Google try to promote the most technicalexperts most senior developers as leaders and they found that the ones

that were media OK developers uh were actually better leaders because they are

they had more different level different type of intelligence they had more emotional intelligence etc etc and then

the leaders that were really really good at The Logical stuff had more of a struggle to to get their team to

accomplish as much as the other team would uh just because they're more used to working individually um and not to

say if you're technical you won't be able to do it it's just you need to be more aware of like hey I can't approach

the problem of of getting my staff to not be burnt out the same way I would approach a problem in uh building a

software building a network or whatever right building a cloud infrastructurecan't approach them the same way wow that's really interesting do you

think do you think that's something that most Security leaders cesos directors

are aware of I think they're um that that's a tough questions I meanI I I don't think so uh some are in myopinion um it's really hard for people to be self-aware right it's really easy

to blame others that person just wasn't the right fit this person ah whatever um

you have to want to build a team right you can't you can't always hire and it'seasier it definitely is easier hiring having an endless budget and hiring a

bunch of self-driven Staff members and you could just give them you do vulnerability analysis you do access

Administration you do compliance you do governance you do risk you just kind of throw all the like individual tasks in

the cyber security program to one person and then it's all gets done but that's

not the real world right you have to build up staff right you can't you don't have quarter million dollars a hire um

one per like quarter million each person right they're not going to do that so you're gonna have to figure out how to

build staff and kind of build them up and build a culture a team culture that encourages you to learn get better do

high quality of work but also not feel like you're failing every day whichcauses burnout not not not an environment that doesn't encourage you

to lie to yourself others about how much experience you have just be honest and Forefront and it bring up to Forefront

and then we could provide a support system to help you get there that's itright uh is it radical cander and I don't think and yeah and I

don't think and I guess to answer your question directly I don't think I there's not many leaders that

really invest their time into doing that what would you say is the

a tip you have for someone who is starting out in cyber security and does want to find a place where that is the

sort of culture in somewhere that he can really grow inse security yeah uh so so they're trying to

get in U my advice would be invest in yourself in a hot take or not hot takecontroversal take in my opinion is don't worry about money uh for the first five

years just double down on I was once given advice uh by a previous CEO that I

were for he said um go to the place thatprovides the most experience for you don't worry about money um and I heldthat true for like five or six years I just I was like it sucks where like oh Iwant to get paid more money and you see all these YouTubers 150 18a year after two years and all this stuff um I've selected roles that werespecifically uh allowed me to work on a lot of technology and own a lot ofprojects uh and that's why I pass that on to everyone is that invest inyourself get go to the places that provide the most um education experience

Etc they allow you to touch more things because that's what's going to matter at the end of the day there in relating to

your career growth if you work at Microsoft and all you touch is like a QA

environment in a very small subsection yeah you're going to get all these job offers because you worked at Microsoft

right but when it comes to execution you're gonna fail in my opinion it is what I've seen actually on the field

people work from Intel Etc and I come in and they compare the two and it's just like oh well he worked from Intel or she

worked from Intel okay cool and then I get called about help hey can you help me sure like it's fine but you're going

to get you're not going to get as much reputation because Google and Microsoft you're gonna have to fight tooth and

nail just to get access to stuff but in smaller companies you get access to

everything right and so you you couple experience with education certifications

degrees whatever you like whatever you prefer whatever suits your thing really just hit the books and use that use

whatever it is you're learning especially the first five years CCNA you want to give your CCNA great grab that

go to a Cisco shop you're you are or any networking try to get into um Spectrum

or these small shops where they have multi-size data centers Etc uh if you'rea p if you want to go uh what was it uh offsec with pentesting ocp okay greatnow take any Ro that allow you to do offensive uh penetration testing or evenvulnerability management just like take anything you can and try to to get

projects appr get projects approved that relate to pentesting do a bunch of that

for five years and you will see opportunities

amazing what do you think looks different in cyber security Now versus the way it was five years ago

uh so cyber security specifically so it became its own thing I don't know whathappened I I really don't know like how that happened uh I mean maybe like Ihave no idea social media maybe like LinkedIn or it had to

be a driver from the business side where organization started like scratching him out I think when legal got involved

right compliances really started getting hit you started seeing the governance

side really ingesting more and more on their side with the risk vulnerability management um all those things were

becoming requirements so now they they're kind of branching into their branching out into their own

entity um but when I started and and it wasn't too long ago right it's 10 yearsum 2013 it was just it and and then

security was a specialization and and even you even saw it on Sears where and even there's still

now ifications is just security specialization right AWS securityspecialist right CCNA had a security specialist role CCN network security

specialist security and now I think they have their own dedicated security certificate um but back in the day it

was just I saw it as it's a it's an enhancement you want to do security you want to do automation you want to do

Cloud but all fundamentals is it I think that's the big difference is that they kind of split up and I don't necessarily

agree with it um for example the the the dold and someone probably going to

correct me but when I was reading the N documentations you see Security administrator and a system administrator

and the Security administrator really just hardens it it it could either check or Harden the system the it keeps it up

time provides access Etc maintenance all these other things and there isn't like 1500 different roles right I am Senior I

am Senior pentester pentester there isn't all these things right security

architect like it's just like dude like this isn't like we're over complicating something right um and and I think I

think that's a huge thing that's happened in the past 10 years fromsecurity interesting okay so we're just out of time first of all I have one more

question but before that thank you so much like I loved hearing your perspective and I love how learning

about leadership was so much of your journey and it like it shows how you came from this background of do I even

get into working with computers and I wish I could just fix a computer to

being a director of a like Security in a company is amazing um my last question would

be well it has two parts what is one thing that keeps you up as a securityprofessional versus what is one thing that gets you excited about yeah

so the keeps me up at night is really are we it goes back to that question right where are we doing what we're say

we're going to do or are we doing exactly what what we said we are doing

right because legal comes into play comp like legal compliance all these things come into play and really confirming

that on a quarterly monthly basis is what keeps me up and I'm like like

please don't tell me that we're not doing that and then I'm like okay thank God okay cool uh it's really and when I

hear workflows I talk I'm like oh come on and I ask a question like please tell me no no no no we're not doing that okay

cool because we said we're not doing that I don't want us to like be caught right so uh because in no consequence

right we communicate talk we can have all meetings in the world but if the right people aren't in the meetings that

we think they're the right people and we don't get the right information hey like we made a mistake right and I want to

reduce that as much as possible right I think that's like the biggest concern for me um right we're getting logs are

we getting logs because we're supposed to be getting them we getting an alert we didn't get an alert so what's going on here right those are all from across

the board workflows logging everything um what gets me excited so reallyproject I'm really Project based uh work right now and there's nothing morefulfilling than than a one-year project ora six-month project coming to like conclusion I work in compliance I loveseeing a beautiful signed PCI report because it's it's really nerdy uh butit's it's really a a cultiv a cultivation of a bunch of people gettinginvolved to accomplish the compliance whether it's gather it from uh

development uh B different individual business units regarding their workflow data management all these things come

into play everyone's work throughout the year whether it's like fishing campaigns

training um reading the handbook was simple as it is getting confirming that

showing that we have historically done the thing like Harden the end points we

out the endpoints all these things really just compiled into that report saying hey they compliant we're good um

after being audited for three to six months is super awesome um getting a abit uh what what gets me really uh excited as well is you got a team ofthree or four and we're building a new workflow we need to start doing this

because of whatever reason and we start kind of piecing everything together until all of a

sudden we're doing it without being told right without them telling me something where I need to approve or do some make

a change or me telling them something that they need to do an action it's just natural now and that's super awesome

sometimes it takes months sometimes it's super simple takes a couple days but sometime it takes a year to do um and

it's super uh fulfilling amazing thank you so much foryour time oh thank you thank you for having me

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
