We all have a narrative identity, an internal story we tell to make sense out of our experiences and feelings. We pick and choose from our memories, and the reconstructed storyline reflects our backgrounds, strengths, and abilities. The stories we tell about ourselves explain how we came to this point in time and offer clues as to where we are headed.
As the CISO of LinkedIn, a social networking platform for professionals, Cory Scott understands the importance of matching people to the right team. Instead of looking for specific skills or job titles, he asks people to tell their stories. Here, he explains how he uses personal narratives to build out his security team.
You talk a lot about teams and how you have to think about who's on the team. Wouldn't we want the best person, the best security person, for your team? Why are we talking about people's narratives?
What I've typically found in many organizations, and it's not something necessarily unique to security organizations, is that leaders typically will hire people who have the same type of narrative as they have. They have the same type of education, background and approach to thinking through problems. If you look at the culture of technical interviews today, we all ask the same damn questions on the whiteboard and do coding interviews in order to figure out whether or not the person thinks like us.
In a majority of instances, what I've identified is that you're hiring people that look and act exactly like you. The problem with this is that you end up with a very homogenous approach to building your security team, which ends up being brittle. It can't adapt to changes, and [you] are missing a large opportunity to expand the security organization outside of the particular manager's set of expertise.
For example, I come from a background of penetration testing, offensive security research, [and] vulnerability research. I love to break things and if I hired a bunch of people who just broke things all day long, and their narrative was they love to hack, then the engineering team here would probably kill me because then we're not actually figuring out how to fix stuff.
When you're talking about a mix, you want different skills, different mindsets, all on one team. But how do you get that?
It's a combination of their skills and their ability to execute. It's also how they approach things. You take someone who has experience of [being] a first responder. That is a particular mindset of how they're approaching problems. Triage and containment. And compare that to someone who has a mindset of building something that will try to address security as an engineering problem. Oftentimes, you will see that people will have different types of skills that support how they think, and they may not even be necessarily from the security realm.
The most memorable interviews I've had with candidates have been people who have presented their narratives. Instead of "Oh, you have SQL on your resume. Let's talk about SQL." It’s so helpful when they come to me and they say, "I love hunting bad guys." That brings so many more things to the table, as far as understanding their perspective, background and what they're trying to do versus talking about very dry, typical skills.
How does a manager know that you have the right balance? How do you have the right mix of people in the first place?
I think one good barometer is to see how much disagreement happens during team meetings. If you have people that are from the same narrative, you'll find that they all just agree with each other. For example, in the case of application security, you might just have a bunch of folks that are focused on pen testing or breaking things and they're like, "I found this really cool vulnerability." And everyone kind of nods and says, "Yes, that's a cool vulnerability."
Instead, if you have someone saying, "Hmm. You know, I think I could write some code that actually eliminates all instances of that vulnerability across the board, rather than you just going and looking for this one vulnerability in all of our different products." Then, another person is saying, "Hmm. I bet you that I could detect the actual location of that vulnerability, so I wonder how complex it really is?" Then, someone else is saying, "Hey, is that vulnerability actually likely to be exploited in the wild? Is that something that we actually need to deal with first and foremost?" Those are people with completely different narratives on how they address security. If you have that healthy, constructive dialogue happening in the meeting, then I think you've got your narrative diversity set up pretty well.
This kind of creating the team, figuring out the right mix, is that something LinkedIn has within the hiring process or is that something the managers are keeping in mind and doing on their own?
It is incredibly difficult to extract the narrative as part of the hiring process until you get pretty close to the end where you see what motivates people at the end of the day. Not many people come in and say, "My personal narrative is X, Y, and Z." We try to ask questions that might elicit some ideas.
When we look at talent, what we try to do is, instead of hiring for position X, Y, and Z, we try to hire to the individual and find where they might be a good fit in the organization. When they come in, we think about it in terms of, "Hey, you know, based on the narrative or the types of things that we've extracted out of the discussions we've had with you, we think that actually you might be a better fit over here because we need that particular type of mindset in this team."
How do you get people to start talking about their narratives?
I often ask people how they describe themselves, as far as the stories that they tell. When you talk about work and the interesting things that you do, what is that story? Are you talking about how you came up with this awesome algorithm that reduced the number of false positives of your intrusion detection system? Guess what? You might have an engineering kind of narrative. If you're talking about, "Hey, I found this awesome way that no one had thought about to trick this piece of software into giving up some data that it shouldn't have given," and that's what you talk about at the end of the day, that is a breaker/trickster narrative.
We are the stories that we tell, and just getting people to start telling stories will often help define that narrative.
What is a breaker narrative? What does being a trickster mean? Cory Scott will return in a few days with more details about some of the narratives he sees in security teams.