Security Unfiltered

Building Strong Teams and Avoiding Toxic Leadership With Peter Ramadan CISO

Joe South Episode 183


This episode explores the challenges of making a meaningful impact in podcasting and cybersecurity amidst a sea of influencers and superficial content. The discussion highlights the importance of authenticity, technical expertise, and effective leadership in building a sustainable path forward in both fields.

• Importance of genuine value in podcasting 
• Dangers of influencer-driven superficiality 
• Navigating personal and professional growth 
• Project management as a key leadership skill 
• Managing burnout and team dynamics 
• Balancing proactive and reactive responses to crises 

Peter Ramadan shares insights on his growth in cybersecurity and offers advice on where to find additional resources and learning opportunities.


Speaker 1:

How's it going, Peter? This has been a long time coming, right? We've been talking about this off and on since I started way back in, oh my God, 2021, I think is when I started this, February of 2021.

Speaker 2:

Wow, four years now. Huh, this is the thing, right.

Speaker 1:

And I think that this is probably why like 98% of podcasts don't make it past episode 10, is because you go into it thinking, okay, there's going to be a huge amount of discoverability, I'm going to have all the right hashtags, I'm going to have all the right titles, I'll eventually build a repertoire of really good guests and whatnot, and all of that will enable you to get discovered. And that's not the case. You could have the best hashtags and everything else like that. Sometimes the stuff just doesn't work, and I know what my competitors are doing and I just refuse to do it.

Speaker 2:

Are they going into influencer territory, or is it a little bit for me? What do you think is the difference?

Speaker 1:

Yeah, yeah, we can air quotes, right, that are on LinkedIn, they're on Twitter, that are, you know, doing this whole, you know, what a day in the life of a cybersecurity influencer looks like. I couldn't care less.

Speaker 1:

I could not, I could not care less, right? In fact, it makes them look dumber, because you're telling me what your day in life is of being a cybersecurity influencer. Again, I don't even know what that is, but you're not talking to me about the nuances of, you know, Auth0 and Okta and how you set up an IDP or what you did right or anything like that. And, granted, this podcast has gone a little bit away from that, right.

Speaker 1:

Like we were, we were super technical in the beginning, I feel like, and our guests would be caught off guard and they wouldn't, they wouldn't necessarily always be able to go that technical, right, and it would paint them in a picture that's probably not accurate for what people should look at them as. But then when I bring on someone from NVIDIA who's an AI security expert, who's quite literally writing the textbook, you know, that SANS is going to be using for AI security, and I bring him on and I'm asking, you know, probably the dumbest questions in the world - what's your favorite color?

Speaker 1:

What's an AI, you know, like that sort of thing. But I think, um, I think the things that I would have to do to make the podcast go viral truly aren't worth my time, because I get value from this podcast. Besides, like, monetization, right, like, I get the exposure. The exposure is so much more important in this field than anything else. Right, and that's also what those influencers are doing, right? They want the exposure. They want the contracts to come in the back door that no one else is talking about. You know, they want to be up on stage accepting their awards, and I've had on a lot of those people that accept those awards. Right, like, it's not out of the realm of possibility. I'm also not bashing people for getting those awards. It's cool and all, but at the end of the day, does it really forward anything in cybersecurity? I don't think so.

Speaker 2:

You forward yourself essentially, because that's what I've been noticing too, is that the percentage of influencer into your work has to be smaller than the actual content. So I understand that, just to play devil's advocate, you want to be unique, you want to be seen, you want to stand out, you know, and that's when you start to go kind of taking on these influencer tactics to, you know, catch people's eye. I've been writing articles on LinkedIn. My best articles are always the ones that start with a number, or it's two simple SOC exercises to something simple, you know. So it's almost kind of counterintuitive to what you're trying to do, because you're trying to explore, deep dive, you know, really kind of get inside the facts, and everyone's just skimming on the surface. So I think, with your focus, you're really trying to figure out exactly, you know, how to get yourself out there, but stay true to your content, and I think that's what actually ends up showing at the end of the day to everybody and really standing out, is that you're dedicated to this content.

Speaker 1:

Yeah, I think, yeah, okay, so there's a few different things there, right? So I feel like what you're doing is helpful. I'll give you an example of a cybersecurity influencer that is producing content that is not helpful, and I'm not going to name them. I don't feel like getting sued today. Tuesday is not a good day to get sued on. So this person is making a video on day in the life of a cybersecurity influencer. Right, this person isn't going to a conference or anything like that. Right, they're waking up, they're showing them put on makeup and walk down to their home office and turn on a laptop. Right, I mean, that's what they're doing. And I'm just sitting here and I'm like, what, what value is this content? Like, what's the actual value? Right, is someone going to look at this video and be like, I want to be in cybersecurity, that's really cool, that's really intriguing? No, like, no, no one cares about you putting on your makeup.

Speaker 2:

Okay, you're losing the main message. Yeah, I mean, what are you trying to tell me, you know, within this four or five, 20 minutes, you know, is it about your life or is it about how I'm going to apply this to my daily cybersecurity life?

Speaker 1:

I just like been grinding, you know, for 10 months, right? Like I talk about that every year. For the past four years I've talked about it, um, and somehow I can't get around not doing it. Right, I talk about my struggles when we were working together at the same company. I don't say any company names on the podcast, so don't do that. But when I was making $45,000 a year, not able to pay all of my bills, right, and people were not doing anything to help me, right? Like, I had a lot of people around me that when I told them I wanted to get into cybersecurity, that just straight up laughed at me and were like, that's never going to happen. You know, and you know, that competitor in me, right, people don't realize. Like I used to wrestle in high school.

Speaker 1:

But one of the things that wrestling really ingrains into you is that competitive mindset where it's like, you think I won't be able to do this. You think I won't do it. Okay, I'm going to go do it and I'm going to rub it right in your face and it's going to be fantastic. I'm going to enjoy it and I hope you have a great, terrible time. It's like, that's the mentality, right, like the quickest way to get me to do something is telling me that you think I can't do it. That is the quickest way to do it. I mean, hopefully my wife doesn't listen to this, so that, but you know that's neither here nor there.

Speaker 1:

Do not take me on vacation, do not take me to Hawaii. Yeah, do not take me to Hawaii for an all-expenses-paid vacation. Yeah, I'll show you. Yeah, you won't be able to afford this.

Speaker 2:

I think that's good that you kind of added in the personal touch as well, and that's why I was like kind of going back to like finding the right percentage that aligns with your ultimate message, because you know you're talking about burnout, because, I mean, the main message is you don't want others to get burned out. So you're kind of, you know, letting them know about your experience. Hey, this is what I've done that helped, this is what I've done that hurt. So you're even using your personal life to, you know, give instruction to better us daily.

Speaker 1:

Yeah, I try, I try at least, which I think that's, like, you know, 90% of the battle. Right, is actually trying to do it.

Speaker 1:

But, um, you know, Peter, you've never been on the podcast before, so we gotta do an intro, right? Um, and, as you can tell, we're 10 minutes in and I didn't even do an intro, but we've known each other for a long time. But you know, why don't you tell my audience how you got started in IT? What was that like? What made you want to go down that route? Yeah, what does that look like for you?

Speaker 2:

Yeah, so once I, you know, getting out of college, I was working at a very, very popular computer store. It's kind of like a pair but different. I think you got the idea. So I was able to start like really kind of learning, getting into the tech system, but like what I've noticed was kind of what you're saying, like I want to branch out, I want to build on what I have here. I don't want to fix people's computers, you know, I really want to just jump in and see where I'm going. And you know, that's where, kind of jumping in, like joining a random software company to work as an application support specialist, and you know I have no idea what I'm doing. But hey, I'm going to raise my hand and say I'll be the first one to do it if you need me to. And that's where you start to build your connections. And that was one of the first things that I was told is that you know you build your connections, you build your opportunities. Um, so that was like I said, like always, just try to keep that in mind, like just to continuously build your network out. So then, yeah, I would say that there was this one person that you know really gave me an opportunity to get into cybersecurity. I think it's the person I'm talking to right now actually and, you know, really gave me my first chance. So you know, in that aspect I like to think that I'm a bit lucky. I had somebody looking out for me there.

Speaker 2:

But then it was also on me to really kind of take advantage, take opportunity, not be stagnant and really kind of just learn and really kind of embrace. So, you know, the first, I'd say, you know, four years of working in cybersecurity, very kind of just technical, focused very much on the engineering side, and then I was met with, like this fork in the road Do I become more technical? Do I become more managerial? And honestly, I've always kind of had that leadership backbone. I love people. I love, you know, sharing, I love to be able to build programs. So, with kind of just laying all those things out, I was just like I think I'm going to get into leadership. I think that's where I want to go. I think that's where I can really truly make a difference and be able to myself grow as just a human being in general.

Speaker 2:

So then, moving over, I landed my first IT security manager job. I was a team of one, which is a daunting task for someone who's never been an IT security manager before. All it takes is just that willingness and that willingness to learn and also the willingness to take chances as well and not to be afraid of people kind of pausing or being like, I don't think that will work. I would say one of the biggest things that I've done that sometimes gets met with resistance is, you know, project management. That's one thing that I've completely invested a lot of my time in, is advancing my project management skills and like adopting a full methodology and being able to implement it alongside with cybersecurity.

Speaker 2:

When I started to really dive into, like, the Agile Scrum methodology, being able to build sprints with my team, align my large projects with, you know, actionable tasks and having kind of that consistent, you know, weekly check-in, just ensuring that our priorities are straight. So we're looking at this sprint and it's always through the lens of risk prioritization. So, thankfully, I was able to build my team when I was the IT security manager and, you know, I had a team of five when I left, and that was actually one of the most, you know, I would say, worthwhile achievements I've had, because I got, one, I got to understand the growth of, you know, the team, understand the needs of the team, truly be able to state my case to my leadership and let them know, hey, these are the projects that we have in place, these are the people we're going to fall short, you know. So, to be able to expand that team, expand our capabilities. Uh, I was even at a point where I hired a GRC engineer to help me with SOC 2 Type 2, a bunch of different items there.

Speaker 2:

So I really started to learn what it was like to delegate, which I think is a very difficult thing to do when you first start doing it, because you have this kind of dominant attitude where you, hey, if there's something I gotta, I gotta get it done, I gotta get it done. And once you get into that leadership spot, you got to step back, trust your people and give them the tools to be successful and you know you could always be there for them. But at a certain point you have to kind of let the bird fly out of the nest and let them be able to spread their wings. So that was one of the things that I've kind of learned is, you know, giving people the space but also giving them the tools to be able to succeed, so they could feel like they have some autonomy in the decision and they have more stakes in the decision, rather than just kind of being told what to do.

Speaker 1:

Yeah, that is, for me personally, that's like the best way that a manager should, you know, lead and manage and whatnot. I had one manager that really, like, strongly took that approach, and I won't say obviously what company and whatnot, but you know, he literally described me as like a cyber mercenary. He's like, you don't understand, Joe is someone else, right? You're used to these people that are very regimented and whatnot, and what they do. Joe will literally buy you off, if that's what it takes. He'll take money out of his own checking account and buy you off to get work done, and I'm not ashamed to do that. I've done it before. Whatever it takes, give me the goal.

Speaker 1:

And he said, the most effective way to manage Joe is point him in the direction, tell him what you want him to come back with, and when he comes back with it, you don't ask him how he did it, right? 'Cause you may not like the answer. You may not like it, you may think that, oh, now you have to go do something about it. Like, it's like, no, you know. And in that same role, right, like, I was working with 150 developers, literally 150 developers working on 40 different applications, deploying a WAF to all of them in production across, you know, four different tiers of accounts. Right, and these developers, they would, like, you know, gang up on me, and I'm not the type of person to just, you know, give in, right? Like, okay, yeah, you're gonna provide a lot of pressure.

Speaker 1:

I don't, I don't really care, it doesn't register in my head for some reason, right. And so, like, when I didn't crack, they went to my manager and my manager asked him one thing: Did Joe tell you to do this? And they said yes. And he said, then why are you asking me anything? You need to go do what Joe just told you. And they're like, yeah, but do we really have to, you know? And he goes, him saying it is the same as me, it doesn't matter, and like it just shut them all up.

Speaker 1:

And of course, you know, I started making a lot of progress, right. But I think that's really, that's really empowering, right, because I've had other managers that will micromanage how you get something done, you know. And they will micromanage your project timelines and everything. I mean, like, you know, my project timelines, sometimes it'll look like they're falling behind, but the way that I'm staging all of this work, it's like, hey, you know, it's going to be large amounts of progress in small amounts of time, and then it's going to look like nothing for two months, and then a whole bunch of stuff is going to get done all at once, right? Like, sometimes that's what happens, and the managers that I've really disliked working with the most have all been micromanagers, every single one of them. I just, I can't do it.

Speaker 2:

Yeah, it's rough, and especially, like I said, like, you have to be able to trust your staff. Like, he understands the risk, he has a plan. If he's already approached you with this, I'm going to assume that he's already done first two steps. So, you know, that's where you get into the conversation of, hey, how do we really kind of streamline this? You know, and then you go back to what's the actual policy and procedure behind it too, because sometimes you just need power of law behind you, and that's where those policies really kind of come and save you, because you're saying, hey, I have a time frame to get this done. And you know, let's, let's do what we committed to the business. So, yeah, yeah, like I was saying, like, one of the, I would say, like, the three kind of pillars that I've built myself into when it comes to, you know, cybersecurity and kind of being that next up-and-coming leader is to really kind of just, you know, like I said, just compartmentalize it into three different parts. I would say, like, leadership is obviously number one. You need to be able to provide a strategic vision for the organization. You need to be able to have alignment to the actual business goals itself, and then you also have to have the strong framework to apply.

Speaker 2:

I've always been a huge believer in CIS Top 18. That's the framework that I take to everywhere I go, just because it's really built, you know, really built on this, you know, this agnostic backbone of, you know, different industries, different people, and it allows me to be able to kind of track progress, you know, in these, like, 18 different areas. So that's when I start to really kind of, you know, show that leadership muscle, is saying, like, hey, like, I understand what the business goals are, I understand what our critical risks are. Here's the next year on how we could start closing that gap. Then you bring in, kind of, like I was saying before, the project management skills. That's when you really have to start to understand your capacity for your team, and that's where I really started to, you know, begin to understand, like, the day in the life of an analyst, of an engineer, you know, and a lot of us, you know, wear multiple hats, so you're not also always doing operational work. You might be doing some engineering project work. You gotta start then putting it into those different buckets as well, and starting to manage those, that time. And then people also, you know, take time off. You have to factor that into all these different projects, all these different initiatives, and if you don't have that kind of, that structure, then everything becomes a hey, did you get this done, hey, did you get this done, hey, did you get this done?

Speaker 2:

And it's not, it's not visible anywhere and it's not, you know, tangible. I'm not clicking someone moving over here to the done pile. You know it sounds simple, but it's. It's such a big thing to see something go from in progress to done and be able to say what's done, what's in progress, you know, and just to have that quickness, efficiency, you know're implementing it. What's the goal? What are you looking to mature it within the next year and also understanding what new technology is out there too, because that's the one thing that I've noticed over the last five, six years is that today's number one may not be tomorrow's number one.

Speaker 2:

I've seen that with a couple of products in the past the ones that I'm not going to say because I just remembered not to say them, but I've seen that where this is the greatest product in the world and then in the next three years. They're getting bought out by somebody and you're like I can't get a hold on anybody on support. I signed a three-year contract with these guys. I look like an idiot. So you have to really kind of understand your vendors, your partners, the technology that's out there and, like I said, aligning it with what you ultimately want to do.

Speaker 2:

You don't want that stuff to be on the shelf, you don't want to have projects become stagnant, and you need to be able to continue leading by example. And that's why I myself throw myself in the um, the uh which fall our project management with, like, our sprints and, you know, our weekly check-ins. I have a person in there and I'm their director, so I want to show them that, hey, I'm assigning stuff to me as well, I'm getting stuff done. This is how I want you to do it. And I'm going to lead by example. And I've had in the past where I've had my CSO lead that sprint and he never had any. He was not in there at all. So he's just like this omnipotent, you know, person moving things around.

Speaker 1:

But you know, I want to have that kind of flat level surface and say, like, hey guys, I'm right here on the lines with you. Yeah, well, I think, uh, I personally, I really think that there's a giant difference between managers, and just all of management, right, just management overall, that haven't had the technical experience and the ones that have. Right, there's a giant difference. I remember one manager that I had, and he was the one, you know, that would have his whole team work, you know, 80 plus hours a week. And if you were working 80, you know, you were getting talked to saying, hey, you're not working enough, right, 80 doesn't cut it over here, right? If you're going to do 80, go on to another team. And that was the feedback that I got, and the rest of my 12-person team got, right. Wow, wow. And he was technical.

Speaker 1:

At one point in time he was a web app developer, but he never did the security work and he never fully understood it. He knew all the right terminology and everything, he knew the right words to say at the right times and whatnot, but he never did the actual security work of what it actually takes with these solutions. And you know, like you said, right, with that knowledge comes knowledge of the industry. Hey, what technology is out there? What technology has been out there for 10 years? Right, that has been the market leader in this area.

Speaker 1:

Why are we looking at anything else? We're going to waste our time, right, unless a new technology comes out and they go into our environment. We do a year-long POC, right. Really test them out, really vet them, you know. And, yeah, we'll pay them a certain amount, you know, for that year, of course. But, like, why are we going with these subpar technologies? And that's what a lot of security managers overall are lacking. It's being able to look at a tool and say, this doesn't work, this looks like garbage, like, this actually looks like you guys are going to go out of business in 12 months or something. Yeah, like, how does that feature set align to my goals or my long-term vision for the organization?

Speaker 2:

How does it align with, you know, my CIS Top 18 framework? How do I map it to actual fields? That's where it starts to actually start to come together, is when you're actually, you know, connecting these things and understanding. Hey, like, I'm meeting about, you know, seven out of ten of my criteria, I need at least nine, you know. So it's just understanding those feature sets. And then also, you know, that path to implementation as well too. So, you know, there's all these products, that zero trust, you know, and you don't just turn these things on once you put them out of the box, or else you just blow up your company. Your company, yeah, so let's not do anything for a month after turning it on. Exactly, everything is super secure when you can't turn anything on.

Speaker 2:

So I guess, you know, mission accomplished. But no, you need to be able to, like, truly understand, you know, the technology, the risk of implementing, the risk of it going wrong, the impact on the business, because, you know, we're not generating revenue for the business, so we're already kind of at a disadvantage. So, when it comes to total cost ownership of products, we really need to be able to draw a granular line of value for the product to the business because, like you said, most people don't even understand, and you're even telling me some security managers don't even understand. So how is your board to truly understand the risk, right?

Speaker 1:

Yeah, yeah, you know, and you talk about, you know, actually like showing your team, you know that that you're, you're, you have a vested interest, right, that you're getting stuff done too. And I remember that same manager for me, right, that was telling us that you know we weren't working enough. He would like just completely rearrange our projects. You know, last minute, right, I remember one time in particular, we had a massive outage with one vendor because we rushed to do an upgrade, right, kind of at his, you know, behest or whatever whatever the right term is, and so we did this upgrade.

Speaker 1:

A massive outage was caused. And then, a couple weeks later, you know, he's like, hey, they put out a new version. We gotta, we gotta put it into production, like, right now, we're gonna do it this weekend, right, and you know, my response was like, hey, because of that, you know, pretty sizable outage, like, I created the whole, like, testing plan. The testing plan intentionally takes six weeks of testing before we deploy it into production, right, and like, it's very purposeful, you signed off on it, your manager signed off on it, the CISO signed off on it. If we don't follow that, it's not good.

Speaker 2:

Six is not an arbitrary number. It's not like my favorite number or a lotto pick or something. There's a reason why we have six weeks of work.

Speaker 1:

Right. Well, it was intentionally like that, because the vendor had a history of not fixing bugs in a timely manner. Right, so they fixed it on a monthly manner rather than a weekly manner, and they would try and give their one-off customers that would run into them, you know, a hot fix, right, so let's minimize the hot fixes, let's get it all into one large update and test it. Right, and it was also a massive tool. It's a PAM solution, right, so it also takes us two to three weeks just to run through all the workflows that we need to do in our day-to-day job and then go through and do all the onesie, twosies sort of stuff. Like, okay, well, this never really happens, but if we need it to happen, you know, we need to make sure that this works, right? Like, if I say, stop rotating passwords, I need to know it stops rotating passwords, right, like, that's a break glass feature that I need to work every time I push that button, right. And so, like, it was very, you know, like, we very, like, I don't know, mindfully made that process long and arduous, right, because we baked in a period of two to three weeks of the solution just running, right, like, hey, no one does anything. No one logs in, right, we're going to now interact with it from the outside and we're going to see how it performs and everything, and if it holds up to our tests, we had performance standards and metrics and everything, if it meets our standards, then we schedule the production change, right. And this guy was like, yeah, it's a Tuesday, we're going to do it on Saturday. You guys are going to work all weekend as if we didn't already have plans, you know. And, uh, we're just going to get it done.

Speaker 1:

Right, and you know, I had to, I had to slow them down. I really tried to slow them down a lot before getting to this point. But it got to a point where I literally just told them, hey, if you do this upgrade, I'm not going to be a part of it. Like, straight up, I'm the lead here, these guys are my team. I'm not going to be a part of it. If you're going to do it, go ahead and do it. That's fine. You know where the executable is. You know where the file share is. I hope you get the upgrade process right. Here's the document that I created on it.

Speaker 1:

His response was he was going to let me go if I didn't do the upgrade. I said, if you're going to force me to do the upgrade, that's fine. I'm also going to let the CISO know that I recommended, as the SME of this product, that we do not do the upgrade because it did not fall in line with our testing schedule. And he really backed off at that point. Right, but the only reason, I mean you, I mean everything I just said right there. Everyone that's technical, everyone that's ever held a technical role in security, everyone would say what that guy was asking for was absolutely insane. And I didn't even describe the entire situation around this product and whatnot, right. Anyone with truly half a brain would be able to look at that and be like, maybe we should slow down, right.

Speaker 2:

Maybe we should slowly understand risk. You know that's what our job revolves around is. You know risk of doing something and something going wrong and having a plan around that, and what sounds like is that he did not understand the risk of executing this earlier. He didn't want to communicate it to his CISO, he just wanted to get it done, because he might have other things to do. I don't know. I don't know what's the rush.

Speaker 1:

His risk calculation was based off of his bonus. Yeah, not the risk calculation for the environment.

Speaker 2:

The numbers are a little flexible when it comes to your bonus stuff.

Speaker 1:

It was literally if I get more stuff done, I get more money at the end of the year. Who cares if I burn out every single person on my team. I mean, he had literally, I kid you not, he was known within the organization to build up a team of 12 to 15 people and within 12 to 18 months, after reaching that 12 to 18 people amount, all of them would leave. Every single one of them would leave, and he'd have to rebuild his entire team.

Speaker 2:

There's no need to look into why that happens. It happened three or four times. Oh don't let this happen again.

Speaker 1:

Here's another team, you know, yeah right when?

Speaker 2:

When does it become enough?

Speaker 1:

Right, and he was like, because of how the org structure was at that organization, you know, he would be poaching top talent from the lower level security teams. Right, like I mean I want to call it lower level or whatever. But when you have a room of 250 security analysts, okay, like you know what I mean. Like there's, you know, tiers to it, then. Exactly. Right, you're by default creating those tiers and so he would be taking the top talent from these other teams and burning them out completely. And these are people that have been at the organization for seven, eight years. They really like it there and everything else like that. They go to his team and after 12 months they're leaving, right, but HR would never look at it because they're like he was here for eight, eight years. You know he just wanted to change. It's like, eh, not really.

Speaker 2:

Yeah, like I'm just not going to listen to your exit interview.

Speaker 1:

They didn't even they don't even give them.

Speaker 2:

I wonder why. Yeah, you wonder why things are the way they are. Weird.

Speaker 1:

Yeah, no exit. There's no exit interview. When, uh when, you're on security and you put in your notice and three hours later security shows up at your desk with a box. He says okay, your last day is today. We'll pay you through the end of the month, don't worry, your last day is today.

Speaker 2:

Yeah, you're seen as a criminal. At this point you could do no right. You could only do wrong at this point, so you need to go.

Speaker 1:

You're treated like a traitor for the CIA. I mean 100%. Like you just said, what? You're quitting? We're going to quit for you. Here you go.

Speaker 2:

It's like there's one button to nuke all your accounts. Just one person just waiting, you know, to press on it.

Speaker 1:

Oh, dude, when I put in my notice, I think by the time I got back to my desk my accounts were disabled.

Speaker 2:

Wow, I am impressed that you did that. Like, I was the only admin on that one application. Like, I don't know what you're gonna do about that.

Speaker 1:

It's like, not anymore, not anymore, that little guy. We're gonna get rid of that little guy. Throw the book on that one, right? You know what I wanted to ask you, because I've, technically, not until recently, um, I've, I've pretty much always been an individual contributor, right? What skills would you recommend someone develop to make that jump into management?

Speaker 2:

Yeah, I would say the first um kind of first step to getting into that management and you know the true delegation, keeping track of progress on, you know putting time into building it and you know putting their feedback, having adjustments due to you know just the risk of the organization or needs of the organization. You need to have a platform that has all of that work to, where you could start really kind of delegating it, scheduling it and like having that normal kind of cadence it could be once a week, two times a week but where you're really kind of keeping track of each task and understanding if there are any bottlenecks or any kind of issues. You want to be able to flush out issues as soon as possible, because what I've noticed is some people will have some kind of drag time with that. They'll send another email, they'll maybe message them on Teams. I didn't get a response. What do I do? You know? That's where you start to understand who are the stakeholders. Like, who's truly responsible for this, and that's what I tell everybody on my team. I am truly responsible for this. If you reach a bottleneck with one of our vendors, with another one of the business units, you let me know, you raise your hand, you flag it, we get it taken care of. And that's one of the biggest things that the project management and sprints really allow everyone to do is it forces everyone to go through each kind of line item, give kind of a quick update and also let me know hey, I'm having an issue with this and it's just like oh, you know, it's on my radar, I'm taking care of it.

Speaker 2:

I've seen it where I've joined organizations and it's just like you jump on a call and they're like Joe, what do you got today? That drives me nuts. It drives me nuts because it shows that you don't have a plan. You don't have a plan. You're just waiting for people, for people to, you know, come up with what they think they need to do, what they're coming up with at the top of their head, because there's nothing written down.

Speaker 2:

Um, I, it's one of the things I cannot have. So it's like a nice structured system to where you know I, I use some kind of like DevOps platform. You know it's not technically doing any commits or anything like that, but, you know, having it to where I could build out epics and projects, tasks and, like I said, really being able to track each step of the way. So I understand if there's any kind of hitches. People to do is find a project management approach that fits for you, fits your organization, you know, and really enables people to become more autonomous but also gives them the information to collaborate better and just be more efficient.

Speaker 1:

Yeah, that is, that's really critical. You know, on learning how people work, right, how they operate, how what works best for them, right, like with me. You know that that cyber mercenary perspective, that like that works perfectly for me. You know, all day, every day, right? For other people on my team it's probably not going to work, right? Like that. That won't work. It's because I come at it from a different mentality. But, yeah, having that project management perspective is actually critical and you know, I almost want to take it back. It's almost on the manager to cultivate that environment, that skill set, right? And I'll give you an example.

Speaker 1:

You know the best CCO I've ever worked with, I mean he'll be on the podcast a little bit, a couple months or so, he, he like, explained it to us just how, just how he needed it, right? He said look, I have a monthly call with the CIO, the CEO and the CFO. I have to legitimize the project, spend every single month in this way. This is how I do it, this is the template I use and this is what I expect as an update. And I need the update at this time of this day of the week because I filter up that information and then at the end of the month I correlate all of it and tie it all in for everyone else to see. So that's how I expect it. Here's the template, right? And he even said he's like hey, if you got a better template, just send it to me. Like, if you want to view it differently, just send it to me, you know? But when he broke it down like that, like my information isn't just informing him, right, like it's informing, like the CFO, right, a guy that I've never talked to, never met, never want to talk to, never want to meet, right, and you know he needs it in this kind of structure. He needs to show, you know, progress in this way.

Speaker 1:

And then I also learned, you know, give the updates in the email, break everything down, right, like this is what was accomplished, this is the project status overall. This is the percentage complete, based on this metric in Jira, right, that has all these cards that are tied to this epic, that is tied to this project, that has all the funding and whatnot. And then here's all the upcoming work, right. So next week you can expect this stuff to be in the completed pile, and if it's not, I'll have a reason why. And then on top of that, let's take that information and just bake it right into his slide that he needs.

Speaker 1:

So my manager can just say, okay, drag and drop, it's now in my slide deck, my job is done for this project. But like having that opportunity, like I never realized that, right, like I've been in this field for, you know, 10, 11 years at this point, no one ever broke it down to me like that and as soon as someone did. Now, that's just how I do it. You know, there's no other way that I do it. I try to make it as easy as possible for my manager to go and defend my work and give progress updates. Yeah, it's a keep it simple, stupid, it's.

Speaker 2:

Uh, you know it's. Yeah, you don't have to really kind of make everything overcomplex. Like I said, it's, you're really looking for a slim, efficient model, that's, you know, adaptable to change, because that's that's what we truly have to be ready for is for our sprint to completely change the next week due to a new vulnerability, due to a new implementation, due to a new acquisition from the business. So we need to be able to kind of be like a center fielder, you know, have your, have your uh, be on the balls of your feet and be able to go left and right when you need to. Yeah, yeah, that's a really good, that's a really good point.

Speaker 1:

You know, security isn't always, I mean it's never cut and dry. You know, like cookie cutter every single day, right, like man, it is not, right. Like you know, when Log4j came out, right, everyone's getting ready for the holidays. I mean, I think it might have been Thanksgiving, right, like, and uh, sure enough, now you have a zero day that you have to deal with. Oh, and it's actively being exploited in the wild and if this one little thing is exposed to the Internet, it's, you know, game over for your environment if it's exploited, because there's no way you're going to be able to shut it off, like, quickly enough, right, right. And so now everyone in security all across the globe is no longer having Thanksgiving. They're no longer having a Black Friday shopping spree, right, they're no longer.

Speaker 1:

I mean, at the company that I was at, we had a large enough environment. We, we didn't stop dealing with that until February, right, I mean, that's people working seven days a week, all day. You know, we had shifts that were going in and working it because we had that many systems. I mean, there were systems that were vulnerable to it where we're just like, we don't need it, it doesn't generate revenue. Shut it down, like some of them was like don't even just shut it down, just delete it, like, remove from our environment, we don't need it, you know, evaporate it. Yeah, we're just like, like we, we had, we had the, you know, the blank check, so to speak, where it's like, hey, this thing is so serious, where we have 15,000 servers that are vulnerable to this thing, right, like our, our patching solution would take a week to get through it if we just said patch everything, you know. Yes, there's so much risk around it.

Speaker 2:

That's where it's, like you said, there's a finite amount of hours that you can get from your team.

Speaker 2:

You have all these projects and then you have Log4j coming around and it's like, why aren't all these projects getting done?

Speaker 2:

So that's where you know it's really on your leadership to be able to let them know hey, this is the capacity of my team, these are all the initiatives that we have. This is the kind of unplanned work that comes into our, our lives, because that's that's what we deal with. And you know, really breaking it down, like I said, building that roadmap to saying, hey, if this occurs again, we hire a couple more people. Or, you know, we find a partner to a third party to kind of work with, to be able to lessen the load and, like I said, like really kind of use that time smarter. You know, and that's where, like I said, it's just you really need to focus on every little detail when it comes to, you know, managing your program, because you know the second something stops or somebody starts stops paying attention. You got to be aware of it because then you're, you know, allowing a risk to, you know, occur in your organization. That's on you.

Speaker 1:

Yeah, yeah, absolutely. Well, Peter, you know we're we're pretty much at the top of our time here and I'm I'm always very cognizant of my guests' time, you know so. But but it was, it was a fantastic conversation and you're going to be, you're going to be back on the platform in a more regular format. We're not going to, we're not going to announce it just yet, all right, but you know, I think we got something good cooking here where we're able to provide valuable insights, you know, into different levels and layers of security. Overall, right, and I think it'd be really, really interesting to see where it goes. But you know, before I let you go, Peter, how about you tell my audience, you know where they can find you, right, like where your articles are on LinkedIn that are fantastic. That, you know, I always try to comment on and share and whatnot.

Speaker 2:

Yeah, yeah, so I post um, I get to create like a separate site to post these on. So everything's on LinkedIn. In P Ramadan, I made my custom URL so it's a little easier to pop in there. I just P Ramadan and yeah, I'm busting those out weekly and just kind of the same initiative as Joe, I want to be able to give from you know, in the past I've I've taken, so this is my opportunity now to you know, be able to share everything that I've learned and, you know, hopefully it helps you out. Yeah, yeah, absolutely. Well.

Speaker 1:

Hey, Peter, you know I really appreciate you coming on and I hope everyone listening really enjoyed this episode. Thank you, Joe, I really appreciate it. Yeah, absolutely, thanks everyone.
