March 3, 2020

The cyber talent search feels like a global, dangerous game of Marco Polo. 

We’re all looking for each other, but nobody can find anyone. (And even if we do, it’ll only last 18 months or less.)

In this episode, we interview Deidre Diamond, Founder and CEO of CyberSN, about attracting and retaining cyber talent during the talent shortage.

What we talked about:

  • How the fact that we are short 500K information security pros in the US impacts attracting and retaining them
  • How career planning is the #1 way to retain talent
  • Why job searching should be like using a dating app

Check out these resources we mentioned during the podcast:

This post is based on a Virtual CISO podcast with Deidre Diamond. To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool is 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator:                          You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry:                       Hi there and welcome to another episode of The Virtual CISO Podcast. As always, [00:00:30] I’m your host, John Verry, and with me unfortunately as always, the Gabrielle to my Xena, Warrior Princess, Jeremy Sporn.

Jeremy Sporn:                 It’s pronounced Gabrielle. Hello everyone and, your highness?

John Verry:                       Just for the record, anyone listening, Jeremy promised me that he’d buy me a beer for doing this and I’m going to look for a Founders KBS or equivalent. It’s just cost about $6.25 cents at the best at Best Buy, just let you know that now.

Jeremy Sporn:                 [00:01:00] Oh my goodness, you called yourself Xena Warrior Princess, you’ve earned your beer. I’m totally cool with being Gabrielle.

John Verry:                       All right. Did you have a chance to listen to this show with Deidre Diamond?

Jeremy Sporn:                 Absolutely. What I love about her is she is really a business person first, and an information security staffing expert second. That’s really what her company does, but her expertise in running [00:01:30] and growing a business is extensive. Just to have that refreshing grip on both sides of the coin, being that SME and recruiting and information security, but really understanding of business, she holds those things in a really cool place, makes her extremely interesting to talk to.

John Verry:                       Yeah. Listen, to be honest to you, she was dynamic. She’s engaging. I thought this was one of the most fun that I’ve had conducting interviews. I think she does a great job. [00:02:00] The topic is really important because if you look at … One of the biggest challenges that we have in our industry right now, is there are not enough people. You need information security people, you can’t get them. She runs one of the leading companies that goes and gets people. Who better to ask the question, how can we attract and retain information security talent? I thought it was a great topic for our podcast.

Jeremy Sporn:                 Very true. Her desire to help people [00:02:30] and with her deep interest in human psychology and sociology, which you will hear, gives her unique perspective and really, I think, sets her and her organization up for success in this area. Really, really cool. I was excited to listen to her. I’m excited for everyone else listening to it. I think you’re going to get a lot out of it. With that said, Deidre Diamond, the founder and CEO of CyberSN. She’s also the founder of Secure Diversity, which is a diversity and inclusion focused not-for-profit organization.

Jeremy Sporn:                 We’ll have links to [00:03:00] her site there. She has put out some really cool events called Day of She-curity, and some really great stuff. Anyone who’s going to stick with us for the whole episode, expect to walk away with a clear understanding of the information security talent shortage, and really how you can turn this threat into an opportunity for your own organization.

Jeremy Sporn:                 If you’re a SWOT analysis person, it is a massive threat, but everyone knows that any threat can be an opportunity if leveraged well, and I think she provides great guidance to do that.

John Verry:                       Okay. [00:03:30] Before we get to the show, Jeremy, and it’s a great show to get to, I’m going to tease a little bit and ask you one of the question.

Jeremy Sporn:                 Cool.

John Verry:                       Have you seen the Hyundai commercial with the guy that plays Jack Ryan, John Krasinski, I think is his name? The guy that puts down the office attempt–

Jeremy Sporn:                 Krasinski. Yes. The one where he has the accent? Is that the one?

John Verry:                       Yeah. “Pack the car.” I’m to figure out, they were advertising a car that parks itself and I’m trying to figure out are the people who are going to buy it [00:04:00] or is the commercial the dumber of the two combination because I’m watching them do this and … First off, if you can’t park a car yourself, you shouldn’t have a license. The only value to that car would be that you’re squeezing it into a space that you’re not going to be able to open the door to get out. But if the space is that tight, A, you shouldn’t be parking there. B, the guy next to you can’t get into his car. Right.

John Verry:                       The only thing you’re going to end up with is scratches [00:04:30] and dings on your car from angry people. What is the use case for that parking?

Jeremy Sporn:                 I feel like I’m on an episode of What Grinds John’s Gears and this is … And it all of a sudden showed up in the middle of our podcast, but–

John Verry:                       I’m like, “Seriously?” What’s the real use case for that car? I can’t figure it out.

Jeremy Sporn:                 Yeah. I’m pretty sure it’s a marketing ploy. Being in the marketing world is my guess that it’s just to gain some interest. Also, [00:05:00] this is my guess and this is not me because I’m an extremely competent driver. I think people are not very pleased with themselves when they look to backup in a car. John Verry [crosstalk 00:05:09].

John Verry:                       This isn’t backing up, this was pulling in forward. I mean, listen, I understand the cars that parallel park themselves. I know a lot of people that would find that really exciting, but a car that parks itself straightforward, I’m sorry. All right, that’s enough said. I ranted a little bit, I got it off my chest. I don’t know why it was bothering me so much, but I [00:05:30] feel better now. Thank you, Jeremy.

Jeremy Sporn:                 You know what? I’m here for you. All right, Xena, I’m here for you.

John Verry:                       Gabrielle, is that it?

Jeremy Sporn:                 Yeah, [inaudible 00:05:38].

John Verry:                       Enough. Let’s get to the show. Deidre, how are you today?

Deidre Diamond:            John, I’m great. Good to be here with you. Thank you.

John Verry:                       Yeah, thanks for coming. We’re going to start super simple. Right. Tell us just a little bit about yourself, who you are, what you do, and a little bit probably about CyberSN and what you do.

Deidre Diamond:            Yeah, absolutely. My name is Deidre Diamond, and [00:06:00] I am a sociologist at heart, is what I call myself. I majored in sociology and criminal justice. I’ve been fascinated about human behavior since I was a young child and particularly criminal behavior fascinated me. That fascination plus schooling ended up putting me in technical staffing, actually, out of college, believe it or not, where–

John Verry:                       Not, but it must be true. Right?

Deidre Diamond:            … It did. It’s super fascinating. [00:06:30] I ended up working for the folks that hired me out of college into technical staffing after being very turned off from internships in the criminal justice system. Anyhow, I worked for them for 21 years, building technical staffing agency and then building software companies, one of them being Rapid7, which is where I got in [crosstalk 00:06:49].

John Verry:                       Where you got the information security.

Deidre Diamond:            Yeah, that’s how I got it, in 2007. Tech staffing was super fascinating for a sociologist. Again, jobs is at the heart of our [00:07:00] happiness, at the heart of stability. It super brought me into the modern world of making money and where it’s coming from and then, adding cyber to that and selling software and getting into software and actually, running with a software team. I was the VP of sales for Rapid7, 250 million, so I took my staffing experience, went to sales.

Deidre Diamond:            Anyhow, that really even fascinated me more because now I’m like, I’m around more criminal behavior defense, [00:07:30] if you will and selling to people that find this stuff interesting too. Fast forward, as the folks I work for retired and it was time for me to start my own company, it made sense to put the two together. CyberSN, which is Cyber Security Network was born five and a half years ago. We are a technology staffing firm in that we utilize technology to make staffing [00:08:00] affordable and for professionals to not have to bear the awful job searching process.

Deidre Diamond:            That’s where CyberSN was born, and along the way, I’ve certainly recognized that I represent the 1% of women that are founding CEOs, they’re successful, so I certainly joined the conversation of diversity and inclusion and getting involved in helping solve the inequality gap.

John Verry:                       You’d be interested [00:08:30] to know that I actually have a little bit of a passion for STEM, science, technology, engineering and math with women. My wife is a long-term engineer from when women generally weren’t engineers, worked in a man dominated field her whole entire life, so I’ve experienced some of the stuff that she’s dealt with firsthand through her. Now, my daughter is pursuing an engineering degree in Biomedical Engineering.

John Verry:                       One of the things we’re going to do … Some of the podcast episodes we bring on people that are nontraditional. We’ve already had [00:09:00] on America’s top cardiologist to talk about stress and the things that it does to people in the information security field. I also want to bring on some people from some of the programs which are intended to promote women in engineering, women in science, technology, engineering and management, because I think it’s an underrepresented concept and it deserves attention. I applaud you and I’m in agreement with you completely.

Deidre Diamond:            Yeah.

John Verry:                       Cool stuff. I always liked to ask, before we get down to business, when you need to sit down and think or chill out, or whatever it is, [00:09:30] what’s the drink of choice? You can learn something about people from what their drinking choice is. It might be tea, it might be water, it might be bourbon. What’s your drink of choice?

Deidre Diamond:            You’re going to learn a lot. If you’re talking about, I’m sitting down to think, it’s nothing alcoholic. It’s an iced tea or a latte. I like ice lattes, and I’m most likely walking. If I really want to think I’m most likely up and about with one of those in my hand literally, [00:10:00] taking a walk. If I’m having a good time, I’ll take a … What do you call it? A Margarita, skinny Margarita meaning no triple sec, meaning to that. I think what…

John Verry:                       Basically, you’re saying tequila.

Deidre Diamond:            Tequila is the thing I will have and [crosstalk 00:10:16].

John Verry:                       Tequila and a lime juice. If you a skinny Margarita … I used to drink a lot of, I think they would call it either cactus bites the snake bites, but it’s basically lime juice and tequila.

Deidre Diamond:            Yeah.

John Verry:                       I used to do it a lot when I [00:10:30] was skiing out west, and heavenly, we had a bar that served these fantastic, whatever they were, cactus a snake bites. I always smile when people talk about tequila. Let’s get to why you’re here. Obviously, you are a recruiter in the cyber security space. I’ve heard there might be, I don’t know, a challenge or a shortage of people in that space. Care to comment?

Deidre Diamond:            Come on. [inaudible 00:10:58].

John Verry:                       Let’s start with the shortage [00:11:00] because I hear various numbers, a billion, 1.7 million, 1.8 million, 3 million. What do you think? Educate us.

Deidre Diamond:            Yeah. The stats keep saying 500,000 in the US and the million number, which is really just around two million, 1.9, something is international.

John Verry:                       Okay.

Deidre Diamond:            I think that’s important because that’s why people are a little skeptical of the stats. They see the 2 million and they see the 500,000 and then they think, “Well, which is it?” Well, it’s one’s quoting US and one’s quoting the international. Yeah, it’s [00:11:30] 10 times more difficult than IT and software staffing, and 10 times more expensive, John.

John Verry:                       I’ve seen that. The price escalation, you’ve seen it, I’m sure. I mean, I think for a lot of the positions that you’re probably dealing with … I mean, CISOs are even worse. That’s probably three X and four X, but even just the average positions, they’ve gone up, I would guess, 50% in the last five years?

Deidre Diamond:            Yeah, pretty sure. I was talking about the expense [00:12:00] to recruiting them [crosstalk 00:12:01].

John Verry:                       All right. Okay. I was coming up with the cost to actually pay them.

Deidre Diamond:            The cost to paying them is 25% higher than software and IT roles today of equal or years of experience or even raw. Of course, east to west, what’s happening in San Francisco is really at the top of the charts in terms of … Like anywhere else that we see. The [00:12:30] cost that I’m talking about is the cost to recruit them and that’s a cost that organization, boards really need to understand. Because they don’t understand it, they’re not budgeting appropriately.

Deidre Diamond:            One of the biggest challenges I see is firms, not filling their roles because they’re not budgeting to fill their roles with recruiting costs that make sense. If it’s literally 10 times more expensive for me, I built a $89 million IT software staffing [00:13:00] firm before I went and built Rapid7 sales, and that was literally from 2 million to 89 million in five years, we did that.

John Verry:                       Wow. That’s amazing.

Deidre Diamond:            It is amazing. The model is exactly the same model I’ve put into Rapid7 sales, meaning, how do you do an inside sales model transactional in software, which is … Bain Capital calls it their Bain Capital sales model. It’s my sales model, they…

John Verry:                       They stole it.

Deidre Diamond:            … We interchange the term with them. I’m okay as long as I can take [00:13:30] credit.

John Verry:                       As long as they’re paying you a commission. Right?

Deidre Diamond:            Exactly.

John Verry:                       You get to use the Bain yada [inaudible 00:13:36].

Deidre Diamond:            Yeah.

John Verry:                       It’s on that lake in New Hampshire that you’re on. Right?

Deidre Diamond:            Yeah. It’s a fun offer.

John Verry:                       They put the yacht in there for a little bit float it around.

Deidre Diamond:            We could say that. We could definitely say that. It is [crosstalk 00:13:46]

John Verry:                       You need me to negotiate these deals for you. You know what I mean?

Deidre Diamond:            … It is an impressive model that has been utilized a lot. Imagine me going and starting CyberSN and putting the two together and being hit with a [00:14:00] sales model, which is the staffing model cost, right, the cost of sale, to the tune of… It’s actually nine and a half times higher, but no percent.

John Verry:                       Wow.

Deidre Diamond:            It’s because of a lot of things. One is how new the industry is. It’s super under budgeted. People are doing two or three jobs in one, which means recruiting is like, how you going to convince that you’re not? You’re just going to keep talking to people until you can stretch your job or stretch the salary cap on your job [00:14:30] or never fill it, which costs a lot of money to do regardless. It’s also because of internal staffing firms … Internal recruiters not speaking cyber security, recruiters in general not speaking cyber security, so the call or the conversation never even gets to be heard with a professional. Cyber professionals are only on LinkedIn to a tune of 35%.

John Verry:                       Not surprising.

Deidre Diamond:            Where are you going to get them? Well, I mean, most of the hardcore engineers, [00:15:00] technologists, which is my clientele, of course, I’m information security staffing. We’re in with the leaders and we’re in placing very technical. They see it as a privacy model. They don’t want their public information, they want to be social engineer, they don’t think it’s good for the company for them to put a profile and talk about the technologies they use and what they’re doing.

Deidre Diamond:            That means, to be able to find these people and match these people is super expensive, [00:15:30] match them into job if you don’t speak the language, and then the traditional, why are they going to work for you? What do you have to offer? What you and I were talking about earlier, retention. How do you retain? We can talk about that too. We’ve got this problem where there’s all these jobs open, 500 in the US–

John Verry:                       Mm-hmm (affirmative). 500,000.

Deidre Diamond:            … 500,000, thank you.

John Verry:                       Just to be clear.

Deidre Diamond:            Yes. It takes quite a few years to create a professional in the technical roles. [00:16:00] There are non-technical roles that can be had faster, in risk, in compliance and other roles.

John Verry:                       [crosstalk 00:16:08].

Deidre Diamond:            Yeah. In fact, I’d published the 35 job categories in cyber security. It’s on my website. It started when I first started at 32, it’s now 35 and growing, of course, some technical roles, non-technical leadership. Anyhow, in the technical roles, which is where the majority of the jobs are, there is a real time frame that it takes to get that skill set [00:16:30] of an attacker or a defender.

John Verry:                       Right.

Deidre Diamond:            What? Is it three years? Is it five years? Either one means, if we’re short, that moment–

John Verry:                       Yeah. We’re not solving it soon, is what you’re getting to.

Deidre Diamond:            Yeah. Not just not solving it, it’s really very difficult problem to solve. It’s come upon us so quickly.

John Verry:                       The other thing I find is you don’t have the time to train the people. Even if you said, I got this smart kid coming out of college, he’s got a cyber security degree. Unfortunately, [00:17:00] the schools can’t yet prepare them to really do the jobs that we need them to do. The problem is, if you’ve already got a guy that’s working 60 hours a week and he’s overworked and you’re short of staff, he doesn’t have the time to actually bring that person on board and actually train them.

John Verry:                       That’s another problem to solving this is that you’re not going to get those people to be able to do that for a while because they’re already maxed out. Right?

Deidre Diamond:            Yeah. I gave a talk in RSA last year, and I’ll touch on some of this in my talk this year at RSA in that, succession planning. If there’s no succession planning, [00:17:30] then there’s no way to absorb entry level.

John Verry:                       Right.

Deidre Diamond:            Entry level and the CISOs have it the worst for job searching.

John Verry:                       I was just going to ask two things. Let’s look at this from both sides. The first side is, while the skill sets that I would guess, the ones that are the hardest to deal with right now … I might guess, would be privacy is brutal. You’ve already talked about … I would think privacy and CISOs are those are two of the harder areas to deal with right now.

John Verry:                       Anything else, it really … I mean everything’s bad, [00:18:00] but those would seem to be exceptionally bad just because of what’s going on with privacy and the fact that there’s just not enough people that can translate information security to the business realm.

Deidre Diamond:            Yeah. This will blow your mind. For us, no job’s hard, and I’ll tell you why. It’s because most organizations have no idea how to treat their people, which means most people do not love where they work. They are recruitable, if you understand what role they’re really in and capable of and what … You got to be able to get [00:18:30] that right role in front of them, which is why other speak cyber, you got to be cyber, you got to get it.

Deidre Diamond:            My point is this, for us, it’s nothing because of unfortunate circumstances of how employers take care of employees, but for an organization, it’s extra hard because those two roles that you just mentioned, privacy and leadership, have so many stakeholders tied to the decision making of, who is [00:19:00] the person that’s right for that job? What are they really going to be doing?

Deidre Diamond:            Those jobs are so vast in strategy, that there’s too many stakeholders or so many stakeholders, if you will, that it’s paralysis by analysis is what we see on a regular basis, and regrouping and restarting because so many stakeholders have opinions.

John Verry:                       Right. I liked what you said earlier. You touched on the concept of retention, [00:19:30] and that it’s easy for you to recruit people, which is bad for the people listening because the people they have are at risk and they’re having a hard time getting new people. If you’ve got information security people working for you, how do we retain them? What are the key, three, four or five, whatever it is, things that you would to someone like, “Here’s what you need to do to make sure that the people you have are not going to leave you?”

Deidre Diamond:            Right. Number one is career planning, period. It’s number one. It’s so number one [00:20:00] you could forget about the rest and-

John Verry:                       Really?

Deidre Diamond:            … Get people, yes. Leaving a job is not something fun. The experience of deciding to leave, the looking … It’s super emotionally challenging. People don’t do it just because. They do it either, because they can’t see how to get ahead. We all want to achieve, we all want to make more money, we all want to grow our skill sets. If that’s not happening, then people will long for that, they’ll look [00:20:30] for that and when calls come in, they’ll take those calls, if they don’t have that plan for themselves. That is the number one reason.

Deidre Diamond:            It could be disguised in the word of opportunity. It could be disguised in the words of onboard, it can be disguised in the words of no money for training, can’t get-

John Verry:                       This is where that psychology comes in? I can almost see these conversations you have with these people, and it’s like … You said psychologist or just a psychiatrist? Can’t remember which one.

Deidre Diamond:            Yeah, psychologist.

John Verry:                       That’s what you’re doing. [00:21:00] You’re reading what the issue really is and then helping them find the right spot where they fit.

Deidre Diamond:            That’s right.

John Verry:                       That’s cool.

Deidre Diamond:            Well, we simply will take care of them. Where they’ll go fit in that the organization has a need for somebody of their skill set and their brains and their demeanor of interest, but also somebody that’s going to take care of them better than where they’re at. If we can’t pitch, here’s what’s going to solve why you’re leaving, which is almost always opportunity to grow, career, invest in me, train me [00:21:30] certifications, they’re all under that umbrella of help me get better. I want to make more money. I want to grow. I want to achieve. I don’t want to ever get bored.

John Verry:                       Right.

Deidre Diamond:            I always tell my clients, certainly, a lot of the talks I do, “Look, to solve your staffing needs, the first thing you do is think about your retention strategy, which is your succession plan, your career development for these people.” What’s your story and is it true? Is it in place? [00:22:00] Are you prepared to really back up the story?

John Verry:                       Walk the walk, talk the talk, if you’re going to say that.

Deidre Diamond:            Yeah.

John Verry:                       That makes sense.

Deidre Diamond:            Yeah, because we’re taking people from jobs. Nobody’s desperate, necessarily.

John Verry:                       Right. No one’s sitting on a bench somewhere, unless in an unusual circumstance. I mean, like you said, you’re recruiting someone. Quick question for you, there’s a very common … I don’t know the right … Axiom, that says that people don’t leave jobs, they leave managers. [00:22:30] How does that tie into what you just said about the career path? Is that the bad manager doesn’t give them the career path or there’re other things that the manager needs to be cognizant beyond the career path?

Deidre Diamond:            Well, the manager is responsible for career path development. I tell people all the time, in my word, we speak this language, everybody is in leadership. Everybody ought to act like a leader. A leader ought to be any human that comes to work and wants to be successful. [00:23:00] A manager is the person that actually manages the success of operations. Success of operations, in any department, is really about succession planning.

Deidre Diamond:            I mean, we learned this back in the 60s and… I mean, 70s was the manufacturing era of how do you grow people so that they don’t burn out started way back then. Most departments have this culture of career development. [00:23:30] Cyber is last to it mostly because it’s under budgeted, but also mostly because people typically become managers because they’re good individual contributors.

John Verry:                       The other problem I see is that they become managers because they’re good practitioners. They’re good at doing something technical, so they become a manager because that’s the next logical progression to reward them. Very often, people that are good practitioners are not good leaders. They don’t understand the soft skills, they don’t understand the management, [00:24:00] they don’t understand the leadership component of it. I do think that’s part of the problem as well.

Deidre Diamond:            Absolutely. That’s why those people need training. That’s why training shall not ever stop. I walked into working for the gentleman that I worked for, for 21 years across three companies, and it was all about training and development and it never stopped. We were always being trained and developed. If you got promoted, then there was more training to be successful in that role.

John Verry:                       Right.

Deidre Diamond:            [00:24:30] We’re not investing in that in security people. We’re really not.

John Verry:                       Like you said, the problem you run into is that they’re already understaffed. We don’t have enough people. What they do have, they think that they should spend on tools because that’s the way to solve problems, but tools without people that operate them, people that are trained to know how to use them, really, it’s a false sense of security. I think in too many places, we do have a false sense of security for all of those reasons.

John Verry:                       You’re saying that, from your perspective, [00:25:00] absolutely the single most important thing is set people up … Now let me ask question, do you differentiate succession and resilience? I mean, I think succession helps build organization. One of things we’re trying to do internally here that I think I worry about is resilience because it is so hard to recruit people and it is so easy for you to lose people. If you lose a key person in a key spot, what are you going to do? To me, that’s resilience. Do they tie in together from your perspective?

Deidre Diamond:            Yeah. I think they [00:25:30] do. For me, succession planning is a strategy. It is concept and then when you go to implement it, like you’re talking about, it really comes down to what somebody’s doing on a daily basis, hourly basis, such that you can manage their time enough where they don’t burn out, or they don’t get overwhelmed and that they’re really able to have the benefit of a succession planning program. [00:26:00] I see getting into the details of tasks and projects that we give to professionals in general need to be really clearly defined and documented.

Deidre Diamond:            In fact, the talk that I gave at RSA last year was rolling out the human hygiene model. We’ve got all our tech hygiene models. Well, here’s the human hygiene model and you can look at it just like you do technology, like identify the roles and responsibilities and [00:26:30] the tasks and the projects and document them and know how much time they take, and what’s appropriate. When doing that a business owner can really look at time management, because that’s what it comes down to.

John Verry:                       Right.

Deidre Diamond:            It’s how effective are we in our time management, which means how in tune are we with the tasks and projects that need to get done such that we as managers, not leaders, managers, can manage such that high efficiency, low [00:27:00] burnout to no burnout, which is [inaudible 00:27:05] of the game.

John Verry:                       I think a lot of that is prioritization, is that, there are going to be some things that aren’t going to get done and you have to recognize the operator rule 80/20. It’s figuring out what the 20 is so that if that gets done, we’re in pretty good shape and then we’ll knock off as much as we can on that. Real quick for you, obviously, somebody who’s looking, a small to medium sized business owner who needs to [00:27:30] bring on a new person, they have one option, which would be to call somebody like yourself and say, “Hey, go get this person for me,” which is a good strategy.

John Verry:                       If they were trying to do it themselves, if somebody says to you, “Hey, I can’t afford your services, or hey, I already have three HR people” any thoughts on … You could talk about the pros and cons, but also talk about, what would be some strategies for someone to recruit people themselves?

Deidre Diamond:            Yeah, totally. I just launched a blog last week on this exactly, giving everybody all the–

John Verry:                       Oh, cool. Maybe we’ll put a link to it in the [00:28:00] transcript for the podcast.

Deidre Diamond:            Yeah. I’m such an American patriot that literally, when I realized the problem and why my cost of sale was so high, I thought to myself, “Oh my gosh! This is a massive national security issue.” Meaning, we’re all running around and we can’t find each other, we can’t-

John Verry:                       Look at CMMC. It says exactly what you just said. I mean, CMMC is because of the fact that we’ve got a massive national security problem.

Deidre Diamond:            I have been saying this since the last four years of my [00:28:30] life that the fact that we can’t organize ourselves and find each other and really know what we’re capable of, what skills we have, is so archaic that when I started to solve it for my cost of sales search in [MACS 00:28:44], that was my massive cost of sale, I realized that I needed to provide … Once I figured out the solution, which I figured out pretty quickly, meaning how to automate what we do of figuring out a job and figuring out what a human’s skill set really is and how do you automate that.

Deidre Diamond:            [00:29:00] I did and launched a platform at Black Hat last year called No More, and it’s International and so I encourage everybody to go use that platform. It’s what we use, meaning, your job descriptions make sense, they speak cyber security so that [inaudible 00:29:13] seeker that’s working but not really totally happy, you can look at your job and it makes sense to them and know right off the bat, will they sponsor citizenship if I need it? Will they pay for some relo, if I’m willing to relocate? Can I work from home at all?

Deidre Diamond:            All that basic stuff that attracts people, it’s automated and right there [00:29:30] in your face. Also, cyber professional can have a public profile without releasing their identity. It’s game changing. That being–

John Verry:                       That’s pretty cool and that’s know more as in K-N-O-W M-O-R-E?

Deidre Diamond:            … Yeah.

John Verry:                       Oh, that’s cool.

Deidre Diamond:            Yeah. No more shitty resumes and no more shitty job descriptions and then K-N-O-W M-O-R-E, have more [crosstalk 00:29:50].

John Verry:                       Yeah. I was going to point out that you had spelled know wrong, but I’m glad you corrected that. There’s a couple of people listening going like, “I thought this woman was smart to that point.” [inaudible 00:29:59] [00:30:00] head off the cliff.

Deidre Diamond:            That’s the thing. That’s in terms of searching and matching and then getting the platforms very new. Depending on what geography you’re in, if we’re not there really pushing it out, then you still will also want to put your jobs there, but go to local events, go to local meetups. It’s a great way to get involved in the community. It’s also a high cost, but it’s what you have to do, literally. You’re not going to post a job on your website and get a response [00:30:30] most likely.

John Verry:                       No.

Deidre Diamond:            You’re not going to-

John Verry:                       We have the ‘an on the waters’ at all time and its brutal recruit, so [crosstalk 00:30:36]

Deidre Diamond:            Yeah. You got to get behind the job description on the website and get involved with the community, which is why it’s super costly. Again, my plan is to completely disrupt this problem. Internationally, I want to see humans, when kids have gone and you want to go work in Italy now, be able to go with the platform and find jobs in Italy and know how they sponsor and what it would be like and [00:31:00] go work in Italy.

John Verry:                       If you can find me a job in Pienza, which is about the–

Deidre Diamond:            Pienza.

John Verry:                       … Which is one of my favorite place I’ve ever been down the Piedmont region. You know what? You have me? Put me on that list, find me that-

Deidre Diamond:            Well, I’m on that.

John Verry:                       … Find me that job. Florence is a close second, so I can’t–

Deidre Diamond:            I’m on that.

John Verry:                       [inaudible 00:31:19] I’m okay there too.

Deidre Diamond:            It makes sense that as humans, I think to myself, “Gosh, we’re in this wave of information and yet, we’re really not utilizing the ability [00:31:30] to match for jobs.” For instance, look what eHarmony and the dating apps have done to relationship statistics. Do you know this data?

John Verry:                       Yeah.

Deidre Diamond:            They have totally flipped the game. People are staying together, divorce rates, if you met–

John Verry:                       Really?

Deidre Diamond:            … Yes, because think about it, you have options. You’re not just meeting that one person at work or … One person that you met at work or you’re not going to a bar and hoping you meet the person [00:32:00] in settling, if you will, which goes on.

John Verry:                       All right. Let’s go no deeper than that.

Deidre Diamond:            Let’s not go any deeper.

John Verry:                       Let’s keep this PG. Don’t mention beer goggles. I just want–

Deidre Diamond:            [inaudible 00:32:12].

John Verry:                       … To stop there.

Deidre Diamond:            It is so true that I literally video on my website, I am liking what I’m doing to the data apps. I want it to be as us as professionals where, we know the tasks and projects that we’ve been doing, we know the tasks and projects of the jobs, we should be able to categorize ourselves [00:32:30] digitally in one place per profession, and be able to match to jobs so easily that we have options. Right now, even though there’s a shortage, most cyber professionals will say, “Job searching is horrible. I never talked to anybody that’s got the right job for me. It’s just buzzwords.” It’s a super wasted time, 20 conversations to maybe one right job.

John Verry:                       Yeah. I mean, on our side of the fence, right, reviewing 100 resumes to find [00:33:00] somebody … You wonder half the time, why are people even submitting this resume to this job? I can’t begin to tell you when we recruit, right, Pivot Point Security. We’re an information security firm. How many security guard resumes we get.

Deidre Diamond:            Yes.

John Verry:                       I mean, it’s inordinate and it’s like, we’re wasting each other’s time. When you have up there, let me know.

Deidre Diamond:            That’s right. I do.

John Verry:                       I just have to make sure my wife understands that it’s a job searching–

Deidre Diamond:            You have to put your profile up, [inaudible 00:33:28], put it up, [00:33:30] if you’re willing to relocate to those countries, which is what it will ask you and then only jobs from those countries will be allowed to apply. That’s how I made it. Just because of what you-

John Verry:                       Are you still on no more?

Deidre Diamond:            Yeah, which you find at [crosstalk 00:33:42].

John Verry:                       I got to check it out.

Deidre Diamond:            You have to.

John Verry:                       I’m supposed to ask you about something that I’m scared to do. One of the questions I’m scared to ask, so let’s start with the other one. I was supposed to ask Deidre about secure diversity, addressing the cyber security talent shortage. Does that tie into the women in engineering, [00:34:00] science, technology stuff we were talking about earlier?

Deidre Diamond:            It does. You left out one part of it. You’re so [inaudible 00:34:06].

John Verry:                       No, there is another part. I haven’t asked that question.

Deidre Diamond:            They go together.

John Verry:                       They go together. You’re saying, being the brain babe is part of that. Are you the brain babe?

Deidre Diamond:            No. Shit. So funny.

John Verry:                       Is that what I’m trying to understand?

Deidre Diamond:            Okay. My not-for-profit that I was telling you, I mentioned earlier, we never got into it, [00:34:30] bringing women into cyber … Handling this shortage was named ‘Brain Babe’ until just a few weeks ago.

John Verry:                       That’s where it comes … Okay, you were the brain babe. A lot of people refer to me with similar terms, as you can see why.

Deidre Diamond:            Well, that’s why I changed the name [inaudible 00:34:48], especially, it really happened when #MeToo happened. The name was-

John Verry:                       Yeah. I don’t blame you. It’s a cute name and everything, and then you realize that it almost, [00:35:00] in a weird way, goes contrary to what you’re trying … It takes a little bit of the seriousness away from what you’re trying to do.

Deidre Diamond:            … Yeah. Most people don’t want to read before they judge and the reality is, if people took a few minutes to read, and even once they did, they still … Some of them didn’t like the name. I’ve got sponsors from all kinds of names. It’s not like it was a massive problem, but it was big enough to where I realized that I’m not being inclusive if I don’t take everybody’s needs into this into it. Listen to this, [00:35:30] the name brain babe comes from getting involved in stopping what was going on with what we call booth babes, which was sexual [crosstalk 00:35:39].

John Verry:                       I know. I hate it.

Deidre Diamond:            I definitely put that stuff to bed with some other leader, and that’s how the company was founded was me realizing RSA put out their article about booth babes and then that’s when my brain was like, “We need more women. Let’s just train them. Let’s not ban them. Let’s not change their clothes,” [00:36:00] which is what we prefer at first. Let’s train them. Let’s make them brain babes. That’s how it happened.

John Verry:                       Instead of booth babes. That’s cute. That’s actually a good story. You actually have a non for profit that’s designed to this?

Deidre Diamond:            Yes.

John Verry:                       Okay, cool. What’s the name of that?

Deidre Diamond:            Yeah. It’s

John Verry:                       We’ll put that and the transcript as well. That’s cool stuff. I’ll take a look at that as well. Like I said, I have a personal interest in it and having seeing what my wife has gone through, we employ a lot of women here. I’m very proud [00:36:30] and very happy about that. I want to make sure that the environment is as appropriate and welcoming as it can be for my daughter when she graduates.

Deidre Diamond:            That’s right.

John Verry:                       I’m right there with you.

Deidre Diamond:            That’s right. The good news is-

John Verry:                       That’s cool stuff.

Deidre Diamond:            … The good news is, when people really take on the conversation of inclusion, it helps men too. I mean, we were talking earlier about retention rates being 18 months. Well, the majority of the workforce and particularly, what we’re talking about cyber is men, that’s not that fun either. I work with the same guys for 21 years. [00:37:00] When I think about moving jobs every 18 months, if that was my life-

John Verry:                       It’s draining.

Deidre Diamond:            Yes, my God. As if we don’t have enough pressure in life.

John Verry:                       Right.

Deidre Diamond:            We know that when pressure turns to stress is when the body breaks down, the mind breaks down. I mean, it’s just ridiculous. The conversation of inclusion, for me, just brings the conversation of, make a place for everybody. [00:37:30] Humans are emotional in general and in general, we all want the same things. The same [crosstalk 00:37:37].

John Verry:                       We’re not going Maslow’s hierarchy here, are we? Deidre, are you impressed?

Deidre Diamond:            We could.

John Verry:                       You thought I was just another pretty face. There’s a little depth here.

Deidre Diamond:            Do you go to sociology class because I know-

John Verry:                       No, but I do think that … I have done some reading, the Viktor Frankl kind of stuff. I mean, I do think what you’re talking about, it’s interesting. [00:38:00] I might have gone into psychiatry, but it scares me that I would end up self analyzing myself and analyzing my kids. It scares me, so I stayed away from it.

John Verry:                       I thought I do understand and appreciate, and I actually find it really … Honestly, I’ve enjoyed our conversation and it’s just making me think about something I never thought about was how these concepts that you’re talking about, I guess psychology concepts, could have such a significant impact on the recruiting and retention process.

Deidre Diamond:            Yeah.

John Verry:                       Logically, that makes a lot of sense, which [00:38:30] would make sense as to why you’re so good at your job, so thanks. I learned something.

Deidre Diamond:            Thank you. I would say, let’s call it sociology because-

John Verry:                       Sociology. Okay.

Deidre Diamond:            … Don’t you all, I mean, psychology is super important to the conversation too, but if we think more sociology than we think society, we think how humans interact with each other, how humans spend time with each other, what’s societal norms and emotions that are created based on behaviors and what have you? It’s more in-depth [00:39:00] there. Yes. I appreciate you saying that. I know many amazing SMEs like yourself who tell me that, back in the day when college was happening, that sociology was the class they couldn’t wait to stay away from as much as [inaudible 00:39:13] psychology. Now, they like, “Shit, it’s the top of the food chain.”

John Verry:                       Every interrelationship involves some level of sociology. It is understanding. I’m a big believer in the concept of emotional [00:39:30] IQ. Emotional IQ and sociology or understanding these sociological triggers and cues and reading people, right ties all into that. Correct? That ties into the other thing too, which is interesting, because I think the other thing that you talked about, from a retention perspective, is having a value … Excuse me, a set of core values that creates that environment where someone does feel inclusive and feels comfortable. I think culture is an important part of retaining those people as well, right?

Deidre Diamond:            Yeah. [00:40:00] That goes for men and all any gender that … Everybody wants where people humans thrive in mental safety. I mean, they can speak their opinions and their ideas and they won’t be made to feel stupid or get in trouble, that’s culture to me. It’s not do you have a ping pong table? Do you serve food? All the shit that people talk about when … It’s like, “No, that’s not culture.” Culture is, what’s the communication like? How fluid it is, are people able to-

John Verry:                       Do I have a voice, my influence?

Deidre Diamond:            Yeah.

John Verry:                       I agree. Things like that.

Deidre Diamond:            I will say [00:40:30] this because I don’t … I know that there’s many managers out there who don’t know what the future for their teammates are and they can’t really present something because they’re not getting the support from above to present something. I tell those people, the thing that you can do is be in the conversation. Just being in that conversation and saying, “I don’t have all the answers and yet I know how important it is to have career development. Here’s what I’m thinking we do now and here’s where I’m going to be talking [00:41:00] about with those above and around me.” I mean, don’t shy away from the conversation just because you don’t have the answers.

John Verry:                       Mm-hmm (affirmative).

Deidre Diamond:            It means a lot to a human to just be in the conversation, I know that someone’s thinking and caring and working out some of these details.

John Verry:                       Yeah. It’s so funny one of the one of the problems I’ve seen with a lot of our, leader new leaders, when they first go into role, when they don’t have an answer or they have a situation [00:41:30] which is a little uncomfortable, they’re hesitant to go into it.

Deidre Diamond:            Mm-hmm (affirmative).

John Verry:                       They’re hesitant to enter that danger zone and they think that by not entering the danger zone, they’re actually helping the relationship, but I think in the long run, you’re actually destroying the relationship. I mean, then just the bad stuff festers or they don’t think you’re interested. I think you’re 100% right, that’s a critical part of it all.

Deidre Diamond:            I did a lot of training and what the [inaudible 00:41:54] say were transformational mind dynamics, which is really [crosstalk 00:41:57].

John Verry:                       All right. No, that one I would have skipped. I have to be honest with you. That what I want in [00:42:00] the curriculum, but I think I’m good with … Maybe I would have taken over thermodynamics, which is really tough, but not many would that be [crosstalk 00:42:11].

Deidre Diamond:            What it taught me, the biggest lesson it had for me is what you just said and this blew my mind. When I got it this way, it was like, “Oh shoot,” confrontation is love. The willingness to confront–

John Verry:                       I am going to use that with a concept.

Deidre Diamond:            Right.

John Verry:                       That’s now tying to the same … There’s a statement [00:42:30] that I love, and I might screw this up, that the opposite of love isn’t hate, it’s indifference.

Deidre Diamond:            Mm-hmm (affirmative). The opposite of love isn’t hate, it’s indifference. The opposite of love is indifference.

John Verry:                       That’s exactly what you just said it’s that, that feeling that, whatever the interaction is, you’re showing someone you care by having the interaction. Right?

Deidre Diamond:            Yeah.

John Verry:                       The indifference is that, I don’t really care about you and really, if you think about it … Because if you think about it, if you tell me you were to break up with me and I was in [00:43:00] love with you, and if I didn’t react and if I just said, “Okay,” that’s really the opposite of love, because I still love you if I respond super strongly like, “No, don’t leave me,” right?

Deidre Diamond:            Sure. I find myself often saying, if you’re unwilling to speak your internal truth, whatever’s going on in your head, you’re unwilling to share with that person, you’re unwilling to confront, then you don’t really care about that person. The other side is, you’re not talking, you’re not engaging. [00:43:30] Well, the point is, if you’re staying in a conversation, then you cared. If you’re not even willing to engage it, then you can’t possibly care.

John Verry:                       Right.

Deidre Diamond:            Fear is the only thing that stops us from engaging, and so it’s that ability to put aside the fear. Now, a culture can foster less fear or more fear. We all have some level, but the culture will foster as having less or more.

John Verry:                       Right. I would agree with that, but it will overcome … You still have to work to overcome [00:44:00] that challenge.

Deidre Diamond:            Yes.

John Verry:                       There’s certain people that embrace the challenge or embrace the controversy, are willing to embrace it, and then there’s others that it’s hard for them to do so.

Deidre Diamond:            That’s where it comes down to managers, it can’t be hard for them to do it or they shouldn’t be in their job. This is where other managers above those … Anybody in a management seat, meaning the responsibility of another human success ought to have the training that allows them to have [00:44:30] the EQ, which is what I’m talking about at RSA this year, the EQ, the emotional intelligence to have a low fear environment, high mental safety environment, even if it’s somebody else’s department that’s interacting with your department.

John Verry:                       Very cool. Note to Jeremy is our producer, Jeremy no more sociologists on the show because you [inaudible 00:44:53].

Deidre Diamond:            I’m coming back. I want to talk with you [crosstalk 00:44:53].

John Verry:                       No, you’re not coming [00:45:00] back. You and I can get together for a drink, because we can waste 16 hours.

Deidre Diamond:            See, it’s waste-

John Verry:                       We’re both drinking a bottle of bourbon or tequila. I’ll drink tequila with you. Milagro is good. I’m hesitant to wrap up this conversation by asking you this question for sociologist, but I’m going to do it anyway because I always ask it. You’re in our field and you know a little bit about this. What fictional character or real person, [00:45:30] give us an example of someone that you think would either be an absolute great or an absolutely horrible CISO, and why?

Deidre Diamond:            A horrible CISO, I think of-

John Verry:                       Or, good.

Deidre Diamond:            … When I think of a horrible CISO, I think of an introvert, period.

John Verry:                       Yeah.

Deidre Diamond:            Whatever that character is … Unfortunately, I’m not a really good TV or movie person. That being said, an introvert, somebody who truly doesn’t enjoy interacting with others.

John Verry:                       Mm-hmm (affirmative).

Deidre Diamond:            I would say that for any C-level management role. [00:46:00] The best would be somebody who really recognizes that they can’t know it all because a CISO role, depending on what company, it’s just so vast. There’s not just this one thing that you know. You have so much to cover that it’s really about a human that’s capable of having other really intelligent people around them and not feeling [00:46:30] insecure because there’s just so much to cover. You’ve got risk, you’ve got compliance, you’ve got security operations, you’ve got privacy.

John Verry:                       You’ve got leadership. You haven’t even touched on the soft stuff, right?

Deidre Diamond:            Yeah, exactly. It’s how long you got it. It’s all about who you assemble yourself with. Somebody that’s competent and understanding that it’s all about how you build teams, and I guess that would be Wonder Woman.

John Verry:                       No, wait a second. [00:47:00] Diversity, and now you’ve got a woman in tights and a push up bra as the person you’re pushing forward? I hope that was-

Deidre Diamond:            I haven’t seen that part when I watched her at–

John Verry:                       Are we talking about Lynda Carter, Wonder Woman? Now that we’re completely off the rails here, let’s bring it back in. Deep breath John, deep breath. Last question, you’re talking to the same people that we’re talking on an everyday basis. You’re talking to business leaders, you’re talking to information [00:47:30] security leaders that are needing people. What are the subjects that they’re asking you about that you think might be an interesting topic for future episodes of this podcast?

Deidre Diamond:            Let’s see, I think it’s really the EQ stuff, so much so that I see [crosstalk 00:47:51].

John Verry:                       EQ is the same as EIQ?

Deidre Diamond:            Yeah. You can [crosstalk 00:47:52]

John Verry:                       Or, it’s like EQ or is it … Okay.

Deidre Diamond:            IQ stands for intelligence, yes.

John Verry:                       Oh, no I’m sorry. [00:48:00] I always thought that … Malcolm Gladwell was I think one of the first people to talk about. I always thought it was EIQ not EQ. Is it EQ, and I’ve been saying it wrong for 10 years?

Deidre Diamond:            You could say either, it’s fine. It felt good. EQ is a little bit more modern that’s for a new study.

John Verry:                       I’m old school. We’re okay. You’re saying I’m old school. I’ll take that as a compliment.

Deidre Diamond:            It’s really and what we mean by that is, is that it’s one thing to say we want it and another thing to [00:48:30] actually get the skills into our people. More and more people are talking about, I want it, now it’s like, okay, what are you going to do to make sure? I offer classes for practitioners and leadership, I’m sure others will start to, you can send people to trainings that have been designed for sales people. The irony of all of this is that, sales people were the only people that we’re supposed to be need [00:49:00] to communicate or business leaders.

John Verry:                       That’s interesting, something like soft skills, communication skills for people that’s actually a cool topic.

Deidre Diamond:            Yes. Win-win communication making and managing measurable agreements and lean language those are my three top classic.

John Verry:                       What was last one, mean?

Deidre Diamond:            That’s so funny. You said mean my CFO calls it mean language lean language. You can imagine the conversations we have.

John Verry:                       Yeah.

Deidre Diamond:            The one you and I have. [00:49:30] Lean language. Those are skills that were typically taught to sales people, and I’m bringing it to all of us because they’re really key. I’d like to come back and talk about that.

John Verry:                       Well, Jeremy, no she’s not coming back. Before we say farewell-

Deidre Diamond:            Get a couch.

John Verry:                       … Give it, okay. We should do that. You should come into the office. I’ll lay on the couch. You can sit with a notebook and we’ll record another episode.

Deidre Diamond:            I’m down.

John Verry:                       That would be funny. [00:50:00] Before we leave, how can folks get in touch with you if they’d like to learn more about? I mean, you got a lot going on between the know more, the brain babe, which is now called Security I think you said?

Deidre Diamond:            Yes.

John Verry:                       And obviously, when you’re not doing all that stuff you’re recruiting, talented cyber people. How can people get in touch with you?

Deidre Diamond:            Well, luckily, I have an army of people that work for me and so nobody needs to rely on me recruiting for them while I’m doing all this. That being said, [00:50:30] is where you can find all our information about our services to include our platform no more, and you can log in from there. Then is where you can go to find about the events that we put on and how to sponsor an event. We do free training events and we do fundraisers to raise money for certifications and training because it is the number one way to advance.

John Verry:                       Oh, that’s pretty cool. [00:51:00] Do me a favor, do send some information about that. What we do is part of our net promoter score, so that we can get feedback from our clients because, we would like to know we’re doing a great job. We incent getting those by giving donations to a couple of different. Maybe we can put you on that donation list because we let them select, but because I think that’s, like I said, it’s an area that’s of strong interest to me and us here. Thank you.

Deidre Diamond:            Totally. Mine I’m going to leave you with this, my New Year’s resolution was [00:51:30] to come up with my new year’s resolutions, I spent a bunch of time in know more database and our database, excuse me, and just looking at who’s in the power seats. It was very obvious that the people in the power seats had certifications and degrees to the highest level. That’s when I realized, okay, I’m doing a ton to bring women in I need to help build them. These certs are very expensive.

John Verry:                       Yes.

Deidre Diamond:            I’m really excited about the work we’re doing to solve that problem.

John Verry:                       It sounds awesome. [00:52:00] Thanks a lot for coming. I genuinely enjoyed the conversation, I hope you did too.

Deidre Diamond:            Me too, fun super fun.

John Verry:                       Cool.

Deidre Diamond:            I’ll be back. I want a couch, I want my tequila and [inaudible 00:52:12]

John Verry:                       We’re going to use that as the, Jeremy that’s what we use as the snippet we put up front.

Deidre Diamond:            Yes.

John Verry:                       I’m coming back, I want the-

Deidre Diamond:            Yes, please do.

John Verry:                       All right, okay.

Deidre Diamond:            Because it’s not good for us.

John Verry:                       Okay.

Deidre Diamond:            All right.

Speaker 1:                        You’ve been listening to The Virtual CISO Podcast. As you’ve [00:52:30] probably figured out, we really enjoy information and security. If there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. To ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.