How CISOs Can Raise Their Game Against Cybersecurity Threats
Kitecast - André Tehrani
What organizations seek in terms of experience, certifications, and skillsets when it comes to their next senior cybersecurity leaders reflects their current and future priorities. Today’s CISOs must understand the business and be able to articulate cyber risks in terms of financial and compliance impact. Simply being an expert in network perimeter and workload security is no longer sufficient. In this Kitecast episode, Cybersecurity Recruiter André Tehrani talks about what matters most for his clients when they vet senior cybersecurity candidates. When it comes to CISOs, they must be able to articulate cyber risk through the lens of business impact: operational disruption, damaged brand, negative sales, and compliance fines and penalties.
Patrick Spencer 0:24
Everybody, welcome back to another Kitecast show and we have a real treat for you today. But before we jump into our guests and let him introduce himself. Hey Tim,
Tim Freestone 0:34
Patrick Spencer 0:36
Good. Another podcast. They’re always fun. And we got a real treat today, we’ve been interviewing a bunch of folks who are on the technology side, their actual CISO practitioners, or folks who’ve been working for the US federal government in cybersecurity for a number of years. For today’s show, we want to mix it up. We’re talking to our good friend, Andre Tehrani who’s up in Toronto. Hey, Andre.
Andre Tehrani 0:59
Hey, my gentlemen from the United States. Thanks for connecting with me. It’s a beautiful day in Toronto. So hopefully I bring the sunshine to this podcast
Patrick Spencer 1:07
For all the rain in the clouds we have in Seattle today. So
Andre Tehrani 1:12
I’m known for being cold. It’s like, oh, you guys have feet of snow. But today, it’s sunny. So, let’s have a fun autumn day.
Patrick Spencer 1:18
So, Andre, before we jump into the questions for you, and just kind of start talking about your background, I want to introduce the audience to what you do. You’re the principal and founder of a cybersecurity, C-level C-suite recruiting firm called recruitment. That’s been in existence since I think 2019. You’ve been in the cybersecurity field for more than a decade. How in the world did you get into cybersecurity in the first place? You were at York and you applied from what I understand for some kind of internship out of 2000 applicants, you were one of the two who were selected
Andre Tehrani 1:56
Cybersecurity found me. I didn’t find cybersecurity. Now, I know you hear a lot of I hear a lot that like, if you were in, you know, in a professional career path in the technology sector, most likely, like security kind of like touched you or came to you. And that 2007-8 era, you know, when RSA SecurID keys and DLP and all these things were like, you know, they were being bought, but they were never like highlighted, you know, compared to virtualization. But the way it found me actually was through my mom. She didn’t like that I was playing video games all the time, or I was outside playing hockey, like field street hockey, or soccer or whatever. She wanted me to read a book, she wanted me to be educated. So, one day, she just threw this book over to me that she picked up at a library. And it was basically a novel about how this woman fell victim to like a hacker. But he was like a stalker-hacker. So, it was as you can see, as you read through the pages that got more like terrifying and you know, things of that, like, you know, you’d like realizing that there’s people like this, like there’s a story like this. So that’s when I got introduced to it. But really, it was that EMC experience, where out of 2000 applicants I got hired for an inside sales internship with EMC. But this was the year, the summer that RSA, which was a subsidiary of EMC, was hacked. So, this is when I saw the breadth and depth of a cybersecurity attack. And living through it, seeing how a company responds to a Yeah, I’m an inside sales guy. But like, I was watching how the deals broke, how they were handling the calls, you know, where the firehouse where the fires were and why they were there, how they were like, you know, how they continued their business past that. So, it was a so that’s where I kind of got my introduction to cyber from a professional career path, but from a personal career path. I really have to thank my mother. We usually blame them.
Tim Freestone 3:59
We pretty much thank our mothers for everything good that happens to you.
Patrick Spencer 4:04
How did you get into recruiting? So, you were doing sales in the cybersecurity storage space? It was a cybersecurity space. I guess if it’s RSA, how did you get into recruiting C-level executives for Fortune 500 companies?
Andre Tehrani 4:18
Hmm, okay, great question. So how do I get into recruiting well into technology sales, before I even started my technology sales career was already on LinkedIn. Like this is 2006-2007. My marketing professor, she’s like, you guys have to choose these four out of these multiple social media outlets, which was Twitter, Facebook, Meetup, LinkedIn, and all these other ones at the time. And I knew that I was going to go into sales. So, I said LinkedIn is going to be my go-to. So, I started developing my LinkedIn profile from the beginning. And that’s how I got my EMC internship was like before I finished school, EMC messaged me because they saw I think the profile, so then I got that internship. So, I saw the power of LinkedIn. Now getting into the technology sector and then selling these like Sophos UTMs or these McAfee email gateways, right. Also, at that time, cyber was getting a lot prevailing, like Obama came out in 2013, when I wasn’t selling the stuff. And he was basically created that executive order 13636, which was basically saying, our infrastructure needs to be secure from cyber-attacks. So, the whole, like, that whole rush and everything. So, I was selling the security solutions on LinkedIn, at that time, when I when one of my other people that I connected was a recruiting business owner, who then told me, hey, why don’t you? Why don’t we go out for lunch and talk? And at that time, like, I was getting recruiter calls, like, just like, you know, analyst positions when I’m a salesperson, like make no sense for me, right. 
So I remember, like, I remember one day, I sat like, in my seat, I’m like, Man, if I was a recruiter, and like, I was like, looking for talent on LinkedIn, I would crush it man, like, you know, like, I would crush this thing, because like, I was very personable, I wasn’t logical, like, I wouldn’t be in front, I would get myself in front of the CIO and not be able to explain why he should choose fiber optic cables over copper, or why, you know, Azure is cheaper, and you should go there versus our private cloud, right? Like those. I wasn’t feeling those conversations. But I was more like, how did you become a CIO of this municipality? How did you roll out this bus bro? Like, these were the things like, I was looking at people from a talent perspective, even when I was trying to sell technology. So, when I went for lunch, basically my people skills and the social skills and the sales skills and marketing, combined that with the platform of LinkedIn, and then you have this recruiting business owner who just had a networking practice, and all his clients at that time, were saying, hey, do you have firewall engineers? Right? So, I guess I hit him with the right message at the right time, took me out for lunch, we had burgers, we had French fries. And next thing, you know, I have a recruiter desk, I have my own cybersecurity practice. And then like, I just ran with it, and I never looked back.
Patrick Spencer 7:09
So, what gave rise to recruitment? So, you’re doing this working for someone else, and you got tired of that and thought, why am I working for someone, I can work for myself and to start my own company.
Andre Tehrani 7:19
I wasn’t I got tired of working for someone else, the person that I worked for I highly respected and I still respect to this day, because my like, you know, my family members, my friends, like no one gave me this opportunity and not even like, listened to me or believed in me. Like, like that person did. He saw the light in me, or the fire in me or my talent. And he gave me a platform. And so what ended up happening was this, I just, I just ran with it man, like I developed a really, like, I have an eye for talent in cybersecurity, like develop, you know, because one, I knew these people way before this thing got popular, but also at the same time. I was passionate about it. I was studying it, researching it. I knew the talent profile. I know that you know, they drink Coca Cola and not Mountain Dew. I’m just giving an example. Right? Like I knew how they talk, how they operated. I knew that you know, some of them were actually very fashionable in it, like fashion is not there’s not everyone’s priority, but for some reason in cybersecurity. They’re pretty well-dressed fashion. And so, I felt that I can relate with this talent pool, you know, so I ran with it. And then I realized I’m like, you know, once two years, three years goes in and you see your like, first round placements, like your first year placements, all of a sudden, there were like a technical account manager, and all of a sudden, in two years or an RVP of technical account management, you know, and then it didn’t happen once, it happened like 20 times, not for one company, then you go to another company, like you started realizing like, okay, it’s not like recruiting or I’m a recruiter, it’s that I have this eye to scope out this talent and get to them faster than other people. So why am I sharing a percentage of this pie? Building someone else’s dream, when this should when this is now it’s my calling. It’s my dream. God gave me this path, right? 
Like it started off with my mother giving me the book, then it was the opportunity to work at EMC when RSA got hacked. And then this opportunity came where I can, you know, consolidate everything and just run with it. So, you know, when that person hired me, they said, you got to give me four years. I gave him four years, built a lot of money. I took it from one practice being, you know, standalone desk, laptop phone line, right? To no US business to having all US business and transforming the company where they became a full shop cybersecurity staffing firm, right? And then at that point, after the four years I just said Hey, man, like you know, I’ve met the CISOs. Now through a banter I’ve gone to RSA five times, Black Hat five times, DEF CON,
Patrick Spencer 10:04
you got recruitment up and running. And it’s been quite successful you, like many others suffered a bit during COVID, you kept the business afloat. And you know, over the last year, you’ve seen business go way up, you’re seeing a lot of interest in companies wanting to hire CISOs. But other types of cybersecurity professionals, what, what trends are you seeing take place right now.
Andre Tehrani 10:27
CISOs are not the most expensive position in cybersecurity. People really need to understand that, like, we’ve glorified the CISO position, and rightfully so, it’s a very important position. It’s a new executive position, that’s, you know, taken a lot of weight. But, you know, when I first started recruitment, I thought to myself, I knew that CISOs at that time, which was like, 2018, 2017, like the Fortune 50s, they were making up to a million, you know, but 90% of CISOs were in that quarter million bracket, right? Some CISOs are even at $150,000. Just the base salary with a 20 30% bonus, you know, so it wasn’t like, so when I started recruitment, I said, okay, like CISOs at that quarter million bracket, like that would be my niche, right? My first client was a hedge fund, and their lead was a $250-300,000 a year position, just their lead level, right? So that was eye opening for me, was that, okay, I’m not going to focus on C. So, like, CISO was a nice way to market and sell like high end security and placement, you know what I mean? But really, like, my focus has been on like, hard to find, difficult, good security people that are worth the money that you want to pay them. Right. So, it’s like on
Tim Freestone 11:51
More of an engineering more on like an engineering tactical kind of level. A mix of leadership and the implementation kind of deal?
Andre Tehrani 12:00
Yes. Yes. Yes. So, you definitely are that
Tim Freestone 12:03
gap is, then because there’s, I noticed there’s a last thing I saw was like, 23% gap in hiring right now. You just you cannot hire fast enough. In the in the market?
Andre Tehrani 12:16
So senior level, like senior security engineer, technology, security lead, you know, these people, application security engineer, or security program manager, right. Like these are these are like, these are very critical positions that have a lot of weight with how a security is how security programs and maturity is developed. So, you know, you would even find, like hack artists or virtual like contractors, right, that, you know, they’re also like, they were also very talented at what they do, you know, and it’s not just, you know, the McDonald’s CISO that is the best CISO in the world, you ended up finding out that wow, this like, AppSec / DevSecOps engineer, or this, like policy as code engineer that knows, some HashiCorp or some guide works, right? That guy is just as more valuable as your one CISO. You know what I mean?
Tim Freestone 13:14
Yeah, well, that’s the it’s the whole skills gap. I mean, sometimes you need less CISOs, I suppose. And leadership skills are one skill area. But you need more of the people with technical skills across a broader, you know, infrastructure. And that’s where you start really seeing the gap increase. I can imagine that right now, you don’t have that much trouble finding business, you have more trouble fulfilling the business with that kind of a gap out there. So, lots of people looking nobody biting sort of a deal.
Andre Tehrani 13:49
Here’s the thing, to me, it’s not like, you want good business, right? That’s the most important thing, especially when it comes to like the recruiting world, like my reputation is on the line every single day. Like if I if I turn off a great talent, right, I might not be able to access that person the second or third or fourth or fifth time, right, and then present the right resume to the to the clients then, you know, I might not even I might get ghosted, right. So, what ended up happening is, is you’ve got a lot of diluted waters in the in the cybersecurity recruiting world, right? Team interviews, you know, you don’t know how much damage they do then good, right, like you’re a hiring manager. You like someone this guy isn’t like or this in this talent. It’s not like the three that I have right now. I really want this person right. And should just send to the team. Teams like yeah, I don’t like the comment they made there or I don’t like that there were six months here and eight months there, but there were eight years that you know what I mean? All these opinions start getting into the mix, and that’s what and then what I call diluted waters, right. So that’s been like the ultimate challenge and I’ve had to deal with it. You know, where, you know, from a contingent side, you can see how stressful that would be. But from a retain side, like imagine you get this money and you want to solve these roles, but you have these internal politics that are taking place that, you know, you get a resume in there, it takes them three weeks to want to interview this person.
Tim Freestone 15:19
Have you seen that get worse over the past, let’s say, seven, eight years or?
Andre Tehrani 15:24
big time that and you know what
Tim Freestone 15:27
Because I don’t think that’s just a cybersecurity challenge. People don’t want to take the risk, or they feel, are we are we moving into a more inclusive business environment in general, where everyone has an opinion and needs to be heard? I mean, what do you think?
Andre Tehrani 15:44
Oh, man, so there’s a lot of variables, right. And we have limited time. And we can definitely continue this discussion. You know, like, if we don’t get to the points that you kind of want to get to. But it’s a mixed bag. Right? So, there’s some like my job, like you mentioned, like you have Miss have a lot of business or whatever like that, right? There is a lot of window shopping, you know, but there is like really, like real roles, real people real hiring, right. So, you got it, you got to get to that noise first. You know what I mean? And I liked the contingent model. Because if I see some red flags in your interview process, and your feedback loops, and the pedigree and the integrity of your interview process, I’m not interested in working with you anymore. Right? So, what I’ve seen is the integrity of the interview process in the last three, four years has been very difficult to get people in come more complex, it’s been more,
Tim Freestone 16:41
You’re asking, I think, for the most part, right? Like, well, if everybody interviewed him, and we hired them, then everybody’s to blame, no risk, you know, all reward, right.
Andre Tehrani 16:51
And that’s the problem with the industry itself. I was on a sub, like I had a really good client in Toronto, got through recruitment for Intercast. It was an AppSec consulting company. And the HR manager like this is when I first got into, like, recruiting and stuff, right. And you know, security companies like they have the security mind. So, if like, this recruiter was at that company for three years, so you understood security already. So, when I was like, new into the game, I took them out to a game and built a relationship, thank you for the business. Let’s see what you got on the plate, then I can service you. And on the way back, we were taking the subway, and he’s like, you know, bro, security is just a transfer of liability at the end of the day, right? Like we get business because they just want to transfer that liability over to us, right. And so that’s the that’s also that’s what’s happening with the interview process is that like, like you said, Tim, if I expose you to like five other people saying no to you, or ghosting you or rejecting you, or not answering your phone calls is much easier. Because who can you go to? Yeah, yeah.
Patrick Spencer 17:54
So, what, you know, you look for candidates, you have folks who will approach you and say, hey, Andre, I’m looking for a CISO role. You look at their background, I suspect you’re turning some of them away. And there’s some reasons why you know, when you do vet them, what makes for a great candidate versus what makes for a candidate that you pass on
Andre Tehrani 18:14
Communication, like the cream of the cream, really know how they can tell you stories that help that that the complexity behind the attacks, and where they’re coming from and why they’re happening, and how do you set up your architecture and these kinds of things? They met, they speak metaphorically, you know, they give you an analogy. Right.
Tim Freestone 18:42
You know, I wonder, I might have a question on that. How much? Because if I look back on my career, not in not in security, but there were points where the pain was so immense, that I didn’t think I’d get through it. But then when you get through it, you’re sort of emotionally set for the next layer of your professional growth, right. So, at like a CISO, or a security, how much does being through a breach showing resilience and it doesn’t have to be a breach but incidents resilience in the stories behind that, I would think that’d be feathers in people’s caps for professional growth versus, you know, something that looks down on
Patrick Spencer 19:23
Or even fired, right? We the average, I think it’s gone up a bit. You know, the average tenure is what 17 months. The reality is they’re CISOs fair number when we’ve gotten fired for various security related incidents
Andre Tehrani 19:35
People need to realize there’s talent gaps in the CISO community. There are talent gaps, like just because you say you’re a CISO, so don’t get bought, don’t get don’t buy the flash. You know, like I said, like I went to a conference once, a CISO was at $300,000 a year right and he had a big name, was in this big sexy brand on his tag, right? But in my head, I’m like, damn, like, you know, a regional sales manager making 330. You know. So, the perspective is important because you know, you need to realize like, we’re not like, just because we’re hot run, recruiting a CSO doesn’t mean that this is the best security person or talent, right? Like, you have to you have to match the right person with the right job at the right time. That’s the that’s the number one. That’s my recruiting philosophy from day one. And right now, what I’ve seen is Yeah, you had to be a hands on the keyboard CISO, like that was, that’s what the market was demanding out of you like in that 2015 to 2019 range. Even some clients are still stuck in that head that you need to be hands on the keyboard as a CISO, right? But we’re evolving, where I feel like IT has tried to own security, and it can’t. And as security has tried to be like IT because it’s like growing up and idolizing it. We’re like the whole the CIO, man, he innovates, he creates, he develops that kind of stuff, right? But now we’re realizing that, like, we’re seeing our worth, we’re seeing our value, right? Like, you want to hire a security person, let’s get your security person, let’s not get you a DevOps person and put them into a DevSecOps role, right? 
Because the way that I was I explained it to people is like this, like, if someone gives me a role, I’m exhausting every single case like recruitment capability, I have at my disposal to find a security person, I do not want to go and convert a DevOps person to DevSecOps, because when I recruited DevOps people in these four DevSecOps roles, like security’s 10% of what they do, you know, and when you ask them, like, why do you do it? Like, why did you Why would you set this policy? Oh, I was told to, but a security person, the security mind, is like, oh, because we had we were we had doors open on our BGP layer on our BGP protocols. So, I definitely had to make sure that that’s because, you know, I don’t want to get brute forced.
Tim Freestone 22:05
So, the, the genesis of my question is in security, are breaches and the resiliency and getting through those a plus or a minus on your resume? Like, do people if they’ve been in a company that’s been breached? Do they hide it? Or do they put it forward? Is there a perspective that you have on that? Because it’s like, everybody’s going to have it happen at once? You know, once in a career, right?
Andre Tehrani 22:26
I got you Tim. How would I recruit a CISO? Right, so how many vulnerabilities did you find? 500,000? How many were high critical? 300,000. Okay, how long did it take you to remediate them? Six months? What, you remediated 500,000 vulnerabilities, 300,000 of which were high critical, in six months. How did you do it? Well, one, this is my current team, right? And everyone and every CISO, every security leader will say it differently, right. And by the way, like, this isn’t just the CISO like, when I was, there was a big vulnerability management vendor client of ours at Intercast. And like, I was hearing this type of speak from security analysts, you know, so it’s not just the CISO, diagnosis is the security analyst on that vulnerability management platform, right? And the way I want to know like, what do you what would you know, how would you how would I know that this guy is really good talent, right? I want to Okay, so if you found all these vulnerabilities, how fast did you like, how’s your hygiene, right? And this CISO in particular, which was really fun, this guy was like a G guy who ran every day, muscular, very well dressed. Okay, very well dressed, very sharp hat style, was younger than your normal like than your normal market. CISOs was maybe 10 or 15 years younger, right? Believed in automation, believed in coding, wasn’t like, the risks you saw, right? Believed in at times being hands on the keyboard, right? So, these are all these are all characteristics, right? Yeah. Sometimes like, oh, are you okay with being hands on the keyboard? No, that’s not a CISO position. This guy? Yeah. Sometimes you have to be hands on the keyboard and show them how to do it. Check mark. How do you like what tools did you use for vulnerability management? Qualys? Oh, great. What do you do with Qualys? I found 500,000 vulnerabilities that the previous CISO didn’t know about, oh, my God, what did you do with it? 
I hired three security analysts I delegated to the, you know, DXE technology or whatever they were handling our vulnerability scanning. I hired one security program manager to be involved this and I hired one project manager to make sure that these volunteer like we’re hitting, we’re meeting vulnerabilities 1000 A week or whatever, like 10,000 a week, you know, and I was making sure that I was reporting this to the board. So, these are the kinds of things that you will like you want to ask like, what did you What did you like you want to you Want to find out what their return on investment is? That’s really the secret sauce when you’re screening someone you want to know what’s, what’s the return on investment? So as an example.
Andre Tehrani 22:55
Do you ask Andre, do you ask at all if they’ve been through a breach? Yeah. And how they handled?
Andre Tehrani 25:15
Ask, have you gone through a breach? That very that security analyst that I told you about that the vulnerability management? Yeah, he was reporting to the CIO. And at that time, it was he was working at a telecommunications provider, and they got breached. And, you know, like, you’re going to be breached. Like, if like, you’re like, everyone, like, if you don’t think like, if I don’t think that I’m like, there’s some guy watching my emails already. Or if you know, someone hasn’t tried to phish me, you know, like I’m living in I’m living in a fantasy world, right? Like, I mean, I’m driving with my mom, and she got like, three phishing texts. Oh, this is your Amazon package delivery is like at this is that this location click textbook. I didn’t order anything from Amazon, like just delete it, right?
Tim Freestone 25:59
So, it’s not something that hiring managers would look at and say, I can’t bring this guy on because he was at this company, and they got breached. And his job is to make sure they don’t get breached. So, what, why would I.
Andre Tehrani 26:09
and sometimes a breach works in your favor. Sometimes, you know, you remediated Heartbleed or Log4j, and the other company, you know, they pay you 50% more to find Log4j and remediate. So, it’s not really like, it’s not really a bad thing. What’s a bad thing? Is that when you’re breached, were you ethical, or are you unethical? Are you going to the regulators and reporting it or are you just and paying off someone or I’ve seen CISOs that like, you know what, I want to hack my company? I want to scare them. Well, guess what? Now with Joe Sullivan, you’re going to do that. But they were thinking like that right now. Do you want like that? That’s the thing, right? Like, do you want to, you know, what kind of person do you like, what kind of like, what kind of talent profile are you looking for? Right? Like, sometimes it’s good to get that CISO that’s gone through two or four breaches, because they’re experienced with it now, like Jamil Farshchi. He’s known as the incident response CISO, and guess what, like, he built that reputation, like, like, you can go to the corner of Africa. So here in Toronto and say, Jamil Farshchi. Yeah. And the lawyer the incident response CISO, right, you got an incident, you need the you need a cleaner called Jamil, right. And at that point, Jamil would be like, Yeah, this is my price. Right? Making the best way that I can explain it, right, like it.
Tim Freestone 27:44
Incident response CISO there’s too much stress involved.
Andre Tehrani 27:51
He carved that niche. Right. Nice for himself. But yeah, you know, and then here’s the other thing, like, I really have to thank this guy, Nick, I was trying to do business development, he was the CISO at this BT biotech, some biotech company. And unfortunately, if he was the CISO, today, he would be at that, you know, one and a half to 2 million annual brackets. But at that time, when he was a CISO, he was at that 150 to 225 bracket, right. And he said something like, enlightening to me when I like tried because I thought he was still the CISO. So, there I was trying to get like, you know, like, get his like, really let me recruiter directors, he liked the way I was speaking got on the phone with me, he’s like, you got it man. Like, you’re really like, your content is good. And here’s the one thing that I want to tell you, is with this pandemic, and with this rise of cybersecurity attacks, right? And with hiring freezes, companies are not going to be going out there and recruiting externally. Instead, they’re going to promote internally, right? So, you’re going to have a lot of new hiring managers that were never hiring managers before, right? You’re going to have a new pool of people that aren’t going to be able to speak to board or handle that pressure of being constructive, criticize constructively and that kind of stuff. Right? So, we’ve been dealing with this layer of management that are new managers, new hiring managers, and if you ask them, like, how many security people have you hired before? They’ll say what? Compare that to a security recruiter of 100. Right? It’s different, right? So that’s, that’s really like, you know, like, we really got to focus on this interview processes top down, find out where the gaps are, and tighten it up, you know, because and if the hiring manager like if it’s eight months open and he can’t hire someone, and you exhausted agencies, and so then like that, that’s okay. Don’t be the hiring manager anymore.
Patrick Spencer 29:49
Red flag that we’re looking to use to help provide guidance, I assume, in terms of building some of those policies and workflows so that they are successful.
Andre Tehrani 29:58
That’s my business, Patrick. That’s something I do every single day and when I don’t have a role to work on, or I’m not like, I’m not actively recruiting I’m refining or finding, okay? Where’s the quantum security engineer, you know, oh my God, he’s in Toronto, he’s in Ireland. Okay, let me put this guy in my projects because I know someone’s going to want this for like, that’s me, versus responding to this incident, eight meetings on this day. And then oh, I got an I got an interview from I got a resume from this recruiter; I like let me interview him. Oh, no, let me push that interview one or two weeks, I’ll get back to the incidents. Right. So, this is the this is kind of the type of pedigree of interview process, we’ve been dealing with this last 24 months cycle,
Patrick Spencer 30:40
I assume with the CISOs, five, six years ago, there was sort of a checklist of all the cybersecurity experience skill sets, knowledge and so forth that you needed to have, it’s probably shifted, I assume, in the last year or two years. So, it’s more risk, focus, more risk management focus, we’re looking for individuals who obviously have that checklist, but that’s not enough, or that’s not sufficient. Or if you’re missing some of those things. It’s not near as important if you understand how to measure risk, mitigate risk and manage that and communicate that risk to the board as well as the C-suite
Andre Tehrani 31:14
Oh, big time. So, it’s like, you know, you know, for biz for C suite and business owners and board members, it’s, they really care about three things, money coming in, money going out and who am I going to blame? Right? And I didn’t and that’s not something that I came up with.
Andre Tehrani 31:19
This can be a soundbite for this podcast, right?
Patrick Spencer 31:44
That’s the title of this podcast. Now. Security people need someone to blame.
Andre Tehrani 31:49
So, you have to say like, okay, like, you have to be able to like, this is what they this is their thinking framework. Right? This is their operating framework, right? So how am I going to explain this? There’s risk in this framework, right? So, for example, if I was like Uber, ever since that Uber hack came out, I haven’t I haven’t ordered an Uber Eats, and I haven’t driven in an Uber, right? So hey, I have it. Right. Maybe you got like maybe like 2% of people that equates to, I don’t know, like around the world, like $10 million, just because that one media outlet came out, right? So, you can say, hey, look, this breach happened. And then on top of that, you’ve got the whole like, Joe Sullivan thing going on while they got hacked, right? So, one thing you could say is, hey, that social engineer guy maybe got pissed off at you guys reading about Joe Sullivan, and how you guys treated him? So, he hacked you, he targeted you. Right? And all that if you can be able to quantify that story, and talk about how that disrupts you know, the quarterly revenue you’re getting versus and now the fines and regulations and now you know, like after that breach, Uber now probably like, you know, how to increase their security budget from 11% to 25%. Who knows, all right, bringing these consultants boom, bringing, you know, bringing Deloitte or bringing an Accenture or bringing Mandiant or bringing us forever, like bam, like, how stuff gets ugly now. So, this is what I mean, like money coming in money going out when you go home, who am I going to blame? Right, so once you start letting that sink in whatever CISO wherever seat you are in. I hope it clicks for you like this is how I got to talk to them.
Tim Freestone 33:40
No, but I liked the framing you have with the money coming in and money going out and who can I blame because you when you frame it, I mean, just in your one example you had money loss from IP that you have money loss from brand you have money loss from the lawyers, you have money loss from the consultants you have to bring in you have money loss from the legal teams, you have to there’s like five
Andre Tehrani 34:02
There’re five positives and fighting the fires. Your people aren’t working, you know what I mean? And imagine like your legal team having to deal with the Joe Sullivan and then having to deal with this, you know, time you know, so it’s thanks to him like I honestly shout out to Jeffrey Whitman. He’s the one that taught me the money coming in money going out. And Jeffrey, if you’re watching this shout out to you
Patrick Spencer 34:33
Actually, on a diversity subject. Are you seeing more women CISOs and cybersecurity professionals, more minorities who are involved in cybersecurity, because that’s been a big gap, as you will know?
Andre Tehrani 34:44
You know, that’s my focus. Like, I know how to recruit diverse portfolios, right. So just like just for the audience, just to give them like a nugget, like, if you built a recruiting project and you had 50 applicants that were Caucasian males. Okay, then you need to go and fill up the remaining 50 with diverse candidates, go and find the best 30 women, go and find the best minorities, you know, put them in your project. And you know, like, don’t like, just do it, put them in the project and just message them, just message them and then screen them. You know? And if you like what you hear, and what you see, guess what? You found you you’re near getting a diverse talent pool, right? But many people don’t even message, you know, or they’ll do they’re like, Yeah, this screen call or look, I get it. Like, I made an argument that I don’t want more. I don’t want IT people joining in the security world because the motivation for them. It’s not the right. It’s not the correct. It’s not the correct DNA, right. I want I want security people that want to get into security positions, right. Security is a serious business issue. And it’s not just a serious business issue. But like shout out, Nora. It can cause injuries and fatalities. So, it’s a very serious thing. You can’t settle. You really can’t. You know, I never I never settled in all of my recruiting projects. And guess what, Patrick and Tim, I delivered each and every time. Hedge fund, you can imagine all the resources they had at their disposal, all the money they had, all the recruitment power they had. They told me Yeah, we want to we want to find an offensive reverse engineer. Like how am I going to find an offensive incident responder? I did it, I gave it to them. They’re like, oh my God, would you ask this specifically? Like you find? Yeah, then you can do it. Like it’s not that’s not hard. And I Yes, I’ve been recruiting expertise, hours of doing it. Right. But this is too serious, you know, to settle. Right?
It’s too serious to settle. And so, we have to, you know, take it seriously, do it. Right? Do it qualitative, not quantitative. You know, so the diversity thing, like if they’re not good, they’re not good, right? And you have to like, you have to give that transparent feedback. And that’s something that I always give from day one since I’ve since I started recruiting, because I’ve always been in that seat. Whenever recruiters ghosted you or you felt like and I never done, I told myself, I’ll never be that way. And I never was that way. Now, if I like, you know, if you tell me yeah, I’ve got 15 I got like, 15 opportunities, I’m working with five recruiters look at that. Maybe I will level off you a little bit, right. I won’t like if you did a final round interview, and I don’t see you follow up with me, and I followed up and I got the goods to share with you. I’m not going to come to you Hey, right. But if you come to me, I’m never going to go see you. You know, but the so we have to So when it comes to diversity, equity and inclusion game, if you don’t message people, you’re never going to get them hired now? Are they going to get the job? Maybe if I had 30 diverse candidates, right? 29? Didn’t but one did. Maybe he is,
Tim Freestone 38:04
Is that a general run rate for you, sort of the, you know, out of every 30 candidates you talk to, whether or not it’s a diversity model or not?
Andre Tehrani 38:04
I would say percentages, right? Because every country, every city, every job, every geography has the talent pool, talent, makeup, depends on your like HR policies, and how nimble you are and your legal team, how you can hire people, right? Like, I have one vendor, they’re able to hire like across Europe and US and fully remote. But some clients, they can’t do that, you know what I mean? So, the talent pool, like what you want to do is it’s my responsibility. Like if diversity, equity and inclusion is really, like, it’s really listed on your Form 10-K. And your executives are talking about it on LinkedIn, and they’re sharing it on LinkedIn, and that that’s serious about it. Right? Then it’s my responsibility that even though I have 50 other Caucasian males, right, that I can reach out to the first project, I’m going to do that 50 and 50. And then the second project, those guys that I didn’t get to, I’m going to put them back in. And then I’m going to do the next safety divers. Just going to keep
Patrick Spencer 39:19
What’s your recommendation to folks who’ve worked with you and you’ve successfully placed them? You know, and they’re CISOs, who are listening to the shortest security professionals in general, you know, how do they work with recruiters like you and maintain that relationship? Because they may, you may give them a great job today, but you might have another great opportunity for them three years down the line, how do they stay in touch with you and maintain that relationship? What are a couple of suggestions that you have for them?
Andre Tehrani 39:46
I found recycling never works for me. So, I’ve tried, it never worked for me, and I don’t like it. I don’t like recycling because I like finding new talent. I like finding undiscovered talent. You know what I mean? I don’t know why, like, you look like 60 70% of the people, maybe like, okay, let’s say let’s be more conservative, let’s say 40% of senior level people and senior level positions in hire, right? 40% of them use their recruiter to get in there. Right? But the perception people have of recruiters, right? It’s like, so bad. It’s so negative, that it’s like, even when I make these stellar placements, like five or 10% of that crop appreciates that, oh, this recruiter made it happen. 90% 95% are thinking, oh, I made this happen. You know, the recruiter got like canned stuff like that, oh, yeah, recruiter got lucky. The recruiters on that project evaluated, you decided to message you share the details, you know, all the all that back-end information, right. So, like, if you like, and here’s the thing, like, executives, your levels, you guys get it and higher. And maybe like, you know, directors, you guys get like a good recruiter that kind of transformation they can do for a company like that one company I worked at Intercast, their stock price when I started working with them was $20 a share. By the time I left Intercast and placing technical account manager like all client facing positions, like they’re dealing with RFPs, proof of concepts, upselling, you know, that share went to $120. Right. And they weren’t, they weren’t an expensive company, they weren’t giving out like 200,000 salaries when they’re given like 100,000 salaries right. But they were they valued a good recruiter; they didn’t waste a good recruiter’s time. The people that got into that organization, they were told you make a good, like sustaining our relationship with this recruiter, right, or this recruiting firm is of the utmost importance, right?
The problem is, many people think that like when I got a position to fill, I’m going to spread this thing to like 520 agencies, because they’re all going to get to the end, like and you’re not even shy about it. They can Oh, you know, we worked with like, 20 agencies before we got to you. Right? So, and they’re coming with this, like, negative mentality, you know, what I’m and my job is always like, okay, let me give you a resume that makes you jump you off your feet. And so, the golden nugget, is that recruiting is the new security solution. We had penetration testing, then we had vulnerability scanning. And now it’s recruiting. Right? Because we know that from a military and opposition perspective, shout out to our forces. From an opposition point of a military perspective, it’s people versus people, yeah, no, like if, like, it’s your security team versus that nation state. Now, how healthy they are, how trained they are, how motivated, you know, can thwart those cyber-attacks for you, because, you know, people comes first and process and technology, right. So, you know, from a military perspective, like and as a security solution, security solution, and today’s decade, like recruiting as a new pen testing and vulnerability scanning, in my opinion,
Tim Freestone 43:28
It’s a good point, because you know, there are just becoming more and more breaches, it’s not going down, it’s going up, but there’s less and less people to do this job. But there’s more and more security technologies to implement. And none of those security technologies get turned on. Right? It’s sort of like, well, here’s the thing you bought for $600,000. Get your team of 70 people to help put it in, to set it up, to monitor it, to manage it, you know, and it’s just, it always comes back to the quality of people that are playing with the pool.
Andre Tehrani 44:10
And here’s the thing, right? Like, why do you need 70 people for? Like, why don’t you just like, find a VAR or a booth or an MSSP or something that has like 30 people and tell them to kind of deploy it for you that’s happening and find those killer 10 people, right, right. The other thing that I’d like to see is that now that we’ve got like, you know, now that we’re starting to see recruiting as a true solution, and I honestly view cybersecurity as a sport more than like technology than anything right because of the training and the development and of the skill set like you’re always rapidly evolving, right? Like NBA today seven footers are shooting threes, right? The same thing the cybersecurity people we have to shoot like if you’re seven-footer, you got to shoot three, you know, but I really think quality is more important than quantity. And I think the organizational design aspect of recruiting so something that I like to see more of, before I even get in recruiting projects as a CISO, or a CHRO, or a Chief Revenue Officer get in contact with me, right? And our discussion on just $25, right? Hey, this is like, this is my team. You know, this is our, this is our team. This is our like G League team. This is our pro team. You know, this is our general management. This is our this is our organization, right? Where do you as a recruiter, where do you see gaps, right? And me as a recruiter, like, I know what people are buying. I know, like, you know, I knew like back in 2018, with the LinkedIn article that I posted that application security is going to be the new information security because I saw like nine out of just like I noticed Microsoft stock at nine out of 10 times. I call everyone’s going to zero, like let me get on a zero I knew when everyone was hiring, because I just do security. They’re going to want a static analysis, dynamic analysis, interactive analysis, software composition analysis, right.
So, the problem is, is that like, I was doing that in 2018 and I’ve been compounding since then. Right? But you have CISOs today that shift left security people, man, I can’t find the development security people, man, I can’t find them. I can’t find them. They’re so expensive. They’re asking for so much that we’re doing it internally. And I’m like, Oh, great, good. And in one or two years, I’ll have a new talent pool to recruit from, right. Now, I’m not saying I’m exploiting that. I’m just saying if you talked with me, four years ago, hey, Andre, what’s the beauty of the market? This Are you calling media analysts? Hey, Andre, what’s the beauty of the market bro? Like, what are people hiring? You know, I’m like, have you? Are you have you got anybody that does static or dynamic? Nah, you know, like, no, no, we don’t do that, run EDR, XDR, I don’t know.
Tim Freestone 46:56
What’s the one now Andre? What’s going to happen?
Andre Tehrani 47:01
Right now, it’s DSPM and compliance. That’s what’s happening is that right compliance with the SSPM policy as code compliance because you got SEC cracking down hardcore with there you got to fill out Form 8-Ks, if you get in a breach, and you got to give it within four days or you’re in violation. And legal skills are also going to grow up, is also going to grow. Right? I really, you know, what, this whole job solving thing, I can see that right now like the cybersecurity community is going to tap the legal talent pool. And guess what? Lawyers make exceptional security people, exceptional, secure, because they have that polish of law, regulation, understanding risks, rewards, right? And when they get into like the security world, like there, it’s like, it’s not that’s not it’s not it’s what do you call when someone you need to train up someone up to speed? Anyway, that period is much shorter. Much shorter. And so, they’re just you know, so I can see the legal pool, legal pool get more important for security people, especially for CISOs. Like, they’re going to need legal counsels from now on whether like, and I don’t know, if I want to get a legal counsel from like, from my employer, per se, right? Because it’s like, okay, are you really in favor of me? Are you in favor of, you know, so? But the new thing right now is DSPM, Data Security Posture Management.
Tim Freestone 48:26
We’ve seen the whole because what happened? And maybe you said, Andre, but is the first so long people were buying technology to secure technology. So, buying technology to secure the network buying technology to secure the applications. And then Oh, whoops, it’s all the whole point of this is the data that’s behind it all. Maybe we should spend some money to, and time to secure the data that’s behind all of this stuff, which is that old data security posture management.
Andre Tehrani 48:58
And Tim, like, that was so crazy. The back to that CISO that I interviewed that took the 500,000 vulnerabilities and remediated them in six months, right. Like, while he was doing that, I was having lunch with him at his office. And I’m like, so like, what are you focused on? Like, what’s, like, what’s exciting for you? He’s like, data governance. I’m like, okay, and he’s like, I love data governance. I’m like, what do you love about data governance, like Teach me man, because right now, like, I’m all on like offensive security, and like, all this kind of stuff. He’s like, basically, I’m finding a way where I can store my data and avid move, so that when a hacker comes in, and they access, like, maybe like, out of one page of data, kind of spread it across my network and everything, or my storage and stuff, right? He might access one word in the page as opposed to the whole page. And he was trying to build that data governance type of framework, right? And so that’s the thing You know, like not everyone’s cybersecurity maturity and thought leadership is ahead. Right? I remember through an event universal; she saw he was thinking the same thing. He was thinking also like data governance and like, well, data governance going to be the big thing. And he was just like, like drooling over, like how exciting it is for him to do something like that. So now we’re in data security, posture management. But now those guys lead the pack. And so now we’ve got the, you know, we’ve got the vendors now and the people to come and sell us DSPM
Tim Freestone 50:33
Yeah, it’s a good thing that shameless Kiteworks plug deals with unstructured data governance, and, yeah, Communications Management, we’re in the good stuff. Alright,
Patrick Spencer 50:43
We are out of time, I hate to say. This has been a great conversation. Andre, we appreciate your time and insights that every CISO, I’m sure, can benefit from, whether they’re looking for a job, or they’re looking for talent, or they’re looking for a recruiter.
Andre Tehrani 51:02
So, it’s, you know, it’s time to raise your game. Like, you know, you’ve got a lot of, you’ve got a new client, you’ve got a bunch of new CISOs that are going to be heading into the market Generation Y. Yeah, let’s go. So, you know, those people are going to be our new CISOs. So that’s something that you know, the CISOs of today should be wary of is that competition is going to become younger, fiercer more aggressive, more savvy. Right? So, you’re going to have to, if they’re, if they’re better than you, you got to help them you know, like, you don’t want to be in an interview process, something this guy’s going to take my job, you’d really need like, you’re going to be in an interview process. And let me make this person like director level CISO or my head of security or so you’re going to see that you’re going to see this wave come in.
Patrick Spencer 51:51
Makes a lot of sense. Well, we want to thank Andre for his time. It’s always great to talk to you. Regardless what company, what podcast I’m on.
I want to encourage everyone to check out all of our other great Kitecast podcasts at Kiteworks.com/kitecast. Gentlemen. Thanks for joining me today.
Andre Tehrani 51:02
Thank you, Patrick.