Security Masterminds

Instilling a culture of continuous learning in cybersecurity and the tips for breaking into cybersecurity with Special Guest, Naomi Buckwalter

November 30, 2023 Naomi Buckwalter Season 2 Episode 10

Have you ever heard these myths about supply chain security, product security, and getting hired in cybersecurity? Myth #1: Supply chain security is not important unless you're a large organization. Myth #2: Product security is solely the responsibility of the manufacturer. Myth #3: Getting hired in cybersecurity requires a technical degree. Stay tuned as our guest, Naomi Buckwalter, reveals the truth behind these myths and offers valuable insights in our upcoming discussion.

Naomi Buckwalter is a cybersecurity professional with a wealth of experience in the industry. With a background in computer engineering and a diverse career spanning roles in application development, security architecture, and leadership, Naomi brings a unique perspective to the field. She gained valuable insights from a challenging experience early in her career, which led her to reevaluate her approach and embrace continuous learning. Naomi's journey has shaped her belief that anyone can succeed in cybersecurity with the right mindset and a willingness to learn. She emphasizes the importance of focusing on fundamental security practices and leveraging data to drive decision-making. Naomi's expertise in product security and supply chain security makes her a valuable resource for professionals seeking to enhance their skills and knowledge in these areas.

We're chasing those things that make us feel good, but at the end of the day, not the right things. - Naomi Buckwalter



Website: securitymasterminds.buzzsprout.com


Sound Editing - James McQuiggan
Sound Engineering - Matthew Bliss, MB Podcasts.

Naomi Buckwalter:

And I will say it over and over and over again. It's like, people, we can hire folks with no experience. It's okay. We just give them the right sandbox to play in. Hey everyone, I'm Naomi Buckwalter. I'm the director of product security at Contrast Security. Welcome to the Security Masterminds podcast.

VoiceOver:

The Security Masterminds podcast brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Erich Kron:

In the ever-evolving world of cybersecurity, staying updated with the latest trends, techniques and technologies is crucial. Embracing failure as a motivation for improvement, cybersecurity experts emphasize the need to analyze setbacks to strengthen defenses and enhance security strategies. Often, organizations miss out on capable talent due to an over-reliance on hiring criteria.

Jelle Wieringa:

Naomi Buckwalter has over 20 years of experience in cybersecurity and is currently the director of product security at Contrast Security. Naomi is an expert in product security, passionate about diversifying cybersecurity hiring, and founder of the Cybersecurity Gatebreakers Foundation. Her journey, marked by resilience and a unique perspective that values curiosity and integrity over formal qualifications, makes her a valuable voice in product cybersecurity and industry inclusion.

VoiceOver:

This is episode 23, instilling a culture of continuous learning and best practices for breaking into the cybersecurity industry with special guest, Naomi Buckwalter.

Erich Kron:

Hey everyone, and welcome to this episode of Security Masterminds. This month we're going to talk to our special guest, Naomi Buckwalter, and this is a fantastic interview. I really enjoyed this. I had a great time listening to what she had to say. And we wanted to start off with our typical questions so you can get to know her as well. What is her cybersecurity origin story?

Naomi Buckwalter:

Everyone's got to have a good origin story, like even the villains, right? Like if you ever asked a hacker, like, tell me your origin story. It's like, Oh, it started when I was rejected for a job in entry level. So like, imagine that happening. God, let's see. I have a pretty standard background, tech background, went to school for engineering, computer engineering at Stevens Institute of Technology. And from there I graduated and went to work at Vanguard, which is a huge mutual fund giant. I was there for 12 and a half years. I started as an application developer, moved into application security, did a bunch of other things like architecture, security architecture. At one point I was designing a private cloud environment for Vanguard. It was very crazy. I did a lot of cool stuff there. From there I went into security engineering at different companies. And then I took on my first leadership role at a small startup called Litmus. I think I was the 80th employee, but their first security hire. And I was promptly fired from there about a year and a half later because I was not very, very good. So this is like my origin story for a lot of things. But from there, I learned a ton of stuff, Erich. Like it was crazy. Like I am not good at this thing. Like what, what just happened to my life? It's the first time I actually failed. And up until that point, I was very much a gatekeeper. I would say, I would say like, Oh, only smart people can do this. Or you don't have the technical background that I do. Therefore, you're not going to be good enough. And so I was very much like, if you don't have X, Y, and Z background like me, you are obviously not qualified to do security. And so the second I got fired, I actually had one of those heavens-opening-up, angels-kind-of-singing things and be like, actually, Naomi, you suck at this. Like you just got fired from a job that you thought you were doing well in.
But then I realized, I was like, wait, wait, like I am the root cause of all my problems. It's not someone else who just sucks. It's like me. I'm the one who sucks. And so I went to Barnes and Noble the next day and I picked out every single book I could find on the shelf about security leadership. And I read that one book from cover to cover. It's called CISM, Security Examination Certificate, whatever you want to call it, certification from ISACA. And it was wonderful because it taught me how to build an information security program from scratch. And prior to this, I really thought information security programs were just a set of policy documents and maybe a couple of processes here and there. And I wasn't a really good bridge for what the application developers needed at Litmus with what the business was trying to do, which is like, let's grow this business. Let's actually ship things. And so I was too much of a roadblock for them. I think that's probably why I got fired. In fact, a couple of years later, after I got fired, I actually thanked the person who fired me. I was like, Matt, thank you so much for firing me. He goes, you're welcome. And it was like one of those moments where I'm like, if I can take a book and literally read it from cover to cover and figure my life out. And by the way, the next job that I got, I did great. I was there for over two years and I did awesome. Um, if I could do that, I thought, well, can't everything be learned in cybersecurity? And like, I just had one of those moments where I'm like, okay, if, if this can be learned by somebody who literally knew nothing about leadership and cybersecurity, other people can do this too. And then from there, I just realized a lot of the gates that we put up are just superficial. We don't need them to be there.
In fact, if you think about all those very fundamental tasks of asset management, configuration management, data security, and things that are just really, really basic and fundamental, not easy. They're just rote. And then there are things that are difficult to do because you have to continuously do them. They do not require years of experience, a CISSP, a master's degree, or any kind of degree, really. Like you just need somebody on that team to be curious, uh, hardworking, high integrity, all these things that I preach today, because I had that realization when I got fired all those years ago.

Jelle Wieringa:

We've heard a lot of origin stories on this show, but most talk about what experience they have, um, the studies they did, colleges, et cetera, et cetera. In this case, she literally like starts off with, Hey, I did this wrong and I learned from it. Failing is good. Yes, it is. Because it gives you the experience on what not to do. What I also like is you can only change yourself. That's basically in the end what this is about. Pick up that book and go study. That is actually a good one, the CISM one. I tried it, way too boring for me, but it is a good one to learn about security leadership. So no, I applaud what she did. It's, uh,

Erich Kron:

It's admirable. No, that's a great point. Yeah. We learn from our failures more than we do our successes. Right. And you know, I wanted to dig into this a little bit more with her. So I asked her, now that you're here, when you look back, were there signs that you may have missed? And this is what she said.

Naomi Buckwalter:

Definitely, definitely. In fact, I was already interviewing at other companies because I knew something was happening. So I don't think I was surprised, but I was sad because I wasn't too sure what I was missing. I was trying to do all the right things. I was answering questions when they were coming in. I was providing as much guidance as I thought, but it wasn't the type of guidance that that company needed at the time. So I wasn't a good fit for where that company was currently and then where they were trying to go, which is, Hey, we just want to ship things without having too much risk in our portfolio. We want to ship things and be aligned with GDPR, because at that point GDPR had just come down. But yeah, there were signs, there were conversations with my manager. They're like, can you help us with this? I'd be like, no, I don't really want to, or kind of things like that, where I was pretty immature about it, now that I look back. So it was a little bit of a combination of like character and the ability to want to grow. And I absolutely had a fixed mindset where I said, like, no, everything I know, I don't have to know anything more, like this is it. And I wasn't open to the fact that I might not know everything. I had very much that Dunning-Kruger thing of thinking that I knew all the things that I knew. But since I didn't know all the things that are to know that exist out there, I didn't have the information at hand to understand what I didn't know. And therefore I thought I knew a hundred percent of the things versus like, I'm missing a thousand percent of everything.

Erich Kron:

It's interesting looking back that she's able to see those signs that were on the wall. And folks, sometimes this can be one of the greatest things that can happen to you. Have you ever been in that situation where you're like, this is just kind of grown into something it didn't used to be. It's time to move on.

Jelle Wieringa:

Oh yeah. The last job I spent 12 and a half years, while not being bad, uh, it didn't fit the mindset of that company. People that worked there were still in that scale-up phase. Yay. Naomi's whole story is a really good life lesson or career lesson. She worked at a startup. That was her first job, and working at startups is really hard because it's a company, usually, which consists of a bunch of people that don't have the actual experience yet. You need to be a jack of all trades and be an expert in your field just at the same time. It's really hard to do. And sometimes that just doesn't pan out.

Erich Kron:

Now, she is a mastermind out here. Now, she is a professional out there and has a lot of experience to share with all of this knowledge and stuff that she's gained since then. I wanted to find out what she thinks about cyber myths. What's a cyber myth that she thought really needs to be busted?

Naomi Buckwalter:

I've been toying with this idea, and maybe it's just me thinking out loud, but it really, really just comes down to what our priorities in cybersecurity are. And if we don't understand the threats that are coming in through our door every day, we're not understanding risk for environments in our organizations. And one thing that I would love to see our industry do is really go back down and see the data, like go through the data, look at your firewall, the packets that are coming through your firewall, and just see like what kind of attacks are coming through at your web layer, for example, right? So this is what I do sometimes. Like I'll go and I'll take a look at some of the blocks that are happening at our firewall, right? And I'm like, Oh, what kind of traffic are we seeing here? What kind of, um, arguments are coming in through the webpage, the, you know, things, the URLs, like what are we, what kind of things are in the header? And then trying to distill it down to what type of attacks are we getting? Who are the threats? What are they trying to do? What kind of vulnerabilities are they trying to exploit? And I use that data to really try and set the priorities for my team. If we're seeing attacks that are trying to exploit some of the vulnerabilities in open source projects, for example, or very well-known dependencies that are quite possibly used, like think Log4j, across a bunch of different applications and tools, like that's where my focus should be. Am I updating my dependencies as well? Do I have patching set up? Do I have CI/CD security? Do I have pipeline security? These are the things that are a focus of mine now because I'm using the data to drive those decisions. And I would love to see the industry do that versus chasing fires and be like, Oh, I heard there was a new CVE about this thing. We're not prioritizing the fundamentals that could really, really, really impact, in a good way, our organization, reducing risk.
Cybersecurity loves chasing those fires because we want to feel like we're doing something important. Like, oh, there's a new attack, there's a new exploit happening. Be like, yes. And, you know, Heartbleed is still a thing. 2014 is when that thing, OpenSSL, what, version 1.0.1 to 1.0.1f or whatever, like it's, people still, like I went to Shodan the other day. And I was like, I wonder how many unpatched servers are running OpenSSL. And it's literally in the hundreds of thousands. Right. And I'm just like, it's 2023. It's been almost 10 years. Like, can we do the patching? And Heartbleed is still a problem. And yet we're trying to fix flaws that we found out about yesterday. We're like, oh, curl has a vulnerability. And by the way, they're like, oh, curl has a new vulnerability. It's October 11th. We're going to come out with this. Did you see that? They're like, oh, there's going to be a big one. And so we're like on edge waiting for that one to drop. Meanwhile, we have like servers running open. That's just like, come on, we can be better. We're chasing those things that make us feel good. But at the end of the day, it's not the right things we should be focusing on.

Erich Kron:

You know, it's amazing how much this aligns with Roger Grimes' book, right? Chasing all these silly little things that are today's big hot fire that really don't impact you much when you have a bunch of unpatched Java in the background. And like she said, it's just kind of funny how that happens.

Jelle Wieringa:

We're on stage a lot. And then we get a lot of questions after our talks and we speak to a lot of people, and I can usually tell, by the nature of the questions I get, what's big in the media at the moment. Most people go like, Oh, have you heard about that ransomware attack? Have you heard about this exploit? Security, you don't do that by listening to the media. Actually, listening to the media often tends to get you into trouble. It's not the best advice I would give to any cybersecurity expert. It is figuring out where your real issues are at, what the root cause of them is, and fixing them. Creating priorities based on what's the biggest risk in your organization. And it's also because C-level, look, they, they look at the TV, they read the newspaper. If they read something and the whole world seems to explode on that one exploit, they're going to ask their CISO, hey dude, do we need to fix it right now? Uh, no, it's no, we don't have to. No, let's focus on a lot of things first. By the way, I need more budget to fix the real issues that we have in this company. But the data-driven approach is awesome. More people should do that because you're basing your security posture on facts.

Erich Kron:

All right. So the next thing I wanted to know from her was what does she think the security landscape looks like in the product security space?

Naomi Buckwalter:

I do application security or product security for security software companies, so I do security for a security company. It's very, very meta. I would say that I'm sitting in an organization that uses modern frameworks, a modern tech stack. There's a lot of things happening all at once. It's really hard to prioritize where we want to put our focus, and I get that it's probably just a general business problem to solve all the time. I don't see that being specific to my domain, which is product security, application security. So I would say that's still generally true, where we have so much happening at the same time. It's really hard to focus. But I would say out of all the things that I'm working on now, again, I want to mention the CI/CD security, supply chain security is one of the bigger things that I don't think enough people are focusing on or talking about. Think about how GitHub is now running, like software eats the world kind of thing. GitHub is almost in the center of all that, building all our code and storing all our code and managing all the dependencies and stuff like that. And it's becoming a thing where you're just like, I need to make sure I know what is exactly in my software. And I don't think companies are doing that very well. They don't know what's in their software. Uh, and honestly, it's going to be a problem for us. Like the Log4j, I think, was a wake-up moment where I'd be like, I wonder what packages are using Log4j for their logging tools. Like, I don't even know. And what dependencies of dependencies and all that stuff. Turtles all the way down. But we're not focusing on those things because I don't think it's sexy enough. And it's always been true. I suppose it is hard. It is hard.

Erich Kron:

The supply chain is definitely an issue that we've been talking about, but we keep seeing it kind of rear its ugly head in different ways. This is something I don't think is going to go away in the near future. Jelle, what do you, what do you think?

Jelle Wieringa:

It's never going to go away, right? You're never going to, if you're writing any software, you can't do it all on your own, whether it's, it's a platform that you host it on, whether it's libraries that you're using from other developers, whether it's services, you can't do it alone. So it's always going to be a headache. We should be having that discussion because it's an integral part of your digital hygiene, your security hygiene, if you build software. And yes, it's tough. But not focusing on it doesn't help us, all right? It doesn't help any of us. So we need to put more focus on it. We need to talk about it. In the end, the responsibility of a bad software product, especially in the security space, is on you as a vendor. If you build it, well, you're going to be in trouble if something breaks because of your product. So you need to make sure that that's okay. And we need to spend more time on it as an industry.

Erich Kron:

And speaking of SBOMs, I wanted to talk to her a little bit more about that. So I asked her: within the product security world, we see SBOMs are a concern with software development, but we wanted to know how that's impacting her environment.

Naomi Buckwalter:

And there's different types of SBOMs, and also it's just a JSON file. They can just delete things that they don't like. Right. It's like, come on. It's like your security questionnaires. Yes. So you answered yes to all these. Like, meanwhile, it's a big old lie. You know what we need is some sort of clearing house for SBOMs. It's like, I think that would be such an amazing thing to have for the industry. It'd be like, does your SBOM hash file match the check for the one that you submitted to the clearing house? Yes, it does. And it should really be just so transparent. Be like, all right, I am commercial off-the-shelf software. This is the hash of the SBOM, you know, that we send over to our customers, and, um, here's the unhashed version, right? Here's the plain text version. Here's all the stuff that goes into our software, and be proud of that. So the commercial off-the-shelf software people, they would send over the SBOM to the public and be proud of the fact that they have all their dependencies updated. There are no unpatched, fixable, high or critical vulnerabilities in their dependencies or dependencies of dependencies. Everything should be clean, right? And that's the way it should be. If, if instead of just being like, oh yeah, we've patched for that, right? We are a hundred percent sure we are not vulnerable to that. Oh, or even better, it'd be like, uh, we don't know. Like that's like the worst one. It's like, we don't know. At least start there. At least understand what's in your software. And then also here's a plug for the poor folks who maintain open source projects who don't get paid. And I think our organizations can be better to recognize the contributions of the open source community. And that's the supply chain security that I was talking about. It's, it's all of that. It's like the entire ecosystem. It's, it's the security team working with the developers to understand the risk, but then the developers have to do their side of it too.
Like they have to meet us halfway, and they're just like, okay, follow the checklist that security has sent over to make sure that this project fulfills all the things in our security checklist. Like it doesn't make our security worse if we were to implement this thing or use this as a dependency or whatever it is. Um, and then the security team has to help them out, like make it reasonable. Be like, Oh, you want to use that project? Um, well, let's see, it's from an unverified publisher and it hasn't been maintained in the past two years. It has a bunch of open pull requests, a bunch of dependencies that need to be updated, stuff like that from Dependabot. So at least the security team can help with that for the projects: update the dependencies yourself, close out the pull requests. Like those are the kind of things that the security team can be doing. And meanwhile, the developer's happy because you're like, Oh, that functionality that we needed. Hey, hey, it works now. Thank you. And that's how you make friends in security, it's just like, you're helping the developers get their thing done. They want to ship the thing as quickly as possible. And you as a security person need to understand that and be like, all right, you, you can build this thing. And here's the guidelines to do it. Now it's safe for everyone. And we're good. Build that entire ecosystem so they can go fast. They can build things quickly in a safe environment. Like that's the whole point of security, at least in my mind.

Erich Kron:

You know, I really like that idea of like an SBOM clearinghouse, right? Where we can keep all that stuff together. So maybe we have an idea of what's going on. Cause right now, wow. It just seems like an impossible task to kind of keep that stuff straight.

Jelle Wieringa:

The clearinghouse is a really cool idea, especially if you add something like a bug bounty program to it, where you have various people from outside going through your code and figuring out what you're doing right, what you're doing wrong, uh, figuring out vulnerabilities and helping you out. If you, if you keep it internal, you run the risk that you keep finding issues, have to go back to your dev team, have to tell them they've done something wrong, because that's how they look at it, and that just breaks the trust. I love the clearing house. Focus on collaboration, on mutual respect. If you, if you base your collaboration on mutual respect internally, give and take, that's basically it, understand each other's worlds, understand where you're coming from, where they're coming from. Then you have a really good chance to get that MVP out on time and have it be safe. And hey, let's face it, where there's code, there's bugs.

Naomi Buckwalter:

The way it is.

Jelle Wieringa:

So you have to accept the risk and you have to make sure that both you and the devs understand what risks you're willing to accept and why.

Erich Kron:

The other thing that I wanted to find out was how do you see AI impacting product development and security development in the coming years?

Naomi Buckwalter:

Oh, it's already happening, right? Like people are using ChatGPT to create scripts and stuff like that. And what's interesting is like ChatGPT gets it wrong all the time. It's like pulling in libraries that don't exist. It's like, alright, we, this thing doesn't work. And maybe that's a good thing for now, because if the developers think that ChatGPT is going to be wrong half the time, then security's got to get some time to get ahead of this whole thing, because in general, we want to still test our code. We want to do secure code reviews. We want to do all those things that have gotten us here so far, and maybe do a little bit better, because AI-generated code is either going to work better one day and it's going to introduce security vulnerabilities and we're just not going to know about them. And we can fight fire with fire too. So we can use AI to help find vulnerabilities in code that's created and hopefully it all works out. There's some sort of balance, but it'll be interesting for sure. So it's only going to get better, honestly, with more investment in that field. And that's where all the money is going. And, and good for them, because I think that's what we want to see, and security just traditionally has been a laggard behind technology for everything. So think about any technology, security has always followed the technology. It's, it doesn't lead it. It just says, okay, we found a problem, now we have to fix it. So I think it's gonna be the same way. AI is gonna run so far ahead of us. Security is gonna run to catch up and it's just gonna be the cycle of like AI became better and better and security struggling to keep up. Hopefully I'm wrong.

Erich Kron:

AI is definitely taking over. It's definitely getting involved, and there are definitely issues with ChatGPT, as we've heard and seen before.

Jelle Wieringa:

Everybody's talking about AI, everybody is using AI and everybody is either complaining or loving it, depending on how you view it, how you look at it. My opinion is very simple. AI, like all new things, needs time to properly be developed. Because this is, it's such a hype, everybody wants it, everybody wants to use it right now, we love it, we want to use it now, and we need it to be perfect right now. That's not how the world works, that's not how new technology works. I just love the spark of creativity that we see with AI. It literally created a whole new industry and that industry is well funded, like Naomi says, and that's a good thing because we need more money, more resources to develop it, but you also need time. You can't buy time, but we also need to realize that, as with anything new, you can't get perfect straight away.

Erich Kron:

So the other thing that Naomi's very involved in happens to do with getting people into cybersecurity. And I wanted to ask her a little bit here, how do we as cybersecurity professionals need to break down those gates in cybersecurity to build the next generation? And this was her reply.

Naomi Buckwalter:

Yeah, I have a whole LinkedIn course on this whole entire topic. It was a bear to put together, but it pretty much breaks it down on what we have to do to invest in the next generation, how to find the talent, what kind of interview questions to have, what kind of, if we do take-home projects, what kind of take-home projects, like there's a whole thing. I'm just going to put a plug in. If you go on LinkedIn and just search for attracting cybersecurity talent, it should be up there on LinkedIn. LinkedIn Learning did make the course free just last week. I can keep doing it for eternity. I don't make any money on this thing, by the way, they just keep making it free for you guys. And the idea is just to learn how do you hire and train the next generation, what to look for, how to see potential in people, what, you know, what kind of tasks to give them on their first day, all that stuff. So it requires a complete mindset shift of what we have now, which is very much a gatekeeping mindset. Um, understanding that people can learn cybersecurity, it is possible. In fact, we do it every day. Cybersecurity practitioners today don't know everything. In order to learn something new, you just go online and you learn about that thing. Either it's going to be some document that that vendor has created, or it's a new protocol that you have to learn about. People write about this stuff all the time. You're consuming their knowledge. Now you're consuming that thing. So can the people who are trying to enter cybersecurity. They can do the exact same thing that you do. And you don't need those five years of experience or a CISSP to really understand new technology and how things are going. Because the fundamentals never change. You're thinking fundamentals of confidentiality, integrity, availability, non-repudiation, those are kind of like the laws of cybersecurity, that will never change.
And things like principle of least privilege, principle of least permissions, like all those things, separation of duties, these things don't change. And once you learn that, you can apply that framework and thinking to a bunch of different things. And so having that mindset shift as security leaders is very, very critical if we were to win the war on cybercrime. I can see this whole thing happening. It's absolutely cause and effect. If we were to hire more people to do basic cybersecurity foundational things, we will eventually get to the point where most of the risks that we've, we have out there will be locked down, will not affect our organizations, and the attackers are going to move on to, uh, less patched things.

Erich Kron:

Interesting points. I mean, she mentioned CISSP and some of those certificates and how sometimes those gatekeep and cause problems. I'm also big on let's try to get rid of some of that if we can and, uh, really look at more specific things. I like what she's saying.

Jelle Wieringa:

By the way, if you look at her LinkedIn, one of the posts she made: people with no experience can do cybersecurity. I don't need to hire just anyone. That would be not smart. No experience doesn't necessarily mean no skill or no knowledge. It is the skill and knowledge part. It's about what type of skill, what type of knowledge do you have? What we see happening today is cybersecurity professionals, if you just have technical skills, you've studied hard and got every certification out there, it's also about soft skills, it's about communication. Communication is such an important part of what we do today, maybe even more important, because those technical skills are fairly easy to learn, whereas communication skills, empathy, that's a toughie. I think that's something where we need to shift our gaze from purely those technical, theoretical skills into more life skills. And I'm just talking about security leaders, and I'm sure security leaders need to be on board, but so do HR and all of those old school managers out there. They need to understand that it changed, security changed. You can't hire based on the same principles as 10 years ago, simply because it's a different generation. I agree with the addition that HR and old school managers need to change too, and a lot more. We need to focus more on just life skills.

Erich Kron:

So one of the other things that drives me a little bit crazy here is a lot of these companies, when they advertise, they're asking for an entry-level position, but they want like 10 years of experience. I think it's just so wrong, right? Uh, this, this kind of stuff happens all the time, though, because I don't think they know what they're asking for in these job postings. So, Naomi, from, from your perspective, why do you think this discrepancy exists? And where do you feel the problem lies? Is it HR? Is it managers or somewhere else?

Naomi Buckwalter:

There's no simple answer, but organizations are just really bad at interviewing and finding talent. So what they do is they use CISSP and degrees and certifications as a proxy to approximate someone's knowledge and ability to do a job. I think organizations could just be a little better. And since we're here in 2023, still following the same hiring practices that we've had ever since, I can even imagine this happening when the corporate world started, you're looking for talent by asking the wrong questions. And if we were to understand people at a human level and understand their potential and their growth mindset and the ability to get things done, then we can hire the right people. We can put them in the right roles. They can understand what the challenges are for the organization and then fix those problems. So if we were to shift what the normal looks like, then I think we could eventually get there into a place that is more reasonable. And it doesn't affect just cybersecurity. There's a lot of other technology-centric careers that have this exact same problem, especially like software engineering. So it's not just a cybersecurity problem. It's more of an understanding of what that role needs. And so I think what I would like to posit is that organizations are focused on the wrong things because they are hiring for the wrong roles. You can tell this, the complete evidence for this symptom is that you are focused on the wrong things within your organization. Your security programs focus on the wrong things. If you were to go back to the foundations and the basics and understand that asset management, configuration management, access control, data security, those are the things that really drive impact and reducing risk for an organization. If they were to understand that, then you can start hiring for roles that focus on those things. And you don't need all those years of experience and certifications in order to do those things.
And yes, we can start winning the war on cybercrime. I know I'm probably just simplifying it, though, but in my mind, it's so clear. Like the solution has always been there. We're just trying to hire the wrong things. We're focusing on the wrong things.

Erich Kron:

All right. This is something that's been a challenge for quite some time and hopefully we can get our arms around this. What do you think, Jelle?

Jelle Wieringa:

I've seen good HR people. I've seen bad HR people. The good ones are usually the ones that don't focus on making their number, but focus on actually hiring the right people, not so much for the role, but for the function. It's the bad HR people that just go like, oh, I need to hire 20 people this month. But the good ones want to understand what the role is, but they have a hard time doing so. Let's face it, in cybersecurity, our field is progressing so quickly and the roles and the functions have evolved so quickly that it's really hard for an HR person to stay with it, to stay on it. We all need to chip in and change and evolve. Once we start doing this together, we will have a good chance.

Erich Kron:

I wanted to also find out for the candidates or the applicants, what kind of hints or tips or advice does she have for the candidates or applicants? And this was her advice.

Naomi Buckwalter:

I don't want to generalize and say that from the organization's standpoint, like that's not the only thing, obviously. Like once you have your X's and O's and all the things that you've done well, like if you've got your foundation done well, then you can start building the maturity of your program. Candidates should be able to recognize when an organization isn't doing those fundamentals well. And I would even say, if you are a candidate looking to break into cybersecurity, go up to those companies that have had those posts open for months on end and say, are you sure you actually need this role to be filled? Because from my research in your industry, like say, you can even pull vulnerability data for different industries and you can read SEC reports on breaches and things like that. It looks like the casino industry was recently breached with ransomware because it didn't do network segregation right. Or they had phishing and didn't have great security awareness and stuff like this. Or they had overprivileged admin credentials. Those are the kind of things that I think an entry level person could realize and start making patterns, understanding those patterns, and be like, I'm going to go over to the next casino company and I'm going to tell them this is exactly how MGM was hacked. And if you have those same problems, I could help you with that. I understand what overprivileged admin users look like, and I can help you with that, right? Like those are the kind of things that I think a good candidate is going to be able to see and recognize, those patterns. Because they have the data in front of them, they just have to put those puzzle pieces together to be like, oh, the bigger picture is this. And then now I can go and offer my services, because I understand the struggles that these companies are having. It's the same struggles that everyone else is having.

Erich Kron:

That's an interesting idea to go out to those ones that have been sitting there and actually try to have a conversation with them and say, are you sure that's really what you need? Who knows what doors that would open? What do you think, Jelle?

Jelle Wieringa:

I've thought of it that way. It's not a bad one. Usually when I talk to applicants or people that ask me for some advice, they usually tell me how well it pays compared to other roles. That's one of the main reasons they want that job, but you shouldn't be in it for the salary. You're in it for the long run. It's a career choice. That's how you need to look at jobs. Every job you get is a little cog in the bigger machine that's called your career. Do you still want to work there in three years? Well, if the answer is yes, go for it. If the answer is, I don't know, keep on looking, please. I see people as applicants be a little bit complacent, and it's so easy to do. Right? Go on LinkedIn. There's one button. Apply. You're done. That's it. And you use the same resume time and time again. No wonder those HR people don't want to look at resumes anymore. Right? I like her advice, but I'd add to that, you need to design your career. That's basically it. Think about it upfront and be smart about it.

Erich Kron:

So another thing we do talk about here a lot is imposter syndrome. I wanted to see what she thought about how candidates should deal with that, or even how she deals with it.

Naomi Buckwalter:

It's such a human thing. If we could see potential in others, and that's the beauty of it. I'm actually unable to see social hierarchy. It's like one of my characteristics and my traits. I see everyone as equals. Like I really do. And so when I go up to anybody, I see them for their potential. I see them for what I can learn from them, right? Like, I'm not just saying that because it makes me sound good. Like, I literally will talk to someone with interest and curiosity, because I am definitely interested. I am deeply interested in what they can show me, right? And like, having that mindset everywhere you go will open so many worlds for you, so many doors. And you as a candidate could do the same thing. I know I don't know everything. And if I could see you as a teacher, or I could see you as a potential, you know, someone I can learn from, like that, that was so beautiful. So candidates that have the imposter syndrome probably don't want to admit that they don't know everything, kind of thing. Or they do admit it and they're just afraid of learning or something. That's what I'm saying. Like, overcome that. That's good that you recognize that you don't know everything, but then see other people as your teachers.

Jelle Wieringa:

Everybody's scared of failing and everybody has an internalized fear of being exposed as a fraud, even though most people are just very competent. That's the thing with the imposter syndrome. When we are on stage, I don't know about you, but I do have that when I'm on stage. Sure. There's part of me that feels like an imposter and it just fears that, but I'm pretty sure that the people in the audience have the same thing when they need to come up to me to ask their question. It's an equal battle.

Naomi Buckwalter:

It is.

Jelle Wieringa:

So if you understand that everybody has their fears and everybody kind of goes like, I hope I'm not found out. Imposter syndrome is good. If you can control it, it can be a frightening thing to some, but I'm very willing to collaborate, cooperate, talk to you, whatever. And if you put on that smile and be open, you'd be amazed.

Erich Kron:

Yeah. And you know, a lot of people sell themselves short, Jelle. I think there's a lot of skill with even the new people. They bring their life experience to certain things. They've all experienced things differently and many times can look at things differently. Look at the people that we've talked to on this podcast that come from differing backgrounds that have a very unique experience with that. It doesn't have to be that you're a super technical person, your experience and what you've seen, that can actually add to things. So don't sell yourself short on that kind of stuff. You can be somebody that can be involved in these conversations, even if you're new to the game. So one of the things that's going on out there is a lot of people are actually looking at cybersecurity. We're seeing things in schools. We're seeing new programs. That means that there's a lot of other candidates out there, especially candidates without a whole lot of experience. The people are fighting for some of these positions. So I wanted to ask her, with all of her experience in hiring and looking into this kind of thing, what can candidates do to stand out in the crowd in order to get hired?

Naomi Buckwalter:

Oh, there's a good answer for this one. I mean, I think the shortcut way is that you gotta know somebody, right? It's like, unfortunately it's who you know, not what you know. I have this in my box up answer. It's like work on your home labs, build up your certifications, do all that stuff. But there's literally hundreds of other people doing the same thing. It's not great, and I wish we lived in a meritocracy, but it really is who you know. If you could showcase your hard work and your ability to get things done in a very functional way. So like if you volunteer for a conference or you volunteer for a working group, show people what you can do. And then people start pitching for you, right? When you're not even in the room. Oh, you know, Erich, he's a wonderful candidate because he's helped me in this other thing. And he actually worked really hard for us to do this thing. We don't need somebody with years of experience because we just need someone to get things done. Right. And then you go in there with the organization and be like, yeah, I can do all this stuff, and then grow from there. So I think organizations just have to give someone a chance. That's what my nonprofit does, by the way. We believe in the candidates. They're going to be great. It's the hiring managers that need the convincing. So that's what we do. We try to convince the hiring managers it's okay to take a chance on people. A lot of entry level folks, and this is kind of what I see from a lot of them, is they consume a lot of information, but they don't give back to the community. They don't write about their thoughts. They don't share what they know. They don't volunteer at conferences. They just kind of sit in the shadows and they're just waiting for someone to give them a chance. Like I was the annoying, junior level person back in the day, I just said, heck with that, like, I know I want to be security. I knew I wanted to be security, actually. I knew it, like, this is it.
And so I just kept going and going and going. I was just so annoying that someone finally gave me a chance. And I think that's kind of what eventually people might have to do, either within their existing organization or their school, or maybe the organization they're volunteering with, something like that. Like, at least start building your resume that way. Do some security things off to the side. Before the security team, you can ask them, you can be like, hey, I know I'm not on the security team, but I'm wondering if you need a security champion to talk about security initiatives within different departments. Like, I'm happy to do that for you. Like, what kind of security initiatives are you working on, right? You can actually build up your resume that way. Give back to the community. That's all I can say.

Erich Kron:

So I think getting to know people and networking in this industry is important, because in cybersecurity there's a lot of trust involved, right? We're given access to a lot of things that we normally wouldn't need to see, right? We can see most of the systems across the board in a lot of our roles. And so we have to trust people. And a lot of that comes from getting to know people and earning their trust.

Jelle Wieringa:

Everybody can get a certification nowadays. That's not the hard part. Everybody can learn. Everybody can get a degree. So that will make you stand out. What does make you stand out is your personality. And in order for you to make sure that other people see your personality and experience it, you need to do networking. I think it is. It's what I built my career on and it works really well. It's the most underrated thing. Our industry is full of people, introverts, and they tell me, I can't do networking, it's scary. Guess what? If you're in a room of IT people, everybody's an introvert in some way. So everybody has the same challenge. So again, it's a level playing field. Go for it.

Naomi Buckwalter:

Networking is so, so really important for everyone.

Jelle Wieringa:

What I also liked about Naomi's answer is getting some information or getting some stuff on your resume about giving back, charity work. I've learned this lesson way, way too late in life, both from the perspective of my job, my resume, but also just from being a human. You need to start giving back. It's such a good thing. It develops your character. That's the thing that makes you stand out. So start doing that.

Erich Kron:

There's lots of ways to do it, and just get to know some people and let them get to know you. I think that's the most important part. So one of the questions we ask pretty much everybody that comes on this show, and it's one of my favorites to hear, what is your biggest failure? And what did you learn from that experience?

Naomi Buckwalter:

As a hiring manager, I would say I failed to, I was just trying too hard. So I've definitely had failures as a manager, and what's interesting is my failings always have to do with experienced people. It's not always with the entry level junior folks. And by the way, I've hired a handful of junior folks and trained them up from nothing. The people that I struggle with most are like the people who refuse to learn. And I think that's the best, failures, like the greatest teacher. As long as I didn't hurt anybody or myself, I think the failure is great. It's such a great teacher. It really is. It's like, oh, I don't want that to happen again. Take responsibility for my failures and for my actions and do better the next time. Yeah. I think security people could do that a little bit better. If we took responsibility for some of the failings that we've had in the past, or inability to get things done, I think we just have to have that self-reflection, that self-awareness, that metacognition. We need to be able to see ourselves for who we are, just objectively. And we're not great in general. We're not great. Being able to do something about it. Be like, okay, yeah, like we are the root cause, common denominator of all our problems. How can we solve this? Like, what is the next thing that we do? And then work on ourselves a little bit at a time. It's hard. It's hard. It's a lot of, it's painful. It's painful, but it's worth it. If I could do anything, if I had one wish in the world, it'd be for the people that I work with to see themselves for who they are, right? And it might not be the best thing, but it's really beautiful.

Erich Kron:

You know, I got to admit, Jelle, I always believe that we learn more from our failures than our successes, right? We feel a little bit more, and stepping back and going, okay, what could I have done different or better, is a very, very powerful thing. So we can't be afraid of that kind of stuff. What do you think?

Jelle Wieringa:

Admitting a failure isn't admitting defeat, right? I think it's people fear failure, but fear the fear of it more than the actual failure. And that's the thing. They fear repercussions on how other people look at them, which is plain ridiculous, because everybody fails. It isn't about failing, it's about what you learn from it, how you get up after that, what you do after your failure. And when we focus on that part, that is how great companies are being built, that is how careers are being built, that is how people are being built.

Erich Kron:

so another question we always ask that's always interesting to hear the different viewpoints is. What do you think the biggest threats are for organizations for the next decade?

Naomi Buckwalter:

Oh man, it's just understanding risk, understanding assets, or like the things that are out there, no simple answer to this. I think the biggest threat is ourselves. Like the security people who think everything is fine. But it is not. I think the biggest risk to organizations is not understanding risk, understanding priorities, and understanding fundamentals of information security well enough in order to protect our organizations. I think that is the biggest threat to organizations. And it's not just within the next decade. I think it's always been true. I think it's going to come to a head within the next decade or so. I think we will see something massive happening, a confluence of AI and just way too many public endpoints. Too many devices, just too many things that could go wrong and not understanding how everything interplays with each other. I think that's the biggest thing. Again, not within the next decade, I think it's always been true, but I think it's always gonna be worse. I think it could be worse.

Erich Kron:

You know, I thought that was interesting, though, that she pointed out security people basically thinking that everything's rosy and wonderful when it's not. And in some cases, I kind of feel like maybe it's the other way around. I feel like a lot of the people that I know are a little bit more on the overly concerned side, maybe running around with their hair on fire way too often, but I suppose there are, you know, those things that we just look at 'em, we go, nah, nah, that's not a big threat, until it happens.

Jelle Wieringa:

I'm gonna summarize it as the ignorance, our own ignorance. That's probably the biggest threat we have for the next decade, if I listen to Naomi, and that's both for the people that think that everything is okay, or for the people that are those doomsayers, everything is wrong. Everything. We're gonna die, AI is gonna, well, Skynet's here, that sort of thing. Our own ignorance.

Erich Kron:

That's a good one. No, I agree. And we've gotten some different answers and I don't disagree with any of them. I think we have all of these things to be concerned about from all of our past guests, including this, but it is definitely something that makes us think. Last but not least, I wanted to ask her if she had any final thoughts she wanted to share with our listeners. And this is what she said.

Naomi Buckwalter:

Seeing potential in others and building up the next generation. And I will say it over and over and over again. It's like, people, we can hire folks with no experience. It's okay. We just give them the right sandbox to play in. Don't give them sudo privileges to production. Like, you're going to be fine. If you limit the damage, the blast radius, to what you find acceptable, you could still have them train and it'll be fine. Everything will be fine. And by the way, they can help you focus on the right things, focus on the fundamentals to reduce risk for organizations, always balance risk with the priorities of the business, the service for the business, all these things you've heard over and over and over again. They're always going to be true today and forever.

Erich Kron:

So, yeah, I really enjoyed this conversation with Naomi. I think we have a lot to think about with this. And I think there's a lot of things that we touched on here that were very important, especially with respect to people coming into the industry and how the industry is doing some of its hiring practices.

Jelle Wieringa:

It's a topic that more people need to be talking about. And I love the fact that if you look on her LinkedIn, she's all about this stuff. She really is. She's passionate about it. And that's what I love. People that are passionate about a specific topic think about it a lot and they get good ideas. And she obviously thought about it a lot and has great ideas. So I really enjoyed this one.

Erich Kron:

Absolutely. So having said that folks, thanks for joining us here in Security Masterminds. Say goodbye, Jelle.

Jelle Wieringa:

Well, goodbye, Jelle.

VoiceOver:

Coming up on our next episode of Security Masterminds, we invite you to join us with our special guest, Julie Haney.

Julie Haney:

We have to remember that cybersecurity only exists because of that human, because of people. People built the technology and the services we're trying to protect. Cybersecurity is for the use and benefit of people. It's to protect us, it's to protect our information.

VoiceOver:

You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik, with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another Security Mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Introduction
Naomi's Cybersecurity Origin Story
Recognizing and Learning from Past Mistakes
Cyber Myths That Need Busting
The Impact of AI on Product Development and Security
SBOM Clearinghouse
The Role of AI in the Future of Cybersecurity
Breaking Down Gates in Cybersecurity for the Next Generation
The Role of HR and Hiring Managers in Cybersecurity
Advice for Candidates Looking to Break into Cybersecurity
Dealing with Imposter Syndrome in Cybersecurity
The Role of Networking and Giving Back in Cybersecurity
Life Lessons Learned
The Biggest Threats to Organizations in the Next Decade
Final Thoughts on the Future of Cybersecurity