In this week's episode Dr. Crane talks to Brandon Hines about building your cybersecurity team and culture, from your first to your 100th hire.
Brandon Hines, the vice president of security at Dimensional Financial, has spent over 14 years establishing and growing a cybersecurity program and continues as a senior leader. Brandon has deep experience in hiring and then managing an effective cybersecurity team.
In this episode:
00:00 — Welcome
01:42 — Your First Hire
03:02 — Brandon's Method for Hiring
04:37 — Mistakes And Red Flags In Hiring
05:37 — The Importance Of Training
08:34 — Gaining Insights From Business Units
10:47 — Assessments
12:07 — Weighing Consistency In Assessments With Diversity Of Assessments
13:01 — The Value Of A Security Framework In Maintaining Consistent Assessments
14:17 — What To Look For When Hiring A Third Party For Assessments
16:33 — Dangers Of A “Brittle” Third Party Assessment
19:12 — Sign Off
Brandon Hines:
LinkedIn — https://www.linkedin.com/in/brandonjhines
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/006-your-first-100-hires-with-brandon-hines
One of the biggest challenges in my mind is making your first hire because your first hire is such a make it or break it decision, that if you get somebody who's going to create a net drag on your initiatives then all of your time is going to be spent focused inward to your function instead of outward for the services that you're going to deliver.
[00:01:47] Brandon Hines: And I was fortunate enough, when I was launching the cybersecurity practice at Dimensional, that my first two hires were very strategic and very focused. And we weren't a big program, and we were still selling the concepts of cybersecurity. We were growing with the organization's needs, which was a great position to be in at the time.
And then I needed someone on the operation side, and I ended up finding, through a mutual friend in the world of cybersecurity, someone who had very little practical cybersecurity expertise and didn't necessarily have all of the confidence in the world. But when I first met him and sat with him, when he didn't know something, the way he didn't know it and his approach to it was exactly what I would have expected from a seasoned professional. And so I got him his first job in cybersecurity and security operations, and he did fantastically well. He was a great fit.
And so, unfortunately, I didn't get to keep him too long because his stock went up, but he was a great first hire within an early program.
Earl Crane: So you get beginner's luck as a new hiring manager. Looking back on it now, is there anything that you could tell your earlier self or a new CISO in a role? What should they look for to try to find someone that would be as good of a hire as that individual?
[00:03:05] Brandon Hines: Well, he's probably like my hundredth hire overall throughout my career. So I've kind of got a method. First and foremost, I want somebody who is going to be adaptable to the needs of the organization and the function. And oftentimes, and this is always a difficult conversation to have with the HR folks, they bring you this résumé gem who's just not the right fit, either from a timing perspective, or maybe that's the person I need in two years when that function is fully filled out.
[00:03:32] Brandon Hines: But oftentimes, if you bring someone in too early into a function, and it hasn't fully developed, their expectations of what that function is going to deliver for them in order to be successful are going to be very different than what you can actually feed them.
[00:03:42] Brandon Hines: So looking for that right fit. I'm looking for someone who is adaptable. Someone who has enough capabilities so that I can give them an independent project to start day one. So I'm not someone who likes to make a huge negative investment in hopes for a far off return. I'm looking for someone that I can invest in.
[00:04:01] Brandon Hines: They can grow. This is going to be interesting, but they have a key capability that I can apply immediately to the problems that I have at hand. That way I don't have to sit with them every day, I don't have to put them with someone else knowing that somebody else is going to be distracted for too long of a period of time. We can have check-ins, we can build, we can add capabilities and add responsibilities as we go.
[00:04:22] Earl Crane: Since you've done a hundred hires or so, what are some things that maybe HR will go towards or will seem attractive at first, but they end up being shiny objects that are not as important?
[00:04:33] Brandon Hines: I find that certainly there's the buzzword bingo that happens on résumés. If someone's going to put something on a résumé, I like to go deep on it. To me, anything that you put on a résumé is fair game.
That should be the shining example of what you're most proud of and what you know most about. I have had individuals who thought it was unfair that I asked them about a project that they put on their résumé from two years ago. Personally, I've got things on my résumé from 20 years ago, and if someone wants to grill me on that, that would be perfectly acceptable.
People who have too much experience, like if they've jumped every two years: when you're launching a cybersecurity program, that's not a two-year effort. You're thinking out five years, and you need to have some level of stability that you can build on. Otherwise, you're just going to get on this treadmill of trying to churn people in and out of the program.
[00:05:17] Brandon Hines: When everything that you do is either going to contribute or distract, you need to make sure that you've got the right fit.
[00:05:22] Earl Crane: Before we started recording, you mentioned training, and how that ties into building your culture. Can you expand on that a bit more?
Brandon Hines: To me, training is an important part of culture. So I think those things tie together very well. That's one way that you establish and reinforce a culture.
Well, it certainly ticks a box, and that's important, because you have auditors who will come in and say, what's your training program? But if that's all you're doing, you're probably missing a huge opportunity. I think training is a really important way to get people connected to concepts and ideas.
So I'm not a big fan of doing the "you're going to do an hour and a half of computer-based training once per year," because if they're only hearing that once a year, it's probably all gone within two months anyway.
[00:06:05] Brandon Hines: But if you structure a training program, certainly have a computer-based component to it so that you have an objective document that you can measure. You can see that people took an assessment test, or you've got something that's objective.
[00:06:17] Brandon Hines: But to interlace that with more pragmatic training. Either splitting that out and doing smaller units over the course of the year, interlacing it with messages out to the organization, whether that's through email or whether that's participating in various department meetings.
[00:06:31] Brandon Hines: But I even think that there's often a lost opportunity if you don't get to know what the various business units' charters are and where the risk areas are.
[00:06:40] Brandon Hines: Training could be as much as even getting involved with people, down to the team meetings, not even at a department level, but going and having lunch with key people so that you can understand the challenges that they face.
[00:06:52] Brandon Hines: Maybe there's some security controls that they're currently responsible for because that's the only way to do it at their current level of maturity. But this is what they're doing, and it's business impactful. Maybe you can understand that more and help learn about the business, but then teach maybe more optimal ways to approach those problems.
[00:07:10] Brandon Hines: Or in some cases you can take that back. I always keep a long list of things that I know I won't likely be able to touch, but maybe I can pull those forward into a project, or maybe I can group things together that I learned throughout the business to say, how do we solve that big problem?
[00:07:24] Brandon Hines: It's not the biggest problem in any one area, but it's like the third problem in five areas. And if there's a way that you can get across the business because you're having that kind of interaction, you're learning, and you're teaching other people simultaneously how to think about security in the realm of their area of responsibilities.
[00:07:42] Brandon Hines: Training is not just about training to the organization. It's also training to your own staff. It's training to technology. And I used to work in healthcare, and there's a huge chasm between what happens on a clinical side and what happens on the IT side.
[00:07:56] Brandon Hines: And every once in a while, when I needed to get people to better align with the clinical side, I would see if I could reserve some space in the ER of the regional trauma center, and I would have someone go work there doing their normal job, but just being in the mix of everything else that's going on. Because I think it gives people a different appreciation to see the actual work that an organization performs as one of the critical services.
[00:08:19] Earl Crane: Let's peel that back a little bit. And I want to ask about getting to know the businesses that you're serving as a CISO.
[00:08:27] Earl Crane: I'll give you an example. When I was at Homeland Security, I took a day and went out to work at TSA. And so I went there, and I was just there seeing how the operations went. But I got a big appreciation for the machines that they were using, the way that they were using them, and the challenges. And so when we from IT would send an update, the amount of chaos it caused was something that we didn't appreciate necessarily back at headquarters.
[00:08:57] Earl Crane: Do you have any examples where you've met with the business units, and you've learned some insights?
Brandon Hines: I'll reel back a couple of careers ago. We had to understand how to make sure that all of the various providers within the organization could operate both as a whole to the organization while still being isolated within their own service provider organizations. So it was an organization that was really a conglomerate of many different service providers.
[00:09:26] Brandon Hines: And it was very difficult to understand what the key concerns were until we could really sit down and understand like, okay, you've got this equipment, and this equipment's got to go talk to that service provider's equipment, and how should all that work, and what does that mean? And then you've got these people who have to do some level of data entry or monitoring, and how does that all work? There's how you might whiteboard that out as a technologist. But how you whiteboard things out as a technologist doesn't always translate to how things actually work in a pragmatic world. There's always some other limitation that you're not aware of.
[00:09:57] Brandon Hines: And so until you can understand that: that makes sense, that's all secure, that's how you can think of it, but maybe that requires someone to do 20 pages' worth of data entry because now we can't transfer this file seamlessly between these two systems on these two disparate networks, because the protocols just can't be secured the way you think they should be.
Maybe your preferred control is not the appropriate control. Maybe you need to lower that security requirement a little bit, then come in with some supplementary controls or some compensating controls. But you won't know that until you get out there with the business and really understand what makes them tick, what their drivers are, what levers they can pull within the world.
[00:10:32] Earl Crane: So far we've covered hiring and training. What role do assessments have in managing and having oversight for an effective security program?
[00:10:42] Brandon Hines: Assessments are something that I have deep experience in. I think one of the biggest challenges from a technology perspective is you've got a lot of people with deep skills throughout the technology function. And even out to the business function who might have some responsibilities for various components of a security program.
[00:10:59] Brandon Hines: And especially in technology, they're going to have a very deep level of skill and expertise in their area. And they're going to think, mathematically, am I doing the right thing? Am I doing something that's very good? But not necessarily, is this something that can be tested, and can I have a retro review of this in a way that's independent and measurable?
[00:11:23] Brandon Hines: And so I do find a lot of times that I'm having to work with folks to try and bring in not just what's a good practice that aligns with the overall goals, but doing it in such a way that we can measure it over time, and we can be transparent so that eventually senior executives can look at this, and they'll see that, yes, I've got confidence in this thing that's going on over here. As opposed to just trusting it because we have trust in people.
[00:11:48] Earl Crane: So consistency in assessments is important.
[00:11:51] Brandon Hines: That's correct.
[00:11:52] Earl Crane: And sometimes you can do that by having the same firm and the same testing methodology, but there are advantages in having different assessors and different assessment methodologies. How do you maintain consistency while also getting the value of diversity of other assessments groups?
[00:12:09] Brandon Hines: I try, whenever I report things up, to throw things into larger themes and trends so that they can understand what the impact to the organization would be.
If you have a pen test, and they find an inconsistently configured web server, that's like a very specific thing. But if you put that under a term like baseline configuration and standards, then that's something that you can put a larger theme around for an executive, and they can say, okay, my environment is managed consistently.
[00:12:40] Brandon Hines: And then the detail underneath that might be, well there was one inconsistent thing that we found or whatever the case may be.
[00:12:46] Earl Crane: What about the value of defining a security framework to maintain that consistency across assessments?
Brandon Hines: Yes. Either formally or informally, and certainly, so in my view, you've got your policies, the agreed upon things within the organization, then you've got all of your guidelines underneath that, and then you've got your standards and best practices. And you're always trying to work up that chain to get to the point where you're confident that something can be measured and tested as a policy. And policies might just be the things that you're fantastic at, or it could be the things that there's other either business or regulatory or whatever requirements that have to be codified into a policy.
[00:13:22] Brandon Hines: So wanting to get that practice up so that everything can be to the point where you can deliver under scrutiny. That's always a good strategy. And then it's a matter of, well, how do you take these things that are maybe not quite as important as the things that start off on the policy, but the things that you want to work up over time. Either in response to the evolving threats or just new capabilities that we want to be able to take advantage of.
So really, how do you build a strategy around whether it's network segmentation, whether it's lateral monitoring, whether it's intrusion prevention, whether it's web filtering, whether it's email, whatever it is, how do you get that to be measurable and ratchet up under a very testable scenario?
[00:14:02] Earl Crane: How do you hire? Because you're looking at assessments externally, what do you look for when hiring a third party?
Brandon Hines: Well, oftentimes it depends on what we're looking to assess. So it could be anywhere from, you know, you want to get an overall assessment of where you are on a program so that you know what kind of roadmap you can build out for the next couple of years, to it could be much more tactical. Maybe you're launching a new web service, and you want to get some really focused attention on that particular type of web development.
[00:14:31] Brandon Hines: Those could be two very different organizations that you bring in to do that. So you can bring a firm that's focused on that type of technology to give you the best type of perspective.
One of the things that I often test with any firm that I'm going to bring in is how adaptable are they to the local realities of an organization? What I mean by that is there are some firms that I've engaged that have a very brittle approach, a one-size-fits-all, but it doesn't necessarily adapt well and play well within the organization.
Even if I want to test a very sensitive, operationally sensitive system, I might need to have specific rules of engagement so that I'm not disrupting key business times.
[00:15:14] Brandon Hines: Or if assessors tend to have a very brutal view on what a risk is, because all risk ultimately is a business risk. In my view, there's no such thing as a technology risk. But you get some young gunslingers in the pen test world, and anytime they see something, they think it's the biggest risk because they feel like that's what they're being graded on. I guess the best example that I can think of is if I get a pen tester that comes in and says people can get into your front yard. I'm like, well, yeah, kids can play in my front yard. I'm not that grumpy old man who's yelling at the kids to get off my grass. Like, my front yard is just not a critical business asset. Now, if they're in my house, that's something completely different.
[00:15:52] Brandon Hines: And so understanding that there's the front yard, there's the backyard, there's the inside of the house. There's even parts of the house that might be more important. But those are not inherent in what the technology is, that's the value that we put on them.
[00:16:06] Brandon Hines: And so finding firms that can really understand that, and their process is geared towards that, to me gives a much more successful engagement. And I actually find that they don't get too distracted on things that we don't care about.
Earl Crane: Clearly you've had an experience working with a third party who was not malleable, who was brittle, and things didn't go as well. Can you share a story about a time when you had that third party, and they were brittle, maybe they even broke?
[00:16:31] Brandon Hines: Yes. So it actually was a report that was handed to me as we were building a program. And the report was really focused on and assessed the organization as if they were a bank, but they weren't a bank.
[00:16:45] Brandon Hines: So there's a huge difference in the types of controls and concerns. And we see this all the time with folks who are trying to sell something, and they believe that everybody has credit card information, or everybody has personally identifiable client information. But not all businesses operate the same way.
So you end up with this artifact that's got a highly critical view of things that aren't even relevant to your business. And then you spend the next six months of your life doing nothing but addressing things that are distracting you from where the real risks are, or having to have those internal conversations to understand, well, how did we even get to this point? And that's definitely not a healthy way to progress a program.
[00:17:27] Earl Crane: No. Plus you've then had to deal with the result, or the report, coming in from a third party that maybe doesn't understand your business, doesn't understand the type of data assets that you have in there, and you spend more time educating them than them actually providing value.
[00:17:44] Brandon Hines: Yeah. And it's funny, one of the strategies that I've used over time is to always make sure that I've got a short list of vendors that I can bring in or folks who can come in and do various types of assessments so that we're not wholly reliant on one opinion. That we can rotate regularly, but that you still have some level of consistency so that they can come in, and they can operate quickly.
[00:18:06] Brandon Hines: And that also, that you can bring in at a moment's notice to do an assessment. It also gives you some flexibility to periodically bring in a new provider. Getting the first one's tough, getting the second one is not quite as tough because you always have to fall back to go to your first one.
[00:18:20] Brandon Hines: But you know, when you're bringing in a third or fourth one, you've got a lot more flexibility because you've already established a track record. You've already got a cadence. You already know that if this doesn't work out, I can just rotate in one of the assessors that I have a high degree of confidence and faith in.
Sometimes when you need an assessment, it might be your favorite assessor's busy time of the year, and they just don't have time to fit you in. And that's just a logistical reality that you have to be prepared for. So having that list of folks that you can just reach out to and go down that list, and make sure that you can keep everybody happy and everybody engaged, and that they know where they are on your list so that they can scale up and scale down with you as an opportunity appropriately.
Earl Crane: Brandon, I really appreciate you being on the podcast. Brandon Hines is the vice president of information risk and security for Dimensional Fund Advisors. Brandon, thank you for joining us.
[00:19:08] Brandon Hines: Thank you for having me.