
EP 4 – Caleb Sima: How to Hire and Retain a High-Performing Security Team — Lessons From Scaling at RobinHood


To build a high-performing security team, organizations must rethink how they approach recruiting, hiring, and retaining talent.

The problem is, building a great team is incredibly challenging today. With an estimated 400,000 unfilled security jobs, security teams are understaffed, burnt out, and struggling to keep up with an ever-increasing number of cyberattacks each day.

Our guest today teaches us exactly what security leaders can do to overcome these challenges and build a high-performing security team.

Caleb Sima is the Chief Security Officer at Robinhood. He’s spent more than 20 years in cyber security, following the unconventional path of spending his early years as a founder before transitioning over to the operations side and leading security teams at organizations including Databricks, HP, and Capital One. This journey gives Caleb a unique and interesting perspective that every security leader can learn from.

Topics Discussed: 

  • What incentivized Caleb to transition from a company founder to an operations leader — making the transition from an “arms dealer to a soldier on the battlefield”.
  • How Caleb’s experience of building (and selling) his own startups shaped how he approaches being a CISO.
  • Why security teams need to think about other internal departments as their customers.
  • How to know when it’s okay to let fires burn and how to communicate this decision with other leaders at your organization.
  • Why outsourcing your number 1 priority of recruiting to someone else is a recipe for disaster.
  • Lessons learned from building the security team at Robinhood — bringing on 100+ new security people in less than a year.
  • How to instill a culture that believes hiring, talent, and people are important.
  • Why security leaders need to focus on building a hiring pipeline.
  • How to take a data-driven approach to hiring and why time-to-hire is such an important metric to focus on.

Additional Resources: 

Caleb’s talk from RSA Conference 10 years ago:  Don’t Teach Developers Security

Caleb’s Twitter: https://twitter.com/csima

Transcript
Harshil: Hello everyone, and welcome to another episode of The Future of AppSec. Today, we are going to talk about one of the most difficult topics that every single security team faces, which is hiring and retaining a high performing team. Now, to demystify this topic, we have an incredible guest with us, Caleb Sima. Caleb is currently the CISO at Robinhood. And over his 20 plus years of security career, he has been a security researcher, a serial entrepreneur, and a security leader at companies like Databricks and Capital One. Caleb, welcome to the show.

Caleb: Thank you. Glad to be on it.

Harshil: Caleb, you've done a lot of amazing things over a long career in cybersecurity. We can probably do a whole podcast on just your career journey. But one of the things that fascinates me is that over a period of years you've started several companies. You've been a serial entrepreneur building companies like SPI Dynamics, Armorize, Bluebox Security. And then surprisingly, you came back into the corporate world as a security leader. That doesn't happen very often. I'd love to know what incentivized you to come back into the world of running security organizations as a CISO, and leave the startup world aside.

Caleb: Yeah, I get that question a lot because most people are like, don't you go the opposite direction? People go operations into starting their companies, why would you go backwards? And so it's an interesting question. So let me tell you just sort of what happened. So after my last company was acquired, Bluebox, I really was looking around and trying to think of what's the next thing that I want to go build, right? What's the next idea that's cool to go do? And I started going through all the different problem sets, and looking at all of the amazing startup companies that were popping up everywhere that were solving and building really really cool technology, right? But yet when you look at the reality of how people are getting breached, they're getting breached through really common standard things like “I left a database open on the Internet with no authentication”, “I did not patch the server”, right? Like there's all of these very simple things. And I was like, “Well, why do we have all this really cool technology?”. And actually my last company really focused on mobile application, like runtime protection stuff, but yet the hacks and the breaches are happening for very simplistic things. And so I thought I saw this really big disconnect that was there. And so I was like, “Okay, I can go talk to a bunch of CISOs and really try to figure out what's going on”. Or I was like, in my entire career (I've been in security since the 90s, so I'm pretty old in this industry) I've never really just been a defender. Like, actually go in the war zone out in the field and try to figure out how to defend against real attackers. And so I was like, “Well, I can go talk to people, or I can just go do it”. And so I made that transition, and that's when I joined Capital One as sort of my first entry into this what I call “the battlefield”, right?
Because I feel like as a vendor, when you're making tools, it's almost like you're like the weapons maker, the weapons manufacturer and dealer, but you're not in the battlefield actually fighting the enemy. And so going out into the operations field gives you this real amazing opening of eyes to say, “Wow, this is the decision that you've got to make on the field, here's the real problems that are going on”. And so when I did that, my plan actually was I wasn't supposed to do this for more than two years. I was actually supposed to do this for two years, I was going to figure it out, and then I learned, people were like, “Hey, Caleb, you're actually quite good at this”. And two, I happen to enjoy it quite a lot because you're really in the fire and you really know what the real issues are. And so that's sort of what led to this transition. And Capital One led to Databricks, Databricks led to Robinhood. And I'll be blunt, Databricks was going to be my last operations gig. I was like, at the end of Databricks I'm going to go start my own thing and do it. And Robinhood just kind of came out of the middle of nowhere and sucked me in. And so I'd like to say I think I'm going to put a stamp on it here. Robinhood is my last operation gig, and doing this. But that's sort of what led me into this area and how that transition occurred.

Harshil: That's amazing. I appreciate the fact that you decided not to just throw a bunch of buzzwords together and raise millions of dollars to build yet another security product. That's awesome.

So tell me about you having gone through this experience of being a leader of the company, starting a business, which is so much similar to what we do as CISOs on a day to day basis, although on a different scale. Like, you're managing risk every single day, different types of risk, whether you're managing that, you're focusing on hiring, you're trying to figure out what could go wrong around the corner. Has that experience of running a business given you any different perspective than what traditional security people, traditional CISOs would have?

Caleb: I mean, I believe so, right? I mean, the real question is asking sort of my team and others. But my entrepreneurial background has absolutely flavored the way that I am a CISO in the aspect that I think of the security team as its own “entity”, right? And as a company, we are serving our customers, but our customers happen to be our partners in the organization. It's engineering, it's marketing, it's sales, it's customer support, like all of those have become our customers. And so when I think about both the philosophy of building a team, running the organization, looking at how we solve problems, and what does that look like, I really look at it through this aspect of this sort of lens of, “Okay, if I'm the CEO, what are the direct reports? What are the different things we think of?” Like a simplistic example - just because you build something doesn't mean they'll come. You have to sell it, you have to market it. You have to have a go to market plan. All of these things apply right inside of an organization. I don't want to just go to the engineering group and say, “Well, you have to use this”. I want to go there, I want to advertise it, I want to market it to them, I want to give them the options, I want the availability so that they have the right customer support pipeline to work with us, I want the right NPS capability, right? NPS score of what their experience is with us as a business. And so I think a lot of that thought process really does flavor both the way I hire and the way I operate.

Harshil: That is so cool, man. It's not very often that I hear this customer focus from the security teams. And customer meaning internal customers, like engineering, IT, what have you. A lot of times what ends up happening is a security team gets a lot of money or some money to buy a bunch of tools, and they buy those tools, and year after year, they realize that nobody is actually using it. Developers are not looking at it, the DevOps teams are not looking at it, and people are not able to figure out why we are actually not seeing adoption. But exactly going back to what you said, if you build doesn't mean they will come. You have to sell it to them. You have to make their life a little bit easier. I think there's a similar topic around making the secure path the easiest path, right? To drive adoption of the secure practices. I think that's super important to build a collaborative function of security along with the rest of the company.

Now, going back to the most important topic that I'd love to hear your thoughts about in terms of building that team, hiring that team. You know, almost everyone we talked to, they would say “Hiring is my number one priority”. Everyone says that. What does it really mean, in your opinion? How does that change from just talking about hiring as number one priority, to day to day things in terms of how you actually make it a priority?

Caleb: Yeah, I mean, listen, I'll sort of caveat a lot of things, which is it depends on where you are in the building of your team, what tools and avenues are available to you, how much support do you have in your organization, right? Budget wise, versus resource wise, versus time wise, I think a lot of those things are variables in this. But here's what I'll say, I'll say that overall, I think it starts with a philosophy which people are the most important. At the end of the day, it doesn't really matter what you have, or what money you've got, or what tools you have. If you don't have great people, you have nothing. And so can we get everybody to agree on that philosophy, right? And I think we can. And then the next thing is, okay, if we do agree on that philosophy, then how do we operationalize it? How do we show that people are really the most important? And it's not just about culture, it's not just about sort of the way we treat employees, it's about bringing those employees and those people in the door. And I think that's really the key part, which is, okay, if we know that people are the most important, how are we going to bring them in? How do we focus our time to make sure that we bring them in? And listen, I can walk through my experiences, at least at Robinhood and others like Databricks that show how I did that, but they're very different. What's really interesting is the way that I was able to hire people at Databricks is very different from the way that I was able to hire people at Robinhood. But I think one core thing was pretty central, which is to me, I think that there's always a decision that needs to be made between fighting a fire or hiring a person. And how you balance that is really the key to being able to do this because most people are too busy to really spend the time hiring or building the right processes around hiring. 
And if that's true, then if you don't hire, then you're never going to be able to get out of the fire in order for you to build those processes. And so you have to take a hit somewhere. And I think in both, when I think about all the companies I've been in, I've always had to make that decision. Let a fire burn or go and figure out the processes to go hire people.

Harshil: Right. Yeah, that's great. A lot of times when I talk to especially new managers, they would say, “Yes, hiring is my number one priority”. And when I asked them, “What are you actually doing about it?”, they'd say, “Oh, yeah, we have this recruiter, and they will find candidates for me”. And that's it, right? That's all they're doing. They're relying on somebody else to source the candidates. And in my experience, that almost never works, right? You can't outsource your number one priority to somebody else. If it's your responsibility, you just have to do something about it. I don't know if you have any thoughts to share on that one, but also I want to dig deeper on…

Caleb: If you want me to walk through the details, I can walk you through all that.

Harshil: Yeah, let's do that, man.

Caleb: “How deep of a level do you want to go?” is probably my question.

Harshil: Yeah, I think as a leader, I'm guessing you have several other hiring managers within your organization, right? So I guess if you run into someone, how would you help them understand? What do they need to do? What is their ownership versus what can you reliably outsource to a recruiter, internal or external?

Caleb: Okay, I'll just walk through at least Robinhood and at least some level of detail. Maybe then we can kick it off from there. So one of the things I think first you have to establish is “What's my budget? How can I hire? What does the hiring process look like? What gates do we have to go through in order to approve people to get in the door?”, and all of those questions. So like at Robinhood, I was quite lucky in the fact that Robinhood really needed to build a team and they needed to build a team quickly. When I walked in the door, I didn't have a lot of hiring managers. I really, at the time had just a couple, and we were very much on fire. So there's a lot of reactivity, a lot of fires that had to be figured out. And so the first thing is I worked with my existing team, and basically the status is like, “Hey, there's going to be a lot of fires, I'm going to need you to help me”. And so they gave me cover to go fight the fires. And at the same time, we also made a lot of calls on “these are fires”, and we had to tell this to the executive team, to the company that these are just going to burn. We're not going to touch them, we're not going to do anything with it. There's lots of inbound things. And I'm just telling you, I'm setting the expectation up front. We're just not going to do anything about it because I have to get people in the door. If I don't get people in the door, it doesn't matter how many times we try to tackle them. It will be never ending. And so we set those expectations. My existing leadership team, when I walked in the door was like, “Okay, Caleb, we're going to cover you. We'll get your back. We're going to go fight the fires that we can that are really big”. I went out to all leaders in the org and I basically said, “Here's what's going to happen. I'm going to go into a hole, and my next six months are going to be hiring, and fires are going to burn like crazy. 
Unless it's an incident or unless it's, like, super critical, my team's going to handle it. Here's what's going to happen”. And I got sign off to go do that. And then I dug, right? And then I figured out my head count, I strategized, built out the org chart around what it's going to look like. And for me, I had to hire a lot of people. And so key things, there are a couple of key things. One, I really needed to focus on senior talent, and I needed to focus on senior leadership. Because if I can get the senior leadership in, then these guys can go and get delegated and then hire their team underneath, right? And so what was really key is I need to really focus on those things. And then I had to go look at “Well, how do we bring them in? What's my budget like? Do we have hiring committees? Who says what? How do we do these? Who passes? What are the right bars? Who signs off on people hiring?”. I really figured out that process and really optimized it for being able to hire quickly and being able to hire the right talent. Got the recruiting team together, really sort of walked them through some of the process, and I worked with them really tightly to help build a really tight, very very nice process. And so a lot of times the way I did it in Robinhood is I created a single channel where all the hiring managers, all the recruiters and me were there, and we just single... like, that channel was only dedicated to leads coming in, who is, what was the discussion, how fast can we make our time to hire. We were really focused on these metrics, on making sure that we really rotated people in, really gave them a good experience, move things off calendars. One of the things you'll learn to learn is in time to hire, especially in this market, you've got to move quickly, right? And so you don't have time, like three weeks, four weeks, just to schedule out your interview loops. I made sure that if we had P zero candidates, I don't care what's on your calendar, you move it right.
If a P zero candidate comes in the door, we make sure that that person gets on the schedule and we get interviews and we get turnaround times. And so it's just the optimization of a lot of that process and getting things in place really helped. And so we actually went from, when I joined Robinhood, we were around 40 people, and then today we were about 146 people. So we hired about 100 people within a year.

Harshil: Amazing.

Caleb: With a 76% acceptance rate.

Harshil: Wow. That's fascinating. So it's like two people roughly a week, right? It's incredible, incredible growth. One of the biggest challenges that people run into is it's actually not the budget, right? Almost every single team has some hiring budget available. The challenge is, like, how do you build that funnel? Where do you source the candidates from? I mean, I'm sure it helped you all over at Robinhood, so it probably does a lot of brand recognition, right? So have you seen any unconventional sourcing tricks that work rather than just posting it on your website, and putting it on LinkedIn, and reaching out to people? Do you have any other tips and tricks to source the right people?

Caleb: I wish I had a great answer for you. I wish I had something that people could use, but there isn't. I mean, I found even when I was at Databricks or others, it's just elbow grease, right? It is working hard through your network, working with your recruiter team, if you've got one in the company, along with - the way that I've done it at both places, I paired my internal recruiting team with an external recruiting team to open up the top of that funnel as wide as I could. And it's just a lot of work. It's really digging into your network and pinging people and reaching out and finding people that you know in order to do things.

I'll tell you a funny story. When the pandemic started, a friend and I started this Thursday night Zoom poker game where every Thursday night we would just play poker. And then over the pandemic, it grew into this group. I hired two people from that group that came from that poker night. You're constantly just pulling, so it can come from anywhere, you just got to be eyes open. You got to dig a lot. And I got to tell you, I worked really really hard, both at Databricks and at Robinhood, in order to really recruit and bring the team over. So I wish I had a magic formula. I wish there was something that you could do to say, “Oh, go to this University” or, “Oh, there's great places to go”. But it really was sort of instilling a culture of hiring is important, talent and people are important, and making sure that those people also carried and instilled that, right? So that the people that I hired also carried that forward. So they reached out to their networks. What you'll find is once we started getting a good amount of people coming on board that carried that, that spread their network, and the top of the funnel opens up wide, they start referring people. And so when you look at a lot of our hires, a lot of great referrals, because as we started getting those bases, that just started coming in. Yeah, I wish there was a magic formula, man. And at least in my experience, I'd love if someone told me if there's ways to do this easier, but I don't have it.

Harshil: Yeah. For me, some of my best hires have been through just referrals, mostly people I got together at conferences, other peers. But obviously that doesn't scale. But yeah, I haven't seen any interesting formulas, repeatable formulas either. Now, you also mentioned something interesting, which is defining that process of hiring, like figuring out how do you keep track of who's in the pipeline, how do you make sure you turn them around quickly, defining an interview process. Do you have thoughts on the types of like any formalization of the process? Do you have a template in the sense that we got to figure out who's the interview panel, or what kind of structure do you put around interviews? Because a lot of times it could just go all kinds of different directions if you don't manage it. Any suggestions on that?

Caleb: I mean there's a lot when it comes to the hiring process, right? There's just a lot of detail that can be in there. And I think in a lot of instances, many companies don't spend a lot of attention to that. For example, you know this, this actually goes back to my entrepreneur experience, right? When you have a sales pipeline, the hiring pipeline is very similar. You go down in your upside down triangle, right? Like you're narrowing your funnel. You want to start with how are you getting your leads? Referrals through your recruiters, making sure that you're very in your strategy, that you're very specific about the types of hires. Am I hiring an L3 engineer? Am I hiring an L6 manager? Where am I? Where is it? What location is acceptable? And also there are ranges, right? Like, I'm acceptable here, not just as an L3, but maybe an L4, maybe an L6, depending upon where those things are being opportunistic about the hires. For example, I strategize who I'm going to hire for. This month I really wanted to hire an L3. Two months from now, I really wanted to hire an L5, but the L5 may show up opportunistically this month, right? Not next month. How do you challenge those types of things? And so just building out the process, making sure you have your templates, what does your interview panel look like? Making sure you've got the right people probing on the right things, making sure that again, going back to scheduling. Scheduling, I think, is the number one area of I would say time waste. Making sure that when I look at the pipeline, we have a time to schedule. In that time to schedule with my recruiters, there is a green, yellow, red. If a candidate is in red, then I'm like, what's going on?
Is it because the candidate can't schedule, or is it because my team or the interview panels can't schedule and the recruiters have to stay on top of that if we're in yellow because we're like, “Hey, this person in their time to schedule is in that phase is reaching like past two weeks, three weeks”. And I'm like, “What's going on, right? Where can we go and poke? Is it on my side?”. If it's on my side, our hiring managers should be poking and making sure those interview panels get in. And it's just keeping these metrics of what's my time to schedule, obviously what's my time to hire, what's my time to offer, all of those things. We have hiring committees, so what's my time to hiring committee, how many candidates have been rejected from hiring committee for need more signal, or not no hire, like all of these things you have to dig into. And the thing that I found the most valuable is I had all of this in a single channel. So all of my managers, all my leaders and myself saw every candidate, their kickbacks, their turnaround, the reds, the yellows, the greens, all in a panel. And so I could keep track of, and micromanage this for the first six months of the process on what's going on, who's going and what are the things. And then once I got my leaders and they got the process and they instilled it, then I could just step back and then they get it, and then they take their own pipelines and run with it.

Harshil: Right. That process actually also incentivizes or promotes some sort of gamification of the process, right? Because all the managers, directors are in the same channel and everyone can see everybody else's numbers, who are running continuously red, green, yellow, you can see all of that stuff. That's amazing. Data driven hiring, right?

Caleb: Yeah, it's a hard process, right? But I think what we've learned is that it works really really well. And I think our hiring managers and our leaders have seen that, and they've then taken that and instilled it.

Harshil: Yeah. I think it goes back to what you were saying earlier. We just let the fires burn. It's also something that I've heard repeatedly from Reid Hoffman. I listened to his podcast. For those of you who don't know, he's the co-founder of LinkedIn, and he is a big believer in “let the fires burn”. You’ve got to focus on what's actually important. If you try to fight every single fire, you're going to end up being burnt by it. So taking a step back, if hiring is your number one priority, focus on it. Focus on building a great talent team makes a lot of sense, and it's a good long term decision.

So now you have a lot of things going for you. Robinhood, Databricks, Capital One, all really good brand names, a lot of resources. Now, when you have candidates who are in the pipeline, everyone is happy with it, the whole process, you're extending an offer. In this kind of an environment where good candidates are either very happy with their current positions or they typically have multiple offers on hand, how do you make things more exciting for them? Obviously, the cash equity bonus, the compensation is one piece, which is obviously very important. Any other things that you've observed that can sway the decision in your favor?

Caleb: Yeah. Generally, I think there are three levers that you've got for people. You've got the compensation lever - “Is the comp good?”. The second lever is “Do I like the people that I work with?”. And the third lever is “Do I like what I work on?”. I feel like there's obviously others, but to me, generally, by and large, those are the three major levers you've got. And so you've got to be able to hit these three levers. I would say that you could win people if you can get two out of the three. You can never win people if you only got one out of the three, right? So if my comp is good, and the people are good, but what I work on isn’t good, it's okay, things can change, I know what I'm doing. But if the comp is good, but the people that I work with are not good, but what I work on is cool, that person is like, is that really where they want to go? If they've got multiple options, they would probably rather find somewhere where they can fit two or three out of the three at best. So one, I would say that's the way I sort of look at things, these are the three things. One of the things I would also say that I think has been really important for me in hiring these people is I don't interview them as much as I allow them to interview me. And I think that's very key. Any single leader or senior IC or even not senior IC - I've gone on people, I always do this thing that I call the reverse interview, which basically, I get in front of them and Harshil, you were my interviewee, I can be like, hey, most of the time in interviews, most people leave five minutes at the very end of the interview for you to ask the interviewer their questions. I reverse it. I say, “Okay, you have 20 minutes and you can ask me whatever questions you want. You interview me”. And I make them know that if at the end of your interview, if my answers aren't sufficient, it's okay to say “Hey, I don't think this is a good fit”, or, “Hey, maybe this isn't the right time”.
And by the way, I've had people do that. I've had people in the middle go like, “Hey, this sounds cool, but probably not the right fit for me”. And I'm like, “Awesome!”. We shake hands, we look good, and that person moves on, right? And I think it's a great angle to do this. And the second thing I think is I do not put sweet icing on anything. When you ask me questions about what's going on at Robinhood or Databricks or Capital One, I don't try to gloss anything. I don't try to make anything sound awesome. In fact, I tell them very much the real pros and I think the real cons of the business, and the situation that I'm in. Like, if you talk to me and you say, am I going to tell you all of this really cool stuff that you've got to do at our current stage? No, I would tell them I don't have anything that's like super super that you can get deep in. I'm dealing with fundamental problems. And I'll tell them, like, “I've got fundamental problems. This is the thing that I'm worried about, this is the thing that you'll probably work on”. And I'm very straightforward with them, and I don't gloss, I don't add icing, I don't put cherries on top. I just tell them the way it is. And I think that carries across because I'm bringing authenticity and I don't want them walking in the door being surprised. That's the last thing that I want.

Harshil: Yeah. They'll come in with a very trusted mindset, like, “Hey, this team is very authentic, transparent”. So they're going to get what they saw.

Caleb: And hopefully stay because of that, right? Because I'm not pulling wool over their eyes. They're going to walk in and they'll be like, “Caleb, you said things were crazy and chaotic. You weren't kidding”. But the thing is some people want that, right? And those are the people that I want. And then some people don't want that. And so they're like, “Hey, I'm really at this point in my career really looking at digging in really deep on certain areas. I want to be a solver in this area”. And I'll tell them, “Hey, we're not that space”, right? And I think that's good because I don't want them coming in even if they're great talent and then their talent is not being used in the right way. That'll just make them frustrated.

Harshil: Yeah. And you just established a really good relationship so you can come back to them in a year or a couple of years whenever it's the right timing for both of you.

Caleb: That's right. Which has happened. That has definitely happened already.

Harshil: Yeah. So tell me more about this topic you touched, which is retain them, right? So people usually would join and the first year would be super exciting for them. They would be at their productive best, but retaining them and not just retaining, but engaging them continuously, challenging them continuously is also a big challenge other than just comp and equity, that's one piece, obviously. And interesting work is very important. Any other thoughts on how do you make it challenging and engaging for your team, especially in this remote world where there's not a lot of opportunity to be in person, to build that personal relationships with a lot of people?

Caleb: Yeah, I think there's probably two things. It's important to… maybe three. One, as leaders, we have to be able to paint a vision and a strategy that people believe in, right? I think that's first. Second, I think you need to enable your people. Give them freedom, give them accountability, enable them to be able to... like, we're hiring really smart people, like “Go screw up, go make mistakes, go do things”, right? And then the third, I think is we have to be flexible. And many times people will go into something, figure out that's not really what I want to do or that's not really what I'm good at doing, and then being able to be flexible and think about, okay, how can you apply those skills and where is it that is the right place to be able to fit you where you can. The way that I always call it is how can you be in your power band. When you think about like a motorcycle or a car, like, there's a power band in your RPMs that you're hitting on all four cylinders. And many times, many people, they're not quite, or they're either in overdrive, they're getting burnt out, or they're just not hitting all four cylinders. So how do you find that power band for them and being able to find that if it's not in there, being flexible about being able to do that. And the other thing is, as leaders, as managers - and by the way, I struggle with this, everybody struggles with this - is how do I keep in contact, be proactive in reaching out to these people as much as I can if I think that they're not in their power band, or making sure that they're in their power band, if they feel like they're in their power band, right? Like always keeping in touch with your people. And listen, I don't have a magic formula for this either. I think this is something that we're still struggling with, of course.
And I think everyone probably is making sure that you're keeping in touch with those people, making sure that they are enabled, making sure that you do have a strategy and vision that they can believe in and making sure that we are finding that power band. I think it's a very difficult thing to do, and it's a continuous, constant process that is never over.

Harshil: Right. So now since you have more than 100 people in your organization, what kind of check-ins or like, how do you get that information as a leader from such a large organization? What are your tactical things you do?

Caleb: Well, I mean, first is to hire great leaders that know how to do this and hopefully that they also hire great leaders that know how to do this. But I would say that there are two things that I probably do that maybe put me more in touch with people, even if there are lower levels, right? That's probably the key is how does someone who is new, perhaps junior, how do I get as a CISO a connection with them? Because that's really tough, especially the bigger that you get. And so minus just your general management philosophies and how to do that well through an org, there are two things that I think keep me in touch with that. The first is Q&A. So we have in sessions all-out Q&As where people can ask whatever questions they want. Leadership and myself help answer those questions. But the second thing - actually, maybe there's three - but the second thing that's been really interesting is in this remote environment, whenever I have slivers on my calendar that are open, which, by the way, is rare, I'm trying to work on that. This year, my goal is to get half my calendar free, if that's possible. But when I have slivers of open time in my calendar, I will randomly pick people in my org no matter what level, on Slack, ping them, and say, hey, are you around? Or do you have like five minutes to catch up? And I will jump on just random people and just talk to them, like, “How are you feeling?”. I asked them for advice, even if you're an L2 engineer in my org who just joined three months ago, I asked them, “Hey, do you have any advice for me? Is there anything that you think I should look at that I'm not?”. And I just ask, “How are you feeling? What do you think about the org? Are there things that surprise you both negative and positive?”. And I just ask sort of these questions, and I've gotten amazing information through these just random when I have open slots, pinging people and asking sort of what's going on. And that's been one pretty amazing thing.
And the other is we've just started doing all-hands and happy hours at our company headquarters location on Thursdays. And so I've been able to really sit down and meet with people and just talk about things that aren't even work related, which is the best. That's actually really the best part of doing that.

Harshil: I was hoping you're going to mention Donut on Slack as one of the ways of connecting with people.

Caleb: So here's the thing is that is the more formal way of doing what I've been doing, which is like pinging people. The problem with Donut that I've got is one, I think you're right, I need to focus more on making that a little bit more scalable because I think Donut can make my method a little bit more scalable where we could say our leaders should do that, like once a month, you should just randomly talk with somebody. Once a week, you should randomly talk with somebody. So I do agree that's probably a good method to use that. I have been doing the more manual method of that.

Harshil: Nice. Yes. I love the fact that what you mentioned is just asking open ended questions, right? Because it opens up so many different avenues that as a leader of 150 people org, you might not even know about some of the things that all the folks on the front lines have to deal with. So a lot of these things you talked about, Caleb, I'm sure you learned the art and science of it over several years of practicing again and again. Now if there was a new manager or somebody who's just entering people's leadership role, are there any resources that they can at least start reading about, learning about these things in terms of how to be a great hiring manager, how to be a great people leader?

Caleb: Yeah. I wish I had a good answer for you on that, Harshil. But unlike most, I think I don't read a ton of management leadership books. And so there aren't particular ones that I would call. I would call myself less of an academic in that, and more of a school of hard knocks in that, where I have learned plenty of ways of failing in this management and leadership scenario and just have learned my own sort of intuition and lessons learned on being able to do that. So there's not a particular one that I would say go read. I'm the worst person to ask for this level of advice.

Harshil: Yeah. I'm guessing since you have been a very active advisor to a lot of people in different worlds, I'm guessing you would also have some sort of mentorship relationship, advisory relationship, at least when you were early in your career.

Caleb: You know, maybe. One of the things that I think that has actually been a struggle for me is I have wanted some of that mentorship leadership. I've wanted to have someone which I really idealized, and I wanted to get mentorship from people. I just haven't. I would say the closest was actually maybe the CEO of my first company. He would be probably one of the closest that I would say would be more of a mentor to me. But by and large, I don't have someone at which I've been able to go to. And that's been a real struggle for me because I feel like I should. I should have that and I really need that, but I don't know where to go to get it.

Harshil: Interesting. One piece of advice I got a long time ago was mentors and advisors are really good for a certain problem that you're struggling with, but especially if you're growing in your career super quickly, your problem set will change every six months. So you may have different advisors, different people who guide you through that journey. And that's what I've done personally. It's not one person. Over the past several years, people change every few months depending on what we're struggling with at the moment.

Caleb: I do have things like I've got an executive coach. I also have a Robinhood CISO advisory board. But to me, I feel like a mentor is a different level, right? That is a personal connection level, right? That is a thing that is not just about my business or my strategic decisions in my corporate life, but about my personal life, right? Especially with me, my corporate and business life are kind of the same thing. It's just really tied and ingrained. That mentor to me is someone that has to be personal, and at the same time be at that level that can also help me I think in an executive business position, and that's, like, really hard for me to find. I really need to find those people. But I don't know where to look.

Harshil: I think that's the biggest challenge, right? It's really hard to find somebody who can coach and be a mentor, but also has the time to do that. I think a more accessible way and not exactly a replacement for mentors, but what you mentioned is an executive coach. Now if you take yourself five or ten years before now, would you recommend somebody else in that position getting an executive coach?

Caleb: I do. Yeah, I recommend everybody getting an executive coach, especially as an executive. Because you need someone who has, if you don't have a mentor. Like, for example, myself, you need to brainstorm things around, everyone has a very specific perspective and view as to what's going on on a decision. And being able to bounce those things against someone who has been in these situations, is experienced in these situations is unlimitedly helpful, right? There's no question my executive coach has looked at me and said, “Caleb, I don't know what you're thinking or what you're smoking with that. That does not sound like that does not sound right at all. You need to go double check on some things like you need to go do this right”. And so it's really great to have that person who can really kind of push back and keep you in check on “Hey, are you sure that that's the right thing? Have you looked at this? Have you thought about that? Well, maybe the different perspectives are this”, and I think that's been extraordinarily helpful. I would have made a lot more mistakes if it hadn't been for that.

Harshil: That's a phenomenal piece of advice. I think that's relevant and very actionable for a lot of people who may not have access to a great group of advisors or mentors, but at least executive coaches are much more accessible.

Caleb, it has been a pleasure having you on this podcast. I'm going to remember this. Let the fires burn. It's important to focus on the priorities. With that, thank you so much for your time. Really appreciate it.

Caleb: Thanks, Harshil.

Harshil: Thanks for listening to the Future of Application Security. If you enjoyed this episode or you're new to the show, I'd love to have you subscribe wherever you get your podcasts so you don't miss any episode. And if you like the podcast, I'd be grateful if you can leave us a review on Apple podcasts. Thank you for listening.
