Ep 15 – The Cyber Talent Series

Episode 15 of The Cyber Talent Series is officially live!

Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito as they speak with Joe McCallister, Senior Manager of Cybersecurity at The Trade Desk, about building and leading modern cybersecurity teams. Joe shares his unconventional path from retail and sales into cybersecurity leadership and how those early experiences shaped his approach to hiring, mentoring, and developing talent. The conversation explores why curiosity and community are critical traits in cybersecurity and how managers can evaluate these traits in candidates when building teams. Joe emphasizes the importance of psychological safety to allow for open lines of communication to avoid burnout and encourage collaborative conversations about career growth. Joe reflects on transitioning from an individual contributor to a leader and the importance of “letting go” and trusting your team to take on new opportunities. 

Tune in now with the player below, or check it out on the SkillBit (formerly known as MetaCTF) YouTube and Spotify channels!


Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series where we explore how organizations are closing the skills gaps, accelerating onboarding and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by Thomas Rogers. And today we are talking with Joe McCallister, Senior Manager of Cybersecurity at Trade Desk. Thanks Joe for being here.

Joe McCallister (00:28)
Yeah, thanks for having me. I’m excited to chat with you.

Phoebe DeVito (00:30)
Awesome. So to kick it off, would you just tell us a little bit more about who you are and what you’re working on now?

Joe McCallister (00:36)
you said, Joe McCallister, I’m at The Trade Desk, which is an advertising technology company based out of California. I myself am actually in Colorado, we are a globally And I’ve kind of come up through the traditional IT background. The start of my technical journey was in the traditional IT and had a mentor of mine say you should do security because you’re already doing it. You just don’t know And from there

had a couple of stints at like some MSP realm, some consulting, and then went to the in-house realm of security. Started out as the solo engineer here, and now I run a team across a whole bunch of different kind of domains and disciplines in security and have a lot of fun just talking about security, not taking myself too seriously. to get out in the elements if I can when my schedule and the kids allow.

and otherwise just kind of trying to live this thing we call life.

Phoebe DeVito (01:25)
Awesome. So, heard you on the Future of Security Operations podcast and loved listening to you talk there a little bit about your journey and your transition from sales and retail into cyber. And would love if you could give just a really brief kind of overview of what that looks like for you and how you knew, you know, cyber was the path for you.

Joe McCallister (01:44)
Yeah, always like to tell people that there’s no typical way to get into security and there’s no typical journey for cybersecurity. And I also like to say I’ve lived kind of two professional lives. I made the pivot from retail and sales. Always like to also toss in that I sold BMWs for eight, nine they’re a blast to drive, but selling cars is not game, but between

sales and retail side of things, what I really learned a lot about was communication, de-escalation, what SMART goals are, actual realistic goals. There’s a whole bunch that kind of carries through that you might not think on first blush. And I’ve actually found even in hiring, I look for people that have non-traditional backgrounds that have some sort of weird little bullet point in their resume that’s just kind of fun to hear more about. I’ve actually got a couple of folks that we learned after the fact.

worked at Best Buy in college like I did. But essentially what happened was I got a little burnt I thought I was going to live my life after high school as a retail manager and started to see a lot of friends do the same and a lot of friends, unfortunately, you they do the annual reorgs and retail is a very volatile space, especially Amazon was going after retail spaces. Circuit City had closed a few years earlier.

And so saw a lot of friends lose their jobs and thought maybe this isn’t as stable as I thought. Went over to the Geek Squad of all places and just started toying around. And I always liked video games and all that fun stuff and just decided to kind of really run with it. I used those customer service skills to further my career and into the technical, started doing some online support, malware removal. Thought that was really interesting. I love knowing how things work, but I think I like more so how they break. And so that kind of…

kickstarted my technical interest and went to school, got into enterprise and that’s where I started the MSP journey and drank from the fire hose. If anybody out there is working at an MSP or has that history, you know, it is a whole lot of experience and a very little bit of time. I think we were servicing over 250 clients and running help desk over there and then went to what we call the road warrior and user support, go into sites. That customer service background definitely served me well there.

able to interact with clients and represent the business as a kind of third party. And then as I mentioned, I had a buddy that looked at me and said, you’re already doing security. You should think about this. And he me to get my CISM I was even, you know, kind of technically ready, worked together. He did classes. I went to the ISACA on the weekends, got my certification the rest is a little bit of,

I’d like to say the rest is history, but then there’s six plus years here at The Trade Desk where I came in as the first engineer kind of built a team and took over everything from third party risk management and contracts to application security and platform security. So feel like I could talk about that for two, three hours, but I will hand it back.

Phoebe DeVito (04:22)
Hahaha

Thomas Rogers (04:25)
OK, cool. So Joe, you mentioned you’ve covered like so much different stuff, and I feel like the experience that you’ve gotten kind of outside security, seems, is like really influenced the way you’ve, you know, grown your career and manage teams. Like, how does that influence the way you mentor, hire, evaluate, you know, early career talent? And yeah, especially as you’re like leading a cybersecurity team now, what do you talk to your

team members about in terms of where to focus and build their careers.

Joe McCallister (04:53)
A phenomenal question. And I appreciate it because I do try very hard to bring some of that like early career. Try to think of every interaction and even tell my teams, whether they work for me or if it’s a colleague that’s struggling with a manager, let’s say, I like to tell them, you know, I’ve had good managers and bad managers and they’ve all taught me something. So there’s a lot of things that I bring along from those managers. There’s even the review cycles and the things they look for as positive indicators of performance.

retail is kind of interestingly applied to technology and security. Thinking about things like integrity is really important to the security industry. We have to have that. I like to tell my team to always look for, and when I’m looking for talent as well, always looking for that curiosity mindset. There may or may not be a right answer, I love when I’m in an interview and we pose some sort of technical question or even a hypothetical and I get an answer and then they say, well, what would you do?

It’s always an interesting throwback to say, how would you approach the situation? There’s very rarely, unless it is those binary Jeopardy-style, the port number questions, which don’t make great interviews anyway, there’s always multiple ways to approach the problem. And I also instill in my team that those communication the soft skills just cannot be overstated in their importance in cybersecurity. What I’m

Thomas Rogers (05:55)
you

Joe McCallister (06:07)
with my security and working with engineers and developers is we can’t just go and drop a stack of papers on their desk and say, you need to fix all this, or this is how you’re gonna do your job from now on. No revelations there, right? That’s a lesson that’s been learned in security a million times over. But when you’re on the ground, it is so much more important to build the relationships. And I like to say like my job right now is mainly diplomacy. It’s shaking hands, kissing babies, like making friends with managers and engineering.

executives to understand what their priorities are and how we can stay out of the way or instruct them safely or give them the paved path towards a more secure and compliant deployment or securing our next release to make sure we don’t fall flat on our face when we open source something or release something that’s going into a customer’s home. And we get that one security researcher that busted open and goes, look at this code. It’s terrible. So

Those are the big things, the curiosity, the communication, lot of it’s all soft skills, honestly, has gotten me much further than any bit of my technical knowledge at this point. It’s not, not, important, but it’s definitely.

Thomas Rogers (07:06)
We’ve been hearing curiosity a lot, been doing some customer interviews and just trying to understand better, like how they interact with our product and use it. And we had a conversation yesterday with the head of security operations who said that he tries to kind of measure for curiosity. And it’s funny, cause you don’t think about curiosity as like a, you know, a tangible, measurable characteristic.

but it’s fascinating how important that is in cybersecurity. So I’m sure it is helpful to have some sort of quantifiable, measurable, or at least a framework in understand, is this person, maybe it is binary, they are curious or they are not. But yeah, there’s some careers where you can just say, here’s the process, we’re just gonna do it a million times and it’s not gonna change that much. And in cyber, it’s very different.

That curiosity is really important.

Joe McCallister (07:59)
Yeah, it’s always interesting when we get folks I interview from larger, more established firms or kind of more conservative industries, I’ll say in the way that like, you know, we’re again, we’re ad tech, it’s kind of wild west out here, but like we get finance and healthcare folks. And we’ll find, we’ll definitely find amazing candidates, but we also will sometimes have to start pulling threads to help them open up that curiosity just a little bit. Programs that have been around for 10, 15 years and all you’re really doing is running playbooks and pressing buttons.

Not exactly what we’re looking for here. So we have to try to kind of say, well, what if that didn’t work? Then what do you do? I don’t, that playbook always works. Well, that’s not the right answer. Like start asking more questions about the incident or the, the event we’re seeing and let’s figure it out together.

Thomas Rogers (08:40)
How do you do that on the curiosity side? going back to I would assume it’s a somewhat similar process encouraging team members to be curious, or maybe they already are curious when you bring them encouraging them to remain evaluating a new prospective candidate or something. have you learned there in terms of finding people that meet that characteristic?

Joe McCallister (09:04)
It’s kind of a tough question to get a good answer out of just because what I try to do is as a manager and as a leader, encourage that curiosity by ensuring they know, instilling humility across the team and saying, I don’t know if I know the right not a traditional AppSec person. So I rely on my AppSec team and I will play the idiot in the room and say, okay, what’s IDOR? Tell me, can we walk through what you’re seeing in this instance that tells me that it is truly a

10 out of 10 and we need to go pull people into a bridge to fix this or can we slow down and kind of think about things a little bit differently. But it is a challenge to keep that curiosity going. It’s about giving the freedom and the space to be curious. And we talk a bit about, know, the buzzword term of psychological safety, but it is really important that they feel like no question is a dumb question. Like they feel like they can partner with somebody they always have.

resources available to them. And we always make a lot of space for learning. It is part of the job. And we’re one of the few teams at our organization that it is a kind of a pillar to where we say we have to not only know what a security principle is, but we have to know fundamentally how to set up Kubernetes and then how to break it. So we need to not only know what the new with AI and all the other technology coming out, right? We have to be

up to speed very quickly. So we try to make room for that and understand the more that we learn, the less we truly know. And that allows them to get a little bit more curious, spend a little bit more time, thankful to the organization as well. They allow us the resources. Like we can go out and just grab an O’Reilly book or a Wiley and read it together and set up study sessions for, I’ve got a couple of folks doing the OSCP. So they have their own study session on the

to work on it together and start looking at it as, I wonder if we’re vulnerable to this in our organization. They’re finding really cool bugs that way.

Thomas Rogers (10:47)
It sounds like you do, you know, dedicate time. I think that’s so important like work can just kind of consume. And it’s like, you know, it’s a busy job. can be really high, stressful at times. So, yeah, what have you done that’s like help to make sure that time is blocked? And I.

Again, that goes back to your psychological safety. I feel safe in knowing that manager cares that I want to develop in my career, learn new things. But curious what sort of things you put in place to allow for that.

Joe McCallister (11:17)
been a hard lesson to learn myself. I’ll use SANS as a direct example. Like I took a SANS on demand course and it is not how I learned a million miles, I should just go to the course, get in that room and talk to the people that are in the room. That’s the value. But I have other folks can do that. And what we’ve done with my learning, which was I was doing the SANS course and I just kept checking email, I just kept checking Slack. there’s a ticket. I could just close this out in five minutes,

you’re context switching, you’re getting out of it. By the end of the week, was like, I, what did I actually learn and retain here? That’s useful for me next week and next month, next year. So we, using my failures, I have instructed the team, like you, you’re in charge of your own time. You’re all adults. You need to focus on, if you’re going for a certification, if you need two days, three days, the whole week to study, block your calendar. You’re in control. We can shift priorities around.

we can ensure that deadlines are communicated and we can just work with it. It is just as important for us to be able to give good advice, to be able to give good consult and advisory to our stakeholders and also be the expert in the room when people need it. So we can’t do that if we’re just leaning on like my schooling from seven, eight, nine, 10 years ago is still fundamentally applicable, but also woefully out of date with what’s out there today.

Phoebe DeVito (12:30)
That’s awesome. Yeah. I was going to on the psychological safety aspects. So many folks that we bring on have said one of the main things they assess in interviews and in, you know, team members growth is that curiosity and the humility to say, like, I don’t know how to do this or, know, I want to go find out. But I love that you kind of hit on the manager’s responsibility or the organization’s responsibility to make that a safe thing to do and like set that tone. So I love that.

One thing I was thinking about when you were talking about evaluating candidates and just different ways of up-skilling. So you’ve got a lot of great certifications and I’m curious when you’re, you know, hiring a team member or building a team, what’s kind of the role that certifications play and how you’re evaluating that.

Joe McCallister (13:14)
Such a hot button issue. It’s such a like hot take ready topic. I like certifications quite a bit. I asked my team quite often, know, are you thinking about going for anything? In general, it’s a good way to put that stamp on, know, that well, it certifies that you know the things that you’ve just been studying for. I don’t think it’s the end all be all, but when I’m looking at a resume as an example, it is a really quick.

pulse check on just kind of what they’ve done, where they’ve been. I even think, you know, I would not necessarily hot take, but if you’re in security or looking to get in security and you’re going to go get your A+, I wouldn’t necessarily encourage like saying that’s the one you should go get, but seeing it on a resume, I’m like, cool. mean, they, get the literal physical connections. That’s great. Like, and they saw something through very similar to, a formal education and a bachelor’s degree, right? You started something.

Thomas Rogers (13:59)
Thanks

Joe McCallister (14:02)
sizable and admirable and finished it. And that means something. Typically, it’ll be paired up against like some sort of quick knowledge check. I don’t do the technical interviews, but I’ll ask about the experience too. Like how was, you how was yours? I don’t have my CISSP. I have my CISM. How do you find the CISSP? How did you study for it? What were your challenges? What was your weakest areas? Always a fun, like, you know, you have the different domains. Where’d you score the lowest? Because mine was like physical security. I don’t know the

kinds of doors and fire extinguishers anymore, so I don’t need it.

Thomas Rogers (14:31)
within that interview process and as you think about like building teams. just the role that you see, guess, know, certifications obviously play a role in that, but like the capability side of things, like how do you, how do you assess like these are the capabilities that we need internally?

a people’s standpoint, from a tooling standpoint, when you’re evaluating holistically, this is the type of program we want to build and this is where we are today. How do you do analysis focused on both the talent and the technology?

Joe McCallister (15:03)
It’s exactly that gap analysis, in my mind, as you were asking, I was like, he’s, he’s talking about our skills inventory, which is something that I have. And I wanted to make it not sound so systemic and cold, but it is essentially, you know, how are we doing in our cloud service provider incident response knowledge and realms, right? Like we’re great in AWS, but how’s GCP? I know they’re fairly applicable, but if we’re looking for a candidate, maybe we look for somebody that’s maybe been in an MSP or has worked across multiple.

cloud service providers or we operate in China. Has anybody done incident response in China relating to legislation regulation applicable over there or even interacting Ali Cloud in that region? But it is all about getting the inventory of what we have today and understanding much like your systems, right? Like what does the job, what are we missing? What could make us operate a little bit better? Are we missing somebody that has extraordinary

customer service, customer facing skills. Today we’re in a great place. We don’t have anybody that is in the deep forensics knowledge. Today our incident response is largely recover and write up your report and move on, but we’re not gathering deep artifacts and able to work that to its inevitable end. So that’s on our sheet, on our punch list for our next hires as nice to have.

And we’ll typically build those into our job descriptions as well so that candidates hopefully know like, here’s a bullet that’s kind of what we’re looking for. It is largely not associated with tools. Like I’m not interested in if you’ve used Rapid7 versus Qualys versus all of this. Like if you get the concept, you can learn the tech pretty quickly. So that’s always one thing I keep in mind is I’m not looking for somebody to just slot in and be our CrowdStrike pro.

Thomas Rogers (16:39)
How much of that evaluation is qualitative versus quantitative? It seems like you mentioned, the skills inventory? So that sounds quantitative. So yeah, how are you doing that?

Joe McCallister (16:48)
It’s as close as I can get to quantitative, right? It’s like, I’ve gone far too deep. have absolutely rabbit hole on this and gone down like the NIST NICE framework, use DOD job descriptions and, case stats, gone that deep to say like, how do we start assigning archetypes to our people? And then I started to kind of think I’m going way too deep on this.

Like it is not this difficult. So there’s a healthy mix. It’s about, I find that one of my talents I’ve had to refine as a manager is discretion to say, we’re getting way too in the weeds, even myself, I’m getting way too in the weeds on this. I need to just back up and say, how are we on cloud, on-prem, Kubernetes? Like, let’s look at the fundamentals. Let’s look at our crown jewels, right? Can we defend those? we respond to those? And how are we, when it comes to

identifying rogue agent, agentic AI in the infrastructure. Like not great because it’s fairly new. So maybe we need somebody that is on the cutting edge of that. So it is a healthy mix. It’s just kind of an internal barometer of I can put a check in the box, but are we getting too far down the road? And do we want to get the right person? It’s always about, the right The right fit for the team is there to help everybody learn and is really big for us.

Thomas Rogers (17:54)
So it sounds like it’s an aggregate sort of calculate. I don’t know if you even use the word calculation, but an aggregate evaluation. you doing like project performance, performance reviews even, are you using like training and certifications as a part of that evaluation or?

Joe McCallister (18:12)
We So I do weekly one-on-ones with my direct reports and then I that are like one level lower than me report into like our incident response chain. we do some checks. Most of the time they’re very casual. I just ask like, how are you? What’s up? Do you need me to unblock anything? What can I work on? But I always do try to ask those questions. like, what are you kind of refining? What avenues are you going down? And it gives me a really good picture the engineers themselves want to go. I’ve got

One that is going down the OSCP route and I’ve got another that’s going down the forensics route. They’ve decided those on their own, but there are gaps that we have. And we’re kind of in a nice place where we have kind of green field of you can go do this. And we would never say no to two experts in those fields. don’t a formula that comes out to here’s what we need next or a depth chart like some of them playing a little bit too much Madden and NCAA football to say like, here’s my needs, but.

Thomas Rogers (19:01)
Yeah.

Joe McCallister (19:03)
We do have a good idea of what we need. And we also do look at what projects we have on our roadmap for 26 and beyond say what skills are we missing that can help us accelerate those projects, hit our deadlines, or maybe get them done sooner. you know, do we need somebody that comes from software engineering as opposed to the security to help us build some infrastructure to support our tooling or to support developers a little bit better? Or do we need somebody that’s worked in an organization that has those?

processes and playbooks already and can help us spin what we’ve roughly documented, know, back of napkin stuff. Can you get that into a workflow for us?

Thomas Rogers (19:37)
think that the way you’ve have seemed to approach it seems the right way to do it instead of sort of the inverse and being like, I assume it allows you to be much more proactive where we are, where we want to go. It’s really difficult to build a gap analysis, obviously, if you just have the end state without knowing where are we at today. also to the point where you actually know where we are today.

probably took a lot of time and thoughtfulness. guess if you were talking to another person in the industry maybe a first time manager or something, who was trying to build that gap analysis, you recommend about getting a good grasp of this is where we are today?

Joe McCallister (20:15)
Yeah, I think my first advice is always going to be listen, just chat with the teams and understand because they’ll tell you. Hopefully you’ve established that psychological safety and depending on the scenario, right, if it’s a first time manager that’s coming from individual contributor on that team, they probably already have a good idea of who’s good where and what the opportunities are. But if they’re brand new hire from the outside in, you should always spend that first 30, 60, I would almost argue the first 90, like if you’ve got the runway.

to really just absorb and listen, try not to shake anything up. I’ve made that mistake before of even, you know, trying to introduce one medium to large size change and it falls on its face because don’t have the foundation. And I didn’t understand that had significant gaps in our process and our forms and our intake that allowed us to fall on our face a little bit. We picked ourselves back up and had very candid conversations with the team. know, there was a lot of frustration and

on my sword a bit of saying like, I know better. should have just waited, listened and instituted the right thing. So it’s always going to be listen. And then once you listen, you should be able to kind of think a little bit more you have to raise your point of view from, when you’re used to doing the tactical down on the ground, just getting your tasks done and shipping projects, you have to start looking, thinking in systems, think how your projects feed into each other, what team this might affect.

One thing that frustrates my team all the time is that first order thinking, right? What devs only going to worry about the project they’re on, the feature they’re shipping and nothing else. And so when they make a network change and it affects all of NetOps or bring something else down, they’re like, sorry, sorry, it’s not good enough. We got to think about this. This is important. A little bit of a tangent, but it is something I like to make sure you’re getting into management, thinking a lot more globally is vital.

Thomas Rogers (21:49)
Yeah.

I assume has that foundation helped with regard to evaluating like AI adoption, AI tooling, just sort of like AI strategy in general.

Joe McCallister (22:05)
the benefit that I did not see coming from, that approach and thinking globally, but also using the community, like the stuff that I’ve talked about already, my communication and just diplomacy has been we are getting more people coming directly to us with concerns and questions. We are having more interactions that are extremely valuable that I, a year ago, couldn’t imagine happening, but because we now have friends and colleagues and lunch table discussions and people are, know, engineers are smart.

Your talent acquisition people are smart. Your HR folks, they’re really smart and they know when they see something that doesn’t look right. And so now we have people coming to our public cybersecurity channel in our Slack saying, Hey, I’m seeing something weird. We’re like, awesome. DM me, let’s chat about it. So it’s been an unintended, I shouldn’t say unintended. Of course I wanted that to happen. I’d love to take credit, but one thing about building relationships is you have the relationship and now people come to you with things that they know or even think you might be interested to hear about.

and it can really start to some good breadcrumbs to fixing big problems at the organization.

Phoebe DeVito (23:02)
That’s So you talked a little bit about how just your role or alluded to how different like your role is now in leadership. And so just curious how your experience as a practitioner kind of shaped the way that you think about leadership and cybersecurity.

Joe McCallister (23:18)
I mean, the joke I can make is probably about timelines and due dates. Like I can at least set realistic timelines and due dates as opposed to like we did this yesterday is not a, not an answer I typically give. But I think what also informed me again is a bit more of the soft skill of management, which is providing air cover for my team, being sure that my stakeholders understand what they’ve got on their plate. One thing I’m working through right now, just as a very pertinent example is just being able to display for executives and leadership, how many pieces are on the table.

Phoebe DeVito (23:23)
you

Joe McCallister (23:45)
who’s available, you know, we have, get security reviews, technical assessments, threat models, pen tests, and we have projects. And so we’ve only got so many resources, and we prioritize what comes in first. know, a developer comes up with a feature that’s potentially revenue enabling or touches something that makes the company money. We’re going to focus on that. That takes us away from a project and then IT wants to fast track this project. I would love to help you.

but I’m a little bit handcuffed and that leads to conversations, do you have enough resources? I’m glad you asked, no, I don’t, I never do. And I could use more budget as well, but we’ll get to that conversation later. But it is all about figuring out where, again, everything comes down to gap analysis for better or worse, these risk management terms, it’s figuring what to do when.

Thomas Rogers (24:28)
was that transition for you initially when you sort of moved into that people manager role? I know on the engineering side, it’s a tough one and probably one that most people struggle with. Even people who want to move into management, it’s like, when’s the right time? Maybe it’s not the right time. So yeah, what was that like for you?

Joe McCallister (24:46)
It was rough. mean, it really was because I can tell, and I’ve seen it in my managers that I’ve promoted as well. The hardest thing to do coming from an IC and a practitioner perspective is let go of that individual contributor work and truly learn what effective delegation is and trusting that people will do the job in their own way. It’s actually funny enough, speaking about Best Buy and kind of parameters they had.

I remember it from 15-ish years ago, they had four managers or supervisors. was a bullet point in the box. So don’t know how I recall this, but it always stuck with me that says, trusts others to do their job in their own way. And it’s something that I think really stuck with me because I need to remind myself that everybody’s here for the right reasons, assuming positive intent and knowing that I trust these people. I need to actually show that I trust them, give them the work.

And what I found is really interesting is the folks that are hungry for the work take I like to try to delegate effective things that isn’t just like, need you to go write this report. That doesn’t help anybody. Things that will have an outcome or an impact on that individual, have them learning something new. And also I try to delegate almost too far. Like I delegate down to a level that

I feel comfortable and then I look to see if I think I can go one more down. Can I give this to a junior and is it a really cool opportunity for them to kind of prove themselves? And if they don’t do it right, like they’re a junior, let’s coach them. Let’s figure out like, here’s what I’m looking for. Here’s what I’m thinking. I’d love to see these kinds of data points as well. Can we get these fields added? That’s where I still get to do my nerd stuff a little bit, found it hardest to really let go of

stuff. But once I did, I really saw the team be enabled, more effective. I saw the passion. I saw more of that curiosity coming out every single day. And we were getting stuff done. So it feels great to put check marks on things, be able to tell my boss, like the team did this. I could selfishly say I did it, but no, we did this as a team because we’re working effectively as a team. When you become the key man, it sucks.

Like you can’t take a vacation, you can’t do, you you also get this inflated ego of this place will sink without me and I don’t think that’s healthy anything. Again, a little bit of a tangent, but my personal beliefs, I don’t believe in the key man.

Phoebe DeVito (26:46)
Thank

Thomas Rogers (26:57)
That’s a lot of pressure, a lot of weight to put on one person. So you mentioned one-on-ones earlier and how important those are and just as a tool to have a strong pulse on where you are today, but also as a development tool, how often are in those sort of one-on-one conversations are you talking about like professional development? I’m sure it gets pushed sometimes when things are really crazy, but yeah, how often are you trying to be intentionally, you know, bringing those things up?

Joe McCallister (27:23)
My one-on-ones are actually entirely employee driven. So I tell them, this is your time. If you want to talk about tasks, we’ll talk about tasks, but we have project update meetings for that. I’m to say no, I’m here to help and enable like, especially if you just want to vent about a project, like, yeah, let’s get into it. Cause then I can actually hopefully fix some things. I keep that stuff confidential. You know, we’re not going to start any fights or anything, but we’ll, we’ll figure out. I let them also.

typically respectfully challenge, but they can cuss me out if they want, that’s fine. If I’ve done something that isn’t exactly vibing with how they’re feeling on project, but I do try to set a lot of time aside and ask them what their next step is and how they want to get a really good exercise for me was when somebody mirrored that back to me, but it was what is my next step and how do I get there? Because it had me going back through our documentation and our career path and our job, you know, all the,

pretty confluence docs we can write all day long, but at the end of the day, can I answer that question for a junior, I see a senior, a manager, like do we have a clear path and the very clear expectations that are, you doing this? And are you doing, you know, we typically look for folks that are starting to stretch a bit and do the job above them and then they become promotion candidates from there. Typically like those weekly ones, it typically comes up, the bi-weekly ones, it definitely comes up for the folks that are.

for my managers, they usually just want some feedback or you know, they’re, find people love to hear they’re doing a good job. So it’s a much more fun for me to say, you’re doing awesome. Here’s where I see you. I definitely think there’s possibility in the future like this road’s open for you.

Thomas Rogers (28:49)
That clarity’s gotta be super helpful for them. And you can almost in that case be like a coach for them, or, you know, accountability buddy, like, hey, you said you wanted to do these things. Me, you know, what do I care? Like it’s your career. I can just kind of hold you. I can just say like, hey, you said you were gonna do this and you didn’t, what’s going on? And it might be project-based or whatever, but on top of that,

You mentioned like the stretch like taking on more work or taking on the work of like the next level as like a really good way to grow in a career. And in addition to like doing the work that they were hired to do, how do you think about like the extra stuff, like the extracurriculars? Obviously that comes from curiosity, like they have to want to do it, to the SANS courses or the training sessions or even just like doing

CTFs or stuff outside of work just to try and build add-on skills. How does that play into the equation in your mind?

Joe McCallister (29:43)
Pretty heavily in all honesty. love, we talk quite a bit. We’ve got a few kind of casual channels in Slack where we talk about everything from like one guy that posts news all the, he’s, I don’t know how he stays up on it so well. He’s an animal, but he is essentially our unofficial threat intelligence guy because he’s just all over, you this week it’s Claude Bot. It’s talking about how to figure that out. And then our detection guys jump in and say, this is really cool. Let’s figure out a way to do this together.

And I view that as like, asked him to go do that stuff. Nobody asked the detection folks to go figure out how to detect this brand new threat that is potentially out there. Do we know where it is? Can we answer the questions quickly? I applaud anybody that can go and do those things because it can get really easy to just do the tasks and close the alerts, move on to the next incident, move on to the next project.

That’s part of the reason that we’ve built in that time to say it’s always okay to say I have to take a break because I’m going to go learn some stuff or next week I’m myself I’m going to a conference here in Denver and I want to go see some people learn some real tech nerdy talk to some folks, hopefully get some best practices and come back and share that stuff. That’s the expectation is when you go to SANS, what’s the coolest thing you learned? What didn’t quite click? Can we figure it out together?

because that tells me that they’re still really curious. They’re still really engaged in their career. You know, it also depends on seasons, right? Like in those one-on-ones, I like to just check on how they’re doing and say, like, where’s your kind of, we call it the burnout barometer. Like, where are we at? Like, I know I’m asking a lot of you where security is always understaffed and under budgeted. You feeling? Like, are you freaking out? Are you feeling kind of numb?

really good sign you need a day off. We’ll kind of give them some space to just take an afternoon off, go read a book, don’t look at a screen, like do some stuff, but they come energized because otherwise if we just, you know, if we start to see them just checking tasks off, we start seeing less input, less chat, less attendance at in-person events, never mandatory, but always kind of like, hey, is everything good? Or you can kind of tell in tone. Somebody might just have a, I’ve had them.

I’ve had times where I’m like, just need to take a day. I need to just go up to the mountains and take one big deep breath of those pine trees. And I’m usually pretty all right after that.

Thomas Rogers (31:50)
Denver is a good place for that. But yeah, I feel like the having that space is obviously really important. I think one thing that’s so unique about cybersecurity is conferences are often they feel like just it’s almost more just about the community than anything else. And there’s obviously the big ones and there’s there’s places for vendors and

But even the vendors in a lot of cases, I think the ones that do the best job are the ones that are really in the community and they’re just sort of there and have an understanding. I think probably a big reason for that is because a lot of the vendors were started by former security practitioners, so they get it. But yeah, the conference is just the ability to commiserate with people who are dealing with the same crap you’re dealing with just at another company is so valuable, mentally.

Joe McCallister (32:38)
Yeah, the interaction, I tell you, I wish I could take, and I’ve floated this idea a couple of times. We have one of our C-suite executives here in Denver, our strategy officer, and I’ve thought, what if I took her to Rocky Mountain InfoSec or West Hack and Fest when they’re out here? Because I truly think our conferences are wildly different than any other, definitely different than an advertising conference and definitely different than a product or a UX or even a developer conference.

They have a different feel. The community is very tight. There’s so much resource and information sharing, but I do think the most fun is always lobby con, right? Like seeing your friends, lots of hugs. This is why I get sick after going to see, we had a company get together last week and I’m a little scratchy throated, it an amazing event from the corporate events team, but the best time was lunch, dinner, breakfast and coffee. Like just being able to.

Phoebe DeVito (33:17)
Mm-hmm.

Joe McCallister (33:29)
see how people are doing, getting to check in in though through the screen it works pretty well. I like to say the one-on-ones are effective, but there’s nothing that beats quality time together. And I think that’s true of our conferences too. I get to see a whole lot of friends, different companies doing different things, everybody’s doing exciting stuff out there. And I think sometimes it’s also a good reminder that nobody has it figured out. Like we’re all still trying problems that we thought were going to be fixed 10 years ago.

The job never ends, but we got to stay optimistic.

Thomas Rogers (33:56)
For sure. I mean, I think coming out of COVID, it’s like we’re still sort of readjusting to it’s like, yes, actually being, you know, with other adult humans is a good thing in person. Like we have, we’re a fully remote company just feel, I feel guilty cause I’m like, when I was 23, 24, was like, I was in an office five days a week, nine to five, and you could get lunch with like a supervisor or something and just.

Joe McCallister (34:07)
Yeah

Thomas Rogers (34:22)
by osmosis, you learn so much more than when you check in over Zoom a couple times a day. It’s just completely different.

Joe McCallister (34:30)
Yeah, we go in three days a week. So we’re Tuesday, Wednesday, Thursday, and I’m in the Denver office here and I’ve got one of my incident responders next to me. And for the longest time, my wife actually works from home and I was like, I’m jealous. I wish I could like got a nice little setup. I’m comfortable. Just get coffee whenever I want. Like the dogs are here if I get bored. And then I know he came on and we get a couple of lunches, get some coffee. It’s just nice to be able that he can spin his chair over and be like, have you ever seen this?

of me, you know, was so upset. were going RTO a little bit and then part of it’s like, dang it, they’re kind of right. Like I get it. I’m still kind of in the middle somewhere. So at least we have the flexibility for a couple of days, but I do see the benefit of, of being into your point, me being in that. That, MSP office is where I met my, my mentor in security, where he was able to say, you’re doing security come study with me and kind of gave me some of that launch pad. So as much as I.

I don’t love the 45 minute commute. On the best of days, it does serve me pretty well.

Thomas Rogers (35:25)
Yeah, pros and cons for sure.

Phoebe DeVito (35:26)
Yeah. And I think, you made a really cool point. One thing I’ve seen is, I think there’s just an additional layer of like intentionality that you need to bring into the online spaces. Cause like you said, in an office, it might be easier to bump into one of your teammates and say like, Hey, you’re looking like really tired. Like, are you feeling okay? I’m like kind of the walk to the, you know, water container or whatever, but online, like, I think you do have to be so much more intentional on both sides. I think that.

know, folks starting their career now are probably having to really learn to advocate for themselves and, you know, build that like relationship and it doesn’t come as naturally when you are in the virtual environment or the hybrid environment. So I like how you touched on, you know, the ways that you intentionally bring that into your one-on-ones with your team.

Joe McCallister (36:11)
Yeah, I think a discussion to be had around, how much of yourself can you bring to the job, to work, and how much is too much to I’ve always felt like, you know, I’m sure we’ve all been on these meetings and maybe even customer calls or whatever it might be. Like you put the mask on and you’re doing the show business and then the call ends and you just like slump. You’re like, that was exhausting. By the end of it, you know, you have eight.

of those back to back all day or 16 of them if they’re 30 minutes or whatever the case might be, you’re just spent because actor and you’ve been putting on the show for so long. In the office, it’s a little easier to see like, know, just had your headphones all day, everything good? Like you’re usually real chatty and you didn’t eat lunch, you good? Like, come on, let’s go grab a snack real quick or something. But yeah, bringing that into the…

the one-on-ones, being able to make those connections and be able to trust that they’ll tell you the truth is a thing. And some people, I’ve had this as well, where we have an individual, we have a great relationship, have a conversation, something seems off, you’re good, yeah, I’m fine. You don’t have to tell me anything. Like you really don’t have to share or overshare. I trust you and I also am here if you need something. You can tell me anything, it can stay between us, you don’t have to tell me a damn thing, we can get back to

If that’s what you want, let’s go do that. So it’s really for the managers and for the people leaders, just being able to dial into that EQ, that empathy. And sometimes it’s really hard for ICs and engineers in this new role. Like, I just want to write the code. I just want to ship the product. Like, yeah, sorry, that’s not the job anymore.

Thomas Rogers (37:37)
You

Phoebe DeVito (37:37)
100%. Awesome. Getting close to the end, although I feel like we could talk forever.

So Joe, the last question that we like to ask folks is if you were starting your career in cybersecurity today, so knowing everything that you know now, what is one thing that you would tell yourself?

Joe McCallister (37:53)
Something that I think my wife has kind of drilled into me is that everything’s going to be okay. Like you’re going to figure it out. It’s the worst piece of advice to get by the way, when it comes to children, when it comes to your career, everything’s going to be okay. You’re going to figure it out, is something that I, I constantly, you know, I will be very candid and say that, you know, every once in a while I check LinkedIn jobs. Then I remember like I’m a member of an amazing team. I love leading the people I lead.

Phoebe DeVito (38:02)
Hahaha

Joe McCallister (38:19)
I love the company I work for. I get to meet cool people every and there’s a lot of work to do. Like I’m very, very fortunate. And, are there days where I’ve slammed the laptop shut? Sure. But there’s never been a day where I’m regretting, where I’m at or what I’ve done. And so I’m very thankful. And even in the jobs I was very frustrated at, I needed to remind myself it’s going to be all right. Like you’re, you’re smart, you’re capable. Like you got to pump yourself up.

you can do this, everything’s gonna be all right. Get out there, make some friends, have a conversation, get some coffee. You never really know when it’s gonna turn into something amazing.

Phoebe DeVito (38:52)
I love that. Well, Joe, thank you so much. It’s been so awesome having you on.

Joe McCallister (38:56)
Yeah, thank you so much. I really enjoyed speaking with you.