October 27, 2020 · 9m read
“Don’t go chasing unicorns” and more security staffing lessons from Lisa Hall of PagerDuty
We recently sat down for a virtual interview with Lisa Hall, who leads Information Security at PagerDuty. PagerDuty is the central nervous system for real-time digital operations at over 13,000 organizations, including nearly 60% of the Fortune 100. The publicly traded company is a household name in DevOps and IT and has led the recent renaissance in infrastructure monitoring and incident response, serving customers around the globe. PagerDuty is mission-critical for every one of those customers, and their teams place a great deal of trust in the security of the company and the platform. PagerDuty's security team works nonstop to maintain that trust.
Your path to leading a security organization is unique. How did you get started and what are you doing today?
Since the '80s I have always enjoyed learning about computers and gaming (playing King’s Quest on an IBM really got me hooked). My first “tech job” was tier 1 support at an Apple call center, and my start in the security industry was serendipitous. I was actually working Administrative Assistant jobs when I applied to an Executive Assistant to the CISO position at First American / CoreLogic. When I went to interview, I learned the CISO and Information Security Officer were both women, and I was excited to see women interested and successful in security. I loved learning about information security, and as the EA to the CISO, I had the opportunity to be a part of everything, from project planning to board meetings. I voiced my interest in learning more and advancing in security and eventually grew from EA to Security Analyst. From there, I moved into a Security Manager role. Since then, I’ve consulted with EY, joined my first Bay Area start-up, Twilio, in 2013, and now I head up a team of 12 here at PagerDuty! Shout out to Lou Viscusi, Coleen Coolidge, Laurel Geise and Cynthia Watson for opening doors for me along the way! A support network is everything.
You've successfully approached security hiring in unconventional ways. Can you share your approach and lessons learned?
I start with the assumption that security is learnable. One of the top struggles we hear about in security hiring is “finding talent.” The talent is out there. When we give people opportunities, they bring diversity, excitement, and fresh perspectives into the organization. In security, we have to think about one concept in many different ways to understand how something might be vulnerable or compromised. Security is a creative industry that requires a diverse skill set, above and beyond technical aptitude.
Christine Chalmers, our Technical Program Manager, Information Security, came to PagerDuty with a background in education. Having attained her Master's in Social Sciences and Education prior to joining PagerDuty, Christine worked with educational institutions designing learning programs, forming needs assessments and facilitating contract agreements. She knew how to build relationships with stakeholders at all levels inside and outside of the organization, how to create consensus and how to deliver instruction. She managed departmental alignment and accommodation compliance through influence. Sound familiar?
Since joining PagerDuty, she’s led many successful initiatives and has excelled at being a liaison between security and internal teams (like engineering and IT). To prepare for a move into security, Christine sought out security resources (like the SANS Women's Academy), networked within the industry, and demonstrated her passion for the field. That passion, along with her ability to leverage a unique skill set, had an immediately positive impact by improving cross-team communication, driving process improvements, and bringing a fresh set of eyes to further build out our security program. Many technically oriented professionals focus on technical proficiency (which is critical), but often downplay other important skills, like communication.
Promote From Within:
Here’s another example: Andra Burck, one of our Security Engineers, was a Technical Support Engineer at PagerDuty when I joined but showed an interest in security. She began to partner regularly with the team and sought mentorship and sponsors. By bridging the gap between customer-facing engineering and support, she took on responding to secure disclosure submissions. I can’t tell you how appreciative I am for Andra and that she decided to join our team. I'm all for promoting internally. We benefit immensely by keeping curious, driven people within a company—leveraging their existing skills and knowledge, and their different experience. They benefit by taking on new challenges, and growing their career and skills internally.
Don’t Underestimate Your Interns:
If you don't have interns yet, you should get them. Interns and hiring from organizations that support, mentor and sponsor(!) people in their early career are great mechanisms to open doors for individuals interested in security from different backgrounds. You have to build your talent pipeline. There are tons of great programs, like Year Up and Code2040 that can help you find talent and, at the same time, play an active role in closing the opportunity divide.
Neha Gupta, one of our Security Engineers, started as an intern on the security team. She came to PagerDuty with a bachelor's degree in Integrated Science and Molecular Biology and a doctorate in Naturopathic Medicine. She had completed a software engineering program at Hackbright Academy learning full-stack software engineering and computer science fundamentals. She didn’t even intend to move into security. But, she joined our team, and we won her over, as she did us. Neha demonstrated the growth mindset needed to learn security, she ramped up fast, and her passion for problem solving and creativity serves her well when tackling complex security projects.
What are some of the red herrings when it comes to hiring?
Oh, where do I begin! There are so many. The bottom line is: there is no silver bullet. First, education. I know some AMAZING security practitioners who do not have a formal education or a degree. Certifications are another one. Certifications are a great way to demonstrate that someone can learn and test well, but a piece of paper does not mean they will be successful. Certifications can, however, demonstrate passion and can get someone to a position where they know what questions to ask. A curious person with certifications will have a leg up. Bootcamps show dedication too. I know I just mentioned them, but I’ve seen some companies refuse to hire people from bootcamps because they are perceived to have less expertise. Those companies are missing out. At the same time, completing a bootcamp, much like a certification class, can’t guarantee someone will be successful or work out for a particular company. I can’t imagine there’s anyone out there who hires for security without assessing technical aptitude, but that assessment will be different depending on whether you are looking for a Staff Engineer or an Analyst.
Another misconception is that you can find unicorns. Don’t go chasing ‘em. They are few and far between. Also, stay away from hiring for a brand or, dare I say it, “security rockstars.” Security is a very, very broad topic with a lot of nuance. It is always changing. Looking for someone who can do “everything” is rough. And hiring someone because of their brand, or the companies they have worked for in the past, could be a pitfall.
Years of experience as a proxy for ability to do the work is another distraction. I’m happy to see more companies removing the “must have this many years” requirements from job descriptions.
Knowledge of specific tools and tech is another common mix-up. Why ask for specific coding languages on your job req if what you really need is someone who understands coding? In the same vein, why ask for “AWS experience” if what you really need is someone who understands cloud infrastructure? Sometimes you will be in a situation where specific technical skills are needed, but don’t forget that balance. What if your company decides to move from on-prem to the cloud, or the head of Engineering decides that this year we will all start coding in whatever fancy new language comes along? It's more important to have the capacity to learn; getting information is the easy part. Security isn't about an ingrained way of doing things, but being able to adapt what you know to a changing world.
What’s an example of something you have done to make security hiring easier and better in the last few years?
We removed unnecessary requirements from job descriptions and interviews. For example, technical interviews should be technical, but shouldn't be overly restrictive. You should expect a technical interview to be difficult, but to me it’s more important for a candidate to demonstrate their capacity to understand and think through a problem. This means learning how to disregard questions that may not be relevant to the person and finding new ways to get answers through different means, rather than being rigid. Once, an interviewer asked me to whiteboard a solution to a Cross-Site Request Forgery (CSRF) attack. Instead of writing the code he was looking for, I drew out how I would approach solving the problem. I started by writing down questions, actions to take, and things to discover. I did not have the “technical” answer he was looking for, but I got the job.
There are a couple of lessons here. First, hiring and growing people like Christine, Andra, and Neha doesn’t only help your organization, your teams, and the individuals themselves, it also makes the industry better. Taking security classes and bootcamps may not be a silver bullet, but it is a good indicator of interest and a sign of passion. That's a useful signal. Second, security requires more than technical aptitude: it requires an ability to constantly learn, to adapt under pressure, and to empathize with others. These skills exist in many unexpected areas.
Taking a step back, there are so many changes happening in the way we work today. Being flexible and creating opportunities for our people is critical. As anyone who has been involved in hiring for security has likely experienced, it can be a long process. Industry data shows filling a cybersecurity position with a qualified candidate can take up to six months. And in a hot market, churn is inevitable. I appreciate that more companies are becoming remote friendly, opening opportunities for individuals with non-traditional backgrounds, and mentoring from within. By force of nature, we are becoming more adaptable and can lend further flexibility to the talent we have as well as look for talent in hidden places. It’s our job to dispel security myths, practice mindfulness and empathy, communicate effectively and build a community of learners.