Building Cybersecurity Teams and Virtuous Circle With Clients ft. Jesse Miller

Host: Hi everyone, this is Purushottam and thanks for tuning into the ScaletoZero podcast. Today's episode is with Jesse Miller. Jesse is the founder of PowerPSA Consulting, a boutique firm that helps managed service providers build full-stack operations for deploying cyber services at scale.

Jesse is recognized in the industry as an innovative thought leader, strategist and operational powerhouse with an extensive information security and compliance background. His passion is helping organizations realize their maximum potential by providing them best-in-class cybersecurity and risk advisory services.

Welcome to the show, Jesse. For our audience, we want to briefly share your journey. What interested you about getting into cybersecurity?

Jesse: Yeah. Well, first of all, thanks for having me. I'm happy to be here and chat with you today. And I think what we're going to get into is going to be really interesting for a lot of folks, because we might touch on some topics that don't get talked about as much.

But yeah, for me, people ask me that question all the time, and it's kind of a strange answer. I say my journey into cybersecurity was not a planned one. I would probably describe it more as a tumble down the stairs than anything else.

I started my career in carrier service operations and did that for many years. When the US went through the economic downturn in 2008, that work dried up. So I went back to school. I had learned the Cisco command line and become very passionate about network engineering at the time, so I went to school for that, came out of school and got a job with a managed service provider as a network engineer. I quickly helped build that startup, became the director of infrastructure, and was building cloud services, network as a service, logical software-defined networks and all those kinds of things, and defending all of those services as a byproduct, because as you build these things, you have to defend them.

So I was doing cybersecurity more as an it-needs-to-get-done type of thing, right? So in 2014, the ownership came to me and said, hey, we want to start a managed security service provider.

Can you help us do that? You've been doing it. And so I kind of begrudgingly, to be honest, said, yeah, I guess we can do that. I really love network engineering, but we can do that. And I started building out a managed security practice, got into security full time and just loved it.

So it was interesting because I did it begrudgingly, but it actually turned out to be the passion of my career, which is, like I said, very strange and providential in the way those things came together. That brings us to today: I helped grow that MSP to an eight-figure company, then transitioned out of there and started my own company, helping other MSPs, managed service providers and vCISO firms build out these extremely detailed operational blueprints to help them scale and deliver really profitable, but yet virtuous, cybersecurity services to their clients.

Host: Love it. I love your journey because you did not plan for it, right? You stumbled onto it, and as you got into cybersecurity, you started learning and you loved it as well. That is amazing. So, if not a follow-up, a similar question is, what does a day in your life look like today? I often ask this question to guests and I get very different answers. So I'm curious, what does your day look like?

Jesse: Yeah, so it can vary. I try to work in blocks to spread my time evenly. But what a day typically looks like is: get up early. Another interesting fact about me is we own a small farm. So I get up early, do my farm chores, feed the cattle, feed the chickens.

And then I head in for my hour of networking on LinkedIn. I do a post, I interact with people, and get the kids off to school. And then by that time, my day actually starts.

And so that can be a couple of different things depending on what I'm working on. We do have a vCISO practice as part of PowerPSA that we allow our partners to resell. So it could be working with the vCISO team to work through customer security requirements, risk assessments, things of that nature.

There's also the piece working with MSPs to do operational building of their programs. So it can include a range of different meetings with different client teams: vulnerability management, building a SOC, building out a vCISO practice, consulting services. So operational meetings to advise and strategize with my partners on those types of activities.

And then there's the podcast that I'm recording with you today. So there could be some of that thrown in there as well. And then, you know, just some basic strategic discussions with executive leadership at different clients of mine. So it could be one, two, or all of those in any given day.

Host: I can understand, as a founder, you would have to wear multiple hats throughout the day, right? So I can appreciate that. And thank you for doing the podcast. I'm interested to learn from your experience throughout today's recording.

One of the things that you highlighted is that you work with multiple teams, right? You have a vCISO team, you have your consulting practice and all of that. Which means you have either hired them or you're working with them closely, and you have built that bond with them over time. And that is one of the topics that we want to talk about today.

How do you build your cybersecurity team, or how do you build that virtuous circle with your clients? So let's get started.

So hiring cybersecurity professionals is tough. And hiring people with the right set of qualities and skills is crucial for building comprehensive protection against cybersecurity threats.

So when you are hiring, what key qualities or skills do you look for, and do you have any suggestions for organizations? I would love it if you can separate them between technical and non-technical qualities.

Jesse: Yeah. Well, I'll start high level and say that I always want to hire for aptitude and attitude. You know, so you don't have to know everything. And I think if you want to be successful in growing a team and scaling a business, you have to be creative in the way that you're looking for cyber professionals.

Yeah, it's great to find the unicorn that has all the technical knowledge in the world, is good in front of customers and works well on a team, but you know, those people don't exist in large numbers.

I find that if you can find somebody that can communicate well and is good on a team and has the right attitude, you can train technical skills. So I think that'll feed into some of the discussion we're having later on in the broadcast here. But in terms of looking for the right people, I think, yeah, it's interesting.

So I waited tables through college, and that's where I really learned how to get out of my shell and talk to people, right? Because I'm an introvert by nature, but I realized very quickly that if I wasn't able to talk to people, I didn't make money.

As a waiter and a bartender, right? So I think it's always interesting when I find someone who says, yeah, I waited tables through college or something like that. I think, hey, there's somebody that can get out and talk to people. So number one, personality tests, making sure people have empathy and are able to read into other people that way, is important. But then on the technical side of things, I want to see problem solvers. It's interesting. I was just working with a woman who I was trying to get started in the industry.

And she was a recording artist and ran a studio in LA for many years and was transitioning into cybersecurity. Well, you know, I've dabbled in music myself. And so I knew that somebody who knows how to run studio audio routing and build and use those applications has a lot of transferable skills for cybersecurity.

So in any case, I finally got her hooked up with a peer in the industry, a managed service provider, and she got the job. And so I'm really excited for her because I know that she's going to do very well in the compliance field, because she's able, as a studio and audio engineer, to take client requirements and translate those into technical solutions.

And so that's a transferable skill that you probably might not think about hiring for in a cybersecurity compliance role. But if you think outside the box, you can find these diamonds in the rough and then really build them into a rock star for your team.

Host: Mm-hmm. And one thing that I liked about your response is that you did not start with technical skills. You started with non-technical skills, right? Because as you rightly highlighted, technical skills you can train; someone can learn about networking or infrastructure or cloud. But if you do not have the right attitude, then it doesn't help anyone, right?

Jesse: Well, that's exactly right. And now, you know, I don't want to just throw the baby out with the bathwater and say that you don't need any technical skills and you can decide. But no, if you're hiring for a high-level, senior cloud engineer, you're going to need some of that, Microsoft and AWS. Right.

But that's almost a commodity. Like, if you're going for this job, you should know that stuff. What I want to see are people that have problem-solving skills and teamwork skills, right.

Host: Yeah, I also want to highlight that I'm not saying that technical skills are not needed, but in terms of priority, the non-technical skills often are more important than the technical skills. So yeah, I just want to clarify that as well. So thank you for doing that.

Now a follow-up question to that is, how do you attract the right set of people so that they look at your organization and are interested in joining it? And a similar question is, let's say you have hired some cybersecurity experts, how do you retain them?

Jesse: Yeah. So I would almost say that those are the same question. And let me explain why. I think the way that you attract people is you create a culture of knowledge and of learning and of improvement, right? And that's the way you retain those same people. Because if you're attracting people that are go-getters, people that want to learn, want to be part of a team, want to be part of a culture of success and innovation, those people aren't going to be very happy if they get in the door and it's stagnant.

Right. So I think the way to attract top talent is, number one, have a culture that's about forward progress for the employee. I don't know if you know Radical Candor, but I love the Radical Candor concepts and I'm building those in. I think using those to build a culture is really important. I think they say, what is the phrase? Care personally and address directly. I might be getting that wrong, but

yeah, then investing in your employees, right? So I always say, if I'm talking about a security analyst, I have a track that I've used that works really well to keep people sticky, and it's: get your CompTIA Security+ to show us that you're serious about security, and we'll pay for you to get your CompTIA CySA+, your CASP+, do a Linux course, and then we'll pay for your SANS GCIH, right?

So if an analyst goes through all those things, they're going to be pretty ready to rock in the SOC at that point. And you're going to have spent some money, but then you also need to be giving them bumps when they get those things.

So you may spend 10, 20, even $30,000 to get that employee up to a level where they are really executing well at a top level for your organization. However, I think doing that is going to really create stickiness with your employees, because where are they going to go and get that somewhere else? They're not. And if they do, I mean, you are going to have some attrition, right?

But at the end of the day, the large majority of employees are going to be grateful and are going to want to stick around because they know that there's more where that came from. Right.

Host: Yeah, I like how you connected both worlds, right? Pre-hiring and post-hiring. And you're right that they are the same in a way: the way you attract is the way you keep. You build that culture where folks can learn and share and grow together as well. So my next question is, let's say I'm running a startup.

If I'm an enterprise, then I have the budget, I have many people already there, and our processes are in place. If I'm a growing startup, what security roles should I hire first and why?

Jesse: I'm probably biased, but I'm going to say you should probably hire a managed service provider. So I think outsourcing, or hiring a company that can bring a lot of that team to you for a single price. I'm just going to go off on a little tangent here. I have a 15-person SaaS company that one of my partners brought on. They were small, but they were a startup and were selling into Fortune 500 and Fortune 100 companies.

And it came to light that they had lost a million dollars in deals that year because they couldn't meet security standards for some of these larger clients. So for them to bring in and pay an MSP about one employee's salary, they get a vCISO, they get a security team, they get all the tools, and they're able to actually build out an entire program and then go win those deals. Now, all that aside, my bias aside, right.

I think the first hire you want to make is probably a generalist who's business focused, because you need somebody to own those relationships on the other side of the house, and you need someone who can kind of herd the cats, so to speak, right? Take your vendors, take all those people, and align them with the business, and then look to strategically hire roles as you grow. Right?

So again, another client I'm working with, doing vCISO services. We're looking to start hiring. They have an internal IT team that has been doing a lot of security, but we're looking now to start hiring security analysts. They're using our services for the vCISO, the strategic part of that, right? Because they're blending those. And then I'm helping them hire security professionals who can actually execute some of the day-to-day technical items. And so I think you then just stack on that as you grow. And what I always tell clients is, I hope that you grow so much that the last thing I help you do as your vCISO is hire your full-time CISO, right?

Host: Hmm. Makes sense. I must say that your recommendation is slightly different from what we have heard, like the generalist that you highlighted, right? Because you need to build relationships with other parts of the organization, and since you are small and growing fast, often there is a disconnect. So having that generalist who can do not just security but also build relationships, and then later on hiring very dedicated roles, makes a lot of sense.

So now the question is, let's say you hire someone, right? What KPIs would you set for them that help you understand that they are successful, let's say at three months, or six months, or 12 months, or even 24 months?

Jesse: Yeah. So, you know, I'm not a huge fan of KPIs, and that might come as somewhat of a surprise, being that I've worked for managed security or managed service providers, right? They're all about KPIs, right?

But if we're talking about an internal team and an internal organization, it's a little bit different. If I'm talking about a SOC, I want to say, is this analyst contributing and solving tickets against the average mean time of everybody else? What does the rate look like for how much billable time they're billing? That's all managed services side of the house stuff, right?

Now for internal employees, though, I like the idea of OKRs much better. So rather than KPIs, I mean, you might have KPIs associated with your OKRs, but I like taking an OKR and saying, here are the problems that I want to solve, or the things that I want to do with this employee, and that goes to that culture piece again, that link to the organizational goals, right? We're getting everyone rolling in the same direction. And so I think an OKR structure is a much better way to measure employee effectiveness than KPIs.

Host: Mm-hmm. OK. So one of the things that you highlighted in the earlier response, in terms of hiring the first role in a startup, is a generalist who can build relationships and so on. And you have been helping businesses for years to build robust cybersecurity teams. So how can security teams engage with different business units so that they can understand their risks and tailor their security strategy?

Let's stay with that startup scenario, right? In a startup, you hired a generalist; now, how would the security team engage with others?

Jesse: Yeah, I think, well, first and foremost, you need to learn to get out of your lingo and speak the lingo of the people you're talking to. So understanding that when you say cyber risk, that's not really going to resonate. But when you talk about cash flow, that's going to make a lot more sense. So if we say, hey, we want to put these controls in place because we could have issues with cash flow if these systems are down for more than two or three days, people say, oh, that makes a lot of sense, rather than, oh, your cyber risk is high.

What does that mean? So that's one piece, but that's the negative piece of it. I think there's also a positive piece of risk, which is saying, again, speaking in the language of the business, we want to be agile and we want to be innovative. And so we want to position ourselves so that when we come across an opportunity, we're able to take advantage of it. And the way we do that is putting XYZ controls in place, right?

So I think those are two frames to keep in mind when you're talking with the other parts of the business. And then finally, just try to be helpful. So the old adage of the security department as the department of no: instead it should be, hey, how can I help you win deals? Would it be helpful for me to... we're going after a target vertical or a target industry or a target consumer. Well, how can I look at the regulations and the things that they worry about and then position our security program to answer some of those questions?

You know, I can tell you from being on both sides of the vendor DDQ discussion, the due diligence discussion, right? When you go in and you start asking a vendor questions and they don't have good answers, you're like, oh brother, here we go. They're a mess, but the business wants to use them. Well, if you can be that breath of fresh air on the other side of that and be like, yeah, here's what we're doing, here's how we're protecting ourselves, here's where we have some risk, here's how we're mitigating it.

If you can do that and enable your business to be that breath of fresh air to their clients, you're going to position yourself as a business addition rather than a detraction, right, in the eyes of the organization.

Host: Yeah, and it was funny when you mentioned that security is often perceived as the team of no, right, and is often seen as a roadblock. And I have seen in some meetings, when you have invited a security engineer, the moment they join, the whole atmosphere changes. Everybody starts looking at the security person as, yeah, they will say no to whatever we say. So changing that is very important.

Jesse: Yep. Yeah, don't be dogmatic. That's why I like the idea of a generalist, and that's why vCISOs need to be business enablers. So if you go in with a plan and the business says, no, we can't do that because of XYZ, don't pound your fist on the table and say they're not being serious about security. It's more like, let's look at it from a different perspective.

Okay, why don't they want to do that? How can we creatively get around some of these impasses and maybe come at things from a different angle to try and enable the business while doing what I call good-enough security, right? So that type of attitude will go a long way with leadership and with the business.

Host: Makes sense. So a follow-up question to that is, often organizations implement security practices, they triage security issues and so on. But when we speak with organizations, we still see that they make basic mistakes. I'm pretty sure you must have seen that as well, like MFA is not enabled for root accounts or something like that.

So what are the top things that you have seen that organizations are still doing wrong?

Let me put them into different buckets, right?

One thing that organizations are doing wrong and they don't know; they're not aware of it.

One thing organizations are doing and maybe they're aware of, but are not fixing. And then the last one, which is a little controversial: one thing they know can go wrong, but they think that they will not get caught and they will get away with it.

Jesse: Yeah. Let me try and parse those three out. So let's take the first one: what are they doing wrong that they don't know is wrong? Right. I think not taking a risk-centric approach from the start. And that's why I say, again, this is rampant in business and in the industry in general: they want to buy a tool, they want to hit the easy button. So they go out and say, well, if I get this, then I'll be secure. But there's no holistic view of why we're doing what we're doing.

So I think where I see them going wrong is, yeah, people say, we want to do security. So we go out and we buy SOC as a service, or we go out and we buy vulnerability scanning, but we didn't think about having a vulnerability management team to actually fix the vulnerabilities. Right? So buying these tools and not having a strategic plan in place for how they actually reduce the risk in the business, aligned with the strategies of the business.

So I think that's still a mistake I see made a lot on both the customer side and the service provider side.

Yeah, the second one: what do we know is wrong, but we're still doing anyway? I think that's an interesting one. I think maybe it's doing things the same old way. So bear with me on this, because I think it goes back to being dogmatic about, hey, you have to do things this way.

OK, let's take vulnerability management as an example. So I see vulnerability management as, oh, we've got to solve all highs and mediums, and that's what we do for our vulnerability management program. But are we using EPSS to actually look at exploitability? Are we factoring in whether these assets are exposed to the internet? Are they high-value assets? Do we have a data study done to understand that we might have assets out in the environment with tons of highs and mediums, but they don't actually have any super important data on them?

So why are we focusing on those? Yeah, the context is huge for that. So I think we know that, everyone knows that, but it's hard in the whirlwind of the day-to-day to actually make those changes, because it's kind of like turning an aircraft carrier. So it can seem insurmountable to make these changes. But again, what I'll say to that is slow, steady and consistent, and small steps in the right direction will get you there. And the last one, what was the last one again?

Host: The last one was one thing organizations are doing wrong, and they think they won't get caught or can get away with it anyway.

Jesse: Oh, yeah. Well, I think overstating their security posture, but with the SEC's new rules, we're seeing that that's kind of coming to an end. And I think we're going to see more regulation. Unfortunately, you know, regulation comes with its own set of problems. But yeah, I think overstating, or kind of puffing up our chests, thinking we're not going to get caught and using flowery language, is still a real problem from vendors and customers in the industry, right?

Host: So I like the second answer, when you talked about the approach to security. I can relate to folks who are working, let's say, in the data center world and moving to cloud. If you look at cloud in the same way as you look at the data center, then you are not doing justice to your security program, right? So you have to change the perspective when you come to cloud. So similarly, that makes a lot of sense.

So one of the things you said at the beginning is that you work with many vCISOs, or you have a vCISO group, you have the consulting practice, you work with many customers. And one of the terms that you used is that you build that virtuous circle with your clients. So I'm curious, can you explain what that means, particularly in cybersecurity?

Jesse: Yeah. So let's talk about what I see as a problem. And this is coming from managed service providers and vCISO providers, organizations that are doing managed security for other clients. Typically, there can be a disconnect where they're not focused on the right ideal client profile, the right vertical.

And so, instead of value positioning their services, they're becoming price commodities. So clients line them all up next to each other and say, who's the cheapest? And they pick that one. So it's a race to the bottom at that point. So what happens there is the opposite of a virtuous circle, right? Price and margin are getting squeezed. So the idea is, let's try to do the least we can while still meeting the requirements of the contract, because we've got to keep the business profitable. Right?

So for the client, we're doing just enough to keep the client not mad at us, right? And I'm sure if you're listening to this on either side, you may have experienced this, right? And then morale goes down, culturally we're not innovative, we're not keeping the client's best interest in mind, and it becomes a spiral. I call it the spiral of silos, right? But what a virtuous circle is, is when we are focused on our ideal client profile, we're speaking to them, we're providing services that provide huge value for them, helping them be secure, and we're charging enough that we're getting paid well to do it.

So I don't think anyone would say that you shouldn't get paid well if you're providing a valuable service. So the idea of a virtuous circle is that we get paid well, and that's actually above average market value; we might be in the higher end of market value. But we get paid well and we provide premium services to our clients that help protect them and help position their organizations as leaders and innovators and make them overall sustainable and agile, we talked about that term, right, to weather the business storms and capitalize on market opportunities. And so we're enabling our clients to be better than they were yesterday while getting paid a fair wage to do it, so we can hire the best talent and have the best systems and have the best tools. And that is the virtuous circle.

Host: And this is very similar to what you highlighted earlier, right? That instead of taking a tool-centric approach, where you just bought a tool and you're secure, you should take more of a risk-centric approach. Similarly, here, instead of buying the cheapest tool available, you should see which is adding the most value.

And even if you have to pay more, if you are getting more value, your security posture is better, your security program is better, you should opt for that rather than the cheapest available.

Jesse: Right. What's the actual ROI of the investment? Not how much does it cost? All right.

Host: Exactly. Yeah. So you talked about why it is important. From an organization's perspective, if I'm a security vendor or I'm building a tool, how would that help me in my business outcomes? Building a virtuous circle, let's say, with your customers or your clients or other CISOs also.

Jesse: Yeah, let's put it this way. Would you rather have 10 clients paying you a thousand dollars or 50 clients paying you $200, right? You're going to be five times as busy making the same amount of money, or be able to really focus on providing high value for your clients. And so I think anyone is going to choose the first. Right. So that's the way I think you have to think about it now.

Again, we can't look at this in a vacuum, right? We have to try and be profitable. We can't be careless in the way that we structure our organization. We want to do things to build internal efficiencies, build scale, and be able to take advantage of some of those economies of scale. That's why the SaaS model, the service provider model, works. But we also don't want to be penny wise and pound foolish, right?

Host: Makes sense. So my last question on security topics is this: you are helping businesses in many different ways, in building teams and in building and maintaining relationships.

What strategies would you recommend to CISOs so that they can educate and empower their clients to make informed decisions when it comes to cybersecurity investment?

Jesse: Yeah, I think you have to have, it's like the scientific method, you have to have a control. So let's talk about the technical and the personal part of it. Right. So having a control, whether that's a framework or some set of requirements, business requirements, or a combination of the two, is probably the best way to go about it, and you evaluate services, technology, everything through that lens, and do it the same across the board.

That's how you're going to be able to start creating differentiators between different products and services and make more educated choices. Now, on the other side of things, I heard this a long time ago, I can't remember who said it to me, but they said, if you want to be successful as a CISO, invest in sneaker wear. So it goes back to that concept of reaching out and seeing how we can enable other business units and just trying to be helpful, I think.

It's a simple personal, relational skill: try to be a good listener and try to be helpful. And if you can do that, I think you're going to be miles ahead of your competitors or your peers in separate organizations.

Host: And I think that applies not just to security, but to any and every field, right? You have to be a good listener to understand the pain that the other person is going through, or to understand their requirements. And I think you touched on the word empathy early on. And that is also a key attribute. Now, the CISO is, I think, the newest C-level position, right? Like CIOs and CEOs and so on.

What advice would you give to aspiring CISOs or security professionals who want to build their career and build those relationships?

Jesse: Well, I would first say make sure that you actually want to be a CISO and you actually know what that means. Right. So I actually own the domain, I plan to do something with it at some point, but I own the domain Don't be a CISO.com, right. And my long-term plan is to list out all the things that you're going to have to deal with as a CISO, kind of in a joking manner. Don't be a CISO.com, if you know you don't want to deal with this, but

So I think identifying what your skillset is and what your goals are for your career, because I think you can be a top individual contributor as like a senior architect or something like that. And you might, for the person, it might be a much better fit for what they want to do and what they really want out of their business career. So first identifying what you want to do, but then I think you have to focus.

So picking a type, I think if you pick an industry or, you know, maybe a type of company that you would aspire to be the CISO for, and really start to learn about the business. Understand their world, understand how they make money, understand all those different pieces, those non-technical, they are technical, but those non-security pieces that feed into the business, because you're an executive, and that's why I think the CISO role still has a long way to go to really be considered equal in the executive realm of things. Until we start acting like grownups, we're going to still be put at the kids' table, right?

But that means understanding the business and enabling the business and thinking about how the business makes money first, not how do we have the best security controls, but how do we have the good enough security controls to be able to allow us to be agile, effective, and safe on not breaking the bank and allowing the business to do what they need to do.

Host: Yeah, so that makes a lot of sense, because often what happens is you just want to be called a particular title, but you don't want to put in the hard work. And I'm glad that you made it clear that it's not that you just want to be called CISO, you have to put in the hard work as well. And I would love to see whenever you build that website where you can list out why you should not be a CISO.

Jesse: Hahaha Yeah, when I get some free time, whenever that is.

Host: Yeah, so thank you so much for sharing your security knowledge and insights. That's the end of the security question section.

Summary:

Thanks Jesse for the lovely conversation. Here are a few important points I gathered:

  • Create and practice a culture of knowledge, learning and growth. This not only helps you in hiring new security roles but also helps in retaining them.
  • For a startup, hire a generalist as a first role. This helps in building the trust and relationship foundation between security and other teams for the longer term.
  • Follow a risk-centric vs. a tool-centric approach for building the security practice in the organization. Unless you have a solid security program, tools can't make you meet your security goals.

Let's go to the second section, which is around rating security practices.

Rating Security Practice

So the way it works is I'll share a security practice, and you should rate it from 1 to 5, 1 being the worst and 5 being the best. And if you want to add some context on why you are giving a particular rating, you can absolutely provide that context also.

So let me go to the first one. Conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your systems and applications.

Jesse: Yeah, I would probably rate, although I don't know what else you're going to ask, I'm going to rate that as a four or a five for sure. Because like I said, the whole piece of why I founded PowerPSA and why I truly believe that we need to take a risk-centric approach to the way we think about security, that's exactly what we're talking about.

Doing a risk assessment, having a framework, having a way that we identify and view and have a control group for what technologies and what things we wanna do for our organization is huge and it's an integral part of that. So I would rate that a four or five for sure.

Host: Okay, the next one is provide training and awareness programs to employees to help them identify and respond to potential security threats.

Jesse: So I'm probably gonna cause some problems with this answer, but I'm gonna rate that low. I'm gonna say like two or three even. So yeah, so I don't think, that doesn't mean it's not important, right? Yeah, I'm sure there's some people that are not gonna be happy with that answer that I gave, but I do see it as something that has diminishing returns. So I think training, this goes back to culture.

Host: Okay, I'm curious.

Jesse: You know, so if we don't have an organization, I think it's Maslow's hierarchy, where it talks about people need to feel protected and feel safe before they ever think about innovation and things like that. I think if we don't have a culture that enables our employees to be innovators and they're worried about other things, just regular job anxiety, we're never going to have security no matter how much training we do.

Now, if we have a culture that's focused on protecting the organization, and people like the organization, like where they work, security training is going to go a lot further. And so while I say I think security training should be done, I'm not saying it shouldn't be. I think that it's important in the grand scheme of things, but I would rate it lower than at least what you mentioned.

Host: Okay, and I agree that it goes back to the culture, right? How your organization is set up. If you are a security centric organization or security focused organization, these things provide you a lot of ROI versus a non-security focused organization. So yeah, it makes sense. The last one is, develop and regularly test an incident response plan to help quickly detect, respond to, and recover from security incidents.

Jesse: Yeah. Well, I think that would be a piece of training that I would think is very important, right? So it's kind of like security training, but I think, yeah, I'll rate that higher. I would say a four, because I think that is not a day one thing. You need to develop an incident response plan, right? But to test it and all those things, you need to first have a framework. You need to understand what your risks are so that you can test against those scenarios. And you need to have some controls in place that you can actually test that control plan against. So

Jesse: Yeah, I think that's really important. But I think developing the plan is one thing, testing it's another. And so yeah, I rate that a four, very important to have, but you have to understand that that's going to be a day two kind of thing where you have to first get your initial risk plan and your initial roadmap off the ground before you can test it.

Host: That's very valuable. Thank you for sharing your insights there. And that's a great way to end the episode.

But before we end, I have one last recommendation to ask. So if you want to give a recommendation for a book or a blog or a podcast or anything to our audience, what would it be?

Jesse: Oh, yeah. So I'm gonna give a couple, I guess, because it's hard to decide on just one. So I'm gonna give one business and one personal. I think if you haven't read it yet, you should read The Phoenix Project. I feel like everybody in technology has read that already, but I would say read The Phoenix Project and then go back and actually listen to The Goal. So a lot of people in technology have read The Phoenix Project, which is based on The Goal, but they haven't actually gone back to the source, which is The Goal. There's a lot of good stuff to get there. And so again, being operationally focused, I think security can a lot of times be a by-product of just good operations and good, sound business and technology practices.

So I think shoring up your operations is a great way to help security. So I think for anyone looking to help scale and be more efficient in their security programs and technology programs, it's a great book.

Personally, I would recommend Anna Karenina. I don't know if anyone here is reading Tolstoy or has read that, but I just read it this last year and it really is the first book that I couldn't put down in many, many years. So great novel, some timeless truths in there and yeah, Tolstoy is a great writer. How can you go wrong with that? So those would be my recommendations.

Host: Okay, thank you so much for sharing those. So what we'll do is when we publish the episode, we'll tag these as well so that our audience can go there and either buy the book or download the ebook and stuff like that and read. Yeah, thank you so much, Jesse, for joining. And it was lovely to speak with you and learn more about hiring, more about the culture, more about keeping security talent and helping them grow as well. So yeah, thank you so much for your insights.

Jesse: Yeah, it's been a pleasure. It's great speaking with you today. Really enjoyed it.

Host: Yeah, absolutely. Thank you. And to our audience, thank you so much for watching. See you in our next episode. Thank you.
