Karl Sharman is head of cybersecurity of solutions and consultancy for Stott and May in North America. He has helped build and scale teams across multiple types of business including Fortune 500, Pre-IPO late-stage ventures, early-stage startups, security consultancies, and MSSPs. Karl Sharman is often brought on by companies for either extremely difficult hires, mass hires at speed and scale or discreet leadership hires. As a contributor and a consultant to the cybersecurity sector, Karl contributes with regular white papers, podcasts and public speaking, He was recently featured in the top 1% of Search & Staffing Professionals globally by LinkedIn.

00:10 Introduction

01:34 How to transition to cybersecurity from another profession

05:33 Is soccer not a lot more fun than cybersecurity?

07:52 Commitment, passion, and perseverance for cybersecurity personnel

08:36 Why work at Dark Rhino Security vs Disney, Goldman Sachs, Nike

10:45 Do people quit over money? 14:44 Diverse voices and personnel engagement and being valued

18:26 When a company scales what changes?

22:42 Maintaining your values during hypergrowth

25:24 The one question that should be asked in every interview

26:35 Is it okay to put people under pressure in an interview?

30:45 Strategies that work for cybersecurity companies

34:45 Rapid advancement-get comfortable with being uncomfortable

41:51 Right processes with the right people

43:01 2021 outlook for cybersecurity? Detection and Response?

44:58 Karl Sharman’s upcoming works

Additionally Karl’s knowledge and experience cover the following:

Specialities: CISO, Compliance, Risk, Incident Response, Digital Forensics, Ransomware, Architecture & Engineering, Governance, Audit, Security, Cyber, Physical Security, Resilience, Business Continuity, Cyber Insurance, Product Security, Mobile Security, Application Security, IAM, Disaster Recovery, Strategy, Operations.

Frameworks: NIST, ISO, PCI, COBIT, HiTrust & NERC

Regulations: NYDFS, GDPR, CCPA, HIPAA, FISMA

To learn more about Karl Sharman visit https://www.linkedin.com/in/karl-shar…

To learn more about Dark Rhino Security visit https://darkrhinosecurity.com

The podcast for this episode can be found at your favorite podcast outlet by searching for Security Confidential.

 

Video Transcript

– Hello, everyone. Welcome to another episode of Dark Rhino “Security Confidential.” Today, we are honored to have Karl Sharman join us. Karl is head of cybersecurity solutions and consultancies for Stott and May across North America. Karl’s helped build and scale teams across multiple types of businesses, including Fortune 500, Pre-IPO late stage ventures, early stage startups, security consultancies and MSSPs which is what we are here at Dark Rhino, right? And MDR, but I digress. He is often brought on by companies for either extremely difficult tires, mass hires at speed and scale or discrete leadership hires. Karl is a contributor to the cybersecurity sector with regular white papers, podcasts and public speaking appearances. He was recently featured in the top 1% of search and staffing professionals globally by LinkedIn. Thank-you for joining us.

– No, it’s my pleasure, thanks for having me on.

– It’s great to have you. I think cybersecurity we’re seeing such growth in the industry and hiring people retention. These are all critical topics. One of the things that I’d love to get your opinion on is anyone that’s looking to make a transition career or they’re transitioning into cyber. Do you have any pointers for them as what they should do to get a foothold in the industry?

– Yeah, and of course I think is a big topic right now. I’m not the biggest fan in saying there’s a shortage. I really don’t think there is. I think there’s a lot of people that want to work in security where I think the issue is with the employers themselves. They have these requirements that’s very unicorn-like where I suppose the expectations are too high of what they’re looking for and it’s an incredibly competitive market. And I think we need to make sure we bring in a range of people with a range of backgrounds to the table to make sure that we have more security professionals and transitioning is one of them. Transitioning is such a great, great way of getting more people into the sector. And I think whether your previous guest is Karl, between me and her we’ve been a big supporter to help people transitioning into security whether that’s women who going have children and then come back into the workforce and are retrained into cybersecurity or whether it’s other professionals who are looking for a new career change. I’m a great example of this. Like I started in the soccer industry. I was doing recruitment for soccer clubs in the Premier League and the Football League in the U.K.. And I wanted to try something different in the business world and I happened to fall in recruitment because it’s what I did. It’s very similar to what you do in the soccer world but I had to learn cybersecurity and I had to spend time learning that, doing courses and trying to make sure that I understand as much as I can about it of what I need to do. So I’ve done the transition myself, although it’s seen differently and that’s all it is, is what seen is how it’s interpreted. So I think for anyone that’s doing that, I think, what we need to consider is firstly what education can you go and get? And everyone always thinks, well, that’s cost, that’s time, I want it now and stuff like that. And I totally get that. And I think the easiest way to counteract that is go and get a science course, go and work with cyber InfoSec’s. These companies that offer short courses, certified courses that can just show that you have the appetite to want to work in there. You don’t necessarily need a bachelor’s degree or a master’s degree in cybersecurity. There are companies like the Big Four consulting that will ask for a bachelor’s but they don’t ask for a cybersecurity specific bachelor’s. So it’s important to go and get the education. And then the second thing on that is just mentoring. Like I have a group of mentors around me. They are CSOs of large banks or heads of consulting practices and that’s because their fingers right on the post and they give me their time, they give me the insight of what I need to know from an intelligence standpoint, from the next career move I make because I’m still trying to work out where I go next. Every day, every month there’s a new challenge that we have internally that I need a bit of outside resource. And I think people that are transitioning the easiest way to understand what’s going on in the market is to have their mentors. So they’re the two starting points that I’d always say. Go and look where you can get certified and what education you can do to supplement where you want to go. And then secondly, to help you along that journey go and get a group of mentors. Don’t be afraid to ask people for their time. And that will be the starting blocks of making that transition.

– And well, a couple of things, one is football not a lot more fun than cyber.

– Yeah, I get that a lot, obviously. I lived a lot of people’s dreams. Like I got to watch soccer for free every day and just go to these great stadiums in the U.K. and Europe and travel Europe and whatever else and it was all paid for. But the flip side of that is, I shouldn’t really say this ’cause we do this in cyber, but it can be long hours and you don’t see your family that much. And you’re expected to be, it’s not always the nicest industry. There’s a lot of backstabbing, and politics, and whatever else. It teaches you a lot, it teaches you. It taught me a lot of how to defend myself, how to promote myself, how to manage politics of the boardroom and stuff like that. And I learned hell of a lot during that period, but also I work for a lot more than money, like that’s not what drives me. What drives me is adding value to people’s lives. And you can do that in soccer but like you just moving players to another contract. You’re not really giving them, occasionally you would get a player out of nowhere and you give them the opportunities as you’ve seen as many examples of doing that. But there’s a lot more to it and that’s what I like about cyber is that you can really actively help companies defend. And we actually have a value in the market where we’re actually protecting the industry because we’re finding these resources for these companies to help them defend or whatever their objectives are as part of their business. And we actually help solve that. And that’s a bigger part of what I didn’t feel was in soccer because in soccer all you do is help line the owner’s pockets and there’s a lot more to work in than that. But I have a lot of time for anyone that works in that industry ’cause it is a hard graft.

– Well, yeah, there are no easy jobs-

– No.

– Out there that are worth doing at least that you would wanna be in, but that commitment, passion, perseverance those are all traits that we’re always looking for when we hire people. And I think you’re absolutely right, getting back to your earlier comment that you should find mentors and you should get an education and that education doesn’t have to be a college degree. We’ve had end number of guests on this show that have actually talked about that topic. Most people are looking for that art, is someone motivated? Are they willing to learn? Are they driven? And do they have a passion for what it is that they want to progress towards in their career goal? If that’s the case then you’ve got great claims and you can then mold it.

– Well, just on that like there’s so many companies. you can’t compete with the top banks. This is what people get so fixated on is like, oh, I want to work at Disney, or I want to work at Nike, or I want to work at Goldman Sachs. And that’s great, we all do. But sometimes that’s not the route, sometimes the route is you have to go and work for a Dark Rhino, or 20-person company, or whatever it might be to go and get there. There might have to be these stepping stones in your career where you have to go and do something you maybe didn’t imagine doing. You might have to go and be an IT manager or an IT administrator and then make that step in. And I think you just need to work out what’s them stepping stones. And the great thing I find is, and this is what fascinates me and what I constantly study, is like everyone, the famous thing is like I want it to be a CSO when they’re starting out that’s where I want to get my career to in 25 years. Okay, what’s the stepping stone? Well, the great thing is there’s no direct line. There’s not a straight line to CSO. And that’s what people forget. People are like, well, I’m gonna go to Goldman Sachs. I’m gonna go up through the ranks and I’m gonna get to CSO. Nine times out of 10 it doesn’t work that way. You have to take on the opportunities and you have to go and get mentors. And people forget there’s this whole iceberg effect where there’s so many other things under the water that you can’t see that’s holding the iceberg together. And just because the top of it looks beautiful. That’s where everyone thinks that people just end up once they get into that. And a lot of people forget that. Like a lot of people when they get into these companies they just forget that you need to keep mentors, you need to keep training, you need to keep meeting new people. And there’s a lot more to it, like you’re saying. And I think companies like yours will give people a lot more exposure rather than being siloed in a large organization and that’s where people transitioning in need to go. I need to go and talk to you because I’m hungry, I just want an opportunity, I want to learn. I’m willing to do whatever it takes.

– Right.

– That’s where the focus needs to be.

– And we’ve seen, well, let me ask you this. Do you think people quit because of money? Is that the primary driver? Is that why they wanna go to a Goldman Sachs or a-

– It’s a good question.

– Citigroup or?

– I mean, the primary reason people quit is because they’re managers we can’t get around that. Like that’s still the number one driver of why people quit. They’re upset, their managers are upset, the politics. The things that come internal of a company that’s the first thing. The second thing is everyone looks for a pay increase. And in cyber you can unfortunately get 10 to 20% salary increases which has been aided by companies not being allowed to ask what you’re currently making. And that’s where companies rely on us for salary information in terms of how do we value this talent because we can give them the outside resource and actually help them better understand of what someone could be making. And that’s been a real hard graft for companies to understand. So that is the second thing. Why do people go to Goldman Sachs and whatever? I think it depends on where you are in the ladder. It definitely has a bit of steam. There’s a lot there that’s-

– It’s a brand.

– Brand name, you get to, they give you a hoodie, you’ve got a badge that says Goldman Sachs. Like you said everyone’s little bit a dream to have on their LinkedIn. A little bit of pride. If I think about my family. My family expected me to stay with a company for 35 years, that sort of thing. Large organization that I was just gonna stay in and be a number. That’s how my family grew up in. And there’s a lot of family pressures there that come with that. That is the reason that people go to that. I think money is one of a few objectives. And I think that brings us into retaining staff of like, how do you retain staff? There’s a lot of things to consider. There’s a lot more than just money.

– Yeah. So and that’s exactly where I was going with this. ‘Cause like I, and I’m just gonna pick on Dark Rhino because we are a smaller company. We’re 21, 22 people. Actually we just added another 23 as of this podcast. But one of the things is that there’s a quality of life. ‘Cause from a salary perspective I think we’re pretty equitable relative to what the market is doing. But there’s a lot of quality of life things that you get at a smaller company that you can’t get. There’s a lot of flexibility. You can bring your dog to work if you need it to. If you needed to bring your child to work you can do that. There’s a lot of, if you need it to disappear for three days because there’s something happened no one’s gonna penalize you over that. But I think also more importantly we do some very interesting projects on the government side, even in the private security side and some of our folks have had top secret clearances. We’re specialized and I think that might give you a range of exposures that you’re not gonna get at a much larger organization where you’re just an analyst, or a red team, or a blue team member, or whatever your role is in their cybersecurity environment. And we’ve seen that from a retention perspective that we’ve been very fortunate that we’ve been able to keep people. We’ve lost several but we’ve by and large been able to keep folks.

– Just on that, I think people make large businesses complicated, I think our organizational design makes it incredibly complicated, I think the great thing is when you’re a small business is you feel you have access to them people. And I have a lot of time for executives who keep that door open as they get bigger. And I think from working with venture capitalists scaling is one of the hardest challenges you will ever have because often you lose people during that journey because people become less engaged or whatever the reason is.

– Right.

– And I think engagement is such a key term because I’ll give you example, so Booz Allen Hamilton commercial team they focus on the private sector. The great thing they do is they have the mid level, switch managers as we call it. Historically they bring them to the executive table quite often. And for me that’s engagement, that’s allowing diverse voices to come to the table and make sure that everyone’s being listened to and heard. And I think that’s such a simple thing. And that’s when we come back to the original point of me leaving soccer to come into cyber. I was at the executive table and I still wasn’t getting listened to. I was part of that executive team and still not getting listened to it. It matters. It matters. People want to be listened to, people want to be heard. We’re seeing that with the black lives matter movements and some of the other diversity pushes right now. People want to be heard, people want to be valued. And that comes back to engagement for me. And that comes back to the my original point of why people leave of like the manager is the normal reason or a leader is the normal reason of why people leave because they don’t feel listened to, they don’t feel trusted. Whatever that value is that’s what needs to be corrected. And people, there’s a number of companies now, I won’t name them on here, but there’s a number of companies that rely on money by paying people more money to try and keep them rather than actually focusing on, well, how do we develop them? How do we seek out that person to make sure that they feel valued and they go home feeling worthy? And I think that’s so crucial. And what I would say to anyone who’s looking for a new position is do your due diligence on the company like really understand do they understand people? Do they actually do people first? ‘Cause so easy for me to go away from here, go on to PowerPoint, put these values on a slide and send them out to every candidate I work with and say I am people first, I will make sure I develop you but actually go through examples. Like oh, who was the last person that came into my level? Can I go and speak to them? Or who come into my level? Where are they now like two years down the line? Have they been promoted? Are they still at the company? Actually go and ask these questions. And for me every interview is a two-way interview and that’s the great way of treating it is like that’s how it should be because you want to be heard. If it’s all one-way in the interview you probably not the right company. If you want to feel valued and be worthy it should be a conversation.

– I think that’s a real gem right there. Every interview is a two-way interview and that is absolutely correct. And people do wanna be heard. If people don’t feel a part of the process, if they don’t feel like they can really have some control over their contribution, their contributions are valued they will leave. But when you scale what changes. So when you’re going through hyper-growth and I could envision that happening at some point for us and I can see many startups I’ve been involved with many of them, there is that stage where you need to scale from 20 to 500 people. And you need to do that in the course of a year. Any thoughts or advice on how that process should be viewed?

– Yeah, I could experience around this. I’ve watched it firsthand. I’ve watched companies, like you say go through to IPO or be acquired. And I’ve been part of them journey is not in-house but as a recruiter helping companies scale. And we’ve got a few projects that we currently doing in the security space to where they’ve got their series A or series B and they wanna get to the IPO and we help them out. And I think firstly, it’s the most fascinating thing to do for me because it’s so exciting. Every candidate will want to speak to that company because everyone dreams of getting a little bit of stock or equity, sorry, in hope that it IPO’s or sales. And that’s where the money is for any normal person like you and I, right? That’s what we aim to do.

– Right.

– Is actually build something. And so I think that’s the first thing is that candidates get excited by it. The second thing is what changes on your actual question? I honestly think people are overcomplicated, people think that they have to change it. It’s no different, all you’re doing is adding more heads. And what happens is then you need to make a decision on well, how many employees to people. And I’m always looking at this from a school perspective. So if we consider a say an elementary school or middle school, let’s say. So middle school fascinates me because there’s so many elementary schools that go into the middle school. But a middle school on average is about 14 to one. It’s a kid to teacher. Now, when I talked to a lot of organizations they’re looking at more six to eight to one. So I’m constantly studying this analysis because I want my children to have more access to their teacher. Now, if you’re 14 to one that means you’ve got a problem because for me that means you’re gonna have to either be the loudest, the naughtiest or whatever it is to get a teacher’s attention. And that isn’t necessarily right. And that’s how we have to think about organizations is like we’re talking about engagement. You need to think about how much access has that person got to their manager? How much does that team? What size to that team need to be? Because we wanna keep it efficient, we wanna keep it lean. We wanna make sure that everyone’s being enabled to make the right decisions and the right communication and whatever the values are. So for me that’s what I’m always considering is have we actually got the right strategy. And for me that starts back at the center path, the business. So the values, the operations, have we got the right people, plan in place like talent development, HR, all the bits of operations. And some of these you can outsource, some of these you don’t need, some people you can group up into one.

– Right.

– But you certainly do need that plan because otherwise people are gonna join. They are gonna leave very quickly and that won’t help you get to your target numbers. So you need to invest in the individuals. You need to make sure you’re taking time to onboard that individual and bring that individual up to speed very quickly and then help them to then help others who are going through a similar experience of onboarding when you’re doing that. It’s a real team effort. And unfortunately that’s why VCs tend to invest in people that have done it before because they understand what they’re doing. But I honestly do believe CEOs, or founders, or executives anyway over-complicate this because I think it’s actually a lot simpler than what it needs to be. And I think there’s a number of steps you need to go through in order to be successful with it.

– Let me ask you this. In that cycle in hyper-growth how do you maintain what you were doing as a smaller company where you were hiring for cultural fit and hiring for personality, attitude, and then knowledge. I mean, that’s kind of the way we do it but ’cause we wanna make sure that they will be a good fit in the company. Not just that they’re a great engineer but they’re gonna be a good fit with the people that we have. How do you maintain that? Is there or is that where things get lost and that’s where you end up having people leave?

– Well, I think if you look at a company that’s come out of security. Let’s look at a company like DoorDash who have accelerated, gone through the roof in terms of their growth. DoorDash, obviously the pandemics really helped them. But if you talk to anyone at DoorDash as like one of our clients really like for me it’s the values are still there from day one. Like the executives have never changed their values. So even though they’re this large organization where there’s a lot more individuals, there’s a lot more restaurants they’re serving too, there’s so many more delivery drivers. Like they’ve got all this complex. From the outside it looks like a very complicated business. Their values and their core have never changed. And that is the underlying thing with all these businesses. If you look at Disney, you go back to Walt Disney’s values. Bob Iger has never changed even though he’s obviously he’s retiring now, but even though he’s been there for the last 20 years Bob Iger has never really come away from the values of what Walt Disney put in. And that’s why I’m saying like people are overcomplicated, people think I need to do what Netflix are now doing. You’re not there, you’re not at that. And Netflix have to focus on as they always have done from a small company getting A-players. That’s all Netflix care about. Is getting the best people to get on the boats, everyone’s heading in the right direction. And that’s where I think people are overcomplicated. It is they get so invested in this people part and they actually just need to keep it simple and just need to focus on what worked to get us here today? Let’s keep focusing on that. Where else do we need to innovate and bring on ideas? Obviously we do need to keep changing to move forwards but the core of the business should really stay the same unless it’s not working. There’s one question I get every candidate I work with to ask at the end of an interview. And that is very simply, is there anything that I haven’t covered that would help you make a decision in this process? Because people go away and they think they’ve done a good job and I get it all the time. I’ll bring up the candidate after the interview and they’ll be like, yeah, great. Yeah, I did okay, got everything answered. And then I get the feedback and they’re like, well, they didn’t cover this and they didn’t cover that. And I’m not too sure they really dealt with this question well. Like them individuals, them hiring managers will have them concerns on the court. They don’t just think about them after. They will be thinking that in their head they will probably have made a note of that. So make sure you clarify that. Is there anything that you’re not sure on, just make sure you get clarification at the end. And there’s difficult question to ask, a bit like actually trying to get feedback on the end of the call as a candidate. People don’t like asking that, but like ask it. Just don’t be afraid to show that you want it, show that you want to learn or you want to get better. Push for that feedback on the call don’t fear on the answers as well.

– Do you think it’s okay to put people under pressure in an interview?

– It’s a really good question. I’ve looked at this a lot mainly because of my soccer background, right? If you put it down to like, if we compare it to soccer or the Navy SEALs, let’s say, I’m a big supporter of how they do things, we’ve been the SEALs. But I think for me they are constantly, we talk about this in soccer ’cause we still don’t do it that well. But like we’re constantly trying to replicate real life situations like the SEALs will do, right? Everything is trying to replicate that. So get people in a mindset and a mentality of where they need to be. And I think insecurity we’re actually coming away from that. And then we’re expecting people to behave in a certain way when these incidences happen. And I do a lot of work in instant response. It’s a real fine balance for me because I think candidate experience is crucial, I think speed of process is crucial, and I think a lot of people are designing these technical practices, especially around coding to test people’s knowledge. Penetration testing used to be tutorials technicals assessments as part of the importance. So I think you need to consider, anyone who’s considering their interview process or recruitment process needs to consider is this time efficient for candidates who are incredibly busy and often already in the workplace. Secondly is this a good experience so actually get kinda feedback. Did that actually keep them engaged? How does that, not necessarily compare to competitors ’cause I think you can innovate and be a leader and be disruptive from that perspective, but like how does that compare in terms of their feelings, their emotions towards the company. Does that make them feel they want to join the company, sorry. And then I think the third thing is on the flip side does that give you the trust and confidence that this is the right person? And I think that’s where you’ve gotta find the balance. There’s a very, very fine line of balance of getting this right. And often companies get it wrong because they focus too much on their selves and not enough on the candidates. And on the flip side people are so desperate to get candidates. They put it all to candidates experience but it’s gotta be a flip side. And I think in soccer if we’re looking at a player we do it from freeways. If we haven’t we either watch them. So we see them live, see them replicate actually. How do they fit into our team? What’s the characteristics that we’re looking for a player in that position, do they fit that? We then back it up with analysis. So I heavily data usage in terms of does that match to a player that we currently have in the team. And then the third thing is often we might be able to bring them into our environment and then see how they set it in from a culture, a social standpoint, a personality standpoint, and how that overall fits into whatever we looking to have. So we have free uses of that. And if you can try and replicate that into security in terms of actually giving people insight and providing that level of detail as well as replicating what a person might go through in that process then I think you’re onto a winner. And I think you can really stand out actually from a candidate experience standpoint as companies have done. Very often your Disney’s and a variety of other companies, sometimes small companies in the instant response world, crypsis are clear leader in how they do candidate experience, got a lot better over the last couple of years, but that’s come from innovating, and trialing, and getting feedback and going again. And it does take time but I think it’s tryna balance them free things in that triangle which can really if you get the center of that triangle you can really be effective.

– For cybersecurity companies what has your experience shown you as strategies that might’ve worked really well or not so worked so well in providing a great experience for the customer base and for the employees. That’s a mouthful.

– Yeah, yeah.

– I know that. It’s a loaded question so.

– No, it’s a really good question. I spend a lot of time listening to people and reading. And I think the Etsy’s new CEO he was former eBay and he was saying that when he got into, I think it was Etsy that they had a lot of things that were very easy for their employees to carry out and do their jobs. They didn’t wanna do the hard stuff which would have actually improved the customer experience. And I think there’s a fine balance between it all because you don’t want it too hard on your employees because then they’re gonna leave. But ultimately without having customers you don’t have employees and that’s where sometimes we get so fixated on there. There is a real fine balance. When I worked in soccer it was all about the I’m lucky to work here. That was the mentality. I should be very, there’s hundreds of people that want my job so you should just take it and be happy.

– There’s a lot of gratitude.

– Yeah, and that’s fine. Like I’m always grateful for having an opportunity, but at the same time like I want to feel valued, I wanna understand that people understand that I come with a lot of value. I should. Anyone deserves to be in that job. They’d been given that job for a reason because they clearly was over the best candor or the best suited or however they look at it. And that’s how people should believe. I’m a big believer in the reason that we don’t have a diverse workforce is because often the most diverse candidates don’t believe they actually value that job and tend to ignore that job ad for and just go past ’cause they go, well, I’m not good at all these things. And often a white man will look at a couple of things and go, yeah I can do them two things out of the 10 so I’m good enough for the job. And often a woman will look at them 10 things and go all through the 10 and go, well, I can’t do one of them, but I can do the other nine so I’m not gonna apply. So funnily enough my last four placements have all been women. It’s been I have a lot of success in that. We have a lot of success of starting may because we have a lot of programs that do mentoring for women and we get access to a lot of candidates.

– Okay.

– And the last four have been women. There’s two bits to this answer. The first is I had a woman who was easily, easily good enough for the role. She talked herself out of it over a week. She’d gone through the interview. She flew through the interview. By the time it was a week away a couple of days away from the final step of the process she talked herself out of the process. She like I could tell I was talking to her and she was like yeah, I’ve had to look at the job description again and just like I’m not too sure. I’m not like, I think I really missed the mark on one of these things. And I don’t wanna fail and stuff like that. And she talked herself out of it so much that I just said to the client, I was like, look, I think you need to have another chat with her and just reclarify. And they had a chat and they ended up agreeing to go separate ways. And she was against people that were better than her. Not that she knew this in terms of coming from bigger companies or more experienced and stuff, but she was still their number one candidate. And they kept telling her that and that still wasn’t good enough because of the job description. And sometimes that can really hurt.

– And one point I would make on the person who talked herself out. I think anyone who’s listening, one thing that if you want rapid and great career in advancement, and this is just my advice, is you have to get comfortable with getting out of your comfort zone. You just must. I would say go for the harder job, go for the one. If you can take it that you think you’re the least qualified for because you are going to grow astronomically. And if you carry that self-confidence it is gonna get noticed in the cream always. That’s how you get to the top.

– It’s just the mind-blowing like where you’re in rooms that I really shouldn’t be in or meeting I shouldn’t be in. Like I wouldn’t never say that I deserve to be in there, but I think one of my favorites is the theater production Hamilton because they focus on the room where it happens. And that really fascinates me because that’s exactly where we all wanna be. We all wanna be in the room where it happens. And that’s where it comes back to what I said about Booz Allen Hamilton about getting more people to the top table to hear their voice because they wanna be in that room. And that’s that accessibility. And for me I want to be in that room and I need to be, I don’t wanna be the smartest person in the room and that’s fine for me. I don’t want to be the smartest person in the room. I want to feel a little bit uncomfortable in these rooms. But that way I know I’m always growing. I’m always looking at the next steps. And that’s what I say to anyone insecurity is that’s how you need to be. You need to be that learner, you need to be that questionnaire, you need to be that adventurer, you need to be that person always challenging, always wanting to grow, wanting to go to the next level. For me that’s where it starts. They’re the types of people that I’m looking for my clients because they’re the ones who I know I’m gonna be a little bit more successful insecurity.

– So you’re in a position where if you’re not comfortable with the uncomfortable you’re gonna have a very difficult time of it. And you’re not gonna enjoy it. It’s not gonna be a fun, fun experience. And you got to enjoy what you do, life is too short.

– Absolutely, and that’s a great point right there. Is you do need to enjoy what you do. And that comes back to the soccer stuff. I love the game, I have a lot of time for people in the game, but there was times when I didn’t enjoy it and I wanted to try something new. I felt like I had achieved quite a lot which I don’t think ever helps in a short amount of time. And it felt I didn’t know where to go next. And I think that’s why I wanted to try something different. But yeah, I think enjoying it is such a crucial part but let me quickly come back to your original question of organizational strategy. And yeah, so coming back to my previous point of when I was on Etsy. Like for me we have to, and that’s what I was coming to, is we have to sometimes do the challenging stuff and the hard stuff for the benefit of our customers because you can’t do it without doing the customers. And there’s a real combination now I find is what used to happen was customer numbers, employees numbers and then suddenly there was this real value for customers then suddenly there was real value for employees which I think we’re going still through the value for employees. And I think we just don’t see a flip again on the value for customers. And for me is that value add that I’m constantly saying what do I with this client today I’ve got this client meeting. What’s the value add that I’m gonna get because it’s no longer for me. Recruitment is sounds ridiculous. Traditional recruitment is redundant. There’s too many companies doing it, there’s too many competitors. Everyone’s tryna do the same thing. It doesn’t work after a while because companies just get fed up with the same pitch time and time again. But what does that do to me? If customers are not engaging with me that then makes me feel worse. So that’s where I think there’s a real balance from an organizational strategy, right, and strategy perspective. And if you flip it back to Walt Disney. Walt Disney focused on giving his employees the best environment to work in because he knew that was going to affect their relationship and the way their output to the customer. And that’s what I focus on is how do we add value a storm may that we’re gonna enable our staff to go and service our customers better. And that’s where the focus needs to be. Is we need to constantly think what’s the value add? How do we enable our staff to be better? What technologies do we need to give them? What development do we need to give them? How do we need to communicate and manage them? And that’s where organizational strategy has to focus. Is how do we enable our staff to go and do that. Now, for Netflix coming back to them it’s about having the A-players, having the best people. And that’s fine. That will work because I now trust in Netflix security, I now trust in Netflix product. And our trust that’s what it is for them. It’s the confidence and trust in their product that comes from having the best employees that’s all driving towards each other and doing that. And I think you can correlate all of this and what ends up happening often in organizations that foul is that you have the silos, you have HR over here, talent acquisition, you have sales over here, product sort of in the middle. You need to bring this all together because candidate attraction affects all of this. Recruitment affects all of this. Retention, the HR operations function needs to be at the center of the hall of all of this because it needs to enable the business to actually develop and grow. And that’s where I think organizational strategy has to start is on your employees and then on your customers. And then you can start talking about profit revenue whatever your objective is as a business. But you’re not gonna get that unless you get the right employees and you develop that culture to actually then develop your customers. And the last example I would give is the instant response spaces is really fascinating on this for me because everyone tries to undercut each other on cost. In terms of with the insurers, with the law firms to make sure they get in that work and that’s great. But at point there’s gonna be quality of work. So who’s hiring the best individuals to go and carry out that quality of work? And it’s the quality of service, it’s communication with customers, it’s actually managing the customers for a difficult process. It’s a very emergency, it’s a similar of, it can be another version of the terrible nine, 11 or seven, seven event. It can be at that level for companies that are going through that not never knowing what they’ve been through, it’s a bit like COVID. It’s that sort of level experience. So it’s all then things that come in and that comes back to the actual talent on the ground, doing that job. And that’s where I think organizational strategy needs to focus is on purely that the strategy and tactics from a people perspective.

– If you put the right processes in place with the right people then the outcome is gonna be the best that it could have possibly have been.

– Yes.

– Right, so you gotta design for that. That doesn’t happen by accident.

– No way.

– That is it’s engineered. In the companies that I’ve seen be successful with it they very much engineered thought into their customer cycles with whatever good or service they were delivering.

– And that brings me back to the operation. Like for me, operational excellence is at the center of every business because I know a lot of services, businesses that are fouled because you have the best people, but then you put in the wrong processes or the wrong technology and that doesn’t enable them to then be successful. So it is a very fine balance of what you’ve said there like trying to balance out. But yeah, if the processes aren’t right you’re spot on, like you’re just gonna hinder the people. And if you’re strangling the people the people won’t be there so then you’ll lose the good talent that you’ve already invested in.

– I know we’re coming up on the hour here and we’re grateful for your time commitment. Don’t wanna keep you too much over, but I gotta ask you 2021 what do you forecast for cybersecurity? Do you think it’s gonna be a good year, a better year than 2020 or?

– I would never say it’s ever a good year for security when you see obviously the solar winds is the latest one that the everyone’s sort of fingertips right now in terms of what we’re dealing with. But I think, yeah, it depends on the objectives. I think from a recruitment perspective it’s always a boring and exciting market. I think globally there’s so many more companies hiring. There’s so many more opportunities. I think there’s a lot of different programs coming out to allow people to enter into transition to the industry. I think if I was to pick out key areas that I think I see high growth in for the next year or two it would definitely be product security, cloud security’s still at the forefront of everything right now and we’ll still maintain that. I think they’re the two core areas. I think other ones to highlight is instant response is still going through the roof because we can’t deal with the incidences, the amount of them still. And I think from an internal perspective on top of that is detection response on the flip side is like actually building that in and and how we work on that. If I was gonna make a bet on any services line right now I would say have a look detection response or DevSecOps they’re the two options that I’d probably say invest your time in if you’re not already doing them. And like I said, a lot of service lines are really focusing on product security and cloud security as they are mainstays have a lot of the CSO issues.

– And Karl, let me ask you this as a parting. Is there anything you’d like to plug? Are you going to be making any appearances? Are you gonna be on any podcast shows or anything that you would like to let all the audience know about that’s coming up here?

– Yes, I mean, we do a lot of this but mainly we do a lot of sort of white papers and research projects. So I think we’ve got a couple coming up one in product security, one in instant response which shows you an insight into that industry from a candidate or a hiring manager perspective. So if any listeners or watches are considering going into them areas or want to understand them areas definitely watch out for them because I think they’re downloadable files from either our LinkedIns or our websites. So feel free to connect with me. And when they come live, I think, at the end of this month and the start of next month for them to come out I think they’re really great papers to look at what hiring managers and what people in the talent space are saying about what’s going on in them sectors, but also see what candidates are feeling like because we have a research in the back that really suggests what candidates are going through in that sector and how it’s being improved to make it a good career for anyone looking to work in that side of the security space.

– And if any of the listeners wanna get a hold of you is there an email you wanna give out or how should they contact you? We’ll put links to your LinkedIn profile in the show notes.

– Yeah, of course. Yeah, my LinkedIn is a good place to start on. My LinkedIn is normally my, I’ve my cell number or email if you can’t see it on there. Then yeah, feel free to reach out and I’ll send you my email nonetheless, but yeah always a good place to start.

– Fantastic. Well, Karl, thank-you so much for joining us on this Friday afternoon, it was a wonderful conversation.

– Likewise.

– We deeply appreciate you being here. I hope you have a fantastic weekend.

– You too, thanks for your time.