Explore the evolving landscape of IT roles amidst the shift towards modern security organizations. Martin and Vorthman provide an insightful conversation that uncovers the critical importance of adapting traditional IT skills to meet the demands of cloud technology and cybersecurity, offering valuable perspectives for both current professionals and those aspiring to enter the field.
Guest: Lee Vorthman, VP, Chief Security Officer, Oracle [@Oracle]
On LinkedIn | https://www.linkedin.com/in/leevorthman/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
This pivotal episode from the Redefining CyberSecurity Podcast hosted by Sean Martin explores the ongoing relevance of traditional IT roles within the modern security architecture of organizations. This discussion features insights from Lee Vorthman, the Chief Security Officer for Oracle's advertising group and centers on the profound shifts within IT roles driven by cloud adoption, technological advancements, and a deeper integration of security practices into the business process.
As businesses increasingly migrate their operations to the cloud, the episode explores the evolving skill sets demanded of IT professionals. Vorthman and Martin discuss the journey from traditional data centers to cloud environments and beyond, considering the transformation required in workforce competencies. Highlighting the blend of technical and business acumen needed in today's security roles, the conversation pivots around how the business strategy shapes security priorities and the professional growth of IT personnel.
The discussion emphasizes the paramount importance of considering the human element in cybersecurity. Vorthman, drawing upon his extensive career spanning military service, web development, and cybersecurity leadership, advocates for a holistic view that combines technical prowess with a deep understanding of business needs and risk management. He underscores the significance of continuous learning and adaptability for professionals navigating the cybersecurity field. A salient point raised during the episode concerns how traditional IT roles adapt and evolve in the face of cloud technology and digital transformation.
Martin and Vorthman muse on the future of roles such as network security professionals in an era where infrastructure becomes increasingly abstracted and code-centric. The conversation also broaches critical issues around the cost of security deficiencies in cloud migrations and the need for robust security processes. Vorthman stresses the opportunity for security to be interwoven into the fabric of business change, rather than being an afterthought or impediment.
The dialogue ultimately transitions into advice for emerging professionals and maturing organizations looking to harness the full potential of their cybersecurity workforce. Emphasizing the importance of a diversified skill set that marries technical knowledge with business understanding, the episode serves as a beacon for those charting their path in the cybersecurity landscape.
Key Questions Addressed
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Are Traditional Roles Still Relevant In Today’s Modern Security Organization? | A Conversation with Lee Vorthman | Redefining CyberSecurity with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of redefining cybersecurity. I'm your host, John Martin, where I get to talk about all kinds of cool things with cool people, looking at how we can enable the business safely and security. Of course, a lot of that's driven by technology. The business adopts technology and security teams adopt technology to help shore it up.
We often miss the mark on the. Human element. And, uh, I saw a post online as most of my, uh, most of my episodes are driven by inspiration by others, uh, good work. And today's no different. Uh, Lee Worthman is on with me. Lee, thanks for joining me.
Lee Vorthman: Yeah. Thanks for having me.
Sean Martin: And, uh, you did a good post on whether or not we pulled the right, uh, right title, our traditional IT roles still relevant in today's modern security org.
And it's a thought that I've had for a long time. It's been rattling around in my brain. Uh, In the dust and all the other stuff up, up in there. But, [00:01:00] uh, it, it prompted, prompted the thought because I often looked at it purely early on from the cloud perspective, which you touch on in your post, but I think there's a broader, broader view here.
And we're going to get into some of that today and look at the role and the skills of the people and some of your thoughts on that, uh, many of which I share and, uh, I think it'd be a fun, Fun chat today. So I'm thrilled to have you on before we get into it though. A few words about what you are up to Lee.
Lee Vorthman: Yeah, sure. So, um, for those of you that don't know me, um, find me on LinkedIn, uh, or, um, you know, I have a blog that, uh, you know, Sean, um, is referencing. It's called three 70 security. com, uh, blog dot three 70 security. com. Um, but I've been the chief security officer for Oracle's advertising group for the past, uh, about five years going on now.
Um, and so, you know, doing all the things security and. I draw a lot of inspiration for what I write about from my current role, but I obviously don't reference [00:02:00] my current company because they'll get mad at me. Uh, and so my thoughts are my own and not my company's, but, uh, you know, I've been in the tech space, um, honestly, since like 97, you started out writing like webpages and, you know, doing that stuff, went through the.
com crash and the whole, you know, uh, you know, two digits of 2000 versus like, is it going to cause a, you know, existential crash with the whole 2000 thing? And, um, uh, you know, uh, went through that and, uh, did networking and, um, Did some stuff with defense contractors after I got out of the military and then got back into cyber security and I've been doing it ever since.
So, um, it's been a whirlwind and I hope that, um, my experience as diverse as it is can act as a, you know, as a hopefully a guiding point or a lesson for other people that want to get into the industry or at least learn from stuff. And, um, you know, I'm constantly evolving as well. And that's what I try to share with my audience.
So, um, great to meet everyone and, uh, hope to see you out there.
Sean Martin: Yeah, it's fantastic. And I encourage everybody to check out the blog and I have to, um, I don't know what the [00:03:00] What the reference is, there's a four or five one on the badge on this image. Does that mean anything in particular? It just happened to be a random number on the blog.
There are two runners crossing the finish line.
Lee Vorthman: Oh, you know, um, I, I, I'm not overly happy with that image. I was trying to figure out like a metaphorical representation of like trying to represent like how someone's getting left behind, you know, cause like, that's kind of what we're talking about here with the change in the rules of that.
Someone's going to feel left behind as you're pivoting. And the only thing I could kind of get the, um, I was using Microsoft copilot, right? And so they're using Dolly and, uh, I, the only, I could kind of get it close to like, uh, generating something that felt relevant was that running image. And then of course it puts in like these, um, you know, random numbers and texts and stuff in there.
I was like, well, it's good enough, you know, so they don't mean anything. It's just trying to give you all something to anchor off of. And, uh, obviously AI still has its challenges.
Sean Martin: Aye. Oh, yeah, because I, because I look at that and I think [00:04:00] security and I think the analyst industry and that number reference references, uh,
Lee Vorthman: one of the things to go on with it.
That's awesome.
Yeah, it's definitely a hidden message. If you
crack the code. There you go.
Sean Martin: I'll tell you what I'm thinking there. But, uh, cause it's interesting cause when I was thinking about it, the, the analysts, God bless them. I mean, I'm, I'm not picking on them by any stretch here, but, uh, a lot of them focus on the tech as well and, uh, and how can the tech over help overcome problems and I don't know, some of them do a good job, I think, looking at operations, which definitely ties people in too, but.
It's really about when you, when you're looking at, at, uh, magic Quaalude quadrants, uh, it's always about the company and their technology. Um,
Lee Vorthman: we're seeing that, that fundamental shift now too. I mean, if you've noticed a lot of the conversations going on and with like, you know, the SEC guidelines, which, you know, is a whole nother topic, but you know, a lot of the security [00:05:00] roles that are out there, right, are, it's no longer about technology, right.
It's about the business. It's about risk. It's about the software skills, right. Of that type of thing. And I think. We're definitely seeing that pivot in the industry for the role. And, um, I think it's a good one to write about, right? It's a good one to talk about because, uh, people want to get into security cause it's the cool thing and you can hack stuff, right.
And you can learn about all this cool technology, but it's like, that's just one component of it that you need to master and to be a true, good professional to your point, like an analyst or whatever. There's a lot of different aspects to it. And, and, you know, the magic quadrants only capture a certain part of that.
They're not capturing, you know, the cost of change or the cost of people or the cost of the technology or whatever it's going to be.
Sean Martin: Yeah, absolutely. So what, um, what was the catalyst behind this? Was it, was there a trigger that, that said, I need to write this now? Or is it, was, has it been brewing in your mind for a while?
Lee Vorthman: It's been brewing in my mind for a while. I think that, uh, you know, there's journey companies and businesses and organizations are at different periods of their journey. Right. And [00:06:00] I'm still surprised, you know, not, maybe I'm not surprised, but there are still companies out there that are still. In traditional data centers that I've talked to companies that are like, we're getting out of the cloud.
We're going back. We're not happy with it. And so I think that prompts kind of the discussion right around like, well, like, what does it look like? Right? If you know, if you are in a traditional data center, and then you go to like a hybrid, and then you go to like a true cloud, and then you go to like microservices, like, how do I need to think about that as a leader?
Because like how you structure your organization, how you up level and design the skill sets and training for your people, how you think about hiring, you know, all of everything kind of follows from the business strategy. And I, it's not something I've seen a lot of people talk about, and it's been like rattling around in my head.
I'm actually going to give a talk about it at, um, the Rocky mountain information security conference along this same topic, because I think, you know, if you're an aspiring CISO or a security leader, like you can't just go out and be like, well, I'm just going to hire these. These traditional roles. I mean, I need a network security guy.
It's like, [00:07:00] well, do you like what, if everything's code, like, do you. Right. And so, um, that, that's kind of what prompted it to me was just share my thoughts and experience having done multiple cloud migrations, you know, from, you know, uh, data centers on prem to the cloud, it's not something I've heard anyone like really talk about how their org structure changes and how the skill sets change and things like that, and so I figured I'd just share my thoughts and I'm glad it resonated.
Sean Martin: Yeah. I think I shared many of your, uh, many of your thoughts. As you bring your tech stack over, uh, on prem to cloud, the software basically has different configurations. The way you look at the logs looks is different. The way you, uh, ingest the logs, the way you respond to incidents looks different. Uh, talk to me a bit about that, Chan, and we can also talk about microservices and third party services and open source stuff.
Take it as broad as you want. But what are some of [00:08:00] the things that most organizations fail to recognize? Beyond that, we're going to move this physical thing to a virtual thing in the cloud.
Lee Vorthman: Yeah. Uh, so a lot, a lot, there's a lot there. Um, I, I think the first thing to recognize, right, when you're shifting from like an on prem or data center environment to the cloud is that you're, you're giving up.
Uh, control of that environment. Um, and you know, maybe some of the financial benefits of like being able to amortize or, you know, um, capitalize on resources for agility and velocity and speed, um, but that's a trade off. Right. And so like, Great. We can get products to market faster. We can do things faster.
We can do things, you know, more agilely or however you want to describe it. But, um, There's a trade off there in terms of like you don't own the network, right? So like most cloud companies, right? Amazon, Azure, Oracle, Google, right? Have a shared service model where it's like they, if you're doing infrastructure as a service, right, they are the ones that manage [00:09:00] the underlying infrastructure.
So you don't have to worry about racking and stacking. You don't have to update, you know, the underlying firmware of anything. Um, a lot of times you don't have to like plug anything in, right? You're just there consuming it. So that's great, right? We can consume all the things. But that presents challenges from a security perspective, because, like, if you're used to, like, running and controlling your own network, um, you know, you can do a lot of things.
You can do full packet capture. You can get net flow. You can run your own scans and full penetration tests and, you know, not have to worry about the consequences. But in that kind of cloud service model, um, there's very defined ways to do that. Like, you can't just go penetration tests like the entire environment without contacting them first.
You have a very reduced scope. So, um, yeah. Same with like packet capture or net flow, you can get it, but it's definitely reduced and maybe not as useful as it would be if you had like the full access to your entire network. Um, so I think, you know, it's just changing the mindset a little bit of like, okay, I'm operating in this shared tenancy model.
Um, I don't have full control. How do I still maintain the security of that? Um, [00:10:00] and, you know, it comes with a skill set shift as well, right? Because like, to your point, if you're going to go to virtual machines or virtual environments or being able to scale up, compute, get logs, things like that. Great. We can consume all those things.
It costs money. Right. So do you really want to store like, you know, petabytes and petabytes of logs? Maybe, maybe not, maybe you don't need it. Right. And so I think, I think, you know, the agility and getting to the cloud. Um, really, I think for companies forces them to become more optimized in terms of like their it fundamentals, um, you know, because you're no longer like physically constrained and so you can do a lot of different things.
And then, you know, the other issue I see with like getting to the cloud that people sometimes forget about is like, great, yeah, we can spin all these things up, but you know, you need to have really robust processes. Um, to a couple of things, right. First of all, you know, before the virtual machines or your containers or whatever you're doing, get kind of launched.
You want to have some some level of visibility and control into that, because, like, if you don't, [00:11:00] everyone's doing their own thing. You have no standardized images. You're gonna have a lot of vulnerabilities. We can talk about open source software and supply chain. That's a whole big issue, right? So I think they're my biggest recommendation to people having done multiple cloud migrations is, um, If you don't know what you're doing, get someone in to consult and help you understand, because if you just tell your company like, Hey, we're going digital first, we're going to the cloud and let everyone do whatever they want to, it's like Pandora's box.
And it's really hard to like reign that in. And specifically from a security perspective, if you want to like. Get in front of like, you know, the CICD, you know, pipeline and put in, you know, software security scans and make sure images are vetted and hardened before they go into production and don't have vulnerabilities.
That's all process changes. That is very, very difficult to kind of rein in after the fact when you've given people all of this freedom to do stuff. So I'll stop there and kind of, you know, we can, we can dive in wherever you want to, but there's like a ton to think about as you shift to this, you know, philosophy.
Sean Martin: I think we're both filling our [00:12:00] minds with. Too much stuff, but I mean, it's cool because I'm thinking the time. I'm sure the folks listening and watching are as well. I want to go to, because you list some traditional roles here and as you were describing some of the stuff and I was looking at these roles, I'm thinking, okay, so.
To your point, somebody's racking and stacking the hardware engineer, right? Building the, building the boxes, perhaps even, um, what do they do instead? Do they, if they're left, if the company doesn't have a good plan, do they like try to slot themselves and they don't want to lose their job, of course. So do they have to re find a, find a new place in the cloud environment where they become relevant or what happens to some of these roles?
You list a few of them.
Lee Vorthman: Yeah, I think it depends. Right? I mean, um, so certainly that skill set is still needed. It just might not be needed within that [00:13:00] organization. Right? And so the reality is, like, if you're racking and stacking, are you doing, you know, motherboard design or something like that? You know, that is.
Um, no longer like a physical security or physical thing needed by the company. There's other companies that need that, right? You can go work for those cloud companies, but let's just say you love the company that you work for, you've been there forever. I think the honest answer is it's, it's a skillset change, right?
And we've had some conversations, you know, with our team members where it's like, Hey, you know, we're going to this thing, we don't need this skillset. Like we're giving you enough time to learn the new skill set and kind of retrain yourself. But if you don't want to do that, let's have a conversation and we can help you find a place to land somewhere else.
So I think it's honestly, I kind of put it back on the individual. It's like, you know, it is, is this place somewhere that you want to stay and you're open to learning like something new, which might require coding, it might require an entirely new skill set or a fork in your career. Or do you really, really love what you do?
And if you do, if you love racking and stacking, you love these traditional roles, like [00:14:00] there's someone out there that needs that just not us. Right. And I think that's the pivotal conversation you have to have as a leader to kind of transform your business is like, you're going to have to. This is always a challenge, right?
You're going to have to keep the business going with what you're doing while slowly like turning over, right? The skills and resources and people that you have to be able to do the new thing, but not so catastrophically that like, you know, you leave the old thing behind and it's, and it's, you know, falling over and you haven't gotten to the new thing yet.
Right. So I think, I think it's a delicate balance act. And I, I usually, at least for me, have a conversation with the team or the individuals and say, Hey, look, this is where we're going. This is enough time for you to get there. These are the things I recommend you do. If you don't want to be on this journey, let us know and we'll help you find a place to land.
Sean Martin: Can you, can you describe kind of the process of the initial move? Um, and what I'm trying to figure out is do organizations, I know there's different levels of, of, uh, shifting, [00:15:00] right? Moving stuff over, do you refactor, do you all this, all these different things? Um, what, what's your sense do? Do folks, organizations, I should say, they basically kind of lift and shift, or do you see many refactoring applications?
Do you see a big move all the way to containers, uh, so they're not dependent on specific, uh, underlying platforms? Um,
Lee Vorthman: I think it depends on your org. What I would say is more typical is what happens is like they lift and shift, right? So like they have a core data set. That's their intellectual property.
It's easier to stand up the compute and the networking stuff. So you kind of get that fence, you know, that that, you know, area carved out and then you move your data over, right? And so you really just kind of duplicate what's in the data center. In the cloud environment, and that's that's a learning thing.
And then usually what happens is someone gets the bill and they're like, why the heck is this more expensive than like, you know, us running [00:16:00] on prem? And they're like, Oh, because like, that's not how you do it in the cloud. Like there's, you know, you need to optimize. And so then to your point, then they go down and they refactor their applications.
They are really tight about how they, you know, ingest and egress data. Um, because that's one of the primary cost of the cloud is like, you know, um, how you get data in and out of there. And so they optimize, right? And then once they optimize, they're like, oh, you know, it'd be really nice if we didn't have to, like, build a gold image for this O.
S. Every time we want to do something, let's go to virtual machines. And then they get the virtual machines. You're like, man, this is like a pain to manage. And we noticed that, like, you know, we we provisioned this You know, whatever, 10, 000 core system, but we're only using like a thousand cores. That's not, that's not great.
We're paying more money for something then, you know, that we don't need. Then they go to like containers, right? That's like, this is the progression they go to containers because they already virtualized. So their apps have already kind of gotten to that. So then they go to containers. Much more efficient use of like their compute and their, their resources stack.
And so I, I generally, what I see is like [00:17:00] an evolution as the company matures and gets more comfortable around this, uh, cloud digital environment. They, they kind of like naturally start figuring out like how to do cost control, how to do optimization, how to use their resources, how to get to the next step and be more agile, how to improve their CACD pipeline, et cetera, et cetera.
So, um, yeah, I haven't seen a company that's just like magically gone from the data center to like Kubernetes and containers. If you have a congratulations, I think that you've, you've leapfrogged to like, you know, a lot of, um, you know, the evolutionary step of going to the cloud, but I wouldn't be surprised if someone has, you know, if, if you're a very, very mature data center, it's not, um, you know, it's definitely possible for you to do that, but I, it's not typical, I would say.
Sean Martin: Yeah. And even less typical, I would think is organizations that maybe rethink Their business processes and the apps that they're using and the workflows that enable them and I don't know, redo all that [00:18:00] stuff as well. At the same time. Probably not. Um, yeah,
Lee Vorthman: probably not. I mean, you know, um, 1 advantage, right?
Of moving to the cloud is that, you know, um. There's typically what are called like availability zones or different regions. Right? And so, um, you know, you can kind of stage your stuff similar to a data center, right? You can stage yourself closer to where your customer base is and things like that. But, um, a lot of people, or at least I've seen a lot of companies that rely on the inherent.
Disaster recovery nature of the cloud, right? The fact that it is distributed, they're like, that's good enough, right? But to your point, like, you know, that's, you know, that's not necessarily sufficient, right? For your application. And the advantage of being in the cloud is that you do have that distributed environment, but you have to do, um, a little bit of planning to make sure that your app is going to work.
Function, right? You know, because as we've seen, like if, you know, uh, you know, the eastern region, right of a cloud provider goes down, like Netflix goes down, right? And then everyone's unhappy. So, [00:19:00] um, you know, this is why the whole like site reliability engineering, like type, you know, of field has come out, right?
Because it's like, okay, great. We need to figure out how we can, you know, have certain services disappear. But still keep our customers, you know, operating and maybe we cash stuff, or maybe we have a complete failover, or maybe we do something different, right. To make sure that our business is functioning.
But to your point, it's, it's a mindset. I think that you need to, um, think about how you're going to design your applications to be able to run in this more agile environment that comes with these advantages of being able to, you know, fail over or provide customers with. Faster access or, um, lower latency or, you know, better reliability or, you know, et cetera, et cetera.
Right.
Sean Martin: So when you mentioned SRE site reliability, reliability engineering, um, I, my mind immediately goes to the next level, perhaps, of, uh, [00:20:00] platform engineering, where, I don't know, I think there's a tremendous overlap between the two.
Lee Vorthman: Yeah.
Sean Martin: Um, what, what are your thoughts on. On this and we, I'm probably kind of steering as most people do back to the tech, but bringing it back to the roles and the skills, is there a value for some of the existing roles to apply themselves in the SRE and the platform engineering type of environment?
Perhaps if organizations can embrace those things properly to provide value where they're not, they're not needed in other areas. Yeah.
Lee Vorthman: I definitely think so. Right. And you know, the point of my blog post was that like, even though you might not need. a dedicated person to do that role. You still need the skill sets.
And so like with site reliability engineering, right with your SREs, you know, you need someone that understands the fundamental architectures of how the platform or the underlying infrastructure works so [00:21:00] that they can design and implement. Your application or your business or your site to be able to have that reliability that you want.
And so, you know, they need to understand networking. They need to understand load balancers. They need to understand DNS. They need to understand authentication, right? They need to understand all these things that are core technology. Um, skill sets that typically, you know, if you ran your own data center, probably would be done by a dedicated function or team.
But now is a, is a skill set, you know, that's a more breadth skill set of these, you know, specialized roles you're seeing kind of come up as part of going to the cloud. So, um, so yeah, I definitely think that the roles are still needed. Um, if we go off a little tangent, I wrote kind of a followup on this one, which is, um, I wrote an article about like, why isn't auto patching a thing?
And I'll tie this back to like the SRE stuff because like. It should be right. We should be able to just go and like say, don't, don't call me, right. Just apply the patches, you know, reboot the server, you know, do all of your QA and, [00:22:00] you know, um, quality assurance, you know, and quality, um, control testing. And, you know, all of that stuff that you want to do as part of your Dev and test and staging, that should all be automatic.
Well, why isn't it automatic? We're still dealing with vulnerabilities. We're still dealing with applications that have bugs and things like that. We're still dealing with applications that aren't up to the latest version. On and on and on, right? It's because Coming back to, you know, S. R. E. Like the core functions of how to design your application or your business to be reliable, which, by the way, is not just a business thing, right?
It's like, yes, you want to get money. You want to make sure you're still up and doing the things you want to do. But it's also a finance thing, right? It's also a security thing. It's also a sales thing. And so, like being able to think about this from a business standpoint and take it Uh, the advantages of the cloud, right?
And then design your business function to be able to operate, you know, like Netflix is famous for doing this, right? They had the chaos monkey that would go through and just tear stuff down. And then if it degraded too much, they would, you know, okay, [00:23:00] good. We've broken it. We'll bring it back up. And, but they were testing stuff for that, for that reason.
I think that level of maturity is. Where critical businesses or businesses that are really serious about it need to get to, which will have knock on effects to security and sales and operations and customer experience and all that type of stuff. But a lot of people don't think about that. They still come back to and say, we're in the cloud.
It's, it's great. If you know, it never goes down and it's like, Good luck with that. You know, so I do think, you know, tying back to, um, you know, the skill sets, right? If you have people that have this skill set and can come in and help you on your journey, getting to the cloud and can help you do this stuff to up level and optimize and make sure that your business is going to run, even if an availability zone goes down or you have a denial of service in one region or whatever it's going to be.
That's a core skill set that's drawing on those traditional skills. That are then, you know, amalgamated and slammed into this, you know, these new skills, whether they're a site reliable engineering or some other type of role that, you know, um, [00:24:00] has been smashed in with these different skill sets.
Sean Martin: Yeah, I love it.
And the, I'm just wondering, cause I, people who listen to the show have probably heard me say this before, but I, I feel that organizations spend a lot on transforming something of the, some part of the business. Right. And a big part of that is investing in the cloud and maybe then enhancing their, their applications and improving the workflows and really crunching the numbers to get the most out of marketing operations, right?
So the lot of investment to transform things, to cut costs and increase revenue. And I, I feel security gets left out. It's the, the, the, I don't want to redheaded stepchild. I know how much time do we have? I think it's the perfect time to, to do that stuff. I know it to our, to your point earlier, it's very tactical.
We just want to shift [00:25:00] and then we'll go from there. But to me, that is a great place to look at what's our risk exposure. What, what's our real objective with the business and how do we achieve that most effectively in the safest way possible without killing our security and, and surrounding it organization.
So I don't know, any, any thoughts on that?
Lee Vorthman: I think you're spot on. Right. I think, um, you know, security tends to be an afterthought. Um, or, you know, if it is thought of, it's viewed as an impediment, right? It's like, oh, well. We'll worry about that afterwards because they're just going to slow us down. Like we got to get to the cloud, you know, as quickly as possible.
Right. But, you know, to your point, you're missing an opportunity. And, you know, I, I don't know, um, we can get technical a little bit, but like in, in my undergrad, right, I was a systems and industrial engineering. And one of the classes we took was like on requirements analysis. And there's like a famous graph that there, which is like, um, Basically, like there's a, there's a line is like an exponential line going up, you know, like an S curve going up from the, from the bottom left up to [00:26:00] the top, right?
And that S curve is showing the cost of change. The longer you wait, like on the, on the X axis, the longer the time goes on. The Y axis is the cost, right? And so like to your point, if you, if you wait to do security, like after you've gotten to the cloud and you're many months down the road and you're like, Oh wait, we forgot about this.
We should do it. You're gonna spend a lot more money up on that curve than you would have. If you had just built it in from the front. And I think it's honestly a travesty of our profession in that we're an afterthought and you know, we're viewed as like, you know, this insurance policy or this impediment when the reality is if we're included at the front, help design these things properly.
Really, what we're talking about is we come back to the S. R. E. Conversation. These are fundamentals right of I. T. Operations of business operations that should be in place anyway to make your business function, but they help security in terms of what we want to do. Asset inventory. Great example. Is that a security issue?
No, right. But we need it in order to be successful. But [00:27:00] so does finance, right? So does your operations team. So does like your development team, right? So like, you know, I think that, um, what I would like to see or my ideal, my, my, if I can plead to the industry and if I can help in any way is like, if you're going on this journey, right, get involved early.
Um, and really, you know, help to convince the business that you're there to add value and not be an impediment. Because I think if you can get these fundamentals right, So as you're migrating, um, instead of doing it after the fact, um, you'll be in a much, much better place than, than trying to, you know, reign in Pandora's box after the fact.
Sean Martin: So let's, uh, as we, as we start to come to the close here, I'm sure I have a gazillion more questions, but anyway, um, let's bring it back to the roles and the skills and maybe latch on to this point that we were just, we were just talking about. As people. Want to enter this field of cyber security, um, coming out of university, coming out of trade, coming out of [00:28:00] hack the box or try hack me or whatever, wherever, whatever path, um, that they take and and others in I.
T. or in business that. I have a desire to, to, uh, enter this field. What would you suggest, and maybe that's two different groups, but what would you suggest they focus on to really make a difference? So clearly they're going to focus on things that get them hired. Yeah. But I think this next generation that, that enter.
Be it new folks or adjacent folks that, that have been in the workforce for a while. I think there's an opportunity for them to help redefine cybersecurity and, uh, and bring in some new insights that isn't just about, uh, we've always been the afterthought. Let's continue to be the afterthought and we'll just continue to go as we go.
So what do you think?
Lee Vorthman: Yeah, a little bit of a [00:29:00] history lesson. I'll start with that. Is that, you know, if you think about how, you know, security functions got started, right? We were a function of I. T. or an offshoot of I. T. And, you know, most security professionals that I've talked to that are, you know, have kind of the same tenure that I have.
Um, they were just admins, right? They were helped us people. They were network engineers. They were, you know, whatever, you know, um, Linux admin, you know, people, right? And so they kind of took all of these different skill sets. And then eventually they landed in security. Uh, and then, you know, that kind of career progression got started.
So, um, I think my biggest advice for anyone that wants to get started in the industry is recognizing that There's a lot in this field to understand, and you don't have to understand it all at once. I'm not recommending you go out and just like deep dive and how the internet works. But I think, you know, the nice thing about our profession is that there's a lot of different specializations, right?
You can go into compliance, you can go into privacy, you can go into data, you can go to identity, you can go to, you know, technical and offensive stuff and you know, choose your [00:30:00] poison where you want to be. But my biggest advice is that to be as effective as you can be, like never stop learning. And like, you know, if you're a penetration tester and you don't understand how the packets are flowing from your end map tool over to the end system, like figure that out.
Right. Because understanding the, I, you know, the iOS model. Is going to be effective for making you a better, you know, person and a better asset, you know, down the road, and it's going to make you better at your job. And if we come back to like the cloud model, right? As the business shifts, right? So if you were, you know, really comfortable in the data center model, and you went to the cloud, or you're really comfortable in the cloud, and you don't understand Docker and Kubernetes and microservices, The more you understand about the underlying technology and business processes and regulations or whatever your specific specialty is, I think the more job security and flexibility you'll have as the business pivots to get there, because you'll be able to be like, Oh yeah, I understand that there's nothing different here.
Or we need to worry about this thing. This is a risk that we haven't considered whatever it's going to [00:31:00] be. So my biggest advice is like, if you're coming out of school or you're bootcamp or whatever you're coming out of. Great. You know, do that thing, land your job. Once you land your job, be a sponge, soak it all up.
Um, I'm a huge proponent of like, okay, just cause you're in GRC or just cause you're in security engineering, or just cause you're an incident response. Like go sit with another team for, you know, one day a week and learn what they do and see from their lens and their shoes and get that cross training.
Um, and, you know, the last thing I'll say on this topic is like, I think regardless of where you sit, whether you're in GRC or privacy or engineering or technical or non technical or leadership, I think, you know, the reality is. Um, having an understand of coding and scripting is kind of a must at this point in terms of like being effective as your job.
And I don't mean that like you're writing some, you know, the next version of, you know, the SIM, but like if you're in GRC, right, and you need to pull a data set and help with an audit. You know, you might want to, you know, write some code to be able to help you [00:32:00] do that more easily as opposed to just, you know, trying to do it in Excel spreadsheets.
Right? So I think there's a lot of advantage to that. Um, and so that's what I'm seeing the trend, especially as you go more into microservices and things get compressed up the stack. It's all becoming code and to be able to do that. Be more effective at your job, um, understanding that will really, really help you.
So that's, that's my kind of summary of, of, of that.
Sean Martin: I love it. And, and, uh, I'm going to make you do it again this time, this time from, uh, the security leadership and executive leadership perspective. Cause I, I think, I think we need to change the way we hire folks as well. Some of the backgrounds they have to your point.
I think. Coding is necessary, but also logic, business logic is necessary, workflows and understanding use cases and stories and the experience that users have, be it. Be it internal employees, [00:33:00] be it partners, supporting the supply chain that helps you deliver your services, be it the customers that interact with you and your services.
So what do you tell them in terms of how, how to, I want to say confidently is the right word, but, Be comfortable, I guess, in changing and opening up how they find new talent as they bring new folks in.
Lee Vorthman: Um, yeah, you know, I think there's a couple things here, right? Which is, let's just talk about the kind of security leadership side.
Which is, the trend that we're seeing, at least that I'm seeing with security leadership, is that You know, historically, the CISO position or any of the kind of leadership positions and security have been viewed as very technical or like compliance rules and okay, like, we can, you know, just kind of simplify it, but I don't think that that is anywhere near accurate, nor is that.
Where the industry is going, [00:34:00] um, from a regulatory standpoint or from a business standpoint. And I think, you know, if, if, if anyone aspires to be in a leadership role, regardless of what your specialization is, or if you want to be a CISO, you have to understand the business fundamentals. And I liken this back to, you know, the military, which is, you know, If anyone was a Marine or understands the Marines, they have the saying of every, every, you know, every Marine is a rifleman in the Navy.
Right. Um, where I was at, um, everyone gets kind of like their surface warfare pan or some sort of designator. Really? All that is, is that you spent time to understand the rest of the business or the unit. Um, to be more effective as, you know, a sailor or a soldier, right? So similarly with leadership, I think that that's really critically important.
How does HR work? How does finance work? How does, you know, how do all these things work? And if you don't have that, like, I just don't think you're going to be successful going forward. So to come back to your original question, I was like, well, what do we need to look for? So what I look for now in, in, in, in the roles that I look for is [00:35:00] I try to keep Like the job description, very, very open, right?
So I'm not asking for, uh, degrees necessarily. Cause I don't think that that necessarily represents, you know, the skillset of someone I'd rather hire for aptitude and attitude than hire for like technical skillset. Um, but you know, we try to, at least I tried to, um, flavor my, my job descriptions to have.
Like, here's what you will be doing. Here's what we expect you to do. And not like a laundry list of like every technical certification and every protocol and everything like that. Um, the challenges is I'm finding, right. Is that like, if you want someone that's a DevSecOption engineer, or you want someone that, uh, understands Kubernetes and Docker and microservices, if you want an application security engineer or a really good, you know, offensive, you know, security or threat hunter or penetration tester, those skills are in exceptionally high demand.
Right? And so you have to kind of craft your resume or your job description in a way that is going to get people to, you know, come and join you, [00:36:00] um, and be descriptive and you got to be willing to move very, very quickly on it.
Sean Martin: Fantastically. Uh, boy, I feel we could keep going for hours on this.
Lee Vorthman: Let's do another one.
You want to break it up, you know, multi part series.
Sean Martin: I think we should, I think we should maybe, maybe a dive into some of the different roles as well. Um, Yeah. Well, let's, let's do this. I'm going to encourage everybody. You said you have a follow up to this, so please share that link with me as well. I'm going to, I'll include both of those in the show notes.
Sure. And, uh, yeah, folks should check out the blog that Lee puts together. And, um, you're very welcome back anytime, of course, an area that I love to talk about anything around platform and engineering and, uh, security operations and. All back to the business is fun, fun, fun stuff for me.
Lee Vorthman: Definitely.
Sean Martin: Um, any final thoughts before we wrap?
Lee Vorthman: Um, [00:37:00] you know, uh, just for the audience, uh, you know, keep learning and keep doing what you're doing and keep fighting a good fight. And, uh, you know, I think, um, I'm, I'm really pleased with where the, the industry is going and I think we have a great community and, you know, continue to be a part of it and continue to participate.
And thanks for listening.
Sean Martin: And thanks for giving back to the community through your, through your posts and. joining me here on this. Thanks everybody for listening to this episode of Redefining Cyber Security. I think we did a bit of that today and uh, very grateful for Lee helping me do that. Uh, appreciate you all listening.
Please do share, subscribe and all the other fun stuff. If you have something to say, let me know. I think something differently about what we talked about today. Please do comment. And Lee, I'm going to close with a congratulations and, uh, it's for something we didn't talk about. And I'm going to leave, I'm going to leave it at that.
And if somebody, somebody can guess, uh, I'll give them, give them the high five when I see them, what, what it was that we didn't talk about that I think everywhere else does [00:38:00] as talked about on every other episode. So anyway, thanks everybody. Thanks Lee. See ya.
Lee Vorthman: All right. Bye bye.