Webinar Transcript

Simone 0:06
Good afternoon, everyone. Thank you so much for joining us this afternoon. I am Simone Petrella, founder and CEO of N2K. And this is very exciting because N2K is launching a new webinar series starting today that features conversations with security leaders and industry partners to discuss some of the biggest topics and trends impacting their cybersecurity workforce. Today, I have the pleasure and honor of being joined by Jim Routh. For those of you who do not know Jim, Jim is an honored and respected cybersecurity innovator and industry leader offering keen insights on the alignment of business strategy with digital transformation. He has more than 30 years of experience having served as both CSO and CISO of some of the most recognized organizations in the US, including MassMutual, CVS Health, Aetna, JPMorgan Chase, and American Express. So quite the list of accolades there. Jim and N2K have drafted and we’ve released a white paper on non-traditional ways to think about growing cybersecurity talent. And so that’s going to be the topic that we focus on here today. So just to tee up the state of the industry. And Jim, thank you so much for joining us. We know that cybersecurity supply has been a massive gap while demand continues to grow with approximately 400 or four over 400,000 jobs according to (ISC)2 in the US going unfilled each year in cybersecurity. What do you think, as a security leader, we can do to address those shortages and still find the talent needed to do a lot of this critical work?

Jim 1:48
Well, thanks so much, and thanks for inviting me to participate. And to answer your question. First thing we have to recognize as cybersecurity leaders is that the market conditions aren’t getting better in terms of the talent level in terms of supply and demand. So according to (ISC)2, there about over 400,000 cybersecurity jobs in the US that are going unfilled each year, primarily due to a lack of experienced talent. And if you look globally, it’s estimated that the global cyber talent supply has to grow by 145% annually to meet the projected demand from enterprises over the next few years. So we have to come to grips with the fact that cybersecurity leaders have to adjust their tactics and fundamentally make a commitment to serving as educators to surround themselves with educational curriculum design and delivery capabilities to really proactively manage the talent development process for employees that ultimately will attract more employees for mix external candidates based on that commitment for Talent Development, but it’s time to change many of our traditional conventional practices. And I think that’s what we’ll talk about today.

Simone 3:16
Yeah, thank you. And, you know, as a training provider and a workforce development company, I know one thing we see a lot or that organizations make, they do make substantial investments in talent, talent development, workforce development. And it’s often for a variety of reasons, it is around retention, it’s around upskilling, if there’s a gap in the need for jobs, but sometimes it’s also a reward incentive and kind of another component of a retention tool. So, you know, in the landscape of all of that, and knowing how many stakeholders are involved, when we think about talent development, why is it so important for security leaders specifically, to drive the growth of their cybersecurity talent? There are so many other stakeholders, right, that have a seat at this table, but why security leaders in particular?

Jim 4:04
Yeah, well, fundamentally, security leaders have to deal with the talent shortage. So that’s certainly one construct here that’s not going to change. But the second is that I remember, you know, when I started as a CISO, over two decades ago, basically, cyber education was Cyber Security Awareness. That was a one size fits all model where every employee took a mandatory cybersecurity class. And that was it. That was the extent of the education. And today just in the cybersecurity organization itself, there are so many diverse requirements. Security engineers have one set of skills and competencies that are essential in their development paths and are aligned accordingly, and then you have the cybersecurity analysts and you have the threat intel teams, you have the software security professionals, you have the third-party governance professionals, and each one of them essentially has talent development requirements and needs that have differences. So the diversity of the requirements from an educational standpoint is fundamentally different today. And that makes the case for the cybersecurity leader, to be an educator. And that commitment to talent development is it really has two components to it. One is to take care of your employees, ensuring that they learn marketable skills that benefit them from a professional standpoint. And the second is, it actually makes the organization more attractive to external candidates, because of that demonstrated commitment to talent development. You mentioned retention programs, which are pretty much established across most major enterprises today and initiated by HR leadership. And I just, have a visceral reaction to the term “retention”. Because to me, it’s kind of after the fact, and employees don’t really want to be retained, employees want their talent developed. And so I encourage all cybersecurity leaders never to use the term employee “retention”. It’s not attractive to the employee. Focus on a commitment to talent development. And that’s actually a more sustainable approach over the long term, as opposed to throwing money into retention programs that are spread kind of across the entire enterprise.

Simone 6:55
Yeah. And that resonates with me quite a bit. I know in my career in cybersecurity and some of the teams that I’ve led, and I know that we’re very aligned, since my backgrounds in cyber threat analysis and intelligence. My philosophy was always with my team to figure out how you could foster their future in their career, even if in some cases that led them outside the organization that they were supporting with me. But that often would pay dividends because, at some point, that wheel comes back around, right?

Jim 7:28
Yep, that’s exactly right.

Simone 7:30
Quick follow on question, though. Because one of the things that you touched on when you talk about the diversity of roles, and frankly, that diversity of roles is expanding in the landscape of corporate enterprises today, and frankly, any organization. And each of those career paths, as you mentioned, is distinct. And they’re unique to those roles. But how important do you think it is for security leaders to also understand and what can they do to kind of create a pathway, create programs, or create people initiatives within security teams to give those diverse roles a well-rounded experience? And what is well-rounded? Should it be very role specific? Should it be actually exposure to those kinds of ancillary, you know, to threat intel analysts, all the learning what it means to be in the SOC? And vice versa?

Jim 8:18
Yeah. Yeah. So to answer your question, well, again, when I started in cybersecurity, there was pretty much a standard practice to fit employees into specific and well-defined roles. And that every cybersecurity program needed those specific, well-defined roles attached, often to regulatory constructs or risk frameworks. And I think what I’ve learned is that it makes a lot more sense to create the role to satisfy the needs of the individual, as opposed to fitting individuals into a pre-established well-defined role. And so what I started to do is, and I started this about eight or nine years ago, in the interviewing process for external candidates, I’d asked the person interviewing, what are the two skills that you want to invest in and master for whatever reason that you wish, and that started the dialogue where they fundamentally told me what they were interested in terms of skill development. I could then take those skills and make sure that that was embedded in the role that we’re asking them to play. And if that meant changing the role, I changed the role. So basically, roles evolve based on the professional development needs of employees. So whether it’s a new employee or a candidate coming in from an external source, or whether it’s an existing employee, start with asking the employee to make the definition of what skills they wish to invest their time in, which, you know, has a fixed amount, there’s just so much they can invest. So how are they going to use that investment, for meeting whatever personal goals they have? Our job as leaders is not to tell them what they should invest in. That was, you know, 30 years ago, that’s what the employee-employer relationship was, like, the employer said, you’re going to learn these things, and then these things and these skills that will give you the just in time training, and you know, you know, if you continue to perform, you’ll accelerate, and you’ll be an employee for your working life. And that’s the way the model works, right? And a lot of our HR practices have evolved from that paradigm, which is no longer the case today. The employee-employer relationship today is very different, in that the employee actually has accountability and responsibility for their own development. And the employer has to be supportive of their own development of what they want to do and give them choices and options and, and services and capabilities, from an educational perspective that allow them to make the investment that’s ultimately they’re choosing.

Simone 11:31
Now, I’m gonna go a little off script here, but I want to key in on one thing here, which is, that’s phenomenal, right? That employees should be the ones dictating their careers, and when they’re in an opportunity to create when an employer is willing to change the role. Is that realistic in a world of having to have nots? Where if you’re at a JPMorgan Chase, or American Express, where they’re fairly robust and you’re an employer, who, frankly, is one of the more coveted. You’re not at a dearth of external candidates coming in the door? What do you do if you’re not in that class of employers who have that, you know, invested cybersecurity program? And you’re just trying to say, I can’t get candidates in the door, let alone ones that need to do the basics that I do? Like, what do you do in that instance?

Jim 12:18
Yeah, it’s a good question, Simone. I’m glad you asked, because there’s a ying and a yang, yours or theirs, there are two sides of the coin. One is, and I’m asking every leader, and I’ve done this again, for the last couple of decades, I ask every leader to commit 30% of their time to talent development activities, and that’s over a given week. And that’s pretty extensive, and a bit of a stretch in certainly in some organizations. But that’s what I asked. So you spend 30% of your time on talent development for your employees. So now you’re gonna ask the question, what does that have to do with attracting external candidates into the organization, right? And it turns out that the commitment that you demonstrate to all employees to help them learn the marketable skills that they choose, translates into candidates, external candidates that actually will seek out your organization, even if it’s not a name brand industry leader like JP Morgan Chase, or American Express. Who, by the way, had wonderful educational curriculum and capabilities and delivery when I was there, and that was, you know, many, many years ago. And they certainly have robust capabilities today. But any organization can actually thrive in the scarcity of cybersecurity talent in the marketplace. If they as leaders demonstrate a commitment to talent development, education for their employees, and when external employees or candidates get exposed to that and see that level of commitment, it attracts them to that organization. So really, I never ever paid a recruiting fee for any cybersecurity resource, I didn’t have to. And I had a pipeline of talent that I didn’t necessarily go recruit. They basically said, we’d like to know what opportunities exist in your organization because you have a demonstrated track record of committing to talent development. So it turns out, what you do for your employees translates into making your program and your organization a lot more attractive to external candidates.

Simone 15:00
Would you say just the fact that you were able to demonstrate and frankly tout the fact that you had a talent developer program, did that attract external candidates that may not in other scenarios, think that they would necessarily apply for some of the jobs that you were looking for? Like, do you have any examples of when you took someone where maybe on paper, they didn’t necessarily have the credentials of being an off-the-street cybersecurity professional, but there was something about not only the kind of raw interest, passion, aptitude they had, but then you couple that with the talent development program that you have in place, you know, that’s kind of where the magic happens. But they have to know that. How do they know that, that you’re the employer to make that happen, right? Is that just a roadshow?

Jim 15:44
Well, one of the things that we did, one of the activities was called exploratory interviews. And I did about five a week, on average, some weeks more, some less, basically about five a week, and I told all my leaders to do the same thing. Now, what’s an exploratory interview? Well, an exploratory interview is one that’s initiated by a candidate for whatever purpose they wish, and it has nothing to do with any posted open positions that you have at any point in time. It’s basically just a professional reaching out and saying, “Hey, gee, are there any opportunities for me in your organization? And how could I learn a little bit more about that.” And “I may or may not have cybersecurity expertise” and “I may or may not have this specific expertise that you might match up to open positions but I’m interested and I’d like to talk to you.” And so, during the exploratory interview process, we talk to a whole bunch of candidates that had the raw material that could be successful but didn’t necessarily have the specific expertise or the mastery of the skills required for particular roles. Well, it turns out, you can teach that. What you can’t teach is intellectual curiosity. And so that has to be ferreted out in an interview process. And sometimes there’s quirky behavior that goes along with intellectual curiosity. And we tolerate quirky behavior. For instance, if somebody shows up in the interview, and they have 20 questions that they’re asking of the person that they’re interviewing with, that’s a pretty good indication that they have an intellectual curiosity and there’s a real passion, you know, to learn. And that’s something we can’t teach. And so we have to understand that level of intellectual curiosity that exists as raw material. And then frankly, every other skill we can teach. Now, we have to be patient and take some time to do that. It certainly takes some investment. But the way to discover whether somebody has that interest is if they approach you, and chances are, they’re gonna have a pretty strong interest if they’re approaching you. And this is a way of basically saying anybody at any time can apply for an exploratory interview, regardless of what positions may or may not be posted at that point in time. It also lends itself to a philosophical view on talent development, which is that I always hired talent when I found it. Not when I needed it. This man, I reckon I really needed it. That was usually the time when the cupboard might be bare, right? So I’d always look for talent, I never stopped, I never did hiring freezes, I’d never held off on posting a job because we didn’t have a budget, and I never worried about any of that. I always recruited I always spent time and effort doing exploratory interviews with talent. And as a result, we usually had a pretty deep pipeline with lots of choices that we can make.

Simone 18:58
Yeah, what you’re saying really resonates with me, there’s often an adage that you should always be recruiting regardless of what your position or role or what you’re doing is. But what also strikes me, and it’s amazing to hear that this was something that you adopted both in your own leadership, as well as your own hiring managers was this commitment and dedication to spending 30% of your time on talent. I know one thing that I often criticize a lot of our colleagues in the community around is the trifecta of people, process, and technology, especially in cybersecurity. We spend an inordinate amount of time on technology, a semi-ordinate time on process, and usually very little time on people. And what you’re really saying is you dedicated equal, I mean, a third of that time to the people strategy. So I’m curious what advice you would have to other leaders who, you know, there are a lot of other stakeholders who have to get involved when you’re talking about the people side of that equation, and not just the security leaders. But what is that dynamic? How can you be successful? If you’re going to take that approach that we should always be recruiting, we should have a mechanism or a door where people can have unsolicited interviews. Who else do you need to bring into the fold in order to make that successful?

Jim 20:15
Yeah, that’s a great question. So I think there are two sets of resources, I’ll say that you have to contend with. The first is that in any organization that has any kind of size and scale, there are resources available to you that are educational resources that you can tap into. So a good place to start is with your human resource department. And if they have an educational group, work with them just to understand what’s available today. And a lot of times specific around leadership development, there’s a wealth of resources that’s available from a curriculum perspective and professionals that have curriculum design expertise, and curriculum delivery capability. You’ve got to surround yourself with them, because the diversity of skill requirements today is far more significant than several decades ago. And so just within your own cybersecurity team, the range of technical skill requirements is really different and unique and specialized. And it requires us to wrap a broad set of educational delivery capabilities around the individual needs of our cybersecurity team. But there’s another side of this, which is the stakeholders, and think of a stakeholder as anybody who’s a stakeholder in the cybersecurity program. So you can start with senior executives, and you know, how to teach them how to do verbal authorization of treasury, electronic transactions, or funds transfer transactions. And how to manage their social network activity, and the risks associated with that, combined with their professional positions. So that’s just one stakeholder group. Auditors, specifically, IT auditors have to understand how to use data science to test the efficacy of specific controls designed using data science. And so that’s an example where the cybersecurity leaders really have an obligation to help train and develop the auditors and the folks in the second-level security organization to help them be more successful based on the evolution of control designing your own program. So privacy professionals have a responsibility to understand the dependencies on cybersecurity, cybersecurity control effectiveness, and how that impacts privacy implications. So there’s a broad set of stakeholders that are outside of the cybersecurity organization that the cybersecurity leader has accountability for. So they have to take advantage of educational resources within the enterprise. And then every time I was a CISO, I used external resources and diverse external resources for educational content to satisfy the needs of all of the stakeholders.

Simone 23:53
Yeah, and I think one of the things that I know that this comes up, and I’m going a little off script here again, but I know one thing that comes up in a lot of when security leaders in lots of positions, get together is around the political capital that it requires to build a business case. In some cases, because if you have a diverse set of stakeholders that you’re responsible for, inevitably, the question is well, whose budget is it coming out of? How are you going to actually influence or kind of exert the authority to actually have that other group listen? And who do you need to bring into the fold internally within the organization to make that business case and make it successful? So I’m just curious if you have any thoughts for anyone out there who’s in that position, who’s saying, I believe everything you’re saying, Jim, it makes all the sense of the world but how do I do it like I’m in the seat?

Jim 24:44
Yeah. Well, first and foremost, you got to have strong partnerships with your HR colleagues. And there is a bit of a contradiction here. I’m suggesting that you use unconventional techniques that are not established HR practices all right. And that’s on the one hand. On the other hand, I’m saying partner with your HR colleagues, right. And there seems to be something that’s misaligned there because they’re the ones that typically advocate using standardized, you know, central practices that apply across the entire enterprise. Um, I think you just have to come to grips with the fact that the marketplace conditions do not allow you to do that. So you’ve got to use some different fundamentally different techniques. And you have to convince your HR colleagues to help you and specialize that and sometimes that may mean, going up to the head of HR and explaining that in cybersecurity, there are some different requirements specifically, because the conditions are different. And it’s not a temporary phenomenon. It’s something that staying with us. So that’s kind of there’s two sides of that: partner with your HR leadership team, but also use unconventional techniques in how you do that. There’s nothing easy about this, but it is, and will, build a sustainable model. In other words, it’s repeatable, it’s something you can do over time. And it just more than anything else means making a strong commitment to being an educator. And I found and this is the case across three different enterprises, that HR leaders embrace that. That they like the idea of professional leaders taking on this role and responsibility for being educators. And so they’ll adjust in most cases and support your unique needs for the requirement. At least that’s been my experience.

Simone 26:57
That’s great. No, thank you. Appreciate those insights, because I know that that’s often sometimes just building the case. And getting the buy-in is the hardest part to start this kind of initiative. One thing you also mentioned when you talk about looking to internal resources, and a lot of times this exists within HR, or in the education or learning and development component of HR is around the curriculum itself. Once you’ve established that you’re an educator, and now you have to go out and kind of deploy this training program. And I, you know, when you want to make that a comprehensive program across this diverse of roles, that itself can be a massive undertaking, because now you’re also trying to make heads or tails out of what have we developed internally in-house? Where are we going to a third-party vendor? Where are we looking to multiple third-party vendors? How do we actually then tie this all together in a way that we’re filling all the gaps in the holes, but not necessarily being redundant? Because that takes time, effort, and money? So what are some of the things to consider when you think about putting together that ecosystem? And that combination of in-house vendors, where do you partner, where do you build? Where do you buy that kind of thing?

Jim 28:05
Yeah, it’s a great question. So the first point of resistance that I typically get from really HR leadership is that the way that the leadership team in HR thinks about the allocation of an educational resource for employees is based on need, and based on capacity or budget. And so typically, if there’s a need that’s across a diverse group of employees, the allocation of the resource, the educational resource to support that need will be done on a per-employee basis. In other words, if I have 100 employees in my organization, I may say that 50 of them will qualify for this educational component. And maybe we’ll do 50 this year and 50 next year. That’s one way of allocating it because, obviously, the more diverse the educational curriculum, the more expensive the educational experiences from an enterprise perspective. And that’s a fundamental job of HR’s to manage that expense. Now, I’m going to turn that on its ear for a second. And I’m going to say, never allocate any training or education expense on a per-headcount basis across an organization. Now, when I say never, I mean that philosophically, they’re probably really good exceptions to the rule there. But generally speaking, I’m saying don’t do that. It turns out that if you use a governance tool that’s tied to the individual’s professional development, you don’t have to constrain a budget across an enterprise for education. Here’s what I mean. I have a development plan identified to skills I want to invest in and in that investment are development activities that have been approved by my leader and approved by HR, and some educational experts. And that becomes the basis for my development plan. Now, it turns out that, and I did this successfully, I told my organization in the three companies, the last three enterprises that I worked in, I told anybody in cybersecurity, I said, there’s no budget or budget constraint for education. Now, my HR colleagues cringe when I said that, but I made it specific to the cybersecurity organization. So, you know, relatively speaking, talking about a couple 100 people, it’s not, not the hugest organization. And I basically said, we’ll spend whatever money we need based on what your development plans are. It turns out that there’s about 30% of the employees that really embrace the development plan and the leadership, or sorry, the educational activities of development activities that are built into that. There is another 30%, that go along, and do it based on compliance, right. And they’re kind of going with the flow, but they’re really taking advantage of every investment opportunity that they necessarily could or should. And then there’s another 30% that really fill out the form. And it’s a reminder to them to go find a job somewhere else, because they’re not too comfortable with this whole, you know, massive development need because they’re at a point in their career where they’re trying to look for cruise control. They’re not trying to accelerate their education. So and that’s for some legitimate reasons. But my point is that if you use the governor of the development plan, you’ll never be over budget, I was under budget every year in terms of education. And I gave, basically, anybody who did a development plan, and then went through the development activities with their leader got full funding for whatever was required. So it doesn’t necessarily make sense out of the gate, to think about, because the easiest way to do is say, Alright, there’s only going to be this number of people that take this educational resource and the cost of that. But it turns out that if you just use the enforcement of the development plan, you can manage your budgets, quite effectively. And still, tell your employees, whatever you need, we’ll do it for him.

Simone 32:43
Yeah. And I think it’s so interesting to hear you say that, and so refreshing, because the default is, in so many cases, well, we have this much allotment. And so here’s where we can send people’s training. So not only, yes, training funds might be available, and it’s not that individuals can’t necessarily select, but it’s not necessarily directed. Meaning it’s not a benefit to them, because maybe it’s of interest, but it’s not going to propel them in their own professional path. And then it’s not all that beneficial to the employer for you as the leader, because what are you getting measurably back in their work performance? So it sounds like so much is just so contingent on having development plans and thinking and being very thoughtful about what does it mean to actually develop this talent, beyond just hey, we’re going to invest in education and use that as kind of a blanket term.

Jim 33:38
I think across large organizations is more predominant, but there’s this view that we’ll have one set of educational content delivered to many. And that’s economical. An economical way of allocating scarce resource to the highest needs no question about it. Except it’s totally counter to this notion of everyone has an individual development plan that’s unique. And so we have to, we the enterprise, we have to figure out a way of scaling diverse educational resources down to the individual level, not across the message. And that’s the development plan initiated by the employee. The employee makes that choice. And it’s almost similar to a charitable giving program in a large organization where the organization says, Yeah, we support charitable giving if you choose an organization or a cause, and it’s a legitimate 501 C, and it meets these criteria will match your gift, right? And in this case, it’s the individual employee that saying, Yes, I want to learn these two skills. And the organization is saying, well, we’ll match your investment of your time, by providing you resource in terms of access to education or funding to support that educational, you know, whatever the development activities are, and it’s a matching gift, but you have to initiate it. And if you initiate it based on a personal need, go for it all for it. From our perspective, we’ll match whatever that is within a certain parameter.

Simone 35:27
I know one of the things that is often difficult is, as you’re talking about this thoughtful, very deliberate approaches, how would you measure how that’s working over time in the analogy you use on gift matching, but an individual selects a charity, you can track those dollars, right? You can say, Okay, you wanted to put $100, we kind of put it in these buckets. And this is where the money went over across the board. You can do that on the spend side, but at what point does that actually get translated into how you think about demonstrating? Because at some point, as a CSO as a CISO, you’re accountable to leadership in your own company. So how do you continue to use those programs and say, here’s how it’s working, look at what my program is doing? And here’s how I’m moving the needle.

Jim 36:14
That’s an excellent question. And it kind of gets into that, do you fit people into roles? Or do you adjust roles for people? If you adjust roles for people, well, then how do you know you have the right roles for that enterprise at that point in time? And so I kind of recognize that what we did is we kept a journal of, really a log of, every educational offering, and who took advantage of that educational offering. And then we gave a roadmap to each of the individuals in their professional development plan that was also tracked, and then map that to the actual, the delivery platform. And we had several LSM type delivery platforms, and gave us across the entire organization, kind of where individuals before spending time and effort on which skills, and then we’d step back as a leadership team and look at that across and say, All right, where are there gaps? Like, one thing we discovered is that we did organizational change more frequently, than was probably the norm before that. And that change was triggered by professional development needs. So we’d say, you know, Jane has been in this role for 18 months, she’s moving to a new role over here. And the reason she’s moving to a new role in this group is she chose that path. And she was part of our development plan. And so she mastered the skills necessary to equip her to do that. So now we’re giving her opportunity to do that, because that’s what she wanted, then that creates an opening and Jane’s former role. So you know, Sally is going to move into Jane’s role, not because Sally is uniquely qualified, but Sally wanted that opportunity and wanted to master the skills associated with that role. So now that we’ve moved that, and that creates an opportunity over here for Sally. And is anybody have any interest in Sally’s previous role? Let us know because we need to fill that you know, and we’ll if we can’t find somebody internal will look external. So that kind of, you know, an organizational design triggered by the movement, from a professional development standpoint, takes a little getting used to, and, frankly, you have to give some context for that. So in one organization after I think it was 18 months, 70% of the people surveyed in this cybersecurity organization had a new job at a different role than they had, you know, the year previously. So that gives you pretty much sense of everybody was in kind of constant flux. Now, the question is, well, how do you run a cybersecurity function with consistent KPIs and practices, you know, and solid controls with that kind of churn? And that’s where the individual career path and individual choices made in the professional development plan were kind of fed into a system that allows a look across the entire organization and say, Hey, there’s a trend. A lot of people are moving here doing this. It turns out that we used the SOC, the security operations center, as basically the talent development engine for the rest of the enterprise. And so when somebody would say I need somebody in third party governance, who’s got cybersecurity expertise in third party governance? We’d say, well, we don’t have anybody that has that but we have this person that wants to learn it. And so we’d say, we’re going to put that person in it. And we’re going to teach them what they need, and do some sort of overlap with an existing resource. And they’re going to fill that role. Well, that person came from the SOC. Now, it turns out that we thought maybe they’d go into Security Intelligence, but they instead opted for a third party. So we just let them do what they want and then backfill accordingly. And as long as you have people choosing new roles and opportunities, and the investment and the education themselves, it turns out that they’ll do a better job of it, than leaders will. It’s almost like leaders, we just have to be educators. And then to get out of the way, because the talent drive for marketable skills, it’ll take care of itself.

Simone 41:05
Yeah, so it’s really a self-empowerment function. You know, you’re saying we want, but the job of a leader from what I’ve heard is, to create the foundation and the infrastructure for that individual to have that empowerment. And that strikes me is one of the hardest parts, because you know, you’re tracking a log, that is, that’s time intensive I would imagine.

Jim 41:28
So we had key performance indicators for every major sub-program within the cybersecurity program. And they evolved over time. But essentially, that’s how we measured the health of the underlying control that’s embedded in a process or a function. So those key performance indicators were stable, or relatively stable. And so when one person would move into a different role, and we backfill, someone that may not have the skill, but has the will, the key performance indicators were the indicator of consistent health. And the entire leadership team was committed to making adjustments when those KPIs indicated that we had weakness. We had a control that wasn’t effective, we immediately take action, if that took, you know, three or four people to help that one person, then that’s what we did. And we all surrounded around that. So the consistency was in the key performance indicators, which is measuring the health of the control. And that’s what everybody responded to. But the input of that is basically someone’s desire to learn a marketable skill.

Simone 42:42
Yeah, yeah, it’s just incredibly impactful. And I think a wonderful model for everyone joined today. We only have a couple of minutes left so the last question I want to ask you is, as you think about leaving some nuggets of advice for security leaders that are coming up through the ranks and having to grapple with these issues themselves and have been in multiple hot seats. And inevitably, you touched on it before there’s, you know, a resistance that might be met in trying to put these ecosystems or this infrastructure in place. What advice do you have for emerging leaders around how they can turn the resistance around to support and build out this infrastructure for themselves? If they’re going to really invest in kind of a talent development mindset and this unconventional approach?

Jim 43:28
Yeah, I think first and foremost, you got to start with the data. So that starts with understanding the market conditions, the way they’re in the data driving that and historical data and kind of forecast data. So, you can make a very compelling case to change or just practices, simply because established practices aren’t going to work given the constraints in the marketplace. So that’s kind of where it starts. And then I think, a data-driven approach to the actual skills inventory, where you can start to identify, here’s what the needs are of the program, but here’s what the individual needs are of the individual and here’s a path, you know, for them. And then recognizing that there are going to be people that are attracted to the cybersecurity program from inside the company in other parts of the enterprise. And oh, by the way, they make really good candidates because they know other parts of the enterprise and so then a recognition that if you’re really proactive from a leadership standpoint, in the professional development commitment to individuals, they’re going to have opportunities in other parts of the enterprise. And that’s great actually, because then they go with the cybersecurity expertise as well. So the enterprise as a whole is far better as a result of that. So, you know, our job as leaders isn’t just to, you know, support an existing function that we’re accountable for. Our job as leaders is to develop talent based on what that talent wants. And that may seem kind of that’s pie in the sky kind of thinking, but I fundamentally believe that and I’ve had many situations of where people have really excelled and reached levels of leadership in cybersecurity that they never thought was attainable. And frankly, it wouldn’t happen if they didn’t move to different organizations to take advantage of the opportunities to do that. So I still have relationships with them today, where I mentor and support them. Today, I probably have 15 CISOs that are acting in currency. So roles today that I’ve worked with over the years that I continue to mentor because it’s a tough job. It’s really, it’s a challenging field for all cybersecurity professionals. But education and a commitment to education, it’s a foundational component from my standpoint.

Simone 46:00
Well, thank you, again, Jim, for sending so many of your insights. I know it’s just been such an impressive career. And from the very beginning, I know you’ve taken talent so seriously. So I appreciate the time and insights that you’ve provided to us here today. I look forward to new things to come. And I hope that many of those that tuned in today take some valuable lessons around how they can think about embedding and really integrating talent development and unconventional approaches to talent development into their security programs as well. So thank you so much for your time. Thank you everyone for joining, and we’ll see you next time.

Jim 46:38
Thanks, everybody.

Transcribed by https://otter.ai