47
Dan Tentler

Closeup image of the executive founder of Phobos Group “Dan Tentler.”

“The cold, hard reality is that one or two talented folks and some automation tooling could easily replace a SOC or security department of a dozen people who have no clue what they're doing.”

Twitter: @viss

Website: phobos.io

Dan Tentler is the executive founder of Phobos Group. He has a long history of both attack and defense roles, as well as public speaking engagements and press interviews. Dan has made a name for himself and Phobos Group by approaching security from an entirely new direction, resulting in routine discoveries that have had a major impact on customers as well as the greater security landscape.

Do you believe there is a massive shortage of career cybersecurity professionals?

I think that there are several moving parts here and that it is not as simple as “there aren't enough people.” I think that the influx of candidates who are comfortable being dishonest when representing themselves and their abilities is polluting the job market. I also think that recruiters are amplifying this problem by forcing unqualified people into positions that require experience, and I also believe that businesses are happy to hire people who have little to no experience and call them “seniors,” because the vast majority of businesses in the United States are, for some reason, comfortable putting their safety and well-being into the hands of dilettantes.

It is unfortunate when businesses elect to take the “Whatever, we're insured” or “We'll just do the absolute bare minimum that the compliance statutes require of us and not a hair more” path. All of this results in a situation where businesses “can't seem to find enough talented people” and will complain about that. The cold, hard reality is that one or two talented folks and some automation tooling could easily replace a SOC or security department of a dozen people who have no clue what they're doing because they paid some guy in India to take their OSCP exam for them or bought a CISSP boot camp so that they could get past the HR firewall and land a job they aren't qualified for to work for an organization that only cares about doing whatever the bare minimum is to make the auditors go away for another year. Changing this means a massive, fundamental change in how security is conducted, and it starts with throwing away the status quo, which won't be comfortable for everyone playing security theater.

What's the most important decision you've made or action you've taken related to a business risk?

Almost every other startup founder has told me horror stories about taking VC money. I think we dodged a bullet by not seeking funding out of the gate, and this keeps getting reinforced every time I hear about another startup who took funding and fizzled out or got “acqui-hired” or otherwise didn't get where they wanted to go.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

It took me literally years to rewire my brain. The only way to get things done is to presume that the folks you're working with are adults and will behave appropriately. Sometimes hard decisions have to be made, and the wrong choice will devastatingly hurt your business. You just have to be okay with telling people things that suck sometimes.

What's something that you struggle with as a leader and how do you overcome that?

They say never hire your friends. I didn't believe that saying. I was wrong.

How do you lead your team to execute and get results?

Setting goals and objectives with deadlines in plain English. Make it simple for everybody, and make it clear and easy to understand. Being part of a small company means wearing lots of hats, so just being clear and communicating well applies no matter what the job is.

Do you have a workforce philosophy or unique approach to talent acquisition?

Referring to the first question, we've found it challenging finding honest candidates. The signal to noise ratio is terrible. The “right people,” when presented with the work we do, will find it fulfilling and interesting, so that part is handled.

Have you created a cohesive strategy for your information security program or business unit?

Yes. Taking into account the sentiments from folks like Haroon Meer and Alex Stamos, the enemy of productivity is complexity, so we're redefining security by throwing away all the fluff and complexity added by companies that exist only so that those companies can sell the “decoder ring” to solve that complexity. Fortunately, as a security consulting firm, our corporate strategy is pretty straightforward: do what makes the customers happy and improves their security posture!

What are your communication tips for interacting with executive leadership?

Get to the point, and decide what is important. Surface problems and concerns early; be prepared to make hard decisions. I'm the executive founder, so from where I sit, my communication strategy is essentially the same for everybody.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

Find out what folks are interested in. Encourage people to adopt hobbies. Talk to folks about their hobbies. Avoid playing devil's advocate all the time, and avoid being snarky all the time. Constant, persistent contrarianism makes people think you have a terrible attitude, and attitude counts for everything.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

Yeah, but they're all sysadmin books. I feel strongly that if you have no idea how a system works at all, you are going to be a terrible defender or attacker. Understanding the systems you want to either attack or defend is a critical prerequisite.
