
In this episode of Cybersecurity Today titled 'The Secret CISO,' host Jim Love, along with guests Octavia Howell, Daniel Pinsky, and John Pinard, delves into the personal and professional experiences of Chief Information Security Officers...
Jim Love
Welcome to Cybersecurity Today. I'm calling this episode the Secret CISO. It's an episode I wanted to do for some time and I managed to put it together with the help of my friend John Pinard. We talk a lot about the technical aspects of our roles, the threats, the processes, the best practices. But I don't think we spend as much time talking about what we think and maybe even sometimes how we feel. And that might be just as valuable, maybe even more valuable, to share with others. All I needed was three people who were open enough and courageous enough to not only have the discussion, but to share it with our larger audience. And that's why I called it the Secret CISO. It's a little bit tongue in cheek, but we're sharing the secret with 10 to 20,000 people who listen to an episode of the show. So it's a pretty widely shared secret, but it is one of the things I value most. I got to know three incredible people and had a fascinating conversation, one that I just wanted to share. I hope you enjoy it as much as I did. I'm going to just let people introduce themselves and we'll get started.
Octavia Howell
I'm Octavia Howell. I am the Chief Information Security Officer for Equifax Canada. I have been in the security industry for about almost 19 years now. Time flies. I started my career in network security and really went from being a network security engineer to really overseeing our entire data security, network security, then moved into cloud security and I now focus on securing Equifax Canada in industry and working with our US counterparts to ensure that we are looking overall to protect the data and privacy of Canadians.
Daniel Pinsky
Yeah, so Daniel Pinsky, I'm the CISO for CDW Canada. I've been in the cybersecurity or information security industry for about 22, 23 years. I also started on the networking side as well. And at some point I was very lucky that I was. I had a kind of a mentor at the time who introduced me to security and kind of Red Hat and UNIX. That's really where I fell in love with all things information security. Got bounced around between various organizations and obviously now I've been at CDW Canada for about maybe six years and John.
John Pinard
John Pinard. I am the VP of IT Operations Infrastructure and Cybersecurity at DUCA Financial Credit Union. I have been in IT for longer than I like to admit, but we'll just say 40 plus years. I started out as a programmer when there was no such thing as cybersecurity. Nobody ever talked about it because it just didn't really exist. And so I've grown into the area of taking over cybersecurity and so on, and it's just been along for the ride.
Jim Love
Yeah. Can I ask you guys a personal question? Is this where you thought you'd end up in your career? What did you, what vision did you have of this job when you took it?
Octavia Howell
I am not done with my career at all, so I can't say that this is where I thought I would be. I'm still on my career journey. I did not know when I started my career, I did not know there was a such thing as information security or cybersecurity or anything of that nature. I was just doing what I like to do and things that I like to do just happen to be in network security where I am now. I think I'm still trying to figure out what my next steps are. It's difficult because most people who are, who get the CSO role, they start looking at, okay, my next opportunity is board positions or anything else. It's very rarely that a CISO would say, my next position may be a COO or, or a CTO or a CEO. So I'm not quite where I want to be, but I think I'm on the journey to get to where I need to be.
Jim Love
But is the job what you thought it would be? When you think about a CISO, is it what you thought you'd be doing?
Octavia Howell
If you would have asked me that maybe 15 years ago, when I was very early in my career and I thought that executives were like the holy grail of the job, then I would say probably no. But if you asked me that five years ago, I would say yes. I knew what I was getting myself into. I think the only thing that was surprising to me was the fact that now you have to learn so many other people's roles and somehow they don't have to learn your role. It's just very interesting that I think that's the interesting part about the role.
Jim Love
Daniel, how about you? Is this the job that you thought it would be?
Daniel Pinsky
Yeah, my journey is interesting. So funny enough, growing up I actually had no real interest in computers, to be honest. And when I was in business school, I didn't know what I wanted to do at the time. I was really flip flopping between be an accountant or a lawyer. So technology wasn't anywhere on my radar. And so I happened to get a summer's job while I was in university at an accounting firm working in their IT department. And really my first job was literally it was like inventory, it was like move computers from shelf A to shelf B. And like my second job was somebody taught me how to format hard drives. So that's what I did for large form portions of that team. And then eventually I got exposed to networking and I always loved using my hands. Growing up I built models and I always loved building things. And when somebody introduced me to networking and I began to understand that you had the ability to build a network with routers and switches and pull cable and splice your own wire, I really fell in love with networking. And somebody at the time who's much more senior in that organization, I said, I love this networking thing, what do I do? And he said, go learn Cisco. So like one of the first certifications I ever did, probably the first was my CCNA, right? And that's where I started and I really fell in love with networking. And like I mentioned before, eventually I was introduced to Linux and UNIX and the kind of information security. And then I pivoted a little bit from networking into security. And then in a small accounting firm I ended up getting hired full time after I graduated. And in the course of a couple of years I ended up being the security guy. So I was responsible for all things information security from building and managing all firewalls, the DNS servers, the DHCP servers. And because we were such a small team, we were all like Windows people and light red hat people. We had to wear a lot of hats.
So I got to learn so much and I got exposed to so much. But that's really, I think it was at that time, and I'm going back probably over 20 years now, I really fell in love with information security. And similar to what kind of Octavia said back then in my career, to my, to me, like the pinnacle is to be an executive or a CISO or that's what it is. That's the holy grail. That's the thing that you climb the mountain for. So back then that was like, that's the thing I want. And so I'm not surprised. That's what I've been working towards for the last two plus decades to get to. Is it what I thought it would be? No. I think when you're younger in your career, you have unrealistic ideas of what it is to be an executive and kind of what it is, what that job entails and what you deal with on a daily basis. I think what I've come to learn over the years and decades is we're just all people. And I think the important thing now is that we keep learning and we keep growing and that you turn those stumbling blocks into stepping stones. And the, the issues that one deals with earlier in their careers are not that dissimilar with some of the issues just in terms of the problems and the challenges. Yeah, the issues might be different, but how you go about dealing with those issues is similar. And we're just all people trying to do our best on a day to day basis. Trying to serve our organizations and at the same time trying to serve our customers.
Jim Love
John, what got you there? First of all, let's start with that.
John Pinard
So I started out as a programmer and I used to work on AS/400s and well System 34, 36, 38 and AS/400s. That goes way back. I used to work for a consulting company doing installations and so on and it just gradually worked its way in. I got into management and as technology. Like I said, when I started cybersecurity wasn't really an issue. I actually started in IT before the Internet was really a common thing. And cybersecurity really started after Internet came about because of the connectivity and I don't know, it was probably about 20 years ago that cybersecurity just fell into being part of my role and has gradually expanded from there and in different roles that I've been in. I've been a CIO at two different companies and now as a VP at a larger company. Cybersecurity is still part of my role along with a number of other things including AI and operations and infrastructure. But it's. Jim, you and I have talked about this before that cybersecurity managing and controlling security isn't or shouldn't be an afterthought or a bolt on. It has to be built in from the ground up so that it's. Somebody doesn't think about security after the fact. You think about it as you are building things. So that's really what I've learned as I've grown through this, that the time you run into problems is when you think about it after the fact.
Daniel Pinsky
Yeah, it's a good point, John. It becomes a lot more. Typically becomes a lot more expensive and cumbersome.
Octavia Howell
Yes.
Daniel Pinsky
To add it on at the end, right?
John Pinard
Yes.
Daniel Pinsky
The earlier the better.
John Pinard
Yeah. And I think so as to when I really got into cybersecurity, I think as I said it's grown in as part of my role. But I think probably the trial by fire for me was about 10 years ago at a company that I worked at. Luckily it was in the early days, but we got hit with ransomware. And let me tell you, nobody has any idea just how painful it is until you actually get hit. And I always, you used to talk to people and they go, how could somebody be so stupid to fall for a fake email or whatever. And I can tell you in the case where I was at, it was an accounts payable clerk got an email that said, please pay the attached invoice immediately. They double clicked on it and Bob's your uncle. That was it. We were done. Luckily, as I said, it was the early days of cyber attacks or earlier days, so they weren't anywhere near as sophisticated as they are today. And ultimately we ended up recovering by restoring from. Luckily this was a Monday morning. We ended up restoring from the backups from the weekend. So we only lost about half an hour's worth of data. But it still took us four days to get there to figure out how we got hacked, where it came in, what it had hit, and everything else. So even in the early days when it was a simple recovery, it still had. This was a company of 14,000 employees with 2,500 users that were down for four days. And so it's. And like I said, that's the easy days. Now they've gotten smart, so it's an awful lot tougher to manage now.
Daniel Pinsky
Highlights BCDR and backups.
Jim Love
Yeah, in the early days, if you've ever sat in a room with a mainframe and watched the tape spin because there were no backups on them, you're lucky. In those days we took backups. We just didn't always take recovery, but in the role. And the reason why I asked about why you might feel it was different is because I think if we're all honest with ourselves, we'd say there's a certain amount of separation between CISO and the rest of the staff, be it the executive or the rest of the staff, because in one case, you're charged with making sure that they don't do things that are wrong. Now, that may not be true. You may be the most open, wonderful people in the world, but there is that sort of police like aspect that people perceive. But maybe I got that wrong. How do you think people perceive you in your organization?
Daniel Pinsky
I think traditionally, at least for me, it's very easy for folks in the organization to think of information security as the police or the department of no or SharePoint, that people making sure that people follow the rules and the policies or the governments. And I think it's incumbent upon us to and this is a lot of what I do on a daily basis is engaging parts of the organization and building relationships with parts of the organization and trying to impress upon them that information security or cyber security are an enabler or business driver and that in order for the business to be successful information security needs to be successful. And that's where the strategic alignment comes in is the things that we do should be enabling and pushing the business forward. But I agree with you. I think that the notion of kind of the you're the officer of no is it's a stigma I think that's been around certainly as long as I've been in the industry, but something that we have to work at to try to change that perspective and it has to be done on a daily basis.
Octavia Howell
Yeah, agree. However, I work my entire career to try to make sure that I'm not the person that goes around saying no all the time. And I think there's a little bit of a catch 22 where if you are perceived to be too relaxed and too negotiable then you end up chasing when things go wrong. Right. And so there's a balance that needs to happen. But sometimes it is our job to say no, not that way. But I would just say instead of saying N O we say K N O W. You need to understand why this is something that we don't recommend or why this is something you cannot do what should not be. And I've found that especially when you work so hard to not be perceived a certain way that sometimes gets taken advantage of. And so we want to make sure that we are being firm in our policies and what we can our non negotiables are and what we can do but then also at the same time be that business enabler, hey, this is how we can actually do this and still drive business growth, still drive revenue. We just want to move so quick.
John Pinard
I think one of the things too from a that I at least that I have found especially at the organization I'm at now is that we become educators too and that it's as Octavia and Daniel have talked about, the officer of no and so forth. A lot of the times we are saying no but part of what we have to do is educate people as to why we're saying no or how they could go about doing things differently so that it's a yes. Even I quite often will go through on various social medias that I see stories about companies being hacked or like when MGM got hit a few years ago that I shared those stories with people at the company so that they can understand exactly how easy it is to get hit and what the impacts of it are. And I have found that doing that helps, as I said, to educate them so that they are a little more agreeable. And they've started to think about security as they go through their normal daily job that never used to include cybersecurity in it. As I said, I think it's a bit of education as well.
Octavia Howell
I also think that the privacy regulations help a little bit. We've had situations where other officers of the company will say, oh, things happen. It is what it is. And as soon as I say, oh, this is reportable to the OPP or hey, we need to actually notify if this happens, then that becomes, oh, I didn't realize that. I just thought that you were just telling me, no, that I can't do this or that I should not do this. I didn't realize there were consequences behind it. So sometimes it's really giving the entire picture. My team laughs at me all the time because I think consequences first. So as soon as they say something, my first thought is to run through all of the scenarios to figure out how it may end. And when we actually think about all the scenarios and how things may end. I literally, I need to be a programmer as well. So my brain works in if then elses. And so if then. If we do this then else or switch statements, that actually calls to multiple scenarios. And so I think that's a part of that education is that's how I think. But I realize that's now how my team and my peers think. And so how do we always try to set those things up to make sure that we can get to a yes, but get to a yes that is both mutually beneficial and keeps the company secure.
Jim Love
Yeah. One of the things I'll just share what it was like for me was I started out in development and I ended up inheriting operations. Operations was the most stressful job I've ever had. And that was in the early days because I back. John talks about the system 36s and things like that. If for those of you in the audience haven't seen one look at your phone and think of something half as powerful that runs a national network and that these things. So we were constantly coping with the capacity of technology, with things that broke, with all those, all of that. And so in the middle of the night, you. I was. You could be working for a financial institution. You have to come up in the morning and you're the one responsible. I left that behind because I became a consultant and ran a consulting practice. But so I lost a lot of that and then I got back in and I was suddenly in charge of security again and the old feeling came back. There was you. That tension of what's going to go wrong when the phone rings late at night, all those things. Do you guys feel that as well? Do you feel the pressure of the job ever?
John Pinard
I'll start out and say yes, absolutely. Being a financial institution, one of the biggest concerns is we need to make sure that our members data and finances are safe and secure. And it's just a matter of trying to keep. I have a good team that, that keeps on top of things and it's just go to bed at night with your fingers crossed and your toes crossed and hope that nothing happens while you're sleeping.
Daniel Pinsky
Yeah, for me it's not. I don't know if I would say I'd feel the pressure the job. It's just. I understand that's just part of the role and it's something that I've come to accept. Talk to point. I worked for a couple of years in just an incident response team where I did shift work and I was working like 12 hour, 14 hour days for subsequent days in a row. And so I was essentially doing shift work. And certainly as I was doing this over those couple of years during the winter, like I would go weeks without actually seeing the sun. I was doing the overnight shift. So having worked in that kind of environment and kind of understanding what that did to you mentally and psychologically, yes, there's pressure or stress in my day to day job but to me that was way worse. So yeah, I'm aware it's there and I understand at the end of the day I'm responsible, should suddenly go bump in the night. But that's just part of the job and I've obviously it's something that I've accepted. Right.
Octavia Howell
Yeah, I feel the same way as Daniel. Like I used to manage the network security and data networking operations for about five years and that I think was the most stress that I've ever had because again like Daniel said, I didn't. I never worked shift because I was always on as a manager, you're always on. So there was just. When I was younger in my career we had rotations where we took a week and then we would have a couple of weeks off and someone else would be on call. But when I became the corporate vice president or the director of the entire thing, it was. I always got the call. Right. And so I feel, as Daniel said, that was worse than where I am now. I do have a lot of compassion for my technology team because no matter if it is an operational, a technical outage or issue or a security issue, they are always on, I only now get called if it's a security issue. And so I think I have that appreciation in knowing that they might have been working for every single night for one week where I might get the call and just steer the ship one time or one day that week or for a particular incident. And then we wrap that up when we have things happen. Honestly, there are things that I have already suspected. I think the thing that bothers me the most is when I'm surprised. Right. When it's something that I was not aware that was happening, then I have to go back and calculate myself and my team to figure out how we missed it. But most of the things that we see or that happen within the Enterprise, we know that it's a possibility. So we've already played out those scenarios.
Jim Love
Yeah. In terms of the pressure of the job and all of that as a journalist now, and that's really what I do. I'm constantly exposed to stories about cybersecurity every single day. That's what I do. How aware are you of what's happening out there and how does that make you feel emotionally with knowing I did a story yesterday and somebody came up, somebody wrote me a note on YouTube and I always appreciate the comments. I answer each one of them. They said, I was expecting you to put something about how we would deal with this. And for the first time, I had to write. I have no idea. I have no idea how you do with this. Do the regular things, do backups, keep up to date, all that sort of stuff and pray to God you don't get hit by this, because I'm not sure technically how it would. How you could handle it. And I found more and more difficulty and more and more creativity in what's happening out in cybersecurity today. Beats really smart people. How do you. How does that make you feel and how do you cope with those feelings?
Daniel Pinsky
For me, I look at them at as learning opportunities. So on a daily basis, I peruse the sites that I tend to go to, Ars Technica, Computer Hacker News, and obviously I did the feeling beat out of what's going on in the world, in our industry. And for me, it's just to learn and understand what happened to another organization and how it happened, Are there lessons from that I can bring back my organization and either make a decision whether do we have the controls in place that would mitigate that particular risk, or is there something that maybe we could be doing better as an organization? So for me, it's just about. It's learning and how can I learn and adjust from things that I see in the external environment?
Octavia Howell
It's the same. The feeling. I'm going to be very honest, the feeling sometimes is that we're behind. And so it's a. For me, it's a balance of how do I ensure that my team and myself are equipped, educated, know what's happening, have the technical skills to be able to protect against some of those things that's happening, as well as my technology team. So I invited my technology team to security conferences and learnings and podcasts and webinars that I get invited to in vendor when vendors have demos. Like, it's a constant evolution of learning. And sometimes it does get overwhelming because you don't know what parts to focus on so much out there. But I think it's always. That's one of the reasons why we got into security in the first place. Most people that I know that are in these roles got in the roles because they were curious. Right. And so it's the curiosity that kind of helps when we see a security exploit actually happening. For me, it's, how did that happen? That's pretty cool. I think it's pretty cool sometimes. And then are we exposed at my company? Right. Are we. Do we have the same weaknesses and vulnerabilities? Do we have the same process? Do we need to actually tighten things up? But it's always evolving. And one of the things I. Someone said to me yesterday is right when you think you reach close to the finish line, the goalpost gets moved. Right. And we're always. We're caught. We're constantly at evolving goals. And so it's why I like the job. It's never boring. It's why I got into it. But it is sometimes feel like you're playing catch up.
John Pinard
Yeah. And I think I agree completely with Octavia and Daniel that it's. It's constant learning. I spent a lot of time looking at the news articles and things and learning from other companies perils, unfortunately. But also Octavia's comment about feeling like she's behind. I would agree completely that I think, I often think, what do we have to do to try and get ahead of things? And I don't think we can. I think it's as much as you try again, as Octavia said, they keep moving the. The goalpost. And so you're constantly trying to hit a moving target. And you can only do the best you can do to try to make sure that you provide people with as much training as you can, make sure that people are aware of what's going on out in the world with cyber attacks and so forth, and try to be as prepared as you possibly can and make sure your backups are working.
Daniel Pinsky
Absolutely.
Jim Love
No, I was just going to say. Yes. Make sure you can restore from your backups.
John Pinard
Backups, yes.
Daniel Pinsky
Important. Yeah. Like, for me, when I think about leadership and kind of this is a topic I'm very passionate about, I think everything rises and falls on leadership. And I think it's really important if you want to be a good leader, because obviously I've worked for leaders that I think are really good and people that I want to aspire to be more like. And I've worked for leaders who are obviously not my cup of tea. I think it's. I think a leader can be a lid on the folks that they lead, which means that if I don't want to be a lid on the development and maturation, the folks that I lead, it's. I myself have to keep getting better. So I'm constantly trying to find ways to level up myself and while at the same time helping those that I lead to also level up and learn and mature and grow so they can become better people professionally and personally. So there's constant pursuit of my inside and outside of work, of I again, Octavia said it and John said it is continuing to try to get better so I can lead my team better, I can lead the organization better. And when I do stumble, and it absolutely happens, I think we all fail is can we learn from those experiences so that we can come back better?
Jim Love
Yeah. The going back to the idea of. And this is what always got me was you have to be right a hundred times out of a hundred. The bad guys only have to be right once. And that's really what I meant was in terms of not only the creativity of the attacks, but there's. John, you pointed it out. There's so much to do, and are there ever enough resources to do it? We talk about staffing, for one. I don't know what your experience has been. Most people I've talked to find it really hard to find people both find the budget to have enough people and to find the people if you have enough budget. It seems to be a catch 22 on that. Is that a challenge that you faced?
Octavia Howell
Yeah. Yes, it is. I think one of the things I try to make sure that I'm actually looking at my team, my resources, the problems and the challenges that we have and the help that the company needs. I try to look at it from a risk based perspective. Like everything I'm trying to look at it from, hey, is it something that I can actually handle? Is it going to be a full time position? 100% of their time needs to be dedicated to this or do we have this risk managed? If there's a risk that I cannot manage or I need another person to manage, then that's the only time that I can look into. Okay, maybe we need more resources or if we're completely just overwhelmed seeing, starting to work 14, 15 hours a day, that's when we start looking at, hey, we might need to do something else a little bit different because we need to actually look for and look out for the mental health of the team. But I think one of the things that I am seeing is there's an abundance of entry level talent that's coming in. There's not an abundance of leaders who have experience that can actually help. And I've talked to some of my peers about this. A lot of times, a lot of times we just need help. Like we need people to actually think strategically, to actually think outside the box, to really think end to end. Not just task oriented. There's room for task oriented people, but we also need those people who can take things from the tactical to the strategic and make sure that we are whatever we're doing tactically when we build the strategy that we're actually going to not have to throw away the work that we did before. I do think that there is and those people who think that way are expensive and we always don't have the budget for them. And so it is a risk based approach. It is looking at all the options, looking at what you have in front of you and really identifying is this something that I need to hire for and what type of thinking do I need to hire in order to manage? 
I can teach technology, I can send people from training, they can learn how to code, program, networking, all that. Right. But I'm really looking at what are your skills in critical thinking, how do you manage to be able and how do I bring all those, to all of those things together so that we can actually enhance the program.
John Pinard
And I think from my standpoint, we have a small team from a cybersecurity standpoint and so we don't have the luxury of bringing in a number of more junior people that when I was staffing the team, we had to get senior people. And trying to find senior people that know what you need them to know and are at a price that you can afford is a very difficult challenge. At least it was for me a couple of years ago when we went through that. I can't imagine it's a lot different now, but other than the fact that some of those junior people are starting to move up into more intermediate type roles. But I, I don't know, Danielle, Daniel and Octavia, I'd ask you guys, but I'm encouraged by the number of people that I hear that are going to get their CISSP or that are going through cybersecurity training, that there will be more bodies available in the not so distant future. But I have. It has been a challenge, at least for me up until this point.
Daniel Pinsky
Yeah. When I look at my career, I've worked in very large organizations. Like I worked for one of the big banks in Canada where things tended to get a little bit more siloed. And I work. And I worked in smaller organizations. Right. So they're very different cultures. Right. In larger organizations you have. You tend to have your lane or your path and you can't divert too much. And then in smaller organizations you get to wear a lot of hats. So the question is, what do you prefer? I prefer to work in smaller organizations. I like the variety. So to what Octavia was saying on a daily basis, one day I may be working on governance or contracts. Another day maybe I'm working on kind of risks and compliance. Another day maybe I'm pumping with an insulin. So I actually like the variety. I've always enjoyed hiring folks either just out of university or a little bit more junior, helping them develop and mature. I'm very open with the people that reported to me. One of the first conversations that I'll have with my folks, either on one, on ones or just capital chit chat, is I understand you're not going to be with me forever. I get it. This is a career you're on, you're on our journey. What would you like to do in your career? Like, where do you see that next role? And I've had people tell me I'm interested in project management or I'm interested in audit or I really want to focus on governance. And so then my role as a leader is how do I get that person from where they are to where they want to go? And I think if you care for the person. If you care for the person and you help them get where they want to go, where they. In their careers, it just. You end up with somebody that's more passionate, you end up with somebody that's more motivated and you end up with somebody who's going to contribute more in the present because they see that you're invested in their future. So it's probably the part of my job that I love the most is again, helping to grow my people.
John Pinard
And I think that's great too because understanding where people's career paths are because it doesn't necessarily mean that if they're going to change a role, it doesn't necessarily mean that they have to change companies that you know, in Daniel, in your case, if you know what somebody's career path or desire is, then you can help to work to keep them within the company, which is always easier. It's. It's because they already know the business. Yeah, that's great.
Daniel Tinsky
Yeah. Like in the two examples that I gave, I've actually had this in my career where people who have worked for me and we have a small team, so you get to do a little bit of everything. But I've had people say they're really interested in project management or they're really interested in audit. So in those cases, I've worked in organizations where we've had those services, whether internally or client facing. So I've spoken to the leaders in those groups and saying I have somebody in my team who's interested in project management or I have somebody in my team who's interested in internal audit and they've worked with those groups delivering those services so that they can get the experience to see if that's actually what they want to do and if it helps me anyhow. Right. Those are some of the things that I'm always looking for is how can I help? How can I help that person get to that next level. Any miniature within New York, our my own organization. Like I'm more than willing to do that. I think that's what my job is.
Octavia Howell
Yeah. I think I have a slightly different approach to that. Anyone who comes onto my team, they don't have to be a direct report to me, but they can be a skill level or anything. I am the final interviewer and the final interview is a coachable fit for the team. Cultural fit, ensuring that you actually have a desire to grow in your career. One of my prerequisites and a requirement in order to be on my team is that you have to have a career path, you have to desire to want to do something that is bigger than this current position. And the reason that I have that is because I think that yields the curiosity for you to want to be better. What I or my team needs or my managers don't have to curate each individual's careers. Everyone's career is in their own hands. Another thing that I ask is the final question I always ask is why do you want this job and what do you see your career growth or what do you ultimately want to be when you retire? And so it's a question that especially people who are very young or newer in their career or have only been in their career for about 10 years, they typically don't think about, but it causes them to really think about at least what do I want to be in the next five to 10 years. And then they give me that information. If it is something that I can help with or if it is something that I see a correlation. This is a job you're being hired for and this is how I can help you grow to that, then that to me. Okay. Yes. Okay. This candidate is probably someone who can come into the organization that we can work with. But I've had where people say, nope, I just want to do this for the rest of my career. This is where I want to be. Those type of people I don't necessarily take a second look at only because I feel unless it's a niche skill where they're highly skilled and I need that position.
But if it's a junior level position, then I want someone who is more curious so that they can actually grow and that they can actually move towards what we need to do with the business. So those are my two records prerequisites that I require. Like I said, it's a little different. I still really want to help people in their career and their growth, but I also want them to take their careers in their own hands as well.
Jim Love
Thank you very much for this. I want to ask you one final question. I hope you'll be as honest as you can with me on this one. And that is we always ask that question. What would you advise somebody who's starting in the industry? What would you advise yourself the day you started this job? From you in the future to you in the past? What would be the advice you'd give to yourself about how to get more from it and how to do better at it?
John Pinard
I think for me it would probably be stay curious and always want to learn, especially in this industry. I think if you're not interested in learning and growing, as Octavia said, your career is going to be short lived because you won't keep up with everything that's going on.
Daniel Tinsky
For me, I'd say two things. Don't be afraid to fail. It's part of learning. In most cases, it's the only way. Failure is a phenomenal teacher. The second thing I would say is it's more important to find a leader to attach yourself to learn from versus a company, kind of the name on the building. And if you can find that leader, that mentor, and I've been lucky enough to have a few of those in my career, even if you may not be in love with that particular role, you stay in the orbit of that leader for as long as you can. And it'll be incredible how much you yourself will learn and grow. And that learning and growth will open many doors for you.
Octavia Howell
I'm going to give an answer to my current position of what I would tell myself at the beginning of the current position and that would be don't only associate with security professionals. Ensure that you have a wide breadth and really build relationships with people who don't do what you do so that you could understand how they think and they can understand how you think. So really diversify your circle and your network. And then the second thing is have a plan and don't pivot from the plan until you understand why you need to pivot. Those would be my two things.
Jim Love
Daniel, Octavia, John, thank you so much for this. This has been fascinating. It's been great to get to know you. I think we fulfilled my mandate of the Secret CISO, and that is that we've really shared parts of yourself and I really appreciate that. I think our audience does as well. Thanks a lot. So that's our show. Let me know what you thought of this episode. Should we do more of them? Should I have asked different questions? You can reach me at editorialechnewsday ca or you can find me on LinkedIn or if you're watching this on YouTube, just put a note in the comments. And if you got this far, you've shared your time with us and that's the most valuable gift that anybody can give. So as always, I'm your host, Jim Love. Thanks for listening.
Podcast Summary: "The Secret CISO: Insights and Reflections from Cybersecurity Leaders"
In this special episode titled "The Secret CISO: Insights and Reflections from Cybersecurity Leaders," host Jim Love delves into the personal experiences and professional insights of three seasoned Chief Information Security Officers (CISOs). Joined by Octavia Howell of Equifax Canada, Daniel Tinsky of CDW Canada, and John Pinard of Duka Financial Credit Union, the discussion transcends technical jargon, exploring the human aspects of cybersecurity leadership.
Jim Love raises a pertinent question:
“Do you think people perceive you as the 'police' of the organization?”
1. Pressure and Stress:
John Pinard: Shares his experience with a ransomware attack, emphasizing the prolonged recovery process and the constant vigilance required.
Daniel Tinsky: Discusses the cumulative stress from years in incident response and shift work.
Octavia Howell: Balances the constant on-call responsibilities and the need to anticipate and prevent unexpected breaches.
2. Resource Constraints:
Octavia Howell: Faces challenges in hiring experienced leaders amidst budget constraints.
John Pinard: Struggles with staffing senior cybersecurity roles due to high demand and limited budget.
3. Constant Evolution of Threats:
Octavia Howell: Describes the perpetual race to keep up with evolving cyber threats.
Daniel Tinsky: Embraces the continuous learning required to stay ahead.
Jim Love successfully navigates through the personal and professional landscapes of CISOs, uncovering the often "secret" emotional and strategic challenges they face. The episode underscores the importance of continuous learning, strategic leadership, and the delicate balance between enforcing security and enabling business growth. Listeners gain invaluable perspectives on the human side of cybersecurity leadership, making this episode a must-listen for both aspiring professionals and seasoned veterans in the field.
Engage with the Host: Jim Love encourages listeners to share their thoughts on the episode, suggesting topics for future discussions. Reach out via editorialechnewsday.ca, LinkedIn, or YouTube comments to continue the conversation.