How to Hire and Develop Security Assurance Talent

Clarke Rodgers (00:18):
So Jessie, as a AWS security leader, part of your job is to make sure that you're bringing up that next generation of leaders within the company. What kind of things are you doing to help that?

Jessie Skibbe (00:30):
Well first and foremost, Clarke, I think we're always looking for ways to scale ourselves as leaders. And I think it's really important to understand that leadership itself is not... It's a learned skill. It's not something people are born with. That term, “born leader” really doesn't exist. So leadership, like any other development opportunity, is something that people really need to learn and grow in over time. And I definitely have been on that growth journey personally, and I take it very seriously and I'm very passionate about the topic and thinking of the right ways to scale myself as a leader on the team.

And I talked a little bit earlier about, I think my role on the team was really to help establish a high-level vision, kind of telling the team, “this is what we want to accomplish.” But I needed to develop a team of leaders that could really define the “how,” because I was never going to do it on my own and nor should I, because they have so many great ideas. And the team is really, they're the reason why the team is successful, because they're the ones diving deep with customers, they're the ones deciding how are we going to work the most effectively in finding the right value.

So, along my own personal journey, I've really been looking for ways to develop myself so that I can, in turn, help develop others. I really think that's my responsibility as a leader. And so, several years ago I took a John Maxwell certification course — I really have a lot of respect for his work. And so, I became certified as a John Maxwell team member, and I got my first window into coaching at that time, I really didn't understand exactly what it was, but I'm a very curious person. And so, I dove straight into doing an executive coaching program. So I'm a Hudson executive coach.

And the reason why I think coaching or the art of coaching is so critical is because the idea of asking a question, it's the best way to help other people develop themselves and actually create behavioral change. Because if I tell you to do something, you're not going to remember the thought process behind it, it's lost on you. But if I ask you a question and ask you to share with me how you're thinking, I honestly believe that this is the true key in scaling yourself as a leader. Because if you can figure out how to solve the problem yourself, you're not going to come back to me later and ask me for the same help.

So, I really look at this as a way of empowering leaders on the team. I rarely give direct guidance, but I will ask a lot of questions on, “How are you thinking about this?” And really help them understand that they are empowered to make decisions. Taking ownership is one of the leadership principles that I personally gravitate towards most, and I instill that on the team. We need a team of owners that are going to take that responsibility and do what's right working backwards from the customer. And as long as they have those guardrails, they know what we do, they get to define how we do it, and they get to take ownership over that. And so, having the team feel empowered is, in my opinion, one of the ways of scaling yourself as a leader and creating success for the whole team.

Clarke Rodgers (03:30):
That's awesome. So let's pivot a little bit back to your hiring.

Jessie Skibbe (03:34):
Yeah.

Clarke Rodgers (03:34):
So, when you look for someone for AWS SAS, what kind of skill set or skill sets are you looking for in that person?

Jessie Skibbe (03:43):
Yeah, well that's definitely something that we've iterated on over time as we've matured, but I think it's always been, we start with our leadership principles. And what I love about Amazon, the way we think about hiring is we're hiring for Amazon first and then it's skill set, it's technical depth, it's functional fit second. So, from a leadership principle perspective, what I've established as must haves for the practice is, well, of course customer obsession is always kind of a given. We need to be able to earn and maintain trust with our customers. So earning trust and keeping trust is a definite must that I look for. The other is insist on the highest standards. And because we have -

Clarke Rodgers (04:23):
Makes sense.

Jessie Skibbe (04:24):
Right? We have to as a QSA company, we have strict quality control requirements. So we perform quality control on our deliverables as though they were rocks, as though they were report on compliance. So everything is peer reviewed, everything is double checked, everything we put in writing publicly is double checked and peer reviewed. So that goes back to earning trust, but also just keeping that bar really high. And so those are two things that I look for.

And then of course, learn and be curious because you really won't be successful, I don't believe, in an AWS environment with all the ambiguity that we deal with on a daily basis, if you're not constantly curious and looking for new things to learn. But then we also look, we have a pretty good combination. We like to diversify on the team. So we have a lot of former QSAs, which I really never believed that I'd be able to take a team of auditors and create this innovative, fun working environment, but I have.

Clarke Rodgers (05:23):
Right.

Jessie Skibbe (05:24):
And then we have a lot of internal auditors, and then we also have engineers. So we actually started incubating a new area of our business about 18 months ago, really focused on privacy engineering. So we are definitely really raising the bar on the technical depth in the team because from the auditor profile, we're really looking for tech breadth because my consultants need to go to a customer and be able to advise on all AWS services. So you can imagine how complex that is across the board. So tech breadth is really important, but in some of the areas that we're focusing on right now in privacy engineering, it's really about tech depth. And not only security expertise, but also understanding of the privacy regulation and landscape that's changing all the time. So it's quite a balance of complexity, but we've definitely made it work with the diversity of the team.

Clarke Rodgers (06:17):
No, that's great. So, if I'm a customer, so a CSO, CTO, whatever the case may be, and I'm looking to modernize my audit or compliance program, what are some tips that you would give me to move into the 21st century of automated audit and compliance?

Jessie Skibbe (06:37):
Yeah. Well, I think the first thing that comes to mind is having that right skill set. We talked a little bit about having the audit and compliance background and knowledge, but also be willing to invest in some of the technology training that that person may need because we have to be able to demonstrate the art of the possible and to have the understanding, especially as it relates to all of the different security tooling that's available on AWS. So possibly even thinking about the security certification as a first step. And on the training and certification page, in fact, there is an auditor learning path in addition to, like I mentioned earlier, Cloud Audit Academy, several times, there's a free E-learning for Cloud Audit Academy 101, the very basic agnostic version. So I guess my point is to that leader, that stakeholder in the company who cares about modernizing their compliance program, you have to be willing to invest in the people.

I think the people that are going to be bringing that innovation to the table and having them be part of that lifecycle because everything is agile and you're thinking about DevOps, how are you incorporating compliance advice, security into that DevOps cycle? And how are you testing in a continuous cycle? And also on the back end, there's so much capability today to collect automated evidence. So not only just from a monitoring's perspective, what tools and resources are available for a constant monitoring, but also consistent audit. Continual audit is an actual real capability that people have now in the cloud environment.

So focusing on that effort, because there's a considerable amount of time savings and cost savings involved in automating that because think about the lifecycle of an audit and how long it takes to manually gather evidence. And we are way beyond the days of screenshots. And with a compliance size code mentality, how are you gathering that data consistently versus waiting once a quarter or once a year? So thinking about that and really asking those individuals to think big, invent and simplify. A lot of our leadership principles apply here because there's a lot of room for a compliance engineer to really focus on saving that time and money for the customer.

Clarke Rodgers (08:57):
And then I imagine saving that time and money also comes into development hours, right? So, if the development engineer is not spending time producing evidence for the audit team, he or she can be developing feature SATSs and getting code out the door and actually helping the company make money and reach more customers.

Jessie Skibbe (09:12):
Well, we talk a lot about waste when you're developing products. And that's one of the things where when you insert your compliance engineer as far left in the cycle of product development, then you do have less waste. Because what you don't want to do is wait until that application is ready for production, then bring in the compliance people, and then have to go back and do considerable rework. So, if you insert that on the front end, you're going to have a lot less waste and a lot of faster time to production on the back end.

And actually, several of our engagements have concluded with leadership coming back to me saying, "Jessie, will you help me write a job description? Because I did not know that this skill set was needed in my organization."

I think that would be one of my biggest takeaways for customers in that the CISO leadership or the compliance leadership is that investing in the right way to make sure that the people on the team have the right cloud awareness and can dive deep into the technology. There's so much innovation that can be done in the realm of compliance that the art of the possible just needs to be proven and they'll see. So, I've written many of a job description to help some of our customers be able to hire very equally qualified people that are on my team.

Clarke Rodgers (10:29):
Jessie, thank you so much for joining me today.

Jessie Skibbe (10:31):
You're welcome, Clarke. I really enjoyed the conversation.