Challenge Accepted Podcast – Lessons in SOC Staffing


Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.  

Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.  

In this episode, our two hosts talk to Lisa Tetrault, Vice President of Security Operations at Arctic Wolf. In her current role, Lisa is responsible for spearheading external and internal initiatives run by Arctic Wolf’s SOC team. Lisa has over two decades of experience in the cybersecurity and enterprise technology industry, and previously helped lead operations teams at multiple global companies including IBM and BlackBerry.

In their discussion, Lisa shares her experiences in helping to hire hundreds of security analysts at Arctic Wolf, provides insight on what the industry could do better to recruit and retain both seasoned and entry-level candidates, and talks about why organizations like WiCyS are so important to finding the next generation of cybersecurity professionals. 

You can subscribe to Challenge Accepted via Apple, Spotify, Google, RSS, and most other major podcast platforms. 

Transcript 

Ian McShane  0:13   

Hi, everyone. Welcome to the latest episode of the Challenge Accepted podcast from Arctic Wolf. My name is Ian McShane, I’m VP of strategy here. 

Adam Marrè  0:22   

And I’m Adam Marrè, the CISO of Arctic Wolf. 

Ian McShane  0:26   

And we are recording this at the start of 2023. So what a what a time to be alive. Adam have got any interesting New Year’s resolutions based on things you did or late last year, maybe not busting your leg open?  

Adam Marrè  0:37   

Yeah, well, that’s, that’s exactly what I was gonna talk about is, I had the unfortunate experience of having my first bone broken. And I chose a big one, the femur. So anyway, my goal this year is to not break any bones.

Ian McShane

So that would be like an achievable goal.

Adam Marrè 

Yeah, hopefully, I don’t know, sometimes I get the better of myself and do stupid things. Like jumping on mountain bikes. 

Ian McShane  1:02   

Kind of related like, so I’m in the process of kind of moving to the US and big soccer fan. I’m pleased to see that soccer is interesting. You know, there’s people are interested in soccer in the US, obviously. But I started to think about maybe taking up some kind of North American sport. And so I’ve thought about football. And I’m like, ‘Look, I can barely throw a tennis ball, let alone a football.’ Thought about baseball. And you know, I enjoyed baseball, but mostly the drinking and watching part of baseball. And so what I decided to do this year was to take up ice hockey, which sounds like a big stretch. 

And you know, to be fair, ice hockey is pretty popular in Europe, obviously. But the interesting challenge for me is that I just can’t skate. And it made me laugh when I’m trying to figure out how you how do I get started in hockey, if I can’t skate, and it kind of reminded me of cybersecurity, because, you know, you hear all these things like ‘just vulnerability management, you’ll be way more secure.’

I was like, how do I learn how to play hockey and people were like, ‘just learn how to ice skate.’ And I’m like, I’m one of these people that ice skates once or twice a year, like my wife is an excellent figure skater. So she goes regularly. But we tend to go around the holidays when places have ice rinks up and I’m the idiot that goes very slowly around the edges for 20 minutes until I remember how to ice skate and then forget again for the next year, which is great, but it sucks when it’s so hard. And again, it kind of aligns with cybersecurity is like failing sucks, especially when you see and hear how easy other people make things seem, like my kids are diving past me at record speeds, or it seems like record speeds and the ice gets real difficult.

Adam Marrè  2:38   

Yeah, you might have a hard time not breaking my resolution of breaking a bone. So hopefully that doesn’t happen. 

Ian McShane  2:44   

I’m one of the dogs that signs up in all the gear I’ve got helmet. I even bought like the cage to go with my face. I’ve got like gloves like literally the epitome of all the gear and no idea. 

Adam Marrè  2:55   

No, but I love the idea of adult learning and adults taking on things that they don’t know anything about and jumping in. And, you know, as we know, it’s that consistency of chipping away at it. And then you’ll be amazed at what you can do. I think oftentimes we’re measuring ourselves against kind of an impossible standard or other people when if we just take it one bite at a time ourselves will be amazed at what we can do. So I’m excited to hear about your progress and learning how to ice skate and play ice hockey. 

Organizations Building Their Own SOC

Ian McShane  3:26   

I’m definitely one of the people that rapidly loses interest when I realized I’m not immediately good at something like it sounds like a great idea in my head. But then I’m immediately disappointed in myself and the rest of humanity for not helping me achieve my own goals.

There was certainly see about that, talking of fashionable and talking about goals. One of the things I’ve I mean, obviously working at Arctic Wolf, but one of the things I’ve noticed over the last two or three years is how fashionable it is to have for an organization to have or to want their own security operations center. And if you something you’ve noticed, Adam, but when I was, you know, five, six years ago, talking to organizations, no one was really interested in building a SOC, they wanted to deploy tools and things like that they wanted to have, you know, EDR, wherever, whatever the buzzword du jour was at the time, but I would almost never hear of a security leader saying ‘this is the year we’re going to invest in a SOC.’

Adam Marrè  4:17   

Yeah. Well, I mean, it’s one of those things, everyone knows it’s an issue. And I think in the past, they wanted to solve it and the easiest way just like ‘throw up a tool, and that’ll do it for us.’ Realize that is not a winning solution. So kind of the easy button mentality is like, ‘Well, we just need a SOC.’ And that’s where you need to stop and start really thinking about it. Especially you know, your level of maturity or do you really understand what it means to try to set up a SOC? That is a really good question to ask yourself once you start going down that path.

Ian McShane  4:51   

Yeah, I love this tagline that the state of Nebraska had at one point which is called you know, as part of that tourism, they were like ‘Nebraska, honestly, it’s not for everyone.’ And I feel the same way about security operations. It’s like, it’s great. It really works. Well, it can really, you know, have a monumental change on your security posture. But honestly, it’s not for everyone. 

Adam Marrè  5:10   

Well, certainly maybe not to do your own. But obviously, the question itself has to be answered, right, we’ve got to be able to detect and respond to all the nastiness out there. So it’s a really good question. But I think setting up your own SOC and running your own SOC is definitely not for everyone. 

Ian McShane  5:29   

And we are very fortunate today to have one of my favorite people at Arctic Wolf join us. Lisa is the VP for global security operations. And as this conversation would probably have you I’m thinking she is one of the people that helped to build and continues to help build the security operations practice here at Arctic Wolf,  so Lisa, welcome to Challenge Accepted podcast. 

Lisa Tetrault  5:50   

Hello, Ian. Hello, Adam. Thanks for having me. 

Ian McShane  5:53   

You’re welcome. So would you like to give us a quick background of yourself? Like how did you get to Arctic Wolf would be a good place to start?

Lisa Tetrault  6:00   

Sure. So my name is Lisa Tetrault. I have been at Arctic Wolf now for five years, almost five years. I landed at Arctic Wolf through maybe a little non-traditional path. Do you want me to talk about my background? 

Ian McShane  6:17   

Yeah, we love we love non traditional paths. Absolutely. Yeah.

Lisa Tetrault  6:21   

Maybe it’s a traditional in some ways, non traditional to today’s mechanisms or today’s standards. I started out in Canada, they did internships, which is 18 months, instead of co-ops, I had an internship opportunity where you take off a year in between your third and fourth year of university. And so you went in, you did like full immersion into, so I was doing my bachelor of computer science at Western University with a software engineering specialization, and I had the opportunity to work at a bank.

And so into the bank, I go, I’m doing a lot of Unix type work. And I remember thinking, my second week there, I’m not going to make it, 16 Lyons is not for me. And from some act from above, there was a reorg that happened within the first month. And I had walked into this room, I had this org chart, I looked and I ended up in the network security team. And that was it for me. And so I ended up in network monitoring. And so it was wonderful.  I’m telling you, it was so wonderful. 

Ian McShane  7:47   

So what was your favorite thing about the network side of things? This isn’t so much traditional. This is a non traditional path. And I think of people, I think a lot of people in cybersecurity come from the classic kind of helpdesk or, you know, endpoint support kind of background as opposed to the nuts and bolts of network security. 

Lisa Tetrault  8:04   

Well, coming from the software engineering and coding and scripting type. I guess the education part, I had one or two courses in networking. And it made a lot more logical sense to me. And it allowed me to be a little bit more creative. So I understood the firewall routing, switching components. And so when I ended up in network management, I could see and monitor things. And the operations was a bit more thrilling to me, I just back office type environment was just not my thing.

I wanted to be doing the changes, I wanted to see what was happening across the wire. So the monitoring piece was quite interesting. So lo and behold, I finish, I go back to finish that out. I finished my degree, and I landed a job there. And so that was kind of my in into networking, routing and switching. I ended up then shortly thereafter at IBM, and then into BlackBerry. I did data network operations at BlackBerry.

I then ended up at Sandvine and did customer support at Sandvine, which was deep packet inspection, and then ended up at Arctic Wolf. So at each of those companies, they wanted something a little bit different about security. And I always found that I was kind of pivoting into the security aspects but was never fully in security. So at TD, I learned a little bit about risk adverse and how important security is we invested in a lot of tools.

At IBM I learned about compliance and security audits and disaster recovery and backups. At BlackBerry I learned about Incident Management and responding to breaches and you know how sneaky backup bad actors can kind of get into environments what you had to do. At Sandvine I learned about global operations and how to operate in 10 different countries and the importance, you know, things are and how to handle customers and at Arctic Wolf, I had the opportunity to kind of build SOC and to protect and respond to the customers that way. So a best practices, threat intelligence, all those wonderful things. So that’s how I ended up here.

Adam Marrè  10:16   

We’ll see. That’s incredible. So you’ve had that all that wide variety of experience? I’m just curious. I mean, you’re kind of at this point at Arctic Wolf. I’m curious like, what are you able to focus on the things that are what you enjoy the most now? And you’re a leader here? And do you find that the leadership, obviously leadership tools are different than the technical tools, and do you find your distance from the keyboard to be dismaying at all? I’m just curious, like, at this point in your career, are you doing the things you’d like to do? 

Lisa Tetrault  10:50   

I always think it’s a balance. I like seeing the operation side, I think it’s fast paced enough that I’m able to kind of see people do their best and excel, and bringing an organization from a small organization up to a big organization, and operational processes. I’ve been here and we’ve outgrown processes, quarter over quarter and telling you, I remember writing run books myself, I had to be in the in the trenches, writing run books, because we had nobody writing run books at some point. And now it’s a whole organization that’s doing it. So to answer your question, I love it. I love what I’m doing right now. When I don’t get my fix of fingers to keyboard pieces, what I find is, I’m doing that on my side, on my spare time on the side. So I have no problem with that. 

Adam Marrè  11:42   

Oh, wow. That’s yeah, that’s great. I do know a lot of security leaders that do that they block off time, or they spend time making sure they stay technical, or at least technical to a certain degree so that they don’t get too far away from where the technology is going. So that’s awesome. How big was the SOC when you joined here? 

Lisa Tetrault  11:59   

Well, we had 30 people in security services at the time that we’re doing shifts within the SOC. And so I had the opportunity of building it out and to the couple hundred people that we have now. 

Adam Marrè  12:13   

Wow, that’s amazing. And I should paint a picture of how amazing this organization is. When we say this talk, we’re talking about the SOC that offers, you know, security operations services to our customers. And there are multiple rooms around the world that provide this service. And I sit in Arctic Wolf’s Utah office. And so right next to me is a big room with 120 seats. Really impressive. That’s full of operators. And that’s just one of the SOCs. So it’s really impressive what you’ve built here Lisa.

Lisa Tetrault

Yeah, thanks. 

Ian McShane  12:47   

Yeah, it’s great to see it’s scaling that out as well. So you know, we’ve recently in the last couple of years opened what the Frankfurt security operations center and stuff that way, and we’re moving into Australia and New Zealand right now. So I guess you spent a lot of time hiring as well. Like in your spare time in your spare time, spare time, aside from coding and your day job, like how do you how are you thinking about hiring? How many people do you think you’ve hired so far since you’ve been here?

Lisa Tetrault  13:12   

So dedicated triage team, I’d probably personally or within my organization, hired over 350 people.

Adam Marrè

Wow.

Lisa Tetrault 

Yes. 

Adam Marrè  13:27   

That’s incredible. Can you share with us some of the things you’ve learned? I mean, I want to get into, you know, like, what do you look for? But I’m wanting to take a step back, you’ve hired 350 people to be security operators, what have you learned from that?

Lisa Tetrault  13:44   

I will tell you, when you hire a lot of people or you have open recs that are more than one, it’s a lot easier.

So let me let me kind of paint it out for you. If you have five or six recs in a quarter, I like hiring five or six people at the same time, because you don’t have to look for the perfect set. You can hire a group and a cohort together. And when you do that, together, that group actually excels together as a cohort. And those relationships get really, really built out quite well. So you’re not looking for the perfect person, you’re looking for the group of people that can kind of interact together. And so what I found is those relationships end up being very, very solid, and you see them interacting with each other still to this day. In their dens. We call them little dens that they have.

You see them interacting very well, the relationships are really strong, they on-boarded together. They’ve been through incidents together, they’ve supported customers together. And those relationships are within the culture as well. And we’ve been very successful in hiring and cohorts. And I found that that is almost easier, because you don’t have to be as picky because you’re looking for similar characteristics. And it’s been beneficial to us to hire in that way. 

Ian McShane  15:10   

Certainly interesting for me, because when I think about hiring across my career, it’s always like one row at a time. It’s never like, I’m gonna hire five people to do the same job. So that’s a really interesting point that you don’t have to look for the perfect one individual, you can spread the characteristics you want across a group of people. How does that how does that work for distributed organizations, though? 

Lisa Tetrault  15:31   

It still works the same, and you end up having, because we’ve, in a lot of the way we kind of scheduled it out, a lot of the dens are distributed. So in our SOC location, I don’t have, you know, a team that’s only in Waterloo, I’ve always had the diverse SOCs being a team together on their shift. And so they have those strings together. They’re on-boarded together, and they’re at different locations, and it’s kind of built out together.

We can have anybody on the management team interview whatever candidates and they trust each other’s judgment, it also allows it to be a little bit more diverse, you’re not looking for the same person graduating from the same program you are looking for, you know, baristas, you’re looking for a chemist, and then you’re looking for somebody from legal, and you pair them up with other people that have the traditional masters in cybersecurity or what have you, and you put them together and you have like a diverse thought path. When you’re you’re looking through a security investigation, and it’s quite interesting what they come up with. It’s wild, actually. 

Adam Marrè  16:42   

Yeah. So when when you are looking at the individual, what kind of what have you found had been the most valuable things to look at and try again, like, so like, let’s say someone’s listening to this that’s trying to get a job entry level or just trying to change careers or something? And like, what are you looking for education, certifications, personal characteristics, kind of walk us through that whole sort of, you know, what you look for? 

Lisa Tetrault  17:11   

Sure. So it would depend if it’s entry level, or more, you know, mid-career senior level, but if I’m just looking at kind of the entry level type role, we’re going to look for some that have gone through school, or through some sort of a program or someone from a characteristic perspective, we’re looking for an interest in cybersecurity.

We’re looking for if you haven’t gone to school, what are you doing other than going to school? Are you listening to podcasts? Are you watching videos on YouTube? Are you doing a TryHackMe or Hack The Box? What are you doing to make and build that interest? Tell me what you’re doing? Are you inquisitive? Are you an analytical thinker? How are you staying current? What is your passion, and then we also need really good communicators.

So tell me how you’re communicating because you’re gonna have to communicate with people that aren’t physically next to you, you’re gonna have to communicate with customers, you’re gonna have to communicate as a team and be a team player. And then you also have a high-pressure environment, because, you know, there’s breaches out there, there’s attacks out there, how are you going to behave in those situations. So those are some of the characteristics and situations are going to be in. So we’re looking for skill sets, that can be displayed in an interview or, you know, tell me about a time, tell me about a situation that you’ve been in these situations that can be articulated in an interview.

And so we’re looking for those types of characteristics. And if you don’t have the education, then tell me what you have done to kind of, I guess, fill in for that lack of education. Tell me about TryHackMe where, you know, tell me what you’ve learned.

Ian McShane  18:58   

Yeah, that’s great, you know, as a callback to an earlier episode, I think callback is the professional term for people that listen to podcasts. But we had a new starter, or someone that joined our company a year ago. And he joined and he gave us a great run through of his story of joining, you know, with limited experience, but just a passion for security and was able to find in, in Arctic Wolf, in your organization, specifically, the home that would welcome him in and so that sparks all that interest in trying to learn and wanting to learn but not having necessarily all of the educational opportunities that some people were very fortunate to have. 

Lisa Tetrault  19:39   

Absolutely. But we don’t just hang our hat right there. We’ve hired people that come from different walks of life, and that’s okay, just show us the passion. What are you doing to fill those gaps? 

Ian McShane  19:53   

One thing I’m always impressed with, in the US especially, and especially in cybersecurity is how many organizations lean into military vets. And you know, the kind of talent that comes out of there. Like, there’s no, I mean, if you work in this industry, you know, there’s going to be a lot of people that come from that kind of background. But how much success have you seen looking for those kinds of characteristics looking for those kinds of attributes and people coming out of the veteran service? 

Lisa Tetrault  20:23   

So we have a partnership with Skills Bridge, which is the military pipeline for us, and we’ve had a lot of success with that pipeline, actually. So Skills Bridge is bridging military into the private sector. And so we’ve had quite a few candidates come through, and we’ve hired a lot of them. So that’s also a great pipeline for us. 

Ian McShane  20:44   

From your hiring perspective, obviously, as the leader of our own internal security services, like how do you approach hiring? Because I’m going to make an assumption that you’re not doing the same, you know, scale of hiring, like five or 10, people at a time and able to afford that cohort approach, or you must be looking for individuals that tick number of boxes, rather than just a luxury of one or two. 

Adam Marrè  21:07   

Yeah, and I’ve done this before at other organizations. And that’s probably more analogous to what Lisa is doing, where you get to hire a lot of people pretty fast to build out a security operation center.

Here, we’re able to maintain a much more, I would say, high skilled, but smaller team, because it’s the team that’s built on top of us using, because, of course, we use Arctic Wolf for our customer, ourselves. So we use this, you know, 350, 400, 500 people in the in the Arctic Wolf SOC to, you know, be our SOC, and then we have a small internal team on top of that, that are the ones that interact with them and make sure we’re taking care of everything internally. So I’m able to maintain a much smaller, sort of high skilled team here. So it’s a little different, which is great. Something you can do with service like Arctic Wolf.

Now, at previous organizations, I did have to go through and do a lot of things Lisa is saying, and you look everywhere for good people. And you hired all the different levels. And I would say I would echo everything she said, what you’re looking for, although I’ve done a lot more of the hiring one at a time.

And it is really hard to try to find that one person and it happens to be the person that’s looking for a job when you’re looking for them, are they in the right location. And then you know, trying to get diversity of background diversity of person type, you know, age all the different things you’re looking for. It’s a huge challenge to be able to do that. So I am curious, with Lisa, with your involvement in WiCyS, like what I know that’s for women in cybersecurity. Tell us about your experience there. I’m really curious about that.

Lisa Tetrault  22:50   

Sure. WiCyS is a global organization that is focusing on and kind of the women in cybersecurity. And there’s other organizations that also do the same. I’m on the membership chair, for the women in cybersecurity program in Ontario. However, I do partner with other WiCyS chapters that are, you know, located with our SOC and encourage a lot of the women in cybersecurity women in organizations to also be part of the local chairs.

And so there’s a conference that happens every year, it’s a global conference, I’ve done some speaking engagements there. I’m very much a supporter there. And I find that it’s really good avenue to help support, get a voice and understand and find new talent and new pipeline. And kind of find partnerships there across the world really, and what they’re doing is really trying to get the women in cyber to feel like they have a voice because I know in some organizations, a lot of the women they’re one of, so if you have a small cyber presence, you’re one of it feels very, very lonely in some cases. So they’re giving them a community that they don’t feel alone or isolated or alienated.

So it’s just giving them a voice and finding them some partnerships and giving them some extra training or support or resources or what have you. And so if that’s going to help support them, and then they get extra talent and extra pipelines, and it also gives organizations the ability to partner and support and sponsor and then give some job boards and other pipeline things. If you don’t know where to go to find additional, a diversity that would be a pipeline or an ability to do that you can post your jobs on their job boards, and they used to you know, have a lot of focus on new talent, new grads, entry level and now they’re doing more senior level investment and mid career investment as well.

So there’s a lot of work being done in that space. And there’s a lot of opportunity there. So it’s an untapped thing, that it’s new, it’s evolving. It’s pretty inspiring. I would encourage male allies to also sign up and be part of it. It’s pretty wild. I remember being at the conference for the first time, and I was like, ‘Oh, my goodness, this exists.’ I feel like, this is like wild. I’ve never been at a conference, a Cyber Conference, a technical conference where it was, like, 1,500 people around me and I was not one of or, you know, I didn’t feel like a minority. I was like, Oh, my goodness, I’m a majority. So I was taken aback. I remember like the first four hours, like this is a little bit surreal for me. 

Ian McShane  25:57   

I heard similar feedback from folks that attended the Grace Hopper conference as well, which is a similar kind of organization, right? 

Lisa Tetrault  26:05   

Absolutely. Yeah, it’s a little bit different. So it gives a lot of women that don’t necessarily see that on a day to day basis, a little bit more of a community that they didn’t necessarily have. And it helps them if they wanted to start a community in their own organization, we had a lady in Utah start a school chapter out of the SOC in Utah, the BYU chapter there, and so getting more women from BYU. She’s an intern at our location. And so that’s great, it helps give them that framework to have more and more support. And that’s just a really good thing. 

Women in Cybersecurity

Adam Marrè  26:47   

I’m going to speak next week. So I’m really excited about it.  I do think, from, from my experience, talking with like BYU runs, you know, one of the oldest, maybe do this girls cybersecurity camp in the summer for high school aged girls, which is great. And one of the things I have learned from interacting with that, is there is this this challenge when you’re a person and your perception is there isn’t anyone like me in that profession? It’s really intimidating to say, ‘Oh, I could do that. Or I’m going to I’m going to do that.’ What do you say to women and girls that are thinking about entering cybersecurity, but they think it’s all you know, for people not like them? 

Lisa Tetrault  27:34   

Oh, it feels like challenge accepted! I mean, from my upbringing, I’ve always played sports. And I always find a challenge. And I always lean into it. And I think I’m in this leadership role that I have, I have a very diverse leadership team. And my goal has always been to be one that’s like leading people, and being a face and being a voice so that other people feel like they can, they can do whatever they put their mind to.

So I want to be an enabler. And so in my mind, I want to help other people see that they can do it and build their confidence. And I don’t care what gender, what background, whatever they are. And so from my point of view, it’s, let’s start with the confidence, what can you do to build your confidence? You know, it’s just your inner voice. And so if I can get out in the community, if I can get them paired up with any organization, it doesn’t matter what it is, I don’t care if it’s Out in Tech, I don’t care if it’s Blacks in Tech, I don’t care if it’s WiCyS, whatever organization it is, that will help them feel like they have a voice and support system that will allow them to move ahead and be part of the cyber community to then move ahead, be part of it, contribute, and then get in here. That’s the way to go.

Ian McShane  29:05   

That’s amazing. It’s so inspiring to hear you say that, like I was chatting with a Slack the other day to my colleagues and just pointed out that Adam is one of the most inspiring people I’ve met, but are you saying that is you’re close to overtaking him on that front right now? So for all kinds of say, I get this, I get asked a lot. It’s like, hey Ian you know, we’re trying to hire for X Do you know some people or where can we go and find someone that fits in why so you mentioned that WiCyS is largely untapped. So it’s telling me that next time someone says to me and where can I go and find a person to do this? How do I how do they use WiCyS?

WiCyS

Lisa Tetrault  29:40   

Right? So we just had so for any organization, they can partner with WiCyS, they have job boards there. Most organizations actually have job boards if you partner with them, so I know some of them that are just mentioned Out in Tech, Blacks in Tech, WiCyS, there’s a number of them out there, that you can just partner with them, be part of their partnership agreements, and you can post jobs out there, they’re looking for partnerships like this. Invest in it.

I mean, part of it, though, is like, you can’t just have lip service and just get these candidates, you have to invest in it, you don’t want to be one of. It’s not about tokenism, you gotta you have to invest in it, there’s allyship, there’s allyship, that has to be part of it, you have to have people at the table, you have to have a voice and, and being included. And I think, you know, at our company, we have a lot of investment in this area, right. 

Ian McShane  30:47   

It’s one of the one of the things that make me proud to be at, and we do a lot of work in that area. So hiring is like one side of the coin, we hear it talked about all the time, how difficult it is to hire people, how difficult is to find people? You know, it’s true.

But the flip side of that, from an organization’s perspective is how do you keep people? And you know, the obvious answer is like, don’t be a scummy employer. But in general, how do you manage to retain security talent, especially in a world where you’re taking maybe people fresh out of school with limited experience that, you know, after a year or two are going to look pretty attractive to other organizations looking to build their own security practice? Gonna ask you the same question in a second Adam as well. But how do you focus on retaining talented individuals?

Lisa Tetrault  31:31   

So at Arctic Wolf, we have been fortunate in that we have a lot of different roles within the company that anyone can kind of grow into. So we’ve got a very unique position that other companies may not have, right? So it will be a developer, you can be a product manager, you mean sales, you can go work in Adam’s team from the security service team. So we’ve got a lot of great avenues there.

I think there’s a lot of investing in the people. So culture is one thing, as well. So culture and investing in people career paths. Really understanding what makes that employee tick. So you could do stretch assignments, you can have them do the certification program, which is what we built, we have little steps along the way that kind of identifies what they’re capable of doing. We have it built out within the security services organization to where you train, and you’ve got time and seat.

Ian McShane  32:38   

Do you give them time as part of their job to do that, that training? Or is it you know, their own personal time. 

Lisa Tetrault  32:45   

So most of it’s on their own personal time, so there’s training that they do, there’s also it makes them an eligible candidate for the next role. And then they get to interview for that role.

We’ve got a platform that we use the training platform that we use, so there’s on the job training, there’s specific role training, but there’s also general training like with Immersive Labs as an example. We also do stretch assignments. So somebody might go and shadow somebody and figure out what that looks like. We do a lot.

We encourage people to go do speaking engagements. So attend conferences, and we have a lot of recognition. Our culture is pretty cool. We’ve got certification jacket ceremonies, and I think culture is probably one that you can say it, you can put it on the wall, but you got to live it. So we do a lot of fun things in our culture.

Adam Marrè  33:40   

Yeah, they roll out a red carpet. And you get this cool bomber jacket that’s got patches for your different certifications. It is absolutely deal when someone gets this. And that’s not a small thing when you make a big deal out of all the things you’re talking about. 

Lisa Tetrault  34:06   

Yeah, so every month this jacket ceremony happens. So you have to be at the company, you have to get certified as soon as you’re in the role, and then after a year, you have to be re-certified and then you get your bomber jacket. And there’s like a whole program around this. And it’s a huge investment in the people in the team. That jacket is really a badge of honor. He’s got our Lego people, we’ve got shout outs and, you should see some of the fun shout outs that we do. We’ve got channels and Slack where people are recognizing each other and lots of fun things. 

Ian McShane  34:48   

Yeah it’s a fun culture, and Adam, for you I’m not saying that opportunities are slim on your team, but from an internal security perspective, tell me how you motivate the team and how you keep them engaged? Is that also a culture thing? Is it believing in the mission? 

How Do You Retain Cybersecurity Talent?

Adam Marrè  35:07   

Absolutely. It’s a culture thing. And, you know, I’ve learned a lot from watching Lisa and her team. You know, Mark, and Brett and others there. It’s really impressive.

Going back to the original question of how do you retain the talent, I really like, I really focus on leadership and training my leaders to be incredible leaders. And, you know, there’s the saying that people don’t quit jobs, they quit bosses, right. And they’ve got to have great leaders. And so one of the things I like to do is really lean into that and talk about callbacks, you, you asked me a book, I’d been reading the first one of these podcasts we did. And I go back to that book when you went by Russ Laraway. And it is a great book that teaches principles based on data that show you how to really create a great place to work for everyone, where they feel empowered, where they feel like they have control over their life. So it’s not just I come to work and there are dictates given out and I don’t have any power, or maybe I have power over the project and working on but nothing else, you don’t want that you want to create a culture of candor where people can bring as much of their whole self to work as they want to, and then they have a voice and they’re listened to.

And, you know, if they don’t have these things, that’s why people leave. So we really try to create a place like that. And then give them the power and resources, they need to be able to do their job, while getting the direction and strategy from their leadership. And then really focusing on empathy with the leader. So I really focus on that a lot. And then let each leader have their own sort of culture within their own teams, because I have pretty wildly different teams, I don’t just have a security operation team, I also have application security, and compliance and others. And so we have to focus on all these different areas. And they’re a little different, right.

But if we have good leadership at all those levels, then that creates an incredible culture where people want to come to work and they want and they you know, they have a great sense of camaraderie, if not love for their co-workers and their leaders. And it becomes a place where they get to really express themselves with their work.  

Ian McShane  37:22   

Honestly, look forward to the day I get to work for you, every time I hear you say stuff like this. As part of leadership, one of the things we’ve heard a lot about especially during COVID and almost especially in cybersecurity, but you know, I’m sure it applies to other industries as well, is burnout, and especially for security analysts. And it’s, especially for those that work dedicated shifts, and don’t necessarily get the freedom that the other roles provide of being able to pick and choose when you work as long as you get the job done.

So, Lisa, how big of an issue has burnout been over the last couple of years for your team? And if you got any advice you can give folks that are trying to deal with that or even preempt that now.

Lisa Tetrault  38:04   

Yes, so our 24/7 operations is a little bit different than other organizations. And we did it with intentionality. Because we wanted to curb the burnout. And so I recognize having done a role of 24/7 myself before, and having been in the trenches with them, when we were growing up the team that looking at a board for eight to 12 hours a day is it’s just a recipe for burnout, and we weren’t going to turn and burn these people. So let’s give them something exciting.

And part of that was a bit of variety and stretch assignments. Okay. And so we had this amount of work to do. And why would I give you this task to do and then that task to do and do it separately. So we’re just going to cut it up throughout the shift.

And so what we’ve done instead of burning you out, for the whole time, we’re going to change your shift, so that you had it strategically set, but you’re not doing the same thing for the entire time. So what we did was a 10 week rotation, and we had an entire week off in the middle. So nobody works straight days. Nobody works straight nights. Nobody works straight weekends, we did a 10 week rotation with a week off. So you’re only working two weekends every time.

And so that in itself with four hours doing a board and then four hours working tickets, four hours doing an investigation, four hours doing something else, it provided the variety and so if you didn’t necessarily like doing a board work or working on tickets, you had some relief. So then the burnout was a lot less and so that seems to have served us well.

Of course, people are not going to always love the shift environment. But we did work through that. And so that has served us quite well. We’ve had pretty low turnover. As a result, our retention has been quite high. And so as a result, it’s been great. We haven’t had the same issues that other SOCs have had. 

Adam Marrè  40:13   

That’s incredible. I’ve always found that to be a challenge, especially in small, scrappy, security operations, or as it was in at the beginning, you know, companies thinking about it, and they got all these tools, and people are trying to respond to the alerts. And so it’s amazing that you really spent the time to think about it, I definitely think that’s what security leaders have to do. They have to really think about their people, you know, lead with that empathy and say, ‘What can we do? What is reasonable?’ Because oftentimes, it’s like, ‘just figure it out’, you know.

People in security are so passionate, and they’re so duty bound, they’re duty driven people, mission driven people. And so when you say just figure it out, they’re like, ‘I’ve got to do all of these things’, rather than what Lisa is talking about, you know, getting a strategy of prioritization, and thinking about what’s monotonous, what’s going to keep people fresh, and then really saying, ‘here’s where we have to take breaks.’ And we really have to make sure that people are not working all the time.

Because I know security people, I see you out there. You’ll work all day, and then you’ll go home, and you have your laptop open, and alerts are coming in. And you know, no one else is watching it. So you are and we have to change this culture. So it’s not just this heroic effort all the time.

But it’s leaders like Lisa that have thought it through created a great strategy then executed on that strategy with discipline to make sure that folks aren’t burnt out. Love that.  

Lisa Tetrault  41:35   

Yeah, we did just that we and we take your feedback. I mean, this is the work that has to be done. Here’s, you know, during this period of time, we have to cut it up. This team does this, this team does that. It’s all covered. Get your feedback that isn’t working. Okay, let’s change it a little bit. Great. It works. 

Ian McShane  41:56   

Yeah. One of the things I love about this podcast is that I get to learn so much stuff from really cool people. So, Lisa, thanks for joining us today. I’ve learned a ton I’m sure our listeners have learned a lot about not only the insights of Arctic Wolf, but also, you know, some of the ways that they can motivate and retain this stuff. Is there anything Lisa you want to plug or mention or advertise or point people to or ask for help with anything else? Now’s your time to get on the soapbox and say anything you’d like. 

Lisa Tetrault  42:25   

Oh, one thing I haven’t really talked about is the importance of internship programs, and really thinking through your internships really giving non traditional team members a chance before they start with a full-time role.

So internships are really important in our SOC, we treat them very much like a true employee doing the role. I’ve had interns come to me and say thank you for giving me the opportunity to actually do a security role. I said, ‘What do you mean,’ and they’ve said to me, and other interns that we’ve internships that we’ve had, ‘I was not doing a real security role.’ And so what do you mean by that? They say more. And they said, ‘You know, I was doing like copy, and I was doing like reports. And I was like auditing things. But I didn’t actually get to do the role.’

So these people that you’re hiring, and you’re bringing in to do these roles, they are hungry, given the opportunity, given them the chance. And so just take that as information and give them the opportunity. Also look at non-traditional paths. We’ve had a lot of success with chemists, with people from transferring in from a legal department from marketing. And I’m telling you, pairing them up with people from traditional cyber backgrounds. It makes a wonderful dynamic together when you put them on teams. So I think that’s all I have.

Ian McShane  43:58   

That’s a great takeaway. Thanks, Lisa. And Adam, as always, it’s a pleasure to have you here. What’s on your mind at the moment? 

Adam Marrè  44:04   

Great to be here. Well, I just I love what Lisa said, I just like to do a call to all of us in cybersecurity, especially cybersecurity leaders, where people been doing it a while. Is, you’re gonna have I know you do and you have lots of people reach out to you and want to know what cybersecurity is like or talk about it. And it’s one of the things I do is I always try to make time for people reach out to me, and just talk them through it.

You know, some people, they’re wondering, they’re sort of like curious about cybersecurity, and it might be for them. And I like to walk you through that conversation. But I just think I can’t echo enough what Lisa’s saying about giving people a chance like interns. And I also think just the time that we can donate to folks even five minutes, 10 minutes to have a conversation with them about what it’s like to be in cybersecurity how they can succeed. Try to inspire people, try to let people from diverse backgrounds know that there are people like them, there’s a place for them, we want them we need them and that there’s so many different roles that they can fill. It’s not one thing. I just think that’s really important. And I’m inspired by Lisa today.  

Ian McShane  45:06   

That’s great. As always, like I said, I learned something and I don’t have anything that I can do to top that. So I will end today by saying thanks very much for listening and Adam and I’ll be back soon with another episode of Challenge Accepted. Lisa, thanks so much.
