Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 14 - Building and Keeping your Cybersecurity Team

How do you find the right cybersecurity talent when other companies can pay them more? How do you retain your cybersecurity team once you find those rockstars? Does it make sense to hire a Senior VP of IT when they will also be handling the help desk function? What about entry-level staff running critical functions?

This week, the guys discuss the importance of finding and hiring the best talent for your company's cybersecurity program, along with sharing best practices to make your team the best in the industry!

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security criminals  and now here's your hosts mike rotondo zach fuller  
and lauro chavez hello and welcome to the cyber  rants podcast this is your co-host zach fuller  
joined by mike rotondo and lauro chavez uh today  we are going to kick it off in the usual fashion  
a lot of stuff going on in the news for the past  well a couple months really basically very very  
critical times and interesting stuff happening  mike why don't you dive right into it right on  
zach thank you uh welcome to the podcast i am  going to kick off the news and hopefully i don't  
think i don't have any i don't think i have any  solarwinds headlines so uh let's keep our fingers  
crossed but i do have microsoft headlines windows  desktop servers now used to amplify ddos attacks  
yep we got another problem with microsoft  rdp enabled on udp 3389 has an amplification  
ratio of 85.9 to 1 it's just being used by  ransomware all over the place and it's it's uh  
it's a big problem a password stolen by a phishing  campaign available through google search the linux  
server hosted on microsoft azure was hacked and  they are now delivering out passwords so it's all  
good dream bus freak out botnets pose new threat  to linux systems i just like saying dream bus  
freak out botnets but uh there's another malware  out there on linux so if you believe you got linux  
you're not safe hackers hijacked cloud accounts  of high-tech and aviation firms hidden systems for  
years you know we've talked about the cloud before  in the security of the cloud before it's something  
you definitely have to consider that you have to  look at the security of the cloud it doesn't mean  
you're safe just because you're in the cloud so  anyway these people hacked in and they were in  
there for years literally just stealing data  fraudsters are using google forms to evade  
email filters yet another way around mail as  manipulating google forms another ransomware  
now uses ddos attacks to force vixen to pay the  new the new methodology um from suncrypt and  
ragnar locker is to if you don't pay we're going  to ddos you new wormable android malware spreading  
through whatsapp um i know a lot of people think  whatsapp is a great tool that it's available that  
it's uh easy to use and it's pretty secure but  we got mauler spreading through it so be careful  
north korea linked campaign target security  experts by social media this is the second time  
i've heard about this this week and i know a lot  of you brought this up also the north koreans are  
attacking security experts we also got an email i  think it was from sonic wall or one of those that  
a red eye that talked about how google's already  been hit up on the stuff so be careful out there  
be careful who you talk to targeted phishing  attacks strike high-ranking company executives  
yep the guy in the corner office is your worst  enemy when it comes to security uh because they're  
being attacked and they're not paying attention  to the fishing training necessarily so be careful  
ddos attackers exploit vulnerable microsoft  rdp servers this kind of dovetails off the  
one i said earlier um again this is becoming  a big deal a new attack could lead let remote  
attackers target devices on internal networks so  this is using nat slip streaming and we always  
think that oh it's on the internal network so  it has some compensating controls in place but  
figuring out a way around it it cve 2020 16043  and cve 2021 23 9 6 1 are the exploits uh ddos  
attack surge in 2020 due to covet 19 as if 2020  wasn't bad enough already uh we have this new ddos  
continuation dovetailing off uh what we were  talking about high level officials fishing scheme  
shows ceos maybe most valuable asset and greatest  vulnerability make your ceos take the training  
and that's all the headlines i got if they don't  want to take the training maybe yep all right  
i i for one am really tired  of listening to the executives  
give excuses as to why they can't make time for  the awareness training or the phishing training  
that's coming out automated yeah i'm talking  to you out there you're listening to this  
i think you gotta play to their ego and  tell them that you know you are so important  
that it's so valuable that you get this training  done because you are that important and maybe  
maybe they'll get there but but dream bus  botnet really i kind of like that i'm gonna  
name i'm gonna name the dance club that i'm gonna  i'm gonna build one day called  
you know what i mean what i wonder  if that's a microsoft product  
all right so uh i want to talk about two exploits  uh this week that i think are really really really  
important the first one most everybody in the  community uh probably has already heard about  
it's a sonic wall ssl vpn um the visual door that  was posted uh by uh mr infamous himself and so may  
make sure um if you've got ssl vpn version eight  running that you're you're following sonicwall's  
instructions and you're upgrading that um so that  that remote code execution um exploit is available  
on exploit database it's the top choice for today  um actually so make sure you're patching that and  
then the other one i'm talking about is jquery  1.12 um there's a denial of service out for jquery  
now jquery is you know application component  inside of web um web applications typically and  
i always see these web vulnerabilities coming  up when i'm doing penetration testing for you  
know older jquery libraries and i've been talking  about this is going to be a next attack surface  
that's focused on because it is highly highly  overlooked i see lots of organizations doing  
patchings on their systems on linux on windows  they're ignoring the components inside their  
applications that are actually delivering content  and are also vulnerable so no one's going to care  
about your microsoft server when they can attack  your weak jquery that you've had since 2004  
in your website so make sure you're looking at  it at those application component plugins and  
getting them upgraded to the most current versions  because these exploits are out again this jquery  
dos available it's uh it's the number 10 hit today  on exploit db all right turn it back over to you  
all right well thank you both today's topic is  really one that is a a major problem i know we  
talk about problems a lot here but uh our goal  of course with the podcast is to help equip  
uh organizational leaders and and people within  the cyber security and nit space to just get  
stronger at what they're doing you know we just  want to share the knowledge that we come across  
and and what we learn along the way in  this particular case it really comes down  
again to the people issue right really  uh to be specific building and keeping  
the team because we've seen a lot of organizations  that just have tremendous amount of turnover  
and a very very hard time staffing positions  that are empty that need to be filled and  
the obvious reason for that is that there's a huge  shortage of cyber security professionals out there  
which is true um but it's also about it it's  not also to say that we keep we have to just  
like sit on our hands and do nothing right  we have to do something it means because  
of the shortage we have to be more competitive as  employers and more competitive in the way that we  
uh create our company culture and and really  build the environment for the cyber security  
and tech professionals in general to thrive and  so mike you've written a quite a bit on this  
uh and not only in the book but blog  posts and and you've spoke on it and  
at events and such do you want to kind of walk us  through the what you see is the the major problems  
out there kind of the different phases that people  go through throughout their career what they might  
be looking for when and i think that'll give a  good basis on on how people can better recruit and  
and retain the professionals they have yeah sure  one of the things that i have discovered excuse me  
through our my own personal journey and being in  it for well ever is that there are basically four  
phases of i.t life and that is newbie beginner  mid-level and senior or curmudgeon or however you  
want to refer to the seniors one things i like to  say about the seniors is it's not that you can't  
teach an old i.t person new trick sometimes an i.t  person is happy with the tricks they know so keep  
that in mind that's also a quote from our book  yeah so just taking pieces from my life i look at  
my new job or my original job my newbie job i took  whatever they gave me right whatever was out there  
and uh whatever i could get where i could get  experience right i just got in my new mcse back  
in the day when well it's it was the 90s so it's  a long time ago it was a big deal and i got a lot  
of traveling and that was what it worked for  me um then i went to my beginner i you know  
spent a bunch of time in the bleeding edge of  technology learning things working 16 18 hours  
a day during the dot-com phase and then you know  mid-level hit where i started doing consulting  
and senior level hit and i didn't want to travel  i don't want to consult i want to work in a job  
in an office or actually from home you know be  able to influence them influence the direction  
of a company's i.t process so um there's different  phases now i've kind of high leveled those there's  
a lot we could go into on that the reason i  call it the phases is because you when you  
are looking for an i.t security person you have  to design the job for those specific phases a  
senior level person is not going to be willing  to do the same thing a newbie person is even  
though they more than meet the requirements for  it a mid-level person maybe and seamless person  
may be interchangeable but a mid-level person is  not going to do what a newbie or a beginner is  
also you can't fit a round peg into a square  hole i know that's an old adage but in reality  
you're not going to convert someone who is an  awesome you know cisco engineer necessarily into a  
office 365 engineer or a linux resource it's just  not going to happen so you have to understand that  
people have different skill sets mindsets and you  have to tailor the jobs descriptions especially  
when you're looking for a job for that specific  person and you tailor the workload so if you  
really just need someone to do the scutt work  internally reading logs and that sort of thing  
don't target a high level person target low level  people give them the experience let them grow into  
the job and then expand it from there so that's  that's kind of my feelings on the different types  
of jobs the different kinds of phases of i.t life  i mean it's not exhaustive and totally inclusive  
but that's the big four buckets that i see so  that's we're looking at so you really the key  
point here is tailor the job for the person that  you're looking for and hire that person because  
you hire someone with too much experience for a  newbie level position they're going to leave real  
quick because they're going to get bored anyway  laurel zach comments well no i mean that's all  
i mean that's that's all very truthful the other  thing i think is that don't don't try to reward  
um you know because you know zach and and  we always try to emphasize that you know  
the these the people that are really important you  can have all the cool technologies in the world  
without smart individuals that are capable those  technologies aren't going to do anything for you  
they're not going to manage themselves they're  not going to prevent you or present you a pretty  
dashboard or any metrics of any kind but  it's very intelligent humans to do and so  
what i what i like to what i like to think is  that um you know there's a there's a job out  
there for everybody um to do that they want to  do that they they have joy in doing right and so  
what i don't like to see and so try to find  that person but don't try to reward people  
falsely with what i like to call like empty  titles like you've got one it guy you're going  
to call him the vice president of information  technology when they're doing the help desk  
they're you know installing microsoft office  as well as configuring acls on the firewall  
and then you want to expect them to do it security  too so maybe you'll give them a cso title or  
you know some form of a cto title when they're  really just a grunt and those people you're  
going to burn them out and they're going to  go someplace else and find more meaningful  
work that's you know not just title driven  and it probably pays more probably best yeah  
yeah i mean i think that that and i don't know i  mean you have to spend money on good people and um  
unfortunately there's no way around that  if you especially if you want to keep them  
and and you don't have to pay a high dollar  for people but i think you need to you need  
to staff accordingly right you can't have  one person that you pay 140 grand to do  
everything it's not sustainable it'd be better  to have you know three you know 75 or 80 000  
employees so you have some sort of a backup plan  if somebody leaves and you have some sort of a  
you know tribal knowledge of of of installed  devices that is hopefully getting documented  
yeah and when you do that you have to have the  expectation you're gonna lose at least one of them  
eventually if not all of them as they go through  the position always because just like in those  
phases you're talking about everybody's looking to  go from you know into their next phase of of life  
and of practice for their discipline and if you're  not giving them that capability at their place of  
work they will go find it because they're going to  try to grow as a professional right especially i.t  
security professionals it's a it's a um you can't  even if you go to a you know a school for for an  
undergraduate in this it's constant learning i  mean you're learning new stuff every day and if  
you're working in an organization that won't let  you do the coolest new stuff you need to you're  
going to go find it someplace else well exactly  i mean you look at your security stack or your it  
stacking and if you're five years behind the times  or three years behind the times you're killing the  
person's resume which is killing their longevity  so you need to keep up with your technology and  
that's keep them up keep them trained and keep  in mind too that compensation is important but  
most technical people were technical before they  were paid to do it right i mean lauro you were  
well you started flowing around with computers  when you were what 10 or younger yeah yeah so  
i mean you're right i mean you know nerds are  going to be nerds right technicians are going  
to be technicians and you know here's the thing  is that it doesn't cost a lot of money to give  
your security folks a lab where they can  you know they can vet software right i mean  
because you know let's talk about every var out  there is trying to sell you something new demo  
it right throw it in the lab and run a demo of  it drug you know demo the product for you know  
two three weeks um see if anything you know  gives you an opportunity to play with stuff  
gives your staff well really your staff an  opportunity to play with stuff right and then it  
it'll out of it you'll have new technologies and  capabilities you might not have known about before  
by letting them have this this lab right  definitely yeah good point i think that's  
that's leaps and bounds above a uh a foosball  table and and a cake of beer in the office even  
i think the cake of beer should be there but  i mean that's you're right everybody wants  
to put in a and i love table tennis i love  playing pool but i would rather have a lab  
you know chassis in one in the i.t security room  um so that i could do stuff on rather than go play  
foosball you know what i mean yeah i think that's  an excellent point you know and a differentiator  
if you can if you can structure your organization  in a way that allows a even a specified amount of  
time and all the big you know all the big  silicon valley companies do this but but  
for those who don't out there you can structure  your organization a way that that segments off a  
you know specified amount of time for your  staff especially your technical staff to mess  
around in a lab environment or work on new  projects or explore new skill sets all those  
types of things i think that's going to help  tremendously in your attention because they're  
i hate to say it but they're generally  not married to the company that they're  
they're working for you know they they can be  coached by the by the highest bidder somebody that  
gives them that opportunity to grow and develop in  their careers so especially in those early phases  
i mean you going going back to your point mike  kind of the newbie and beginner phase if you're  
thinking from the shoes of the person that you  want to hire what do they want you know they  
want opportunity to excel grow in their career  um you know play around with new things learn  
new skill sets all of that and be in kind  of a you know energizing environment right  
as they go further into their career those  needs are going to change right you're going  
to get into more stability they're going to  have things like families to think about and  
vacation time and all of that so consider what  you're instead of just putting a blanket you  
know a blanket ad out for hey i need this  person um think about what really appeals  
to the person in that phase of their career  where are they going to be and how can you how  
can you tailor the environment exactly and you  know keep in mind too is that the environment  
the political atmosphere is key most i.t people  i would say 99.9 percent can't stand politics  
don't worry part of it don't want anything to  do with it don't want to hear about your office  
intrigue couldn't care less and you immerse  your people in that you're going to lose them  
and if you have you know good pay in a bad  environment may keep them around for a while  
not good pay or okay paying a bad  environment you're losing resources fast  
um the environment that you work in now i'm  not saying you know like when i got in the dot  
com here i mean we had stocked fridge and power  beers and you know pizza on demand and you know  
margarita machine that was turned on at four  o'clock every day he's played pool with the  
ceo and whip his butt um you know that kind of  thing but um you know it's about the industry's  
evolved since then but you still have to create  a good environment that people want to work in  
and people will will take a lower paycheck to work  in a good environment i think you know we've seen  
that in a lot of places so and what are your  thoughts on when people are really looking for  
let's take the scenario of a company that's  looking to bring in uh maybe a senior security  
professional for the first time right maybe they  have an i.t team but no security professionals in  
house what would your advice be to them as  far as what is that senior person a person  
that's going to run the show for them from a  security perspective what are they expecting  
what are they going to need in order to take that  position well they're going to need some autonomy  
uh they're going to need respect for what they've  occurred but they've accomplished through their  
career right and they don't need to be second  guessed by you know someone who's seen the latest  
and greatest fad they are solid i.t professionals  so the first thing is autonomy the second one is  
let them build some of their team um they're going  to want to have their people in place so if you've  
got holdovers or people that they don't get along  with you need to allow them to build their team  
properly and definitely a vote for sure i mean  not dictatorial control but definitely a vote  
in the it gen or the direction of the company from  a security perspective or an it perspective and  
there needs to be an understanding for that person  of what the businesses goals are and what the  
security goals are and there needs to be an equal  balance of what of the security person's input it  
can't just be steamrolled by the business you have  to realize that that security person especially at  
the senior level has valuable experience is there  to protect you not to hurt you not to kill sales  
what is there to protect the company to ensure its  longevity and and really when it comes down to a  
lot of you know is respect i you know i have  a soapbox moment that i call out in the book  
and it's it comes from actual experience where  you know security smes are talking about things  
and they're being shouted down or argued with by  pm's or you know vps or directors or managers who  
have no idea what they're talking about and then  they're not backed up by their their management  
that can't happen you're going to lose that  resource immediately and they're going to find  
another place to go in a heartbeat really it's  autonomy and respect i think are the top two  
and and you have to have them be able to have  that level of respect from other people outside  
the it organization so well well said you  know you know another thing i've i've seen  
um too is just a commonality among among  those people either stepping into a security  
role for their organization and taking over that  responsibility or or coming in from the outside  
and doing it is they're very much vision driven as  well they want to see they have something in mind  
for the organization they have things they want  to do and accomplish and i think understanding  
what that is for that that individual and  reinforcing that working with that bringing it up  
um on a regular basis can can certainly help right  because they they see themselves as maybe going to  
eventually gain maybe a cso title or something  like that and building out that that security team  
uh with them like you mentioned mike  that's a great thing and and it's  
you know starts with the decision that if you're  going to hire somebody you're going to trust them  
and you're going to get out of their way a bit and  let them do their their work but then also support  
that that bigger picture that they have in mind  um and uh and and try to reinforce it and help  
help turn that into reality and i think i think  that can go a long way and i think that regardless  
of the level of person you're looking for um they  all have a picture in their minds whether they  
they articulate it or not they have a picture in  their minds of you know where what they're looking  
for out of the job what with that that ideal uh  work environment uh looks like to them and and  
what they want out of it and so if you can kind  of get down to the root of that make sure that  
that's an alignment with what the the company  has in mind and needs and then and then if so  
it could be a great fit you know as long as you're  you're serious about supporting them not just  
because the opposite of course is people hire  you know they hire security professionals to  
check the block and then they say okay well  you know now that you're here this is how it's  
going to be and this is what you need to do and  that's that's when they move on right away so  
yeah you're going to lose that resource almost  immediately this is a a fascinating topic i think  
we're going to have uh quite a few more episodes  on this in the future just various aspects we'll  
dive into more detail have some guests on the  show and such talking about this this very part  
because it is so critical but for now recap put  yourself in the shoes of the person that you're  
trying to hire understand what that expertise  is that you need get some outside support if you  
don't understand what you need get a consultant  get somebody in there to help you paint that  
picture have some clarity get it documented but  then put yourself in the shoes what what level  
of the uh their career path is this person in that  you need are they entry level are they brand new  
right out of school right out of certifications  uh or are they senior and and in which case  
what's going to be important to them at that phase  in their life think through that write it down and  
uh make sure that you treat this process carefully  don't just kind of stick it through the usual hr  
protocols because it's just not going to be as  effective take take a personal interest in it  
for those of you who are our organizational  leaders and really show interest in the people  
that you're trying to bring on board because  it is a competitive hiring market out there  
and that's just what what has to be done in this  day and age to make it work um so but in doing so  
you'll have an asset that will pay large dividends  over time and it will cost you a lot less  
over time as opposed to having turnover which of  course is it's incredibly expensive so any final  
thoughts comments smart remarks before we jump  off here today i got a smart remark really you  
no i had to work really hard for it but um  you know back to the trust your people you  
know when when my pool guy comes here i'm not  out there you know scrutinizing every little  
thing he does all i care about is that the pool  stays nice and i can swim in it when i want to  
so i trust him i don't care what you know  what methods he uses they work for him  
they work for all of us so you know again you know  trust your people absolutely uh one of the things  
that i would say is you know i agree with that too  laurel but train them allow them to get their cpe  
it's mandatory cpe is manual mandatory to maintain  those search that you require them to get their  
job for if they need a half day to go to a ice  hockey meeting or icy square meeting or something  
of that nature let them have the half day they  need the time they need to get the cpes um  
and support it pay for them to get a training  class it's it's not that big of a deal  
um give them the time keep them trained and yeah  you may be promoting or be contributing to them  
leaving you and going someplace more expensive  however while they're there you're showing you  
care about them you care about their career and  that you are going to go ahead and support them  
and ensure the company is staying ahead of the  curve excellent point and to add to that guess  
where the best place is to find additional team  members right it's through the ones that you  
already have and trust and and they're going to  meet people and expand their network by going  
to these events going to these meetings um  even if they are virtual they're still going to  
expand their own network of tech professionals  and they'll be able to help you grow your team  
better than just putting an ad out for uh you  know a certain resource so all good stuff well  
thank you all for listening reach out with any  questions comments we'd love to hear your thoughts  
rate us on your your favorite podcast platform  and and uh love to get your feedback we're always  
working to improve so please just take a moment  to do that and we will chat with you again next  
week have a great day take care pick up your  copy of the cyber rants book on amazon today  
and if you're looking to take your cyber  security program to the next level visit us  
online at join us next time  for another edition of the cyber rants podcast