CHAPTER 5

Hiring the Right Cybersecurity Role Behaviors

Now for the next pieces in the puzzle: determining what behaviors lead to success in what cybersecurity roles and setting up corresponding behavioral interviews. The purpose of the behavioral interview question sets is to cause the candidate to think, to dig, and to reveal behavioral characteristics which will predict actual future behavior in the workplace. Behavioral questions call for the sharing of an experience which reveals or illustrates a behavioral characteristic relevant to the job, and upon which the hiring manager can differentiate candidates. In short, behavioral interviews should uncover behavioral characteristics, not just instances of past action. And to design question sets which reveal the relevant behavioral characteristics, you must first specifically identify what those behavioral characteristics are for each job.

Role Descriptors … in a Perfect World

Cybersecurity roles change every minute of every day. Inherent responsibilities, expectations, and knowledge needs vary based on industry. Marie explains her approach to work:

Marie: I don’t have a traditional background in cybersecurity and technology—I’m just a naturally curious person. When interviewing, they knew I had potential. I’m a quick and independent learner. Working in tech and IT gave me more of an opportunity to figure out how to poke around at things and understand how to break and fix them. There were times when I’d have a stack of computers to my right side that I’d have to run through re-imaging them or swapping out parts, while I was working on various software activities, and still helping out end users learn how to use the printers or whatever they needed assistance with in that moment.1

The behaviors Marie is inherently referring to are curiosity, desire to learn, and the ability to multitask. As a cybersecurity project manager, it makes sense that she is successful! In combination with the requisite technical skills, Marie has something more than a strong drive to learn: it's a drive to figure things out. The actual behavioral characteristic is the combination of a nearly compulsive drive to solve puzzles, a contentment when enveloped with things to do, and the need to continually explore. Her comment about understanding “how to break and fix” things is particularly revealing: a broken thing is not “bad,” so there is no stress or pressure to get it fixed to stay out of trouble. To her, something broken is an opportunity to explore, tinker, and fix. The creative destruction process matters to her.

The role descriptors we offer later in this chapter are illustrative and intended to inspire. While noting, importantly, that cybersecurity positions must always be specifically defined by the employer for each job role, what we provide below is a general framework within which job role functions can be matched with correlating behavioral characteristics. Adam Lee explains how his organization attempts to balance technical skills (Can) and behaviors (Will), alongside diversity and career lifecycle goals:

Adam: I mean we’re balancing a lot of company goals in our hiring practices: we have diversity goals, we have career lifecycle goals for the folks that are on board, we have a whole lot of things that interrupt the direct recruitment-hiring pipeline. There are other factors that we have to consider as we hire folks. I’m finding that in the cybersecurity area, we need a balance of squared-away folks that are smart in analytic discipline, but they’re also very technical, and that’s the hardest thing. Because if you’re just a network architect or you’re just kind of an IT type, just kind of a core-geek type, IT person, it’s sort of a different skill set than having the patience and focus of somebody building use cases for your SIEM, and sitting there and working cases in terms of when they’re seeing. Some folks aren’t cut out for it but it’s a difficult balance because you also need that technical skill set.2

For perspective, let’s frame this back into our Can–Trust–Will model. The challenge Adam articulates here can quickly become overwhelming unless you approach it with structure, and it’s the structure of Can–Trust–Will which keeps you on track. As Adam describes, it’s easy to get distracted when reviewing candidates who are highly qualified in the technical arena but appear to be a poor match for the communications and teamwork requirements. The key is to understand that the tech requirements are both easy to find and easy to filter for; they are binary: can the candidate do the tech work, or can’t they? That’s Can, and it’s quick, easy, and high volume. It’s also inevitable that most of the tech-qualified (and tech-trainable) candidates, those that Can, are not going to be hired. But that’s because the behavioral characteristics are rarer and more difficult to find. As Bill Thornton explains:

Bill: There are people that have lots of certifications and still can’t find their way out of a paper bag. And so, the interviews have to be a lot more probing to understand the technical skills. And then there’s a level of interpersonal skill with some of our people, particularly in this industry; there are people that just don’t have the requisite people skills for managers. And so we have a dichotomy sometimes between business people managing technical people, which is fine if they’re immersed in the technology, otherwise it creates a schism that—because the two can’t communicate—I think places the company at increased risk.3

Consequently, it’s crucial to structure your process of filters so each succeeding pool is more refined. Once you have the Can pool established, and you’ve gone through the Trust phase, the most difficult piece of our model awaits—the behavioral interview, which extracts Will. You’ll then have the candidates to whom you should extend offers. Many employers, recruiters, and hiring managers refer to behaviors as “soft skills” or “the non-techie stuff.” If the conversation calls for this type of language, we consider the category of behavior important enough to call them “foundational skills.” But regardless of how you’ve understood them before or what you call them, the most important aspect is to appreciate the value of behaviors as part of a job description, particularly with regard to how they correlate with job success. Paul Casale, using the term “soft skills,” highlights this “narrowing” process:

Paul: Where our sales team comes in, which is invaluable to us, is talking directly to managers, building relationships and really narrowing down not only what the responsibilities and main skills are, but what they really want to see in someone. They find what type of skill background they want them to come from, what kind of company or industry they want them to come from, the soft skills that may not always be in the job description. We then may even target companies that the manager may find would help a new hire adapt professionally and culturally.4

Obviously, in a perfect world, employers would get to choose from a talent pool bursting with “positive” characteristics including ability to multitask, ability to communicate, ability to remain calm under fire, and ability to exhibit a proactive mentality.

But not all roles need these ideal traits; some positions are actually well-served by behaviors that have negative connotations. What if your open role actually needs a candidate who is selfish, self-entitled, impatient, or overly critical? A great general example of this is the successful delivery driver. Anyone successful in this role needs to be a bit selfish; otherwise they’ll spend too much time looking for legal parking instead of double parking, making the delivery, and quickly getting on to the next customer. And that includes men and women, all ages and all colors. But the very best of them roll right down Main Street, block traffic, go to three different locations on foot, and then go on their way. It’s not that they don’t care—but it just doesn’t register. Why? Because they’re prickly, and all they care about is knocking out their deliveries and getting onto the next one. Recognizing the value in that prickly attitude is extremely important. It’s a behavioral characteristic which correlates to success in the job role.

In cybersecurity, there are many roles that may require seemingly negative behaviors. For example, whatever you call the job that is tasked with handling internal employees who have mistakenly clicked on a phishing e-mail, that employee must frequently act in a disciplinary function. You have to be able to say, effectively, “Listen, you really screwed this up, and it’s really important that you not do this again,” and have them respond, “You know what, you’re right. And I know that you’re the tech nerd who lives in the basement, but I really appreciate you coming up here and sharing the importance of this problem with me.” You have to have a certain amount of drive, a certain aggressive nature to you, tempered with restraint and diplomacy. And you have to be unconcerned whether the person you are speaking with is a midlevel accountant or the Chairman of the Board. This role could also likely include the requirement to tell senior employees—from the best salesperson, to the managing partner, to the CIO—that they simply must participate in the new two-factor authentication program (and, unfortunately, it typically is the more senior employees who refuse). To be able to say, “Listen, I know you’re in charge,” but still—“We have to have a talk,” while remaining forceful and respectful. You are telling them something that you know they don’t want to hear, but you are going into that conversation saying, “Look, I know you bring a lot of money into this firm, but as much as you’re bringing money into this company, I am making sure that money doesn’t leak out the bottom of the ship.” It takes a unique personality to come in and say, “This is important. I get that you don’t think that this is important, but it really is—and here’s why.” And you won’t let it go any more than the managing partner or CIO is going to let anything go that they think is important, because you are both a part of the team.

Spotlight: the New Perspective

An IT team lead for a software company came in needing advice on interviewing. The company was hiring twenty new people for its call center and five team leads (one of whom was our client) had been gathered together by their executive, handed a stack of applicant files, and told to “hire the best ones” (sound familiar?). Without any training or experience with interviewing or candidate evaluation, the team leads were struggling to select candidates who would succeed, or even just make it past ninety days. During our initial consultation we also learned that the company was struggling with a turnover rate of over sixty percent. Our client indicated that the candidates he hired seemed great during the interview and then either struggled to do the work or quickly engaged in disruptive behavior. Some quit, others had to be fired.

We quickly learned the team leads were interviewing candidates by doing what most people do: They would read the file and then sit across from an applicant and ask questions off their resumés. “I see you graduated from here, what was that like?” “I see you worked there, what was that like?” During our initial consultation, our client was very frustrated and he wanted to know how poor performers were slipping through their process. “How can they look so good in the interview and then be so bad when they show up for work?” We hear this question regularly, so we asked what has become our key initial question: “How long after hiring do you know whether a new person will succeed or fail?” His answer: “About two weeks.” This is typical, and also the best possible answer for us, because it leads us directly into the process of identifying the behavioral characteristics which form the foundation for the behavioral interview. The second question is: “Ok, how do you know? What does failure look like? What does success look like?”

Over the course of the next twenty minutes, we listened while he described in rather frustrated detail exactly what he observed in a person which made them fail and, on the rare occasions when they hired someone good, what made them succeed. After a few follow-up questions, we presented him a bullet point list of the four most important behavioral characteristics which he had identified as correlating with either success or failure in the job role. He confirmed the list, and within a week, we had question sets back to him for his next set of interviews.

Two months later we got a call and listened to his fascinating story. The interviews were done in groups—with the five team leaders interviewing approximately seven to ten candidates in a group (no kidding!). Four of the leads continued with their off-the-resumé questions. But when it was our client’s turn to speak, he proceeded with our behavioral questions in the “Tell me about a time when …” format. He indicated that the entire attitude in the room immediately shifted: the applicants started paying attention and giving thoughtful answers. And the other team leads began taking notes on the answers now being provided. Upon evaluating the results of the interview, our client hired two candidates that the rest of his colleagues had summarily rejected. In fact (and now he was laughing on the phone), the other four team leads teased him and told him he was “crazy” for hiring “losers.” His colleagues hired the same type of person they always selected. Six weeks later, both of the people he had hired based on his analysis of the behavioral interview were top performers, and every single one of his fellow team leads had at least one (and several had two) of their new hires either on performance improvement programs or termination trajectories, and a few of their new hires had already quit.

What was the difference? Our client changed his selection process based on what we taught him. And he did the most difficult thing which confronts someone who is just learning how to conduct behavioral interviews. He hired someone different. When you transition into a behavioral interview system, the first thing you’ll notice is the analysis will have you hire people you would have passed on before. And it will have you pass on the people you would have hired before. Now, this makes intuitive sense when the process is viewed as an academic exercise. Your old system resulted in bad hires and a high turnover rate, so to be better, your new system should cause you to hire different people. But it’s difficult because when you hire for fit and when you interview off the resumé, your process filters for “people like me” and the interview exists to confirm that feeling—and you’re back to making The Big Mistake. It’s confirmation bias at work. When you use a behavioral interview to extract differential data which correlate with success within the job role you are hiring for, very often that person will not “be like me,” but they will be who you need.

So what’s the challenge? The challenge is passing on the person who makes you feel comfortable and hiring the person who makes you feel uncomfortable. The good news? As you get more comfortable hiring people who make you feel uncomfortable, but who have the behavioral characteristics which correlate to job success, you’ll find you have a diverse workforce that performs at the highest level. What our hero learned is, it’s not whether he’s happy to see this person—it’s whether the new hire will get the job done. What he did was counterintuitive; he wasn’t hiring the person he was most comfortable with—he was hiring the uncomfortable, based on an analysis of “this is the behavior that I need in this role.” It takes a certain level of maturity to hire somebody that you might not want to invite to your house. In this case, maturity is revealed by understanding someone who is not like you, and through understanding them, getting to like them, in addition to valuing what their behavioral profile allows them to do.

And now we come to the general descriptors promised earlier in this chapter. The models offered in this book (which focus on cybersecurity and positions that inherently incorporate major cybersecurity aspects) should serve as a road map for certain types of roles and as a guide to the hiring process generally. Keep in mind as you review this section that every company interprets each of these roles a little differently, depending on corporate culture, industry needs, internal systems, and number of employees on the payroll. These are overviews which provide general categories of technical skills and behaviors that will get you started. But this is a departure point from which you must do your analysis to determine the behavioral characteristics which correlate with success for specific job roles at your company.

1. Chief Information Security Officer (executive level)

Technical skills:

• Create, develop, and keep current IT security policies, procedures, strategy, and architecture alongside relevant C-suite executives.

• Consistently review and proactively improve information security programs and guidelines.

• Implement the necessary security standards and frameworks (e.g., ISO 27001, NIST, and SOC 2).

• Implement security audits, tabletop exercises, and penetration testing.

• Balance security against innovation.

Behavior characteristics:

• Calm and focused under major stress.

• Organized multitasker.

• Communicates opinions with ease.

• Ability to clearly direct people.

• Solid decision-making skills.

• High confidence in ability to problem solve.

2. Network Engineer (mid- to senior level)

Technical skills:

• Build, maintain, and improve the network.

• Handle network design upgrades.

• Investigate relevant new technologies.

• Monitor network performance.

• Troubleshoot and respond to help desk escalations in conjunction with IT.

• Work with IT to plan, design, and deploy new technologies and functions.

Behavior characteristics:

• Quick reflexes.

• Passionate about subject area.

• Reviews information and situations critically.

• Note: does not have to be a major “team player” or especially socially adept, but must be able to communicate across teams.

• Attention to detail.

• Problem-solver mentality.

• Time management.

3. Incident Responder (senior level)

Technical skills:

• Evaluate and implement technical solutions, including artificial intelligence, big data analysis, and new technologies, to protect corporate information.

• Integrate incident response with governance and compliance.

• Ensure current and consistent practices alongside legal, regulatory/compliance, and the CISO.

• Monitor for events that could lead to an incident.

Behavior characteristics:

• Quick reflexes.

• Good communicator.

• Reviews information and situations critically.

• Can handle pressure well.

• Can act without emotion in stressful situations.

• Thorough.

• Attention to detail.

• Able to jump-start an effort without waiting for direction.

4. Systems Administrator (entry level)

Technical skills:

• Support system access control.

• Support maintenance and integration of authentication systems.

• Administer user accounts and support user administration tasks.

• Assist in security program management.

• Research and report on current security threats.

• Assist with the IT help desk.

Behavior characteristics:

• Social skills.

• Thorough researcher.

• Able to take direction with ease.

• Able to take criticism without emotional sensitivity.

• Good communicator.

Spotlight: Grace Under Fire

This wasn’t just another crisis. All of the backups were infected, and the virus was spreading to the backups of the backups, which were unfortunately still connected rather than kept offline (precisely the situation that offline or immutable backup copies exist to prevent). This was a traditional mid-size law firm, where senior partners vehemently objected to new technologies, and the budget for the cybersecurity team was always a battle. The CISO was quickly briefed with a phone call at three in the morning, at which point she was raring to go. Her plan of action was pointed: get on site, brainstorm with her team, and call for backup as necessary. In this story, we were the vendor and were sincerely shocked by the level of calm with which the CISO presented the problem. She effectively and efficiently explained the situation and what steps had already been taken, without assigning blame to anyone; she methodically talked through all the options that we offered. We all came together to stop the virus in its tracks, and then moved forward with a plan to deal with the aftermath of the disaster.

This outcome would have been impossible with a CISO who had different behavioral characteristics. Even with the exact same team with the exact same technical skills, the outcome would have been dramatically different. What a person actually does in a crisis is driven by who they are. And who they are is the sum of their behavioral characteristics. And if you specify what behaviors the job role needs, you can find them.

Uncovering Behaviors

Technical skill matters. Experience matters. But as we’ve just read, action matters even more. This is where we move past the technical performance aspects of a good employee, the Can, and on to behaviors, the Will, which is the glue that holds everything together. Uncovering the employment-focused behavioral characteristics for your particular organization’s cybersecurity jobs is essential to an effective hiring process. Adam Bricker highlights the balance between technical skills and behaviors:

Adam: Technical skills are super important, but combined with effective communication, collaboration, and character, you now have the ability to consistently affect how someone else makes decisions, how somebody else gets focused on what is truly important (not just urgent).5

Behaviors that correlate with success in certain job roles allow for team success, and failure is expensive. According to the U.S. Department of Labor, a bad hiring decision can cost a company as much as thirty percent of the employee’s annual salary—and the expense only goes up with seniority.6 Employment-focused behavioral characteristics can act as the single best predictor of successful job performance. Bill Brennan homes in on how he uncovers behaviors that lead to success in certain cyber roles:

Bill: If I’m a cyber defense analyst—I’m looking for people who are inquisitive. I’m looking for the people that are going to come into an interview and say “Hey, sorry I’m a little tired—I was doing this puzzle last night and I couldn’t find this piece and I couldn’t go to bed until I solved it.” Well, cool, I can deal with a couple of hairs out of place—that’s how you look at the world. If you’re an Information Assurance person who’s doing compliance audits, I want someone who is very detail focused. Show me things in your background or give me a way to draw out as I go through my interview process, even if it’s not directly in your work experience, those things that I believe are transferable skills.7

In many ways, the technical skill, the Can, is the raw material. It’s straight-grain pine to the homebuilder, curly maple to the cabinetmaker, high-carbon steel to the toolmaker, and fine silk to the dressmaker. But what is it that turns the maple into an heirloom table? What makes silk into a perfectly fitted blouse? It’s the ability to see what the raw material can become if it’s used properly. And in cybersecurity, the raw material of technical skill becomes the final product of security through tightly coordinated interaction. We call it Will, but to understand what a person will do, as opposed to what they can do, requires an understanding of willingness—the combination of capability and action. A person may be capable of producing a masterpiece, but if they don’t sit in front of the easel and put paint on canvas, no masterpiece will emerge. Fundamentally, and particularly in the security world, a person’s brilliance is irrelevant unless it is coupled with action. Action which directly correlates to the outcome you need. Can is important, but what a person Will do is fundamental. And the best method to determine what a person Will do is a behavioral interview.

Behavioral interviews require more resources than the resumé-based interview. In addition to crafting the right behavioral question sets, hiring managers may need to be trained on best interview practices, and train other employees as well—time and expenses that come with implementing new procedures. So does every single candidate that reaches the Will phase need the behavioral interview? Yes. Absolutely.

The behavioral interview is a digging process, a deep dive into the history of behavior of each candidate who makes it to the Will phase. You are extracting differential data which correlate with success in the job role. But much of what you learn about each candidate will be Failure–Coachable, and some will be Failure–Noncoachable. Consequently, as you work through the question sets and help the candidate dig for relevant stories to share, you are also beginning to assess the data as the candidate shares it with you. And as you get better at conducting the behavioral interview, you will develop the ability to make accurate initial assessments regarding which data go in Failure–Coachable, which are Failure–Noncoachable, and which indicate Success. And just because a candidate has made it this far and has taken time out of a busy schedule to attend the interview does not render that candidate somehow more qualified. If a candidate is clearly Failure–Noncoachable through the first few questions, then doing anything other than ending the interview early and advising the candidate they will not be hired is unfair to the candidate and a waste of time for both of you. If you know what you’re looking for because you have done the deep analytic work, you will continually be surprised at how very quickly you know whether any given candidate possesses or does not possess the behavior characteristics your job role requires.

This is one of the first lessons woodworkers learn. Many come into the hobby thinking that they will spend most of their time cutting and shaping wood. They quickly find that joinery depends on the precision of the cut, and the precision of the cut depends on how the tools are set up. As a result, most of the time spent in woodworking is devoted to setting up tools and rechecking to ensure everything is correct before turning on the power. The cut itself only takes a few seconds. The behavioral interview is the same—it takes a good deal of time to set up correctly, but sometimes just a few minutes is all that is required to know whether you have the right person, or someone you can train to be what you need, or someone who will find success in some other job role at another company.

For large companies with vast cybersecurity teams, behavioral interviews for what Wheeler Coleman calls the “worker bees” might seem unnecessary, but as Wheeler points out, upward mobility and the changing nature of the field inherently support the importance of the behavioral interview for all:

Wheeler: I believe that behavioral interviewing should be an integral part of all job interviews. For IT roles, we tend to focus on the technical matters such as whether candidates know their craft, and whether they understand the concepts and the technology around it. Typically, the “worker bees” are not necessarily hired based on their personality or their soft skills. For example, I’ve hired many technicians with great technical skills, but they had no personality. As a result, I couldn’t put them in front of internal or external clients and customers. Instead, I would leverage their technical expertise and never expose them to clients. Even though the nature of technology allows specialists to only interact with their devices and the software, the tide is changing. And, of course, the higher up you are in the organization, soft skills are extremely important to be successful.8

For smaller companies, the behavioral interview is definitively a necessity. With smaller cybersecurity teams, everyone is put in the spotlight. As Austin Berglas explains, every team member on a smaller team wears multiple hats:

Austin: Everyone on my team is prepared. If you’re on a call and a client says hey, we have a question about the threat hunt that you just did, then we all turn to the analyst, who has two years’ work experience out of college, who is responsible for doing that threat hunt, he has to come up with the answers for the client. So, everybody needs to be client-facing, it’s just, depending on the level of seniority, how much expectation is there for actually meeting a future client.9

Within a smaller cybersecurity team, everyone becomes client-facing; everyone knows each other; and the team dynamic is more pronounced. The behavioral interview is the only way to determine whether a candidate is willing to interact in the way the boss needs, the team needs, and the client needs.

We’ve spent a good deal of time discussing efficiency in the Can–Trust–Will process. And the efficiencies are important to extracting the data you need in a cost-effective way. Behavioral interviews are difficult and require the most time and resources of the three phases. So, while placing the behavioral interview at the end of your hiring process makes it a lower-volume and less time-consuming step than it would otherwise be, it will still be where you spend most of your time and resources. Can and Trust are the steps which allow you to focus your binary decision making where it will have the most effect. These first two phases are where you find and refine your raw material. The hard work is the behavioral interview. But it’s worth the effort.

Frequently, cybersecurity professionals do not have typical backgrounds—this is a truth clarified in earlier chapters. The behavioral interview allows the hiring manager to seek out the desired behaviors by digging into all experiences, not just cybersecurity-themed professional experience. As Bill Brennan explains:

Bill: I was hiring for a position nine months ago, and the guy had just finished his master’s in cybersecurity, but didn’t really have any practical experience. But I ended up talking to him for twenty minutes on his experience as a professional musician. And he kind of stopped me eventually and said, “Listen, I really appreciate the interest and I’ll talk music with you all day but I don’t get it—why do you care?” I said, “Well, music composition, the ability to create, the ability to manage all the complexities of being the tour manager like you’re talking about—those are all transferable skills to what I’m interviewing you for.” And he said, “Oh, yeah, I guess you’re right.”10

Bill understands the difference between behavior and application. The behavior is the candidate’s willingness to do what Bill needs done. The application, whether it’s in music or network penetration, is much less relevant. John Avenson echoes this sentiment, with a different anecdote:

John: A few years ago, we were looking for a help desk person. Among the many applicants was a Marine veteran who was in transition back to civilian life. He was looking for a job in IT while working toward a degree in technology. We asked a typical question relating to handling stress—something like, “Give us a sense of how you handle pressure, perhaps when a server’s not working or when the network is down.” He admitted honestly that he could not answer the question because he did not yet have those IT experiences. Knowing he could handle stress, I rephrased the question—asking him to give an example of an experience in the Marine Corps where he worked through a stressful situation. He told a story of how he and a couple other Marines needed to fix a broken CH-46 helicopter that landed in the middle of the desert during active wartime in Iraq. They needed to get the helicopter in the air within a few hours, otherwise it would be demolished. Well, that mentality is what we look for: somebody who can take charge and solve a crisis without necessarily waiting for somebody else, or someone who can take on that risk and responsibility. He got the job. His aptitude enabled rapid technology skill set growth, and he is now taking charge as Target Field’s Broadcast Engineer.

Again, you need to know what you are looking for, with a well-thought-out job description. The right behaviors could come from musicians to Marines, as long as they are tech trainable.

Spotlight: Teamwork and Trust (and the Uber Data Breach)

A terrifying amount of data was stolen as part of the 2016 Uber data breach: 600,000 drivers’ names and driver’s license information, and the names, e-mail addresses, and phone numbers of fifty-seven million Uber riders.11 But these staggering numbers aren’t even the truly terrible part of this breach; what’s worse is that Uber attempted to cover it up. The hackers apparently e-mailed Uber detailing their access and asking for money—and the (now former) Uber Chief Security Officer and his senior deputy took the bait, paying them $100,000 to keep the incident under the radar.12

How could this happen? And we don’t mean the breach. Cybersecurity is a lot like riding a motorcycle. They say there are two kinds of riders: those who have gone down on the pavement, and those who will go down. In cybersecurity, the dichotomy is those who know they’ve been breached, and those who don’t know they’ve been breached. Breaches happen; they are a nasty part of the cybersecurity world. But this is not about the breach. This is about the response, and how a person capable of such a terrible response could ever find their way into a position of such great responsibility.

Since everyone in cybersecurity knows the risks of breaches happening and also knows what to do in a data breach situation, how could a person, skilled enough in cybersecurity to be selected for the role of CSO at a company the size of Uber, essentially run, hide, and lie when disaster struck? The answer starts with looking at the observed behavior and, in an almost detached way, asking: “How must a person feel in order to act that way? How must a CSO be feeling to run, hide, and attempt to cover up a data breach which most assuredly cannot be covered up?”

Panic? Sure, he panicked. But we need to go deeper—why the panic? In general, a panicked cover-up happens when a person feels: “OMG—if people find this out, I’ll lose my job.” That’s the visceral drive which causes a person to panic, then scramble, and often engage in a variety of self-destructive and sometimes criminal behaviors. But let’s go deeper—what is the root cause of the “OMG, I’ll lose my job” feeling? Part of the answer for any given person may be found in the corporate culture. If the company operates on a blame-and-terminate paradigm, then the fear of losing your job is rational. If someone gets fired every time something bad happens, then you can expect to be fired, and there’s really nothing to be done about it. But let’s look at the situation where that type of corporate culture does not exist. What happens in a corporate culture where blame is not assigned when disaster strikes? Do people in these “non-blame” cultures never fear being fired? Or is there something more? A person who fears being fired in a non-blame culture doesn’t panic because of a rational fear of being fired; he panics because he doesn’t have belief in himself.

What does that mean? The people who panic become focused on lying and covering up to save themselves and do so because they think they can’t fix the problem. They have a deep-seated lack of faith in their own abilities. They don’t think they can respond effectively; they don’t think they can respond quickly enough; they don’t think they can rely on the people around them; they don’t think the team can solve the problem; and they don’t think they can solve it either. Furthermore, they don’t even think they can clean up the mess well enough to save themselves. They get overwhelmed and panic for one reason: lack of self-confidence; more specifically, a lack of confidence in their own ability to do what needs to be done. And this is an issue that can lead to destruction of a team. As Amanda explains, the folks in her cybersecurity department trust one another:

Amanda: While our department has multiple tracks, we’re not siloed. It’s still important for everyone in the department to be apprised of all the different projects, issues, and incidents to ensure that we’re covering all our bases; this also provides the opportunity for different perspectives, and so we’re all in the know, in the event the user or someone at the C-level asks us a question. It’s about collectively being our best for the protection of the organization.13

Cybersecurity teams must trust one another—to be transparent, to be updated, and to do their best to “protect the organization.” How does this relate to hiring? Certainly, you don’t want your CSO in fear of losing his or her job, particularly for things which are beyond anybody’s control. And that’s a matter of good leadership working to create a high-functioning corporate culture. But what you also want is a CSO who is concerned about the security of the company, damn the personal consequences. And that means two things: First, you actually need to have a person with the behavioral characteristics which drive them to do what’s right. Someone with the attitude, “Company first, me second.” They must have ethics, and we address that in the next section of this chapter. Second is making sure you have a person who’s not worried about their ability to fix anything that’s broken or to clean up any mess, no matter how bad. The behavioral characteristic missing here was self-confidence. Michael Woodson has a laser-focused perspective:

Michael: Another trait I look for in potential talent is truthfulness. In IT, things happen. Someone can move code in production and issues can occur. I want to hear the truth … a mistake happened. I want to hear “Oops, I grabbed the wrong module,” versus, “I don’t know, somebody else must have done something.” I want to be confident that a person will admit to moving the wrong set of code in production. In IT, we need truthful people. If not, they could send us running down the wrong path. I’m not going to fire a person for making a mistake and admitting to it. But I will terminate someone for lying about a mistake that they made. I don’t want this type of person on our team. They need to be willing to say, “I’m not perfect.”14

Do you really want a CSO who is anything other than one hundred percent confident that he or she can recover from a ransomware attack? Can you afford not to have that behavioral characteristic in your CSO? In your threat assessment team? Anywhere in your organization? You don’t have to—all you need is a good set of behavioral questions and a hiring manager who knows how to conduct the interview. It is very simple, and should be one of the first questions asked: “Tell us about the last time you faced a ransomware attack. Who did you communicate with, and how did you focus on saving the company?” Because it’s not “if,” it’s “when.” Every cybersecurity team will face this crisis, so as Amanda put it: “How will you be your best for the protection of the organization?”

We suspect that Uber did not ask this question. We suspect the company did not identify the crucial behaviors necessary for its CSO to be successful in a crisis. And if Uber did, they certainly did not collect differential data on his behavioral characteristics. If it had, it would have easily been able to determine this guy was great when things were great, but in the face of personal risk, he would aggressively protect himself at the expense of everyone and everything around him. T.J. Harrington explains how government experience translates into the private sector “concern” or “mentality” of putting the company first:

T.J.: I was coming from the government space where mission was more important, where it was about the name on the front of the jersey, not the name on the back of the jersey. I used to bring that up all the time in my interviews with candidates for Citi. In the end, it’s about the corporation’s success. It’s about the organizational success. And I was looking for people who were willing to make the sacrifices necessary to put the organization first, which we saw at the Bureau all the time. And that’s one of those questions that I would have had in my interview package—to get them to articulate to me the sacrifices they have made in past jobs to ensure the success of their team or their organizations.15

The most important take-away is this: you can extract data which reveal the behaviors of everyone you interview so you can create your team and get on the vector to success. As T.J. continues:

T.J.: It is critical that we have the right people. It’s critical that they play as a team. And so teamwork becomes an attribute that I’ve got to define for them. And then the technology is just a tool that leverages their ability and helps leverage their work and helps them to be successful. Some of the best companies that have had some of the darkest days in cyberspace have had good technology, but did not have great teams, or the right people working for them to manage.16

If you identify, in detail, the behavioral characteristics required for any job (including the CSO), then you can build behavioral question sets and conduct a behavioral interview which will extract the data you need to determine whether the person sitting across from you Will do the job you need done. Uber didn’t, and paid the price for it.

Will and Ethics

If you accept that who you are drives what you do, and circumstances can impact what a person does, you’ll also understand that some people perform well when things are fine, but they erode drastically when things go badly. On the other hand, some people are as calm under stress as they are when things are fine. This is really the intersection of Trust and Will, which is ethics. What really drives a person’s behavior? Opinions vary, and we don’t intend to do a deep psychological dive here, but we do have a simple point to make. Behavior is driven by values, and values are driven by ethics. Part of understanding what a person will do is revealed by understanding the nature of their convictions. And that means understanding their moral compass.

We’ve long known that the most effective anticorruption measure a company can have is to hire people who are not corrupt. And to get there, the hiring process must do more than seek alignment with company values. It should examine each candidate’s moral compass. It is possible to interview for a moral compass and to differentiate for ethics. And really, you can’t afford not to. One of the many good questions which reveal someone’s moral compass is, “Tell us about a situation where an authority figure (parent, teacher, boss) wanted you to do something you thought was wrong. How did you respond? What did you do? How was the situation resolved?” Chapter 6 will discuss the process of what to listen for and how to ask follow-up questions, but this examination is key.

John Kolb takes the complexities of ethics and distills it down for use in cybersecurity hiring:

John: I look for people that are first and foremost highly ethical. If you want to stay in Catch Me If You Can-type of mode then go find a job somewhere else, because I’m not going to waste my time with that. I want people that give me straight answers and are going to be very upfront about what they’re doing, why they’re doing it, and so on. I do think you want to find people that are good problem solvers, whether they have a degree or not. Do they know how to parse something apart, really think their way through it, and know which threads to really pull? How to triage across many issues requires someone that is very persistent.17

The reality is, people don’t really make mistakes when it comes to acting in accord with their values. They may face unpleasant consequences which, in retrospect, they would like to have avoided, but at the time of the action, they always choose a course of action aligned with who and what they are. Regret, generally, is the bad feeling driven by unexpected consequences, or more precisely, by a consequence which they expected to avoid, and not by a “mistaken” value judgment. As a result, you can know a person by the choices they make, because they choose in accord with their values. The point is: people engage in unethical behavior because they’re unethical, and a lack of ethics can be revealed during a behavioral interview.

As with the Uber data breach, and in the aforementioned quote from John Kolb, there are certain key ethical components when working in the cybersecurity world. Will the candidate act with integrity? Will the candidate speak honestly? For Adam Lee, it’s simple:

Adam: Dominion is a core values company, so the business case for anything you want to do, you’ve gotta cite it back to core values like excellence and ethics—all of the things that impact company culture—that if you’re not constantly reinforcing you’ll lose. If you’re highly qualified, but you show up and you’re clearly not Dominion material in terms of how you answer these questions, how you represent your integrity and how you do those things, you’re not getting a job, I don’t care what your qualifications are.18

Generally, ethics is not simple. It’s not just about whether a person lies, cheats, or steals; these things are important, but they are also both binary and simple—you do these things or you don’t; you’re honest or you’re not. Consequently, they are easily disposed of during the Trust phase. Ethics is more substantial: it’s about right and wrong, it’s about the values a person holds, which not only result in honesty but also structure how a person interacts with a broad range of people in a variety of situations. That’s why ethics won’t be revealed in the Trust phase. The Trust phase, fundamentally, is about honesty, while ethics, moral compass, and the values upon which they are built are much deeper.

The key to understanding a candidate’s ethics is to ask behavioral questions that bring out right and wrong, and examine not just what the candidate’s values are, but also how the candidate makes value judgments. In the cybersecurity context, this can mean looking at how a candidate performs when forced to choose between moving quickly and staying within an ethical framework. Such an inquiry requires a close examination of how a candidate adheres to values when the circumstances are difficult. This could be about the moment ransomware begins to spread across the network, when the process of “shutting it down” also requires obtaining authority and reporting it within the business and externally. Or it could be about whether and how to hold accountable the senior executive who refuses to use an encrypted VPN connection when working from home because of the “hassle.”

But you need to ask the questions—and only a behavioral interview will get you there. Imagine sitting across from a regulator who is reviewing your response to a malware attack, or being under oath before a Senate committee reviewing how your company responded to a data breach, and being able to articulate how you differentiated for moral compass during hiring.

Part of the key to ethics and building the moral compass into a business culture is to regularly reconsider and rethink values. The danger with codes of ethics is that they become dogma, merely a rubric to follow. When that happens, the values upon which ethics are based begin to lose meaning and become rote. Values have to be continuously tested, not to the extreme, but stressed enough so you are reminded they are real and they have purpose. As we examined in the Uber case, part of ethics is how you prioritize yourself and your own interests against the interests of the business and against the interests of others. Never practicing these thought processes, and failing to keep your moral compass fresh, leads to disaster in the same way never having a fire drill leads to chaos when there’s a fire.

It is vital to act ethically and consistently, to execute according to your code regardless of consequence. This extends to the idea that part of ethics is pride: how you value your own behavior against how you value the behavior of others. It’s the hidden problem with moral high ground: adherence for its own sake rather than adherence because it fosters the moral outcome. Paul Maurer explains the Montreat premise:

Paul: We approach the cyber problem with a Judeo-Christian worldview. It’s how we seek to operate, and it’s the framework of how we teach cyber ethics. It’s not the only moral lane in the world, but it’s our lane. And even people who wouldn’t necessarily agree with our particular lane, or all the particulars about our lane, agree with the basic premise that you have to have people of ethics and character as cyber operators and leaders.19

We share Paul’s perspective regarding the importance of ethics in general, but his point about the interaction of people with differing moral codes is crucial. Own the lane where you operate, but recognize there are other lanes. Be careful of summarily dismissing those who don’t share your specific ethical system; rather, seek to understand what they believe. Find common ground. Remember, people are predictable because everyone acts according to their values. Understand a person’s values, their moral compass, and you can predict what they Will do. If you can find common ground, you can probably find a way to build a trust relationship with a person even if you do not share an ethical code or deeper moral common ground. The key is never to presume they will act in accord with your values, but rather that they will act in accord with their own.

1 M. Chudolij, in discussion with the authors. July 24, 2020.

2 A. Lee, in discussion with the authors. July 09, 2020.

3 B. Thornton, in discussion with the authors. July 29, 2020.

4 P. Casale, in discussion with the authors. June 26, 2020.

5 A. Bricker, in discussion with the authors. July 13, 2020.

6 F. Fatemi. September 28, 2016. “The True Cost of a Bad Hire—It’s More Than You Think.” Forbes. www.forbes.com/sites/falonfatemi/2016/09/28/the-truecost-of-a-bad-hire-its-more-than-you-think/#a72bc2f4aa41

7 B. Brennan, in discussion with the authors. August 04, 2020.

8 W. Coleman, in discussion with the authors. August 12, 2020.

9 A. Berglas, in discussion with the authors. June 30, 2020.

10 B. Brennan, in discussion with the authors. August 04, 2020.

11 Uber. 2016 Data Security Incident. www.uber.com/newsroom/2016-data-incident/

12 D. Etherington. “Uber Data Breach from 2016 Affected 57 Million Riders & Drivers.” TechCrunch. https://techcrunch.com/2017/11/21/uber-data-breach-from-2016-affected-57-million-riders-and-drivers/

13 A. Tilley, in discussion with the authors. July 02, 2020.

14 M. Woodson, in discussion with the authors. July 20, 2020.

15 T.J. Harrington, in discussion with the authors. July 31, 2020.

16 Id.

17 J. Kolb, in discussion with the authors. July 28, 2020.

18 A. Lee, in discussion with the authors. July 09, 2020.

19 P. Maurer, in discussion with the authors. July 13, 2020.
