Gatekeeping in Cybersecurity, Part 2 – Naomi Buckwalter – #SCW83

SPONSOR 0:01
We’re proud to announce CISO stories, a new podcast series in partnership with cybersecurity collaborative and cyber reason. CISO stories features the candid perspectives and experiences of frontline senior security executives and dive deep, timely security topics CISO stories is hosted by Todd Fitzgerald, VP of cybersecurity strategy at cybersecurity collaborative and Sam curry Chief Product and security officer at Cybereason. Listen weekly as they speak with extraordinary CISOs by visiting securityweekly.com/CSP

Jeff Man 0:34
Welcome back to Security and Compliance Weekly. Hey infosec World 2021 is proud to announce its keynote lineup for this year’s in-person event. hear from I looked up this name pronunciation earlier and I forgot about ready Robert Herjavec plus heads of perch avec whoever he is. I can’t guy yeah, yeah, I don’t watch Shark Tank. I don’t know who it is. Also heads of security at the NFL heard of it. TikTok heard of it. US Department of Homeless Homeland Security. have heard of it. Stanford University heard of it and more plus security weekly listeners save 20% on world pass and main conference registration. How do you take advantage of that discount visit securityweekly.com/sw2021 and registered now also case you haven’t heard security weekly unlocked will be held in person this December fifth through seventh at the Hilton Lake Buena Vista that’s in Florida By the way, bring your masks and bring your vaccination cards even though nobody will ask you for him. We’re excited to announce our first round of speakers who will include Leslie Carhart, David Kennedy, Alyssa Miller O’Shea. Bowens Marina Shibata Did I say that right? Patrick Coble, Chris Eng, Erik Escobar, Nick Leghorn, Michael slat. Kevin Johnson, and can you believe it Justin Kohler want to be part of the action, go to securityweekly.com/unlocked to register and check out more about our lineup of speakers.

Alright, want to jump back into the discussion? Fascinating picture that you’ve been painting. So far, Naomi. And I wanted to share very briefly, something that I’ve been thinking about, I’m giving a talk in a month, at a conference in person live. So exciting. It’s been so long. But my topic is sort of on the topic of you know, how do you become a professional but more finely tuned towards? I think what Scott alluded to earlier is you know, security, you mean you’re a pen, tester, hackers, all that kind of thing. I am often asked, How did I get my start in this profession? And I got my start working at NSA, the national security agencies. So the question really is how did I get a job at NSA. And what I’ve been thinking about lately, and hopefully this will help spark the discussion for this segment is, I was hired at NSA back in the big 25. I’m sorry, it was 35 years ago. In a month, in a time when NSA was hiring computer scientists, mathematicians and engineers, that’s all they wanted to hire. If you had those degrees, they recruited all the major colleges and universities throughout the country graduate with that degree boom, you had a job higher-paying PayScale than the regular rank and file. I actually went through a different route, I heard that they were hiring filled out an application was invited to force me to take a couple days worth of aptitude tests, a battery of kind of skills tests, and based on my scores, they hired me. So I was none of those mid-level, if we can extend the analogy, mid-level experience, I didn’t have a CISSP I didn’t have this degree that certification that training all that I simply scored well on a test and what I’ve been trying to do a little bit of research on or think about, and I think this is, I hope this is what you’re getting at with your foundation is how do you recognize the potential, the aptitude, the talent in people, without them having necessarily a degree or a training or a cert, but just the raw potential if I’m trying to figure that out, because NSA clearly had to figure it out. It’s why they hired me and went on and had a somewhat successful career did some things, yada yada, it’s not about me, but what I’m doing What I what I’m trying to figure out is how did NSA do it? How did they know? To know what skills test to give what things that they see? What I do know, anecdotally is NSA always liked to hire people with liberal arts degrees. They liked to hire. And I think this is more from a national security perspective, they like to hire people from Utah, of a particular religion, because they were good and wholesome and less likely to do the bad things that they could be compromised over. But that’s not really relevant to the conversation. But so what are to kick off the discussion for this segment? What are some of the things that we need to look for? Are you are trying to train the trainer’s the ones that are trying to hire people? What are the things we need to be looking out for to recognize people as having the aptitude or the potential for succeeding in careers? Whether they’re technical or non-technical? Or if there is such a thing? so on and so forth? Go?

Naomi Buckwalter 6:08
I love this question. And I’ll turn it right back around to you, Jeff, because the NSA certainly didn’t knock on your door in the middle of the night asking you to apply to this thing. You self-selected yourself, did you not? Did you not go up and say, Hey, I’d like to join. So at some point, you had an interest, right? Or literally, did they find you fishing? Or whatever you were doing? Like just chilling out on a Saturday? Right? Did you self-selector?

Jeff Man 6:31
No, that’s an interesting, correct question. I grew up in Maryland, and assays in Maryland, I never heard of it. Back in the day, it was a very clandestine, low profile organization. So frankly, when I applied to it, I really didn’t know what they did. I didn’t know that they had something to do with code breaking. And if it was self selecting, and I and I’ve only figured this out in the last couple years, as I tried to answer this question, how did you end up there? I grew up in a family that likes to do puzzles. And, you know, crossword puzzles, crypto quizzes, everything that used to be in the Dell crossword puzzle magazine, if anybody’s ever heard of that. And in particular, those books had logic problems. And in a in a cosmic karmic event. My first job at the NSA was in a cryptologic shop on the infosec side, so we were creating crypto systems rather than breaking them. And my mentor was a very well established brilliant man to this day probably is still the smartest person I’ve ever met. cryptologists he was a cryptographer. He did work on he did the code breaking stuff, but he moonlighted on the infosec side of the house. And this is the karmic event. He as a side job used to write the logic problems for Dell crossword puzzle magazine. So it was full circle for me right from the very beginning.

Well, perhaps,

Naomi Buckwalter 8:04
well, this is it was a leading question, because you know, honestly, Jeff, I like you as a human. I think you’re extremely amazing. But are you that unique? Are you the only person within your Maryland suburb or wherever you grew up? doing those crossword puzzles and logic puzzles? Are you unique, where somebody just like you down the street could not have also done the same job as you, uh, you are given a mentor, you’re given training, you’re working alongside amazing people? Could somebody else just like you, with your background experiences and your life? Do the same thing? Question? Yes or no?

Jeff Man 8:37
No, I am, I am that unique, but I’m the exception to the rule.

Naomi Buckwalter 8:42
So if you are that unique, I would say in cybersecurity, I don’t think somebody can’t do the same thing where you can take somebody like me, I just whatever background you want to give me. suburb, you know, fairly intelligent, I wouldn’t say I’m like massively genius or anything like that. But I do puzzles as well. You know, I went to college before I graduated high school. It’s like those kinds of things where other people do the same thing. I’m not that special. And so I will say, if you take if you self, if you take the people of self-selected, who are already interested in cybersecurity, you give them training and mentoring, they’re already going to be good enough, what you’re kind of assuming by like, how do we find the right people, you’re assuming that people can’t be found or, or the people don’t have the potential already? Your question, I think, is a false assumption of saying, how do we find the people with the right potential? I think everyone has potential. I think everyone is able to grow. They’re not fixed in their intelligence, they’re not fixed in their emotional intelligence, they can grow and improve. You just need the right environment, the right teacher and you want to find somebody with that right level of passion and the right ability to think critically in those soft skills that are harder to teach.

Jeff Man 9:46
So I challenge I am open to that thought but I don’t agree with it is simply for the notion and, you know, doesn’t have to be this field, but any career field that requires special And let’s say, Does everybody have the one level? I agree with you, everybody has the potential to be anything. But I think there’s also, the idea of some people are better at some things than others, or some people are driven or steered or motivated or attracted to things more than others. It doesn’t necessarily have to be a skill or a talent. Maybe it’s just an interest. But I know, people that are brilliant at accounting and finance, not me. I’m not a brain surgeon, maybe I could have been one, maybe I could have been an excellent one. But it wasn’t me. So I think there’s room for and I would categorize it is people finding what they like to do what they enjoy doing. things that excite them and, and hold their interest. You know, as a layer on top of Yes, everybody has the potential to be anything. I mean, you know, I could have grown up and been president that we all have that possibility as American citizens. And yet, very few of us are stupid enough to go that route.

Flee 11:13
I hear I hear you, Jeff. And I partially agree with you. But then I think you’re also wrong. But you know, uh, do you hear your girl just like, everybody has, like, you know, potential and, and, but there are some people we’re gonna have natural talent, natural aptitude, that influences your velocity of gaining skills, right? Like, how quickly Are you going to, you know, gain these new skills, going back to come up Naomi’s question. In our point, though, when I think about this problem, I think about it more by hiring manager problem of where we are, and it sounds like the NSA actually did their homework that he spent some time in this. And it sounds like when they reached out to you, Jeff, they were looking at really understood the problem they were trying to solve. So they knew the right criteria, deki select for inside of infosec now, especially as this, you know, corporate entity, and people can make money. And oftentimes, we’re just, you know, being lazy for lack of a better word. So we’re saying like, Oh, well, hey, somebody has to have a certification, as opposed to really understanding from a first principle standpoint, what does that certification mean? Like, what is it you actually need somebody to do on a day to day basis? Do you need somebody to understand anomalies inside of a data set? Well, it turns out it understanding anomalies inside of a data set isn’t something that’s specific to an infosec person, that’s actually something that you find people doing in a lot of other areas is out of a company. So you could be a business intelligence analyst, and part of your job is understanding anomalies inside of data, well, wow, holy shit, you could actually be a SOC analyst, you could actually be somewhere else in the security spectrum. When it comes to things like hey, you know, understanding how humans interact with systems. That’s like a classic problem that you find with somebody operating an IT help desk understanding that connection between technology, and humans, holy shit, you can be a security person. But I don’t think a lot of hiring managers are doing the necessary work because we as an industry, one, we have this massive ego problem, we want everybody to think what we do is magic and secret and take all these years. You know, like the stuff that I learned as a kid that was like, he just, it really was so super simple. I mean, obviously, I know now, like, you know, exploits, etc, are much more complex, because systems become more complex. But a lot of those things aren’t unreasonable or unapproachable for anybody to actually get into and learn from. And we see this all the time, especially, you know, you follow like some of the other communities, we actually go to some place like DEF CON, you see people from all kinds of backgrounds that have an interest in security, they had some aptitude, etc. But they didn’t necessarily need to be a math graduate, they didn’t have to, you know, be a CS grad, or anything like that. It literally is people from all walks of life. But the hiring challenge there is making hiring managers less shitty and less lazy. And for us, as hiring managers actually do a better job of making sure that we’re looking for the actual capabilities that are necessary to be successful in security as opposed to certifications or pedigrees that are necessary to be successful in security.

Scott Lyons 14:06
So you say let’s make the hiring managers less shitty and less.

Naomi Buckwalter 14:12
That’s my new tagline. Yeah, I got it.

Josh Marpet 14:14
Make the hiring manager less shitty that’s awesome tagline, well done.

Scott Lyons 14:19
I want to throw that back at you Flee and say, is it that we’re making hiring managers less shitty? Or is we as tech people are actually communicating our needs?

Flee 14:27
Oh, maybe it’s a little bit of both. But I don’t think that that burden should be placed on the people applying for these jobs or ICS, etc. All right. The only good team,

Scott Lyons 14:40
It’s all like spun, mutilated, spindled. I don’t care how you do it – into these esoteric arcane requirements that we have candidates trying to fill.

Flee 14:51
I know, we’re not just can’t talk to..

Josh Marpet 14:54
It’s not just this industry. Here’s the point. It’s not just this industry, you got to understand and i believe The fifth brought it up. I was about to do in law. But in this is in Discord. By the way, if you’re not in the discord, please join the discord. We have a great discussions in there all through the show. But here’s my point that I have knowledge of is that in law in the legal profession, it used to be that lawyers get out of law school not knowing how to be a lawyer, they understand the law, but they don’t have to be a lawyer, there’s actually two different things. And so they go through the first year or two of being with a firm and everybody knew this. You were built to clients while you were being taught how to be a lawyer. Okay, so you were helpful, you were useful, but you were about as useful as a paralegal who comes in at a much lower billing level, let’s be clear. And then after a year or two, you become useful as a lawyer. So that was sort of the apprenticeship years if you know what I’m saying. And it’s not as formal or official, but we’ll call it that for ease of use. And then the cup clients are going Wait, why am I paying for these first-year lawyers? They’re not doing anything for me. And so law firms stopped doing it. And so lawyers stopped getting hired right out of hospital. It was you want to come work for us? Show us your years at law firms like well, I just out of law school, what do I do? And it’s the same kind of quandary. And then you’ve got a military people come out, and this is what I plead the fifth set, great, great point, I believe they milk Can people come out of military and they may be fantastic, and they be suck. You know, there’s people in the military, they’re like, Hey, you know, you can train me, but I’m gonna have the contractor do the work somebody else. I think Dmitri said that. But I mean, it’s, a tough thing, when you’re not allowed to charge for the entry level people to learn as well as do the work that they can do. Okay, you trained Naomi, you trained your opera singer. Jessica, I think her name was forgive me if I’ve mangled that as an intern. And once you trained her as an intern, which presumably she was no offense, fairly cheap as an intern, you hired her. So but what we need to do is have a way for people to get that experience so they can be hired, or just change the culture. So that can be hired directly out of school, and I’m trying to come back to you forgive me, go ahead.

Naomi Buckwalter 17:03
You’re exactly right. I mean, like now that we know what the problem is, and it’s pervasive throughout different industries, like you’re saying, like, let’s do something about it. And this is what my chances like, I think me and this my whole story in my entire life was supposed to be in the FBI. Like, my entire life was built around being in the FBI. And the reason why I wanted to be in the FBI was to fight cyber criminals and specifically, get people you know, cyber child porn and stuff like, you know, capturing those guys like I wanted to be a good guy fighting a bad guy. And now I realize I think my purpose in life is to still fight against cybercrime. Even though I might not be in the FBI, I could still fight against cybercrime. And I think that’s what my mission on earth is to do. And I’m, I’m totally grateful for the opportunity is is super scary. And am I putting myself out there? Yes. But I think it’s worth the risk. I think if we’re going to have a future that has negligible impact of cybercrime, I think it’s worth the effort that we’re putting in. And, you know, tell that to the 800 volunteers that have signed up to help me with this cause I think a lot of us have the same vision, we not only do we want jobs, yes, that’s great. But we want to see a future that’s free of cybercrime.

Flee 18:07
Naomi, you have you have convinced me, I need to be member 801 of this organization. So I’m so here for what you’re trying to do at cyber breakers. And oh, we hear you, Josh. And my perspective is that we need to change the culture, we have a shitty culture and security and this whole gatekeeping thing is just bullshit. Everybody insecurity what they knew at one point, and also I do understand your point with the guards that like, Hey, you know, it takes time for you to uplevel and train, etc. But the reality is, especially within our industry of security, you have to do that anyway. Right? You know, there, there wasn’t Kubernetes, you know, 12 years ago, but now you have to learn it. And the idea is like, if you’re in this industry, you are constantly learning, and I think it’s unfair. And yeah, just literally just unjustified to penalize people earlier in their career for knowledge they don’t have because we’re all in that same position today. I definitely AWS and yeah, I got job security practioner.

Josh Marpet 19:05
My favorite joke about this, and it’s not a joke, this is a true story is I forget that specific technology, but a guy put it on Twitter, he goes, You know, I applied for a job and they didn’t get it, because they didn’t have four years experience with this certain technology. He goes, but you know, I only created it two years ago. Yeah. I mean, we have a bad culture, both in HR and hiring managers and and hiring requisitions. You know, how many of us talk about the HR filter, you got to get past the HR filter to get to people that can understand you and talk to you in the language that you understand and can actually decide whether you’re gonna fit there. They’re there to the technology there.

Scott Lyons 19:43
I say we don’t we don’t have a bad culture at all. What we have is a culture that’s grown with the needs that businesses have told them. So if we’re telling that we’re telling these people the wrong thing, aren’t we like perpetrating or perpetuating Sorry, not perpetrating, perpetuating that culture.

Jeff Man 20:04
Could be both.

Flee 20:05
I believe so. And I think we’re both perpetuating and perpetrating. I love that there’s a lot of perpetrators of insecurity, man, don’t get me started on that. There’s a lot of perks that here insecurity.

Scott Lyons 20:15
So how do you feel about perpetrators and security Flee? I just, you know, I figured we got some talk No, nevermind.

Flee 20:22
no, but you know, like, I think the whole HR filter is a cop out. And the reason why I say that is, at least for anybody else, that’s like a security leader, you know, like Naomi, etc. If you’re a CISO. It’s your job, like, you knock those things out of the way. You don’t have to sit there and just say like, Oh, well, the HR person says that if I hire security folks, that type of CISSP? No, you’re the CISO, you get to determine what roles should be there, what those job wrecks should look like, what are the actual requirements you’re looking for. And it’s upon us as people who at least claim to know how to do risk management actually make good risk calculations, and place good bets on people. And if you really are somebody who’s supposed to be a risk expert, you should be correctly recognized that talent and understand what is going to be suitable in these roles. recomputed be successful, if your company, not your HR department, if you’re putting this on your HR department, you fall into that category of city managers that we want to get rid of,

Scott Lyons 21:20
you know Flee, we, as security people often joke about the different C level roles. And in fact, one of the prevailing jokes that keeps going around is that the CISO is the chief scapegoat officer.

Flee 21:32
Oh, right.

Scott Lyons 21:33
Everything rolls into the CISO. So could the first thing that you do as a CISO, when you step into a new organization is sit down with HR and say, Okay, what are your hiring requirements? How can I help you to help me be more effective? You know, I mean, it there’s a lot going on when you step in, but you’re right that it does fall on the CISO shoulders. However, where does that fall? like where in the chain?

Flee 21:58
Yeah, so at the end of the day, the CISO owns all of it. And that’s full stock, because you own the outcome of your organization. So you have to own what that hiring looks like. And I love that question. Just because there are so many people in HR or recruiting or however you want to phrase it, who wouldn’t love for see CISO’s to actually work with them better Nike, give more specific guidance, give more details?

Jeff Man 22:21
If only we had a CISO who could weigh in on the show that could weigh in on that.

Naomi Buckwalter 22:25
Yeah, keep letting me talk. Sorry. I do have to leave in a few seconds here. But I’ll just say like, I agree with Lee here like it is on the CISO to make the change. But I also want to challenge the people who are not CISOs, you have a voice here that your system is going to listen to you if they’re a security leader at all, if they’re a leader at all, they will be listening to their direct reports. So I constantly try to give feedback from my drag reports, Hey, is this a kind of a role that we need? Or can Can we talk about this person? What do you think of this person, right? And so I listened to my people use them as input into my decision, and you have a voice as an individual contributor, you can say, Can we get some shadows on our team? Can we build a security champions program? Can we get some interns, you individual contributor who does not have any managerial responsibilities, you can actually do something about this job gap, this whole gap thing, but you have a responsibility, we all do. And so I challenge you to really focus on what you can do as a person and not just put blame on HR or put blame on your sister who’s not doing anything, or put blame on your C suite for not giving you headcount. You can do something you can mentor somebody you can pay for someone security certifications, you can do something to help.

Scott Lyons 23:38
Right, but if the CISO ultimately owns it, wouldn’t that be seen as passing the buck?

Naomi Buckwalter 23:43
Yeah, no, no, no, you can do something, you can do something yourself. It doesn’t have to be within your organization. But you can still mentor somebody, you could still help somebody out with a conversation, you could still talk to somebody talk to a school, right? There’s like little things that you can do. You don’t have to be like, Oh, I’m going to talk to the board today to get budget for my people like that. Right?

Scott Lyons 24:01
But not everybody. That’s no, that’s not what I’m saying. What I’m saying is as the CISO, doesn’t that fall on your shoulders?

Naomi Buckwalter 24:07
Yeah, that’s what I’m saying. Yes.

Scott Lyons 24:09
If you choose to delegate, that’s, that’s fine. But wouldn’t that be seen as a passing of the buck? Like, you know, I’m too busy to CISO don’t bother me with these things?

Jeff Man 24:19
Because depends on whether it works out right.

Scott Lyons 24:21
It is, a lot of times it is, you know.

Naomi Buckwalter 24:25
I can see that for sure.

Scott Lyons 24:27
We sit back as tech people and we say, well, we don’t understand business decisions, we don’t understand why we’re being why our budgets being pulled or why we can’t bring people in or why we can’t have the tools that we need to do our job. Or if we had this one thing would make our life so much easier, let alone being able to go out and talk with HR and have these discussions about risk when ultimately that falls directly on the CISOs shoulders. So wouldn’t that be seen as a as either a denial of risk, you know, it’s not just a river, or not as a transfer of mitigation, like, walk us through that process.

Naomi Buckwalter 25:05
Well, seconds and then after, right?

Jeff Man 25:08
Yes, yeah, make it make this the last word please.

Naomi Buckwalter 25:11
Okay, I don’t condone passing the buck. Now, I will say again, it is a cisos responsibility to hire and train the next generation. But I also believe the individual contributors have a role to play in this also. So everyone has a responsibility. Stop blaming everyone else. Again, you are the common denominator to all of your problems, including your work problems. So take responsibility, take accountability, do some self reflection and see what you can do to improve what we’re doing here. Thanks, everyone. I gotta run.

Jeff Man 25:39
Thanks for joining us today. If you guys want to follow Naomi, she’s you can find her on LinkedIn Naomi Buckwalters, she’s also on Twitter. Hashtag at I need not hashtag I’m sorry, ampersand. Or at for you millennials. @Ineedmorecyber Sorry, I come from the days of typewriters.

Scott Lyons 26:02
Did we just get typewritersplainED.

Jeff Man 26:04
We did got… Every time I opened my mouth. I’m mansplaining. Naomi had to go because she’s a virtual CISO and she had work to do. But really appreciated the conversation today in spite in spite of the fact that I think we talked over top of her and she was very polite to let us ramble. Our bad. Tune in next week, we will be back we will be talking to Tim Callahan. He’s one of the speakers at infosec world and I suspect we’ll be talking about his topic. But anything goes.

Scott Lyons 26:41
Do we do we want to start teasing about what we’re working on in the background? Something dealing with like Priyas area? Do we want to start teasing that?

Jeff Man 26:52
Not yet. Well, that that I think that effectively was a tease. But we’ve got a lot of the fun episodes coming up in the next couple months that we’re working on. We’re trying to, to change things up a little bit and change our change our format, but just do some fun, exciting different things. So that’s enough of a tease for now. Gentlemen, always good to talk to you. Josh. Get back to your kid and your vacation, Scott. I’ll see you in two weeks after quarantine for a while. Yeah, and we need to do we need to catch up with a cigar and Flee. I don’t know when we’re gonna see each other but I hope to see you sometime.

Flee 27:36
Yeah, yeah, you know what this whole COVID thing is done. I will you know, escape the bunker and actually see humans in person again.

Jeff Man 27:43
Well, worst comes to worse. I’m sure I’ll be out. Well, assuming worst comes to work. Worst will be on lockdown again. But assuming that there’s a live RSA event next February. Hopefully, we’ll all hang out. Then. I will give one teaser for you, Scott. We’re thinking about somewhere around Episode 100. If we can pull it off, trying to get all of our co-hosts together in person in studio. Some of us never met in person. But we would love to just get together and celebrate 100 episodes which, you know, coincidentally is somewhere probably in January, which is a horrible time to go to Rhode Island based on the 500 Paul security weekly episode, but…

Scott Lyons 28:31
Oh man that episode was epic. We literally walked in. It was clear, nothing was going on. We walk out of the studio, and there’s like a foot and a half to two feet of snow on the ground.

Jeff Man 28:42
It’s like it was like two feet of snow.

Scott Lyons 28:44
It was crazy. It was absolutely crazy.

Jeff Man 28:48
Well, that’s it. We should let everybody get back to their lives. Thank you much. I’ve got a day job. We’ve all got day jobs get back to but we’ll we’ll sign off for now. Stay safe, stay secure. Let’s keep building bridges tearing down silos and breaking gates on security and compliance weekly.