Cybersecurity Effectiveness Podcast

back to podcasts
Listen on:
Subscribe:
stay up to date

Rick McElroy

Until recently, mental health wasn't getting talked about. I think over the last two years, there's certainly been an encourager movement out of the major conferences to include things like community tracks and have speakers that talk on these topics. But lots of people don't like to share their fears or failures, right? So, I think we need to do a bit more of that because they're all lessons learned for everybody. I think a lot of it had to do with us just not sharing as a community and facilitating those types of discussions. But I think that has started to change.

Rick McElroy, Head of Security Strategy for Carbon Black, has 20 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education.

Brian Contos:                

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Rick McElroy. Welcome to the podcast, Rick.

Rick McElroy:                

Oh, thanks for having me.

Brian Contos:                

Hey Rick, before we get going, I'm was hoping you could give the audience a little bit of background on you and sort of the path you took that led you to become the head of security strategy for Carbon Black.

Rick McElroy:                

Yeah, so I started my career off at a very small value-added reseller and integrator, but they were pretty progressive. This was back in 1998, 1999 and they hired a bunch of hackers and the job was basically to do a bunch of security testing and then, of course, sell a lot of defensive things too to stop those things. And did that for awhile and then I went to over to Booz Allen and Hamilton and actually did that for the government for a little bit. I got to do that with the Navy and Marine Corps, which was a pretty good time. And then decided that red teaming was too easy and defense was way harder so I started building security programs in San Diego, where I live. And I did that for a long time at three or four companies and then working my way up to CISO, eventually started doing virtual CISO work on the West coast and met the co-founders of Carbon Black. Really saw what the technology was doing and asked for a job and it worked out, so it was great.

Brian Contos:                

There you go. That's awesome. Well great. Well we're really happy to have you here and we touched base a few months ago when we were brainstorming some topics to cover on this podcast. And you brought up one that I think is not only just very important and timely, but very unique and something that we haven't talked about on this podcast before. And really that's the mental health within the cybersecurity community. But before we jump in, what is it that drove you to want to cover this topic?

Rick McElroy:                

Yeah, well I think it was a number of things. One, I actually do care about the people that I work with. And then two, I think talking to my peers and fellow people that I know in the industry about our individual challenges. So, I think it was sharing, I think some of it was getting involved. And then of course, seeing the actual impact to friends of mine along the way on the journey. And yeah, whenever I can do to be a positive influence on this topic, I've kind of stepped in and been an advocate for it.

Brian Contos:                

Yeah, no, I think that's amazing and kudos to you for doing that. You know, when people think about mental health and think about the cybersecurity community, things that lead to more stress and anxiety or just less happiness, what's happening that's causing that at our space particularly?

Rick McElroy:                

You know, there's a number of different factors. I mean, I think some of the biggest ones are just the amount of work, the few number of people that can actually do that work. The fact that those people care. Yeah, so we work a lot of hours. We spend a lot of time on tech and what we do, and not a lot of time on ourselves or our families. And yeah, all that stuff starts to add up after 10, 15 years, 20 years in the industry. And some people just quit. Some people look to make some changes in their lives to drive that stress down. But yeah, I mean, it has a big impact and I think just a ton of it is the pure amount of work. And then feeling like there's no end. And then of course the stresses of -- especially when you work your way up to leadership -- I could get fired if something happens.

Brian Contos:                

Yeah. You brought up a couple of points there. We tend not to think of ourselves sometimes or our families as much as we do the job. And it does take a physical toll, right? I mean, there's people that have been traveling for 15, 20 years and their bodies are breaking down with the stresses. And they're probably not eating healthy and they're missing birthdays and they're missing anniversaries and things like that. I mean, it's a very demanding space for sure.

Rick McElroy:                

Oh yeah, that's definitely true. Especially when you're traveling. You have to be very mindful of that. Try to sneak in exercise when you can. And yeah, I mean I certainly, I think the first year on this, on this job I put on tons of weight. So you have to kind of make it a point. And I think the two are just interlinked. And yeah, certainly, I mean, look, as a community, we drink a lot, right? Most of our events are, we drink a lot of beer. Yeah. We like to eat. And then we also work very hard too, so we got to start taking care of ourselves to be around for the long outcomes that we want to see.

Brian Contos:                

Yeah. I think at Verodin we call it the Verodin 25. But I think that's more like the Verodin 35. It creeps up on you. So, let's just talk about what's happening. I mean we all know people that have been in this industry and have now left and it is such a demanding role, even at entry level jobs, all the way up to executive leadership. Are people just quitting?

Rick McElroy:                

Yeah, totally. So, this is part of Gary Hayslip and I, CISO of Webroot, did a preso at RSA this year on this topic. And one of the stats we found along the journey was 38% of people have just quit the industry, due to the stress. And then as we were presenting and sort of talking to some of the other people that were presenting on similar topics, we met a group of women who were presenting on the high amount of women that actually leave the industry too. And it's way higher, I want to say it's64%.

Brian Contos:                Oh wow. You're kidding me.

Rick McElroy:                Something like that. Yeah. And so yeah, you look across it and you're like, wow, it's not a very accommodating environment. We're not very diverse in our thinking and we're not taking care of each other. So that's kind of a recipe for disaster.

Brian Contos:                

In your research, how did that compare to other professions? You know, a doctor, a lawyer, an accountant?

Rick McElroy:                

Yeah. It was interesting, that was one of the things that Gary and I spent a lot of time thinking about [was] comparable positions. And it's not true to say that certainly in all cases, lives depend on what we do. Although certainly in some cases, lives do depend on what we do. We really started to look at the first responder community, it's another community that sometimes sits around for long periods of time and then undergoes a high amount of stress for short periods.

Rick McElroy:                

And there was very interesting in numbers amongst, and when you looked at firefighters as an example, the high amount of stress, or higher amount of stress that the male community would experience, as well as alcohol abuse. As opposed to women firefighters, who it was much less in. So, I think it makes a case in amongst itself for diversity. If people just care about their own mental health. And I think some of those factors are the shared stress. They talk about the things they go through, they share with each other and so it becomes a shared burden, not one the individual has to bear on their own.

Brian Contos:                

Sure. I'm wondering why Rick, before talking to you about this topic, I've got to be honest, and like you, I've been in this space for a couple of decades, why do you think that it's not getting the attention it probably should? Why do you think maybe this is such a"wow, I never knew that" type moment, when people hear some of these statistics?

Rick McElroy:                

Yeah, well, I would say, in large part it wasn't getting talked about. I think over the last two years, there's certainly been an encourager movement out of the major conferences to include things like community tracks and have speakers that talk on these topics. But I think one, lots of people don't like to share their fears or failures, right? So, I think we need to do a bit more of that because they're all lessons learned for everybody. So yeah. So, I think a lot of it had to do with us just not sharing as a community and facilitating those types of discussions. But I think that has started to change.

Brian Contos:                

Well, let's go a little bit deeper. Let's talk about the impacts that you're seeing on defenders out there and the folks that are charged day in and day out with protecting organizations, and sensitive data and just their organization's ability just to do business.What are you seeing as it relates to that?

Rick McElroy:                Yeah, I mean, all kinds of things, right? So, I get to fly around the world and meet with awesome defenders all over. And I've had emails from CISOs in Holland about nervous breakdowns, right? I've certainly had friends that have abused substances, right? I mean, I certainly, probably have drank too much at one point. Yeah. And so, I think when you start to care, and you start to look around and you really invest in the people around you, you start to see that stuff. And Gary would share a story about, his doctor told him if he continued the same job, he would have a stroke.

Brian Contos:                

Wow.

Rick McElroy:                

And so, you start to think about what to do. And for me personally, some of it was bringing the job home, and just being snippy and angry. You know, sometimes you'll throw your phone, things like that. Or just losing perspective on, the world's a little bit bigger than InfoSec and it can't consume all your time.

Brian Contos:                

Yeah. So, people listening to this right now, what are some of the things maybe you learned during this research, maybe some opportunities out there in the community that people can leverage for help?

Rick McElroy:                

Yeah. Well one, I think Gary andI are big believers in tribes, right? And we talk about that in different ways, right? Your tribe could be your family or your tribe could be people that you meet along the way, that are similarly aligned. But I think finding a tribe, sharing your stresses, reach out to them from time to time. Make an investment in them where you have that type of relationship where you can say, “Hey, maybe it is time to go out and hang out for a little bit and get outside of work.”

Rick McElroy:                

And then there's been quite a number of speakers at all of the major events that have all linked and posted wonderful things. Gary and I, I think, post wonderful things a lot. So, I would say, again, when you start to look around there's a lot more people talking about it and posting resources.

Brian Contos:                

Where's a good place for people to go out to find some of the research or maybe see some of the talks that you and Gary have put together?

Rick McElroy:                

Yeah, I mean, you can certainly start on YouTube. There's tons of great stuff on there. RSA has posted all the videos. There was an entire day, it seemed like, or a day and a half, where those tracks were all covered. And Black Hat, of course, posts videos. And yeah, so I'm just a big fan of looking out to the community to provide that stuff as well. I mean, I know certain resources work for me. I've certainly taken lots of classes on the topic and read some books, and none of those books were related to InfoSec, right? So, I think sometimes we have to do a little work on ourselves, outside of the wisdom that we want in cybersecurity too.

Brian Contos:                

Based on all your research, and all the various talks and things that you've put together yourself, what are the top two or three takeaways that you'd suggest to maybe somebody out there in our field that, they're feeling these stresses?

Rick McElroy:                

First thing I would say is try to unplug. I mean, I find it hugely valuable to leave my phone in the other room, sometimes now. And I never used to do that. And I know when I was in the middle of operations, it's very hard. You might get an alert at two in the morning and you have stress about whether or not you're going to hear it, you're going to know about it, right, when that type of moment happens. So, for me personally, I go out to the desert a lot, because I live in San Diego, and it's not that far and mobile devices don't work. I go fishing, I definitely do lots of things with my dogs. So, I think interests other than InfoSec, are healthy.

Rick McElroy:                

So, find some hobbies that isn't hacking or information security. Because I know, that became my hobby and my job for a long time. And so, you've got to turn that off. Find people outside the industry that are friends, find people that are interested in other things and try to grow in those areas. Yeah. And then definitely find a tribe, invest in that tribe. And then I would say if you start to look to be mentored by people and look to people outside of information security, again as well, and also be a mentor, I think that starts to change how you relate to people and helping them grow and be healthy and all of those things.

Brian Contos:                

Yeah. Well, it sounds like really sage advice to me. So, Rick, as we wrap up here, we have a question we'd like to ask every guest on our show. And that's who's your favorite superhero or super villain and why?

Rick McElroy:                

This is going to take one second to get to this answer. So, I'm a huge geek. I grew up on comics, like literally, going with my best friend to collect them. I would say, right now, if you add up all the things, the comics and the movies combined, it has to be Tony Stark and Iron Man. I always was drawn to the character himself and the struggles that Tony experienced along the way, right? I mean they were real human struggles, like PTSD and alcoholism and those things. And so, I was a big fan of Tony. And then I would say, from a supervillain perspective, I think the most perfect supervillain that's ever been displayed is Thanos from the current MCU.

Brian Contos:                

Oh yeah. Yeah. It's interesting. I, as well, grew up on comic books and definitely geeked out. And I remember when there [were] a couple issues of Iron Man, I think it was referred to as the Demon in the Bottle, and it was talking about Tony Stark's alcohol addiction. And then Green Arrow and Green Lantern had one about drug addiction that came out and there was some other, Spider-Man did some stuff around that. Yeah. So, really interesting. But yeah, it's great to have a hero that's also human, right? A little bit flawed. I think Superman and heroes like that, kind of sit on a pedestal and they're not quite as relatable. So, definitely agree with you there. Well, Rick, thanks so much and thanks to all our listeners for joining us. I think this was a really important discussion. Please definitely take sometime to look at some of the research that Rick has done. It just, something that our community definitely needs to follow up on. And be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.

download transcript (PDF)
back to podcasts
Follow:
Subscribe:
join the list
X
Business Need
technology
company
resources
blog