Episode details:
Robert Wood, Founder and CEO of Sidekick Security and Co-Founder of Soft Side of Cyber unpacks the complexities of third-party risk management, discusses technical talents and soft skills in cybersecurity, and more in the latest episode of Agent of Influence.
NetSPI Field CISO and host of Agent of Influence podcast, Nabil Hannan, sat down with Robert to talk about his unique perspective on third-party risk management, the importance of possessing soft skills in the cybersecurity industry, and leadership approaches to create a team culture that attracts and retains talent.
Show Notes:
- 01:32 – Unique Perspective on Third-party Risk Management
- 06:13 – Rethinking Third-party Risk Management
- 13:23 – The Starting of Soft Side of Cyber
- 20:20 – Soft Skills Versus Technical Skills
- 25:25 – The Importance of Security
- 30:00 – Identifying Superior Soft Skills in a Candidate
- 32:57 – Retaining Top Talent
Transcript between Nabil and Robert
Third-party risk management, leadership skills in cybersecurity, and retaining talent
This transcript has been edited for clarity and readability.
Nabil: Hi everyone. I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today, Robert Wood joins us to talk about third-party risk management and also finding the balance between technical and soft skills in cybersecurity. Robert, so excited to have you. It’s been a long time since I’ve seen you. So glad we got to sit down and talk today. To get started, please tell the audience about where you are today professionally.
Robert: Right now, currently, I am running a team of cybersecurity engineers at a company called Sidekick Security. It is all services-based, trying to help companies effectively go through this security-led transformation, security-led growth journey themselves, because I have this chip on my shoulder from my own experience as a CISO/head of security, where I’ve worked with so many security people who talk about, you know, we have to enable, we have to do this, we have to do that. But they don’t actually do anything to back it up. So I wanted to basically build a set of services and a team to help companies do that. Prior to that, I was the CISO at the Centers for Medicare & Medicaid Services, an agency under HHS. I was there for a few years, did a few startups before that, and was in consulting prior to that.
01:32: You mentioned having a unique perspective on third-party risk management that differs from the industry standard. Can you expand on that and share your take?
Nabil: Last time we spoke, you mentioned that you have a very unique perspective on third-party risk in particular. You said it’s somewhat controversial, so let’s get into it. I love controversy, and I love hearing people’s unique takes. So what’s your unique take? And let’s dive in. Help us understand it.
Robert: Almost everyone has this general agreement that questionnaires don’t work. We’re collectively on the same page: questionnaires suck. We hate sending them, we hate receiving them, everyone hates them, but a lot of people are still doing it. Or we’re investing in platforms and tools to effectively make that process easier. We’re doing this sucky thing faster and at scale. I don’t know why.
Nabil: We’re pumping more money into something that we already know is not working.
Robert: Being in the government, I saw this at scale, where we are spending so much time as an industry focused on answering the questions of, is this supplier secure enough to work with? We’re going to ask the magic questions. We’re going to find the magic things, not all the banks that worked with this company prior. None of them were smart enough. They don’t know what they’re doing. We’re going to be the ones that ask the right questions in the right way, and we’re going to get to the answers. It doesn’t work.
Ultimately, there is, in my opinion, this fundamental misalignment that is happening there. Security leaders or security teams are incentivized to enable the teams that they’re supporting—we want to say “yes and” to the folks that we’re working with. We don’t want to tell everyone “no.” We don’t want every single request that comes to us to be a hill that we die on, and say, “no, you can’t work with this vendor.” We’re incentivized to say “yes,” unless something is really, really crazy.
At the same time, the vendor at the other side, receiving the said audit or security scorecard scan, questionnaire, or whatever, they are incentivized to answer things in such a way that it advances the sale because there’s big contract value on the other side of it. Small companies don’t typically do this. Big companies do this. Big companies have big contracts. And so there’s a big money incentive to do this.
We have this inverted Pareto distribution where we spend probably 80% of our time focused on stuff that really we can’t control. All that “are you secure enough?” stuff we have no control over, like we could learn things, but we can’t fix. All we can do is decide to work with that company or not, and so in my opinion, we need to spend more time focused internally on things like, are we configuring these things appropriately? Are we making sure that they’re integrated with our identity and access management? Are we monitoring? Are we building business continuity, incident response plans? Are we configuring SSPM, CSPM-type solutions against these things? Do we have a sense of what data is going into what tools? We spend so little time focused there, yet that’s the outsized area where we can actually impact risk.
I think we need to right-size that Pareto distribution. And for whatever reason, I feel like people generally agree that that’s a good idea, but the compliance drivers and the inertia of this is just how we have to do it. I can’t figure out why we can’t just flip the switch and move.
06:13: Do we need to think about third-party risk from scratch? Do we need a completely new, creative way of measuring third-party risk? Do we need to actually change how we measure third-party risk?
Nabil: I was always under the impression, or maybe this was just wishful thinking, that all these big companies that do these third-party risk assessments and send out the questionnaires, etc., that by now there would be a standard and there would be maybe one agreed-upon body that does these assessments for all the vendors once, instead of the reality today, where every customer sends us their questionnaire, everyone asks the same question in a different way, and some of them ask completely irrelevant questions because it’s the same question for you, whether you are a pentesting provider, or whether you are a data center, or whether you are a vendor that comes to clean the floors every day.
Questions range from, do you have locks on your doors? Do you have employees that sit by a window where someone from the outside could look at their computer screen? And some of them really don’t make sense in today’s world, especially in a world where people work from home and etc., but a lot of times, the questions are wrong, and they’re asking literally wrong questions, and sometimes not even giving you the option to say that the question is not applicable to you. You have to put an answer in. And yet, we still haven’t gotten to a point where we can truly centralize this and reduce the burden on the vendors and the third parties to only do this once.
So my question for you really is why do you think we haven’t been able to get to that state? Why does everybody think they’re smarter than everybody else, and they’re going to somehow have this magic set of questions that’ll get answered. And two, is the approach completely wrong? Do we need to think about third-party risk from scratch? Do we need a completely new, creative way of measuring third-party risk? We can control third-party risk with techniques that you just mentioned earlier, with planning, recovery, detection, etc., but do we need to actually change how we measure third-party risk?
Robert: On the first part, I think a big chunk of that is this collective ego that teams have. There’s almost a built-in paranoia that security teams have: we can’t be overly transparent, we can’t share, we can’t do this because some nation state is going to sneak in and learn our secret recipes about how we ask our vendors questions, or whatever it is. So people are very secretive, they insulate, and try to do things themselves. I think there’s this sometimes misplaced tinfoil hat syndrome, I’ll call it, wrapped up in that.
But then building on that: do we need to rebuild or rethink third-party risk in general? I think there is a place for this—I don’t think we necessarily want to throw out all of that entirely, but companies need to do a lot more. They need to appreciate the fact that they’re not going to ask the right questions. For example, if I ask you, Nabil, are you an ax murderer? You’re probably going to tell me, no, I’m not. No, I’m not an ax murderer. Do you cheat on your taxes? No, I don’t cheat on my taxes, right? It’s a self-attested question, and you’re going to get an answer that aligns to what the person wants to see, the optimal outcome of whatever the relationship is.
Nabil: There’s no polygraph test that validates it later on.
Robert: Exactly. Companies and organizations need to appreciate that dynamic and just let their vendors supply what artifacts they do have. Maybe it’s SOC 2 Type 2s, maybe it’s ISOs—those audits are not perfect by any stretch; I’m certainly not advocating for that. But they supply those things, they supply questionnaire responses they have gone through, and they just kind of leave it at that, and then maybe they ask the 10 questions that are actually unique to the situation at hand.
So like, with the floor cleaning company, you might want to know, are you putting your people through background checks? Because that’s going to be way more important, probably, for the floor cleaning company than maybe another type of firm or a software vendor. For your pentesting vendor, you might want to focus instead on how the firm does data management, or how they share results, things of that nature that are contextual to the relationship that you’re pursuing with that vendor.
Fundamentally, we do need to shift more of our effort to thinking about how we are leveraging these vendors in our environments and apply security controls accordingly. For example, we do all of this stuff as CISOs, as security teams—we do monitoring, configuration management, vulnerability management, identity and access management. We need to think about and threat model each vendor relationship, classify them accordingly, risk assess them accordingly, and ask what kind of data are they handling, what type of mission and essential function are they supporting, so we understand where they fit in the org, and then we basically bring the appropriate security activities that we’re already doing to the vendor, the monitoring, the IAM, etc. Because instead we’re effectively taking our program, and we’re stretching it across this ecosystem that we have that includes both internal code, COTS tools, SaaS tools, service providers, etc. and we don’t tend to do that. We tend to think about third parties in this very unique, isolated way. I think that that’s just kind of a waste of time and a waste of money.
13:23: These challenges with third-party risk management aren’t hypothetical. They’re real situations we’ve faced. Can you tell us the story that inspired you to start your business, the Soft Side of Cyber?
Nabil: We know we’ve had an opportunity to work together for many years, and over that time, we’ve seen specific examples of this as well where we have, maybe software vendors that tell you, yes, I do code review and static analysis as part of my SDLC, and the attestation. Then later, we find an issue or something, and go, hey, show us your last static analysis report. And they go, what does that mean? Because they knew the word SAST, but they didn’t know that that meant static analysis. So they checked the box because they needed the deal done. So these are obviously real examples we’ve seen out in the wild. If I understand correctly, a lot of these things kind of motivated you to start the Soft Side of Cyber. And would love to understand from you what are some of the key motivations after witnessing these challenges in the industry, learnings from being a CISO in different organizations, government, private sector, etc., what were the key motivators and what made you finally take the leap and start this effort?
Robert: Throughout my career in security, I believe you’ve probably experienced this as well, like there’s a lot of security people who are jerks—they’re abrasive, they can’t communicate, they can’t get their ideas across in a concise, digestible manner. I’m not necessarily proclaiming that I do this very well.
Nabil: It’s a spectrum.
Robert: Some are better than others. I’ve worked with a lot of pentesters, for example, who are just abrasive. They like to do the mic drop report on the desk. Moving up to my role in the federal government where you’re the CISO, you’re pulling the strings, you’re calling the shots, you’re directing the budget, you’re setting the strategy. In theory, you should get the outcome that if you say, I want to go take that hill, we’re going to take that hill unless there’s some crazy obstacle that stops us. You don’t expect your own people to be squabbling along the way to the hill, and you never get there, but that’s effectively the equivalent of what kind of happened.
Looking at that third-party risk problem, I had this fundamental belief that we need to stop putting so much emphasis into assessing the vendors, and instead focus on what we’re doing internally. We spent a lot of money, a lot of time, a lot of energy trying to get our federal teams and the contracting teams that were supporting us aligned and doing things in the way that I believed they needed to be done. And for whatever reason, there was a lot of internal friction and inertia that was kind of pushing and preventing us from getting to that place. It was people being unwilling to take risks, people being unwilling or unable to voice their concerns in a way that made sense, coupled with, just broadly speaking, these other dynamics that I’ve observed in the security industry.
At the same time, we had incidents we were managing and such. My deputy, who I love to death, his whole background was digital forensics, so he was observing the same thing from his standpoint, seeing these very technical SOC analysts write an incident briefing for a political appointee that was talking about specific strains of malware. It’s way over their head and there’s no way we’re sending that to them. So we basically ended up having to rewrite it, adding in the missing pieces.
There’s a whole spectrum of skills that are needed to create an effective security professional and a lot of them are soft skills. That was our genesis: start advocating, publishing, talking about creating some conversation around the soft skills that go into cybersecurity, and that’s everything from communication to critical thinking to negotiation to building coalitions to self-care. We talk so much about burnout because we’re all burning out. There’s a lot that we can do to take better care of ourselves or support one another, and I like all of that stuff.
Drawing it back to third-party risk management, it was this inertia that was preventing us from getting to an outcome that we wanted. It was people who were kind of unwilling or unable to think critically. It was poor communication skills. It was struggles in our internal team culture that we had to work on. It was all sorts of things that were not technical in nature. It was a really eye-opening thing for me as a leader that we had all of these fundamental issues that we had to roll up our sleeves and work with our people on. In the government’s case, it’s in that space. It’s people who work for you, the feds, and the people who indirectly work for you, being the contractors.
20:20: Why do you believe soft skills are just as important, if not more so, than technical skills in certain situations?
Nabil: In my experience interacting with CISOs and other cybersecurity executives and leaders, I’ve started to notice a pattern where to be a good and effective CISO, you actually have to be more of a marketing and sales person than a technical security expert.
Now don’t get me wrong, I think you need to have a baseline of technical expertise and understanding of security and risk as a CISO, but the ones that are most effective at their jobs seem to have to shift their focus and become more of a marketer of what they’re doing internally within their organization, and also sell the program that they’re building to key stakeholders within the organization. The ones that do it successfully are the ones that are really good at communicating at different levels. They speak a language that the rest of the organization understands, and they’re thinking creatively on how to truly build and expand that culture of security within an organization. Do you see that type of a pattern? What other things should some of these security leaders be thinking about so that they can be better at the soft side?
Robert: I do see that pattern. I will say, I think there’s leeway in that for CISOs of slightly different backgrounds, depending on the organization that they’re working in. Let’s say you’re in a very product-heavy organization: you’re working in Silicon Valley, or some kind of tech startup or what have you. You can have a more engineering-centric head of security, or CISO, might not be called the CISO, but senior cybersecurity person. Even though you have that base of engineering product experience, you still need to be a strong communicator, a strong relationship builder, all of that stuff. And if you’re working in a highly regulated industry, your technical skills might be more grounded in compliance. They might be grounded more in corporate security practices, like IT, IAM, things of that nature, and in those cases, you’re still going to need to be a strong communicator. There’s a complementary skill set.
But generally speaking, yes, that is 100% true. You need to be able to evangelize and communicate what it is you’re working on, where you want to go, what’s the real risk in a given situation to the people who need to know, you need to be able to communicate all that stuff. As far as what leaders need to do, or what they should be doing, to improve on that front, I think one toxic habit that I’ve observed having mentored a bunch of people (including myself) is that we have a too common tendency to compare ourselves to others. Somebody, for example, that I’ve looked up to tremendously throughout my career is Jim Roth, fantastic communicator, amazing technical, amazing human all around, very well rounded, supremely successful. I could look at somebody like that and be like, I’m not today, where he’s at today; I have some kind of deficiency. I feel like what we can instead do is knowing that we need to improve on the range of soft skills that we have, is instead compare ourselves to ourselves. Don’t look at somebody else today. Look at yourself today. And you know, be looking at how you can effectively improve and be better than yesterday, and set a plan for where you want to go tomorrow and the day after.
When you start doing that comparison game, everyone’s in a different place. I’ve met security people who have come from sales and marketing backgrounds. For example, I studied sports management in school. It’s kind of a weird background, but I got a certain kind of training when I was coming into the field, and then I got dropped into the technical world. That’s going to be different than somebody who studied computer engineering, computer science, software engineering, what have you. We’re all different. We’re all coming out of this from our own kind of unique perspective. We have to focus on ourselves, not get in our heads and down on ourselves by doing the whole comparison game.
25:25: What cybersecurity advice would you give yourself if you could travel back 10 years?
Nabil: Let’s say I build a time machine today and send you back 10 years to go talk to yourself, and you get to give yourself one piece of advice. What is that piece of advice?
Robert: If I set aside all the personal things and focus on the cybersecurity stuff, I think the biggest thing I would probably try to drive home is this. Ten years ago, I was coming out of Cigital and getting into startups initially. I was stepping into this place of feeling like I’m responsible for the security of all this stuff, and so I have to show up and make sure it’s secure. I had to help myself understand that security is not the most important thing. It’s not the most important job in the room. One of the things that drives me nuts is when security’s job zero. Like, no, it’s not. Making money and building features, that’s all job zero. Security is probably a really important component of that. But it can’t be job zero. It’s always a supporting feature of what’s going on in an organization.
Helping myself really understand that early on, I feel like would have been really good, because when I was in those roles, I made a lot of stupid decisions that prioritized security over everything else. They were overly complicated, but they were more secure. They were harder to maintain. All of that trying to advocate for more hiring, I was very good at: advocating and storytelling. I don’t know that I actually should have done all of that. I should have maybe just advocated for more engineering support in the form of engineering team members that had an interest in security and took the security champions route, in retrospect, would have been much more effective. Driving that home early on would probably be the single most influential thing that I could have told myself.
Nabil: The lesson I learned in that similar vein is that security is one of the -ilities. It’s reusability, scalability, quality, etc. Security is just part of one of those -ilities that’s a property of things you’re doing to enable business, but it can’t be zero. It cannot be the end all be all, you have to actually function as a business. In fact, security is an opposing force against everything else, usability, scalability, maintainability, etc., so you have to make it an inherent property of your business. It can’t be just the sole thing that makes or breaks the business.
Robert: And it’s not even in business too, because, like in the government world, they’re in the business of the government. For example, CMS, where they’re providing, or basically paying for, healthcare services for Medicaid, Medicare, vulnerable populations and so like there, it’s all mission work. The NSA, it’s all signals intelligence. DoD, it’s all defense and protection. I traveled back from Canada yesterday, passing through the border. They all have mission work to do, and there’s no money to be made in that. But even in those situations, that’s the core purpose: making sure it’s done securely is one of those properties.
30:00: What are some effective ways where you could tell during an interview if someone has the appropriate soft skills?
Nabil: You mentioned that you’re a good storyteller, so you are always good at getting resources and budget as needed.
Robert: It’s my wife—I inherit any goodness that I get on that front from her.
Nabil: Credit where it’s due. Louise, thank you for instilling that in Robert. We’ll give a shout out to her. But being a good storyteller, you said you were very successful in getting resources you needed, whether it be hiring, investing in technology, etc. So as someone who hired a lot of people, what are some effective ways where you could tell during an interview if someone has the appropriate soft skills?
Robert: Early in my career, when I thought security was way too important, I definitely did this wrong a lot, and shot myself in the foot because I saw people who are rockstars talking about “I” and all their smart ideas, all the things that they could bring to the table, versus the “we” mindset and the things that they were doing for other people, that they sacrificed, or gave up or whatnot, and the just really simple metric of the balance between “I”s and “we”s that somebody ends up using showcases a level of empathy or a level of self-centeredness, depending on where on the spectrum you fall. I want the person who is going to express more empathy in the job that they’re coming to do, because doing software engineering is hard. Doing it securely, that’s even harder.
We saw that at Cigital all the time. I remember some of the folks that we worked with ripped apart, like the ESAPI framework. You’ve got this security tool, and you can’t even use that the right way. You have to do all of these things in the right context every time. It’s just so difficult to do security work right, and to do it right every single time, and seeing that security person who is expressing empathy for everyone else around them, I think is a really important metric and just a really simple indicator of that is the “I” versus “we,” or the way that they tell stories in their answers to questions.
32:57: What does it take to build a culture that allows you to retain top talent?
Nabil: Taking that a step further, then—what does it take to build a culture that allows you to retain top talent?
Robert: I think the definition of top talent is going to really vary depending on the org that you’re in, because having people who are extremely talented engineers might actually not be a good thing in the long run. I’ve worked with some of those people, and they can sometimes be really toxic team members. They have a kind of superhero mentality, where they step in and they save the day, yet they happen to own all the critical stuff and you have a bus factor, that kind of thing.
As a leader, you have to first clarify, what kind of team you are really trying to retain? And when you understand that maybe it’s a team of generalists, maybe it’s a team where you’ve got some generalists and some people who are just very senior and kind of lean in a particular direction in terms of specialty, but they’re not self-declared specialists. When you understand that, that I think is job zero for the leader who wants to retain their team. You need to make sure that you are putting your own ego aside as a leader and giving your people as much opportunity as they can to advance.
On the flight home from Canada yesterday, my kids were watching Home Alone 2. The bird lady had this line, “Everyone wants to be seen. Everyone wants to be heard.” And Louise, my wife, she’s like, “What brilliance coming out of Home Alone.” Just like drawing that in here, I think that’s right, everyone wants to feel like their work is seen and their work is appreciated.
As a leader, you have to be willing to make sure that the spotlight is shining on the people that are under you, that they have opportunities for advancement, and even if you can’t technically promote them. Everyone wants to be a CISO. Everyone wants the staff titles, the VP titles, or whatever. Sometimes you just don’t have those to give out. So, get creative. Think about other ways that you can promote people. You can help them build their brand on LinkedIn. You can help them get out and speak at conferences or network, or potentially even help them land new jobs, which I realize is the antithesis of retaining talent, but if you’re making that intentional investment in people and not in yourself on their shoulders, then I think people will be more willing to stay with you, work with you, follow you, help you achieve where you want to go, because it’s good for them along the way.
Nabil: Love it. That’s a great way to end. Thank you, Robert, for being here. This was fun. I’m glad we got to sit down and finally do this, and I’m sure there’ll be many more.
Robert: Love it. Thanks, man.
Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please reach out to us at podcast@netspi.com.