EPISODE 33
Cybersecurity Organization Budget and Staffing

About this episode

In this episode, we are focused on the ever-divisive question of the importance of certifications in the cybersecurity industry. The answer to this question has changed over time from certifications being unimportant, to them being extremely important, to well, it depends.

Certifications can be extremely important for several reasons, including their ability to help your resume get through the Applicant Tracking System (ATS) filters used by the human resources and recruiting team, but they are not a silver bullet that will instantly land you a job.

As Jason Dion (Lead Instructor of Dion Training) shares with us in this episode, certifications can be your ticket to getting an interview, but they alone won’t get you the position. That said, without having that certification on your resume, you can easily be filtered out of consideration before a hiring manager even gets a chance to look over your resume. This makes having the right certifications and experience imperative if you want to land your dream cybersecurity position.

Just as a certification isn’t a substitute for a college degree, you will also learn that a college degree is not a substitution for having the right certifications. This is often not an “either-or” thing, but a “yes-and” type of thing that you must achieve for many cybersecurity positions.

What you’ll learn

  • Why are certifications important in the cybersecurity industry?
  • Are certifications or experience more important to a hiring manager?
  • Are certifications or college degrees more important to a hiring manager?
  • Which certifications should you be getting to advance in your career?

Episode Transcript

Kip Boyle:

Hi, welcome. This is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and here with me is Wes Shriner. We’re the co-hosts, and we are experienced hiring managers of cybersecurity professionals. This is our third video podcast. You probably know we’ve been doing podcasts in 2020 audio only. So now we’re both audio and video. If you want the audio version, go to anchor.fm and find us there, or whatever podcast listener you like. If you want to watch us on YouTube, our channel, you can search for it, it’s called Your Cyber Path podcast, and that’s how you can get us there. So today is the third of a three-episode series about the way cybersecurity organizations are put together. What we’re going to look at today is, well, I’ll let Wes tell you, because he put these slides together. They look fantastic. So, Wes, what’s the last part that we need to look at?

Wes Shriner: 

It’s going to be a good day today, Kip. We’re going to cover the last part of a security organization. We’re going to look at what is the budget? What is the staffing model and what is the organizational model for that security organization? This is, I would say a little more peripheral to the cybersecurity specialist finding a job, but I think there’s some golden nuggets in here and let’s watch. Where do we see large parts of the organization, where there are large swaths of staff or large parts of your budget, because that’s where we’re going to take some fresh out of school folks and we’re going to be able to use them really effectively.

Kip Boyle: 

Oh, that’s perfect. Thank you for making the connection, so the folks watching can understand, because, I mean, let’s face it, budget and staffing is not a very sexy topic at first glance. So cool. Let’s dig into it.

Wes Shriner: 

So Kip, I’m going to apologize now; this is an early-morning recording for us. We are recording on a Saturday morning before the sun comes up, and those roosters, they are up and they are crowing.

Kip Boyle: 

That’s right. Life on the farm. When the rooster-

Wes Shriner:

If you can hear some songs in the background, you know the roosters are up and it’s time to start your day.

Kip Boyle: 

Man, maybe we should have a rooster crow as the intro to our podcast. I don’t know.

Wes Shriner: 

We got a podcast. We could call it two lonely roosters and just go with it. All right.

Kip Boyle: 

It’s perfect. Perfect.

Wes Shriner: 

It’s going to be a good day today. Let’s jump in and see what we’ve got. I want to start by reminding you, oh, where we at, there we are. I want to start by reminding you that this is where we left off last week. This is very much the security organization. This is the four sub-organizations. This is the 15 disciplines or senior manager roles. This is the 23 services of a common security service catalog. And then this is the teams that you might find are managed by line managers inside your organization.

Kip Boyle: 

Right, right. Now I just want to remind everybody that the longest episode we’ve ever done-

Wes Shriner:

Ever.

Kip Boyle:

was the last episode. I think it was like 55 minutes or almost an hour. We drilled into, not in great detail, but we looked at everything on the slide. So if you didn’t see that episode, just go back one episode from the one you’re watching right now and you’ll get a thorough tour of-

Wes Shriner: 

You will.

Kip Boyle:

of this slide right here. We’re going to drill in deep in all of these in future episodes. But if you’re just joining us, that’s how you can learn this slide a little bit better.

Wes Shriner: 

Check out 32, because that’s going to give you a lot of the foundational background. That’s going to take us through the next couple, the next year of conversations. So let’s jump. Oh my goodness. What is this? We’ve got a pie chart. That must mean something.

Kip Boyle: 

Folks this is a… It looks delicious.

Wes Shriner: 

Go ahead. So this is a staffing swagger. This is if I had a large organization, if I had, I’m going to say, several hundred, a couple hundred folks in my Fortune 100 security organization, this might be how I would apply my staff. Now, let’s look at how we read the graph. The inside circle is the same organizational units, the secondary circle is the same disciplines, and the third circle is the same team names that we saw on the previous slide. It’s simply sized by how many people might be assigned to that part of the organization.

Kip Boyle: 

Oh, okay. That makes sense. Great. Thank you.

Wes Shriner:

So now we can see that the operations portion is about 40% of my cybersecurity organization in headcount staff. We can see that security engineering, architecture, and test is about 27%. GRC makes up about 16% of my staff, and product security is about 11%. I did leave 6% for your executive team, just because they’ve got to have admins and keep things running.

Kip Boyle: 

Okay, cool. All right. That makes sense. Wow.

Wes Shriner: 

What I think we want to call out here is in operations, it’s heavily, heavily weighted on your security operations center and on your keep the lights on operations. Both of those are 24/7 operations, and both of those are great places to get started in security.

Kip Boyle: 

If you love the third shift, man, you’re just going to do well.

Wes Shriner: 

There you go, right? In architecture and test, you’re probably heaviest in your IT project support space and in your testing areas, right? This is your chance to get started in testing. It might be in functional testing. It might be in pen testing. It might be in the internal threat hunting.

Kip Boyle: 

Right.

Wes Shriner: 

That’s your chance to get started in testing.

Kip Boyle: 

Yep. Some of your first jobs are probably not going to be all that sophisticated. You’re not going to have a lot of responsibilities yet, right? You’re going to support, right? You’re going to help make sure that the people who are actually driving are going to be successful. So just moderate your expectations and get in there and just be helpful.

Wes Shriner: 

That’s right. We don’t say, “That’s not my job.” We certainly say, “How can I help? How can I make this better?” Right?

Kip Boyle: 

Even if that’s a Starbucks run, to be honest with you.

Wes Shriner:

Once in a while, it’s not about the coffee you bring, but it’s absolutely about how do we add value, make this team better by being here?

Kip Boyle: 

Yeah. Just serve, right? Just serve.

Wes Shriner:

I think that’s well said.

Kip Boyle: 

Good. What else do you want to say about this slide, Wes?

Wes Shriner:

Well, I want to tell you that the GRC area is 16% and it’s heaviest in the project management office, right? We’ve got an army of PMs who are helping us deliver on the agenda and the priorities that we have in space today. Your security analytics is a smaller tool, so it may not be as much the place to start, but do look at compliance. We talked about compliance in detail last week. Compliance can take you in a lot of directions; that’s a great place to get started. Risk can take you in a lot of directions; that’s a great place to get started. Also, look in your PMO, because that’s where you find some staffing, okay? In product security, it’s heaviest in the services security space, right? This is a great transition job. This is the great kind of job that comes from an existing IT professional who wants to move over to product security specifically.

I do want to call out a couple caveats in the chart, but before we get to that, product security at 11% is the biggest variable on this page, right?

Kip Boyle: 

Variable, in what way?

Wes Shriner:

Well, if you’re a Fortune 100 company, you might have a 200-person organization and product security might be 11% of your security org, or you might not have a security org at all, and your first security person is actually 90% product security, right? And so-

Kip Boyle: 

Great point.

Wes Shriner:

your security org for a smaller org might be 90% prodsec and we cover some compliance, right? So, we get there and we’re going to grow our organization, and I’m not saying this is the perfect picture, but this is a picture. It’s one that we think is probably verified and improved over time. I would guess, Kip, I didn’t do the math on this, but I think you and I together have been at a dozen different Fortune 100 companies in the last 15 years.

Kip Boyle: 

Oh yeah. Yeah. They’re all different. I mean, the details are different, right? And the business case to bring somebody in to support product security is just so much more clear and compelling when you’re building this team out for the first time. So that makes a ton of sense.

Wes Shriner: 

It does. Really you’re building a parallel function for everything inside cybersecurity for your external customer. Think about it as your internal customer is the lowercase-c customer. Then when you go outside to your external customer, that’s the capital-C Customer. If we use that jargon along the way, you’ll know what we’re saying now.

Kip Boyle: 

Perfect.

Wes Shriner: 

I do want to call out some of the assumptions, right? This is based on the ebb and flow of the investment priorities of the organization, right? It’s based on the maturity curve of the organization. If we’ve got more automation, it means we have less manual staff and it begets a focus on even more automation so that we can really accelerate what we’re doing as a business, a security business supporting our organizational business. It depends on where the organization priorities are for investment, especially the product security space.

What about government and industry regulations? If you’re in an industry that has a lot more regulations, your compliance is going to be a little bit bigger, not going to lie on that one. I know that SOX was a doozy for at least five years; everything was manual. And we were pulling user lists from every part of the company, users and privileged users, right? When the California CCPA privacy hit, that knocked out some companies pretty hard in 2019 and 2020, because we had to really redefine how are we doing business? We had to do that… So, the marketplace is also going to determine how we prioritize in our investments.

Kip Boyle: 

Definitely. I just want to take a moment to comment on the fact that viewers who are trying to get into cybersecurity, your heads are full of, like, Security+ certifications and how do I use a vulnerability scanner and things like that, right? These hard skills. And notice that we haven’t talked about hard skills at all yet. We’re talking about business cases and budgets and government and industry regulations and organizational maturity. I just want to point out to you that this is the typical stomping ground for a hiring manager. These are the things that are on our radar screen. So if you think we’re distracted and not paying attention to you, well, here you go.

Wes Shriner:

No.

Kip Boyle: 

Here’s a glimpse at what might be distracting us.

Wes Shriner: 

Those hard skills are table stakes. They’d better be on your resume, and you’d better be able to defend them when we talk about it in the interview. But if we have to spend more than five or 10 minutes on it in the interview, we didn’t do well.

Kip Boyle: 

Yeah. All right, what else about the staffing allocation or have you gone through it all [crosstalk]?

Wes Shriner:

Well, let’s… So this is kind of the model of how we might see staffing allocated inside our organization. The bigger places are where we might find some startup roles, and there’s a lot of transfer opportunities as well. Again, this is not gospel. This is just our opinion.

Kip Boyle: 

Right.

Wes Shriner: 

Let’s jump to the next model, which is really your non-staff budget. This might be a healthy budgetary allocation of non-staff dollars. Now this is the same type of chart. Blue is still your operations. Gray is still your governance. Orange is still your engineering, architecture, and test and product security is still that yellow.

Kip Boyle: 

I want to compliment you on the visualizations of… On these two slides. I mean, I’m a very visual person, and so line after line, after line of technical detail, it gets tedious. I fuzz out after a while, but I love to explore the visualizations. That’s just me. I just think this is great. Thank you.

Wes Shriner: 

Happy to, man. This is fun for me. So if we take this picture and we understand, and I realize the font size is small, so you’re not going to be able to see it on the screen here, but download the PDFs and you’ll be able to get all of the detail in all of its glory. But what I do want to call out here is our operations was 40% of our staff. Well, it’s also 45% of our non-staff dollars. Now, that’s both OPEX and CAPEX. Let’s talk about OPEX and CAPEX.

Kip Boyle: 

Yeah. Okay. Then also I want to clarify what non-staff dollars means. It just means money that’s allocated but that doesn’t go to compensation, right? Doesn’t go to salary. Doesn’t go to, right, any of the costs-

Wes Shriner:

Right.

Kip Boyle:

of convincing people that there’s going to be paychecks and benefits.

Wes Shriner:

Right. This is all the things about, I want to pay a firewall company to sell me their firewalls. Then I want to pay the ongoing annual maintenance contract in order to keep those firewalls operating, and then I want to upgrade another point release next year, and I need a professional services team to come in and help me do that upgrade.

Kip Boyle:

Right.

Wes Shriner:

Right.

Kip Boyle: 

What about staff training? Is staff training included in this area here?

Wes Shriner: 

[crosstalk] that is such a small part of the budget. It did not hit my radar as to which one it’s going to land under.

Kip Boyle: 

Okay, well, that’s fine. But it also makes a point which it is that we need to train our folks and-

Wes Shriner: 

We absolutely do.

Kip Boyle: 

and a $3,000 tuition fee might seem like a lot when you first join, right? You’re like, oh my gosh, that’s so much money. But in the big scheme of things, Wes just said, it’s like, in the big scheme of things like $3,000 is actually going to create a lot of value if you go to school and get smart.

Wes Shriner: 

This is based on a $150 or $200 million budget.

Kip Boyle: 

Okay.

Wes Shriner: 

So a $3,000 tuition is not even a point in the percentage.

Kip Boyle: 

Yep. That’s why it didn’t even make it into the diagram. Okay. Let’s keep going.

Wes Shriner: 

All right. So if operations is going to be 45% of our organizational size for non-staff dollars, where’s that money going? Half of that is going to be your internal and external security tools budget for upgrades and renewals. It’s going to be your single sign-on, your antivirus, your firewalls, your tokenization, what other tools might we spend money on? Anytime you talk to a security organization and you look at their stack of tools, you see that in most cases, forgive me for being a negative Nelly here, somebody ran free with dad’s credit card, right?

Kip Boyle: 

[crosstalk] Are you talking about shelfware?

Wes Shriner: 

Yeah, I’m very much talking about shelfware. I’m talking about more tools than we know what to do with, and they’re not deployed fully across the organization. So let’s say, for example, I’ve deployed 50% of this tool’s functionality, and I’ve only deployed it in 30% of my organization, specifically my e-commerce space, right? Multiply that: I paid for that tool to be a hundred percent deployed across my organization. If I’m 50% times 30%, I have 15% of my return on investment for the money I spent, right? That is very much what we see sometimes in security organizations, especially with secondary tools, and that’s why I’m such an advocate for let’s consolidate our tool stack. Let’s build it in a way that we can deploy it, maintain it, and use it.

Kip Boyle: 

You’re prompting me to think about all kinds of things, such as, there’s a big philosophical train of thought about, do you buy best-of-breed products and integrate them yourself? Or do you buy pre-integrated products that have multiple functionalities all showing up in the same user interface? I don’t think there’s any obvious way to go with this, but I do see a lot of conversation about what’s the best choice.

Wes Shriner: 

Well, and here’s some career advice: in your first year at your new job, do not walk in and say, “What’s this tool doing here? It’s not being useful.”

Kip Boyle: 

Yeah. That’s like saying, “Hey, I’m glad to come visit you. Oh, what an ugly dog you have.”

Wes Shriner: 

I did not hire a pointer, right? A person who comes in and points at things and says, “That’s broken and that’s broken and that’s broken.” No, [crosstalk].

Kip Boyle: 

That’s not the way they taught us how to do it in school.

Wes Shriner: 

No, no. Instead, I do want you to make a list for yourself. I want you to make a list of the 30 things you find that are atrocious and abominations to organizational success, right? Then after you have your list of 30, I want you to winnow it down, and you have to have been there a couple months. Now, you’ve been there 90 days and you’ve got a list of 30. Winnow it down to the three things that actually are business-case reasons for why I need to make a change, and then approach your manager and have a one-on-one conversation that says, “Hey, I found this thing. And I’d really like to work on it in my spare time when I’m learning the other job still. Is that something I can take a run towards?” You’re probably going to get a much more positive response with that.

Kip Boyle:

Yeah, show up with curiosity and show up with an attitude of helpfulness. You still might get shut down, right?

Wes Shriner: 

That curiosity, there’s a reason it was built the way it was, right? Somebody somewhere who’s probably still sitting in the chair, made the decision to build it the way we built it, and you don’t want to go sideways with that person in the first week.

Kip Boyle: 

Oh my God, relationships are so important. Ladies and gentlemen, keep your relationships in good repair.

Wes Shriner: 

It’s going to take you a year to fix the thing. It’s going to take you five years to fix the relationship.

Kip Boyle: 

If it can even be fixed. I got to tell you, I’ve been in situations where I was in sideways with somebody and the relationship had descended into depths that there was just no coming back from. That is just not a good place to be. Sometimes relationships are irreparable. And boy, just avoid that.

Wes Shriner:

Let me just say this on relationships, because, hey, we’re looking at a slide about non-staff dollars and budget. Let’s say about relationships. We are an organization of influence. We do not own production. We do not own the business. We don’t own service to our customer, we own supporting our business, supporting our technology, and so our business is trading in ideas, trading in information, trading in thought leadership and trading in influence. And if we are unable to influence our technology and business teams, we’re going to be useless to our CEO.

Kip Boyle: 

That’s right. Then the budget area, I should say the business case for us even existing, starts to get thin.

Wes Shriner: 

I did one audit of one company, when I swooped in as a white shoe consultant, and the CIO, I swear, he said to us, “I want to fire all of them and hire an anti-phishing campaign and call it done.” Come on, man. That’s not the best approach.

Kip Boyle: 

But I think that-

Wes Shriner:

we’ve got to figure out how our CIO and CEO can become our biggest sponsors and biggest advocates and supporters.

Kip Boyle: 

Okay. I’m sorry. I completely took over the train of-

Wes Shriner: 

But how fun was that though, Kip? [crosstalk], how was it?

Kip Boyle: 

All right. Well, let’s get centered again, right? Let’s get re centered. So non-staff budget allocation estimates. What else do we want to say about this?

Wes Shriner: 

The rest of the shared services offerings, the money is going to go towards VPNs or encryption or as-a-service offerings; that’s going to be your continuous automation stuff, right? We go to engineering, architecture, and test, and that’s going to be 18% of your budget, rough swag, 18%. The majority of that goes to security testing tools and scanners. Those are table stakes for being able to operate those tools. You’ve got to have them in your environment. So it’s a little bit gray as to who pays for which items: does the vulnerability scanning team own the vulnerability scanner and have the budget for the vulnerability scanner, or does the security tools team own that vulnerability scanner and run it? In this case, because the vulnerability scanning team is sponsoring the tool, they’re the ones that bring the budget. The security tools team will continue to own and operate it for them.

Kip Boyle: 

Got it.

Wes Shriner: 

That’s the common way to do this. All right. Governance, risk and compliance is 20%. What do you mean? How could it possibly be 20%? It’s just governance, risk and compliance. Because half of that budget goes to the risk team to prioritize and support risk remediations, right? How many times do we find a bugaboo in our technology team that absolutely has to be fixed, but nobody has the $1 million it takes to fix it? And $1 million is a drop in the bucket for what our organization spends every day, every year. But for some reason, nobody can find the $1 million it takes to fix this. Well, if the risk team can produce the $1 million, now we’ve called their bluff and now it’s time to make that happen. And so we do want to give our risk team, arguably, 10% of our overall security budget for the purpose of remediation activities across the organization.

Kip Boyle: 

Got it. Got it. That makes sense.

Wes Shriner: 

All right. So product security gets 17% of the budget, and that’s really because they’re building a parallel organization for our enterprise, big-C Customers. All right. That takes us to the end of staffing and budget. Now we got to look at the next tricky piece: who does security report to?

Kip Boyle: 

Okay, so this is good and provides fuel for a lot of afterward conversations and other way more serious conversations too. This subject has actually cropped up for me as part of a legal case that I was actually brought in to work on. So some of this can get really serious.

Wes Shriner:

I think the key message here is at the top, right? The organizational formal reporting structure can be designed to emphasize specific relationships to influence how groups work together within the organization. This is very much your business organizational theory. I just finished a master’s in cybersecurity and leadership, and I’m not going to lie, one of the things we emphasized was how do we have continuity inside our organization to meet our mission that is stated outside our organization. When we have that continuity, our organization is going to be built to be more efficient and more effective. So let’s take a look at each of these examples. I’m not going to drain them here. Don’t worry about trying to read the whole slide here.

We’re going to go into a little more detail next. Here, you’ve got the one… The first example on the left is almost entirely linear. We’re calling it linear consolidated. As you can see, all security functions roll up to the CISO, who reports to the CIO, who reports to the CEO. This can be really useful for ensuring alignment between security, technology, and risk items. This is a common model, especially in smaller organizations, where it’s clear: I’ve got a linear progression.

Kip Boyle: 

Even in larger ones, I’ve seen very large sprawling enterprises with this particular reporting structure.

Wes Shriner: 

I want to call out on this org picture, you can see CEO, CIO, CISO reporting directly to one another, but then you see how the line is on the left-hand side for security operations, engineering, GRC, and product security. That means that those are peers. Those four are peers to each other. I just want you to understand how to read the chart so that we can run with it.

Kip Boyle: 

Good point. Thank you for-

Wes Shriner: 

All right. Now we’re looking at number two, the elevated CISO, right? That CISO has now stepped up as a peer with the CIO. It’s useful for security autonomy. If you want to be able to report to your CEO and say the CIO is not doing good things, this is a really effective model for that, right? It also could make it really difficult for security and technology to work together.

Kip Boyle:

That’s the thing about each of these four models is that there are pros and cons to each.

Wes Shriner: 

Pretty much so.

Kip Boyle: 

It really depends on the situation as to which one is optimized for you. That could change over time. You could go for 10 years in a linear consolidated model, but then find that things aren’t working very well, and there’s some conflict in terms of prioritization. You may need to switch over to the elevated CISO model for 10 years or so in order to clear out that conflict, that clash.

Wes Shriner: 

That’s probably a good comment is you use the model to accomplish the goal. The model is not the goal, right?

Kip Boyle:

Right, right.

Wes Shriner:

I believe this number two is the one that’s advocated for by (ISC)². I’m not sure I advocate for it, but this is what (ISC)² says is the model that must be in place.

Kip Boyle:

Well, and I don’t know that they’re saying that this is the model for the ages, but as I look around these days, I think more organizations should be considering this model, because a lot of them are conflicted, I think. And with the… Why are they conflicted? Because the linear consolidated model, I think, reflects old thinking about how big of a risk cyber really is, and that, by putting it into the technology area, you’re kind of saying, well, it’s just kind of a technology problem really. Certainly, that’s the history, but it’s not where we’re at anymore. And I don’t think it’s where we’re going to be going forward. It’s just a little comment from Kip.

Wes Shriner: 

Well, and this number two means there’s no mixed message because the CISO has direct access to the highest levels of the organization, right? All right, let’s jump to number three and see what number three has for us. The third diagram returns the CISO under the CIO, but it distributes the product security function to the product realization teams. There’s value in this because we can both retain the security risk and technology alignment and build security into the products from inside the product organization. If I had an opinion, I’d probably prefer this model. It’s really useful for aligning product security to the product teams, and I find that pretty high value, right?

Kip Boyle: 

Well, and then the con here is product security could end up pursuing their own agenda and not being well aligned with the rest of the security organization.

Wes Shriner: 

That’s true. I’m also going to put a philosophy out there that the person closest to the floor closest, I’m sorry. The person closest to the job gets to choose the tools, right? So the person who’s going to be sweeping the floor gets to choose which broom they’re going to use to sweep the floor.

Kip Boyle: 

Yep. Yep.

Wes Shriner: 

In the same way-

Kip Boyle: 

I don’t have a problem with that.

Wes Shriner:

I’m convinced that if we delegate and give authority to that product security team to work within the product team to deliver better results, they’re going to choose the best broom for the job and they’re going to be really effective. If they find they’re getting stomped by feature priority, instead of security feature priority, then we may want to pull them back and use a little more voice behind that to get those security features driven into the product.

Kip Boyle: 

Okay.

Wes Shriner:

That fourth diagram is similar to the third, but it moves security, governance, risk and compliance function out from under the security umbrella. That’s your distributed alignment model, right? It could go two ways from here to the enterprise risk function, so that there’s alignment between cyber risk and enterprise risk or to the legal organization so there’s alignment with regulatory and compliance initiatives. I’m not a fan of this model. It separates things in an odd way. I’ve seen large white shoe organizations make recommendations to fortune 100 companies to make this split and do that kind of hard work of security. Again, I’m not a fan of it. The risk organization from a risk driven security function, the security governance from the actual security organization, these are odd. The cyber risk and cyber compliance should be with the technology organization in my opinion, if we’re going to have a risk driven security organization.

Kip Boyle: 

Okay. Okay. I don’t have a big opinion about number four. I’ve been a part of an organization that was organized according to model number four. And there were times when it was awkward and goofy to try to get something done, because I had to work across two other silos that just thought about the world differently.

Wes Shriner: 

I say, let’s roll with it, because I can work in any of these four organizations. The organization does not define who we are. It define… It’s a means to our goal, right? That brings us to number four, right? The four pictures come back together and we say, there’s no right or wrong organizational model. Each one highlights different benefits and has its own drawbacks.

Kip Boyle: 

By the way, Wes, for those in the audience who don’t really know, what’s a white shoe firm? You’ve said that a couple of times, what is that?

Wes Shriner: 

Well, so you’ve got Big Four consulting firms. Those are the four that do the primary auditing and assurance for America. They do it for every major organization in the country, and those four, what would they be? They would be Capgemini or [inaudible], Deloitte, [crosstalk] PricewaterhouseCoopers-

Kip Boyle: 

KPMG?

Wes Shriner: 

KPMG. KPMG makes the list. Those are the ones that you might hear if there’s a lottery, and someone has to certify the results of the lottery.

Kip Boyle: 

Right.

Wes Shriner: 

That’s going to be the organization that’s going to do that.

Kip Boyle: 

Right. Okay. Got it. Okay, cool. Just want to make sure we didn’t leave anybody behind on the jargon.

Wes Shriner: 

It’s a good conversation. We didn’t cover OPEX and CAPEX either, right? OPEX is your operational expense. CAPEX is your capital expense. Capital expense is something that you do if you’re buying new or creating or adding value to your company. Operational expenses: once I bought it in the first year, now I’ve got to operate it, and there’s an operational ongoing expense to keep it alive and keep it running. That’s going to be both your money spent on the tool maintenance and your money spent on staff to keep it going.

Kip Boyle: 

There’s an… What I think is an inordinate amount of conversation about OPEX versus CAPEX. So don’t be surprised if you hear a lot of people talking about it.

Wes Shriner: 

But for now, thanks for joining us. I think that brings us to the, oh yeah, to the final thoughts. We’re here.

Kip Boyle: 

That’s great. Okay. So the key takeaways, right? What are they?

Wes Shriner:

Cybersecurity is hard, it’s complex. There’s a lot of moving pieces. And in a large organization, you’re looking at a staff count of 200, a potential budget of 150 to 200 million. On the flip side, you could be doing it all by yourself. You could own product security, 90% of the time. Both are okay. Both are part of how we grow security at our organization. So understanding the dynamics of security across the small company, the mid-market and the large company is going to help you find your dreams, that as you dig in and find what’s going on in there, you’re going to find yourself. And when you find yourself, you’ve found your dream cybersecurity job.

Kip Boyle: 

That’s great. Okay. Next week, next episode, we’re going to do a deep dive, right? We’re going to start really going through the organization. One, was it one team at a time, right? One service at a time?

Wes Shriner:

I think we’re going to start at organizational units. In the next four episodes are going to be the four organizational units. We’re going to bring some guest speakers in, who are going to really take us… They’ve spent their career in that organizational unit, and they’re going to take us deep into what they do and how do they do it and why it’s fun.

Kip Boyle:

Oh, I can’t wait. Brad’s up first, right?

Wes Shriner: 

That’s the plan I’m looking forward to it.

Kip Boyle: 

All right, we’ll see. I’m looking forward to it as well. So fantastic. Thanks Wes. Listen, ladies and gentlemen, if you like our podcast, we put together a free guide, and we want you to have it. Now, it’s called Play To Win. Getting Your Dream Cybersecurity Job. Because we now have visuals, I asked Wes, could we please show you-

Wes Shriner: 

Of course.

Kip Boyle: 

guys a part of what this guide looks like. On the screen there, you can actually see pages six and seven. Well, you can kind of get an idea of what’s going on there, right? But pages six and seven tell you how to overcome blocker number one, which is, you don’t know the title of the job that you’re going after. You kind of have a sense for what you want to do, but you don’t know the actual title or maybe a couple of different titles that it could be.

That’s a really important thing to know. It’s going to really help you be successful if you know the job by title. So anyway, this part of the free guide tells you not only that you need that, but how to find out what those titles are. Anyway, it’s just one of the four blockers that it talks about. If you want this, it’s yours for free, go to your cyberpath.com/pdf and download it for yourself. We’d love for you to have it. We’d love to know what you think about it. If it’s helpful, if it’s missing anything, I want to know. So, all right. So until next time, remember you’re just one path away from your dream cybersecurity job. See you later.

Wes Shriner: 

See you.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.