Jake Williams

“My biggest challenge is letting the little things go.”

Twitter: @MalwareJake

InfoSec professional. Breaker of poorly written software. Incident responder. Digital defender. Business bilingual. Jake Williams treats InfoSec like the Hippocratic oath: first do no harm. By addressing realistic risks, Jake helps businesses create secure environments that actually function. He penetration tests organizations so they can find the weak spots before an attacker does. When an attacker does find a weak spot first, Jake works with the organization to remove the attacker, assess the damage, and remediate the vulnerabilities that allowed the attacker access in the first place. Jake is also a prolific conference speaker, an instructor, and an InfoSec mentor.

Do you believe there is a massive shortage of career cybersecurity professionals?

This is such a hard thing to answer, because if you left “career” out of it, I would have said no. But by adding “career,” I think the answer is yes. I think there are plenty of people who want to get an InfoSec job because they want the money the field promises. But I think InfoSec salaries are more a result of supply and demand than skills. For example, many InfoSec jobs don't require more expertise than systems engineering, yet in many cases we're compensated differently. Bridging the gap will be difficult but will largely involve mentoring those who truly have passion for the job and not the money.

What's the most important decision you've made or action you've taken related to a business risk?

Recognizing that we can't do everything well. We're usually resource constrained and have to make compromises. If you prioritize everything, you prioritize nothing. We like to joke about “accepting the risk” in InfoSec, but there's nothing wrong with accepting risk. The issue is when you “accept” the risk because you ignored it. But choosing to accept a risk because you lack the resources to do everything well can be a good decision. Given the resourcing choice between doing everything in a mediocre way and simply not doing some things at all, I'll choose the latter. Then we need to brief decision-makers as to why we chose our priorities and what we chose not to do. Unsurprisingly, “We aren't doing this at all because we lack resources” gets more attention than “We are doing a lot of things suboptimally because we need more resources.”

If you prioritize everything, you prioritize nothing.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

If it's a hard decision, I probably shouldn't be making it alone. I should be involving others in the org. At Rendition Infosec, we have Voltron—the group of people who come together to make those “hard decisions.” The Voltron name is a nod to the fact that while we're each capable and accomplished on our own, we can come together to form something so much more powerful than any one of us alone.

Process is where I spend most of my time. In a pure leadership role, you probably shouldn't be making technology decisions. Those should almost always be delegated (with appropriate oversight). Get your team to research and justify the correct technology decisions. People decisions should also largely be made by the team. Especially if they aren't direct reports, they'll be working more with the team than with you. Get the team involved in the people selections.

In a pure leadership role, you probably shouldn't be making technology decisions. Those should almost always be delegated (with appropriate oversight).

What's something that you struggle with as a leader and how do you overcome that?

My biggest challenge is letting the little things go. My company, Rendition, was founded by intelligence veterans, and extreme attention to detail is often the difference between success and abject failure in operations. That's not to say that I'm a crisis person (someone who sees everything as a crisis). It's a balancing act understanding what you can and can't let go without risking an operation (yes, we often internally refer to engagements as operations).

How do you lead your team to execute and get results?

Delegate, delegate, delegate. Delegation is a real force multiplier. Get out of the way and let mid-level management do their thing. But also ensure that they know you're there for them. One of the rules I have is “I'd rather you bring an issue to me early if you don't know you can handle it.” Most operational risks were identified early by someone but not addressed correctly or in a timely manner. Good leaders are like good parents—provide direction, but get out of the way so you can grow mini-mes (who despite your best efforts will sometimes make mistakes).

Do you have a workforce philosophy or unique approach to talent acquisition?

Relationship counselors often advise their clients to learn their partners' love languages (side note: you totally should; that totally would have saved one of my marriages). Learning your co-workers' and reports' affirmation languages is equally valuable. Beyond a certain dollar point, the money doesn't matter. But people want to feel valued, and different things make different people feel valued. Learn what those things are, and apply them on a regular basis.

What are your communication tips for interacting with executive leadership?

Don't sell executives fear, uncertainty, and doubt (FUD), and don't try to impress them with technical wizardry. Executives by and large understand that security is an issue. They're not looking for FUD; they're looking for ways to address their issues that make sense from a business standpoint. InfoSec is a cost center, and we're only here to protect the profit centers. Stop pretending solutions don't have costs—the least of which is usually licensing. If a product/process/policy impacts the business negatively, you need to address that up front. Anything less will be seen for what it is—disingenuous.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

Listen. No really, listen. My employees will tell you that I'm regularly in the office (even off-hours for the SOC night shift) discussing operations with them. I'm not the CEO of the company, though, so I have to continue the relationship with my CEO. Most of that is listening as well. Empathy plays a big role here too. Sometimes I'm not happy with a decision or outcome, but if I can empathize, that makes a big difference in not sounding judgmental.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

I don't personally, but it's only because I always remember that revenue-generating units are the only reason the organization exists. Instead of saying “No, you can't,” I'm all about “How can I help you meet your business requirements most safely?” If you adopt that attitude, it's amazing how much less friction you'll encounter.

Have you encountered challenges collaborating with technology teams like information technology and software development?

You might have already figured this out from my earlier answers, but I'm big on understanding motivators. Nobody says, “Let's go do this horribly insecurely!” Either they don't know better or they have competing objectives (most often it's the latter).

Development teams are concerned with release schedules. Penetration testers can derail those schedules or put them in a position where they have to ship software with known vulnerabilities. Embedding a penetration tester on the development team (even just one day a week) can help find issues early when they're easier to fix (and before a code freeze).

Likewise, IT is primarily concerned with availability of assets. If security tries to mandate things that jeopardize availability, they're likely to be met with resistance. There are three ways I overcome resistance from IT. First, I work with business leadership to get vulnerability management and security architecture written into IT job descriptions. Now it's not “my priorities versus your priorities.” Second, we prioritize realistic risk. If we need to fix a real issue, I'm not reporting “insecure cipher suite” vulnerability scan results like they're the end of the world. Focusing on realistic risk keeps me and IT marching in step together. Finally (and this is most important), don't talk down to IT like “You just don't get it.” Take the time to explain why a vulnerability is serious and how it can be exploited. When I hear “Nobody would ever think to do that,” I have a slight advantage in that I've been a nation-state hacker and can just say “Um, I thought to do that….”

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

Obviously the original Tribe of Hackers. There's a ton of wisdom there. Outside of that, I'd recommend A More Beautiful Question by Warren Berger—this book helps you assess whether you're even asking the right question in the first place. Another book I recommend to everyone is Good to Great by Jim Collins—it's packed full of business wisdom, and every executive you meet is likely to have read it. If you know the contents well, you immediately have common ground you can build your communications on. Finally, I recommend Principles by Ray Dalio. It's a fantastic book on building an organization from the ground up. Though it's a newer book, many in management have also read it (providing you more common ground).
