Sunday Musings Talent Systems Ai
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Cyber/Info Security Employee Retention
I think the corporate world has this idea that people come into a job, become “perfect” at it and never change, let alone leave. This construct has been shaken over the past several years by the huge push towards remote working and a larger shift, among my generation and younger, toward prioritizing a two-way contribution in the relationship. That means if people don’t feel they fit into the cultural environment in the organization, they will find a better fit.
Many organizations don’t want to train people outside of their roles because they don’t want to lose them (you’re too valuable in your role to promote). This is, partly, because most don’t have solid internal transfer and promotion paths.
I’m firmly of the opinion that this is a mindset problem, not a programmatic one.
Imagine an organization that accepted that they’re going to hire in people who are either not ready to do the job yet, or are just reaching competency, and that they’re going to learn it. Second, the organization is going to teach them the skills they need to move on to the next job.
Now, some will think that’s a sure-fire way to lose people. It’s not. Most of you know I’m an evidence-based guy… according to LinkedIn’s workplace learning report, 94% of employees would stay at a company longer if it just invested in helping them learn what’s valuable to them.
In a crazy turn, let’s look at the military. You have 2-3 years tops in a job, then you’re on to the next position. Much of my foundational motivation for my position becomes:
How am I learning this job; how am I preparing and learning for my next job? and
How do I make this easier to understand for the next person? How do I create systems and processes to enable the next person to hit the ground running or at least make their uptake faster?
How do I identify and cultivate talent, passion, and motivation for those within my sphere of influence and promote the right persons to either managers, or put technical subject matter experts with no desire to lead into positions where they can push us forward?
Granted, all the branches of the military are struggling with recruiting right now. That doesn’t change the model. New employees come in with little to no skills. They receive training for their roles, education, and training to promote them, and mentorship along the way. All while knowing, no matter how good or bad they are at their job, they will leave. It’s not perfect, but it’s a good model to start with.
We struggle in this across the military, academic, and industry sectors in the cyber profession. The best technician isn’t always going to be the best team lead, the best team lead may not have the correct skills to become a manager or director; they also may not want it.
I don’t have a magic wand. But if I were a wizard for a day, I’d start with inculcating the idea and commitment from executive leadership all the way down that we will invest in our people. It’s great to put them in training and develop skills that they’ll use in their next job.
We develop a culture and system where there are laterals and promotion opportunities inside the organization through additional skills education and on the job training. It’s acceptable that they might leave us. People will come and people will go; that’s ok.
Really.
When we build a reputation for training people to be better at what they do and what they want to do than when they arrive, people will want to work for us. They will also want to keep working for us.
If you’re too afraid to give people opportunities to grow because you’re concerned they’ll leave, they’ll leave to find opportunities to grow.
In the News
Understanding Risk: Re-Victimization from Police-Auctioned Cell Phones
This blog post from Brian Krebs showcases a University of Maryland study where researchers bought several smartphones seized by police for various reasons. These phones then made their way to PropertyRoom.com, which bills itself as the largest online marketplace for property seized during law enforcement investigations.
Researchers purchased 228 smartphones sold “as-is” from the site. Researchers were able to unlock many phones using PIN or common pattern guessing, and many others had no PINs or passcodes.
One phone had full credit files for eight different people on it. On another device they found a screenshot including 11 stolen credit cards that were apparently purchased from an online carding shop. On yet another, the former owner had apparently been active in a Telegram group chat that sold tutorials on how to run identity theft scams.
Why should you care about the info from criminals? Great question. The sensitive data was from the victims.
This simple lapse in security practice, where neither the government organization nor the organization that purchases the property wipes the hardware, creates a significant risk of revictimization for those persons and raises concerns about protecting personal information and potential misuse by new buyers.
AI Attack Surface Map v1.0
Daniel Miessler has a great first swing at teasing out AI attack surface. AI is coming regardless of our opinions, so we need to figure out how to assess AI systems and their many components beyond solely the LLMs and models. I like Daniel’s thoughts on needing to understand where AI systems intersect with legacy business systems.
The Taxonomy of Procrastination
This is an interesting deep dive/shower thoughts on procrastination from Dynomight.
Quote I’m Musing
“Train people well enough so they can leave. Treat them well enough so they don’t want to.”
-Sir Richard Branson
Imagine you’re talking to someone from company X, and they know so much about the company, its vision, its direction, and future that you think they must be an executive. Then they introduce you to their manager. Wouldn’t you think this company had it together? Would you want to do business with that company?
Investing in our people is an investment in the organization and ourselves. I recently talked with a technician who was interviewing for a cybersecurity engineer position. He had his OSCP, he loved pentesting and offensive security. He wanted to move into putting in place the security and protection features and policies that guard against what he’s been doing.
The kicker? He was interviewing for the position as a lateral movement within his own company. Their culture was such that when he wanted a change, he didn’t even bother looking to leave. He told his boss, who put him in a room with the director. They saw talent and began helping him move forward.
That’s a company that has people who know multiple aspects of how they do business and how to put it together. That’s a company I want to work with.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.

