Episode 11 of The Cyber Talent Series is now live!
Join Thomas Rogers, Co-Founder of MetaCTF, and co-host Phoebe DeVito as they connect with Mike Takahashi, Director of Security Engineering at BetterHelp and AI Red Teamer. On this episode, they discuss hiring for real-world skills, building teams grounded in curiosity, and developing talent through autonomy and trust. Mike shares insights on AI security and the risks and opportunities of agent-based models. Although credentials are important, he explains why hacking, building, and experimenting matter even more in the age of AI.
Tune in now with the player below, or check it out on MetaCTF’s YouTube and Spotify channels!
Phoebe DeVito (00:11)
Welcome to the Cyber Talent Series where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by my co-host Thomas Rogers. And today we are talking with Mike Takahashi, Director of Security Engineering at BetterHelp and AI Red Teamer. Welcome Mike.
Mike Takahashi (00:30)
Perfect. Thank you so much for having me, really excited about this. I just want to say at the top that my opinions are my own. These are just my own individual opinions. They don’t represent the company that I work for.
Phoebe DeVito (00:40)
Awesome. Perfect. Thanks so much. Well, we’re so glad to have you on.
So to get started, mind just giving us a brief background on who you are, what you’re doing now, anything interesting about how you got there?
Mike Takahashi (00:51)
Sure, definitely. So, way back in the day, I would say 10 years ago now, I was interested in cybersecurity and I learned about this concept called bug bounty. So bug bounty is where companies will pay researchers. They don’t work for the company. They’re just random people on the internet, hackers, ethical hackers, and they will basically pay for vulnerabilities. So typically web vulnerability.
So when I first heard about that, that’s when I started getting deeper into cybersecurity. And I would basically spend all my spare time on that. And then after that, I started to get a full-time job in cybersecurity at Stanford University. And then from there, I eventually made my way to BetterHelp, where I work now. And I’m the head of the security engineering team here at BetterHelp, which encompasses the Red team on the offensive side, blue team on the defensive side, and then of course, application security.
Phoebe DeVito (01:40)
Awesome, super cool. One quick question. So, I noticed that you originally had a BS in chemical engineering. So I’m curious what drew you into cyber from there.
Mike Takahashi (01:49)
You know what, I feel like if I had more opportunities to explore cyber earlier on in my life like as a teenager in a university, I think I’m like instinctually drawn to cyber security. So I think I would have, I’m very passionate about it. I feel like, yeah, if I had just known about earlier, so I think it’s good that with podcasts like these and the work with MetaCTF and everything. I think that the more people that know about this industry that really needs talent, like good talent in various different niches, I think the better. I said, I would have gotten into it way earlier. I probably would have gotten a degree in something related to cybersecurity or computer science.
Thomas Rogers (02:29)
But I feel like with unconventional backgrounds in cyber, but I think that kind of is what’s conventional with cyber careers is the fact that they’re unconventional. But kind of taking that and then like pairing it with, you know, what we talked about at the start with Bug Bounty. I don’t know how has that shaped the way you think about advising people, hiring people, evaluating what kind of skills, interests, capabilities they have. Cyber is a very like, figure it out yourself and like, you know, get creative and be proactive, that kind of thing. Yeah, how does how does all that like shape the way you think about that stuff?
Mike Takahashi (02:56)
Yeah, so at BetterHelp, at least on my team, we don’t hire based on degrees. Like the degree certainly helps, but there’s no, we don’t have like a line item that says must have this particular degree. So I think as the industry has shifted and just like all of society, I feel like has shifted, especially with like the tech booms, that it’s like a meritocracy in a way. And it’s like, what can you do? What can you build? What can you hack? Like these are the things that are important. It’s not a piece of paper. I mean, the piece of paper can help, especially like if you’re learning along the way. You do need to prove to employers like that you can do something. So it does help. But I feel like just building something, like putting a tool on GitHub or like Bug Bounty, like you can say, I’m on the hall of fame of this big company. Like I found a real at this company, they paid me for it. They put me on their leaderboard. Like I think that speaks volumes. And there’s so many options now. Like back when I was in university, I don’t even, Bug Bounty was probably barely a thing. Now it’s everywhere. Almost every major company has it. And there’s a lot of opportunities. It’s more competitive as well, but it’s also, there’s so many ways to prove that you can do something. And you can start in high school or even middle school. Like you don’t have to wait to university age to start getting into it.
Thomas Rogers (04:18)
Thinking about you as a people manager and like a hiring manager and stuff, I’m sure bunch of people now building out managing teams and everything. Because you do have to take a pretty holistic point of view, I’m sure as a hiring manager in cyber get a good picture of does this person have what it takes to do the job.
In addition to like, are they a culture fit and all those other important things? But like have you thought about that? What type have you built about evaluating, people?
Mike Takahashi (04:47)
I think that no matter what the role is, I have a preference for people that have an security think no even in a purely defensive role if you have a strong understanding of the actual attack paths that can happen, then you’re you’re going to be a way better defender. Because I’ve heard a lot of cyber security people talk about various theoretical all the, like the various things that they need to defend and like what priorities, like, we need to patch this. We need to implement this best practice or whatever. But then my question is always like, well, how does that stop a real attack? Like what, what are the top practical scenarios where like you could actually get attacked? Like if you’re going to get breached this year, what is likely going to be the reason and let’s reverse engineer from there and, and mitigate every step of those attack paths. Let’s prioritize those and better even if they can actually do it. So if they are a blue teamer, but they’ve done pen testing or they’ve done bug bounty or they’ve done some sort of offensive security, it makes them like a much stronger candidate to me.
Thomas Rogers (05:49)
If you’re running a hiring process, you typically do a case study or a hands-on assessment or something? Or do you just talk through it the way we just did?
Mike Takahashi (05:57)
We do both. We typically have earlier interviews that are conversations and question and answer. And then we also do technical interviews as well. in content based on whatever the role is. So it basically will mimic something within the responsibilities.
Thomas Rogers (06:14)
This is like a really interesting, one of the reasons why I wanted to start having these conversations and like actually record them, because very curious about like how people this. And often, you know, the thing you hear is from people who have hired a bunch of people is, I just like, I know what to look for. And especially who gets promoted from like an IC into a hiring manager for the first time, like how do you build that intuition and without making mistakes and, just going through the pain of that. So did you figure out what works for you all?
Mike Takahashi (06:44)
I mean, I’ve done a lot of interviews. So that’s part of it. I think just getting practice is going through a couple different roles. I think a hard part is you have to realize like there is a bit of rolling the dice. Like you’re never going to be sure if someone’s going to work out. Like some people interview well and they put on a really good face and some people interview badly. Like you could have a really good candidate that just doesn’t like they get nervous or anything like that or they just don’t articulate like they normally would. So I try to see past those things. Like I try to ignore like the superficial stuff and try to stick to like, okay, how do they answer the questions? Like, how do they do on the technical? Like I try to focus on those as much as possible and try to also like assess their background. Did they build, like, did they do something that’s provable? Did they build something? Are they on a leaderboard? Like even a CTF, like, did they play a tie on CTF? Like, I think these things are a bit more obvious and you’re not having to like make as many like judgment goals.
Thomas Rogers (07:38)
That makes sense. That’s really interesting. I feel like kind of just like creating like a process. what’s real and what’s not. I feel like, yeah, it’s like the bad test takers. Like people who are really smart, but just can’t sit and focus for like four hours. It’s like that doesn’t mean they’re not smart.
Mike Takahashi (07:53)
Yeah. Well, so like with like a university exam, right? Like there’s no job mimicking. That’s just like trying to see if you memorize some knowledge. But so that’s why with like with our technicals and also just the questions we try to get as close to the real thing as possible. It’s not going to be one to one, but close.
Thomas Rogers (07:59)
Right. Switching gears slightly because this I feel like this is connected, but you’re a great social follow. A bunch of people on your team are really good social follows, too. But like the thing that I take away from like reading, reading a lot of your stuff and people on your team is there’s just a lot of like curiosity and you guys just are constantly like finding new stuff to be interested in. Is that something you like is really intentional with you like finding people like that and encouraging people to be really curious or is it just something that happened? Yeah, how did that come about?
Mike Takahashi (08:46)
Yeah, I would say 100% of the people on my team are curious than always researching new techniques, attacks, extremely passionate even outside of, just the day to day work. Like it could be late at night or, know, there could be a conference or something, and we’re going to be diving deep into something that maybe is outside of the normal duties, but you know, in six months, it might become part of the duties. You get good at something, know, AI security, for example, like is a new thing. And it’s get good at it, you might end up doing something that uses those skills later on. Yeah, would say 100% of the people on my team are very curious and, and also passionate about it’s fun to work with people like that. Like you can trade tips that you heard or articles or just like have deep discussions innovation in cybersecurity.
Phoebe DeVito (09:34)
Awesome. I think it plays in probably more naturally to a team that is full of really curious people, but I’m curious how you, as you’ve moved from, you know, individual contributor to managing people, how your perspective has shifted on continual growth and, you know, creating growth paths for people or what some of those conversations look like with your team, whether it’s, you know, how do you identify where you want to go next in your career or what are the concrete steps to get there?
Mike Takahashi (10:02)
Yeah, it’s a it’s a always asking people to ask themselves like they have to look within like what what do they want out of a job? I mean it could be anything. It’s different for different think that’s the first thing like just advice in general. Good advice like you’re talking to your manager like tell them what you’re thinking about, even if you’re only on the first step along that path, just say hey, I’m interested in this becoming an expert this or this more senior role or becoming a manager or like whatever, whatever goal you have. And even if you’re not 100% sure about it, I think at least vocalizing it helps to manifest it like both yourself, but also like people you talk to like they’re like, Oh, I know that they’re interested. This, you know, training thing is coming up or this conference is coming up, I’m gonna have them in mind now to send them And
At least on my team, try to give them a lot of autonomy. I try to, we try to hire people that we’re hiring them not just for their abilities, but their ability to assess the security posture and make judgment calls. It’s like they make judgment calls all the time about like how to use their time wisely. And so some of that also manifests as side sometimes,
they’re super interested in a side project. They’re like, hey, I’m willing to work extra hard to like carve out some time to do this, even though it’s not part of my day to day. And I try to encourage that as well. So it doesn’t always work out, but whenever possible, we try to stretch a bit and explore like these, like outside the comfort zone.
Phoebe DeVito (11:26)
Yeah, absolutely. I think it’s so, it’s such a good lesson in just starting that conversation. I feel like that’s hard early in the career. know, some, some people feel like they don’t want to bother anybody, but it’s like having a mentor or someone on your team manager that you can just talk to. We’ve had a lot of guests on here who so much of their career trajectory was shaped by the ability to just, bounce those ideas off of someone and learn what it means to be able to identify for yourself, where you want to go next.
Mike Takahashi (11:53)
Yeah. Something that’s interesting too along those lines, which is like, yeah, that’s for sure true. But I think people don’t realize some random idea they have maybe there’s like someone that’s in application security that wants to try a pen testing or something. Or, you know, someone that’s in pen testing that wants to try some sort of application security.
They think in the moment, oh it’s just this random just having a weird thing today, but in six months, it might become their career. I think you should treat those thoughts seriously. If you’re having a real idea, explore it. Go try it. Go do a side project even outside of work, go on a weekend, go run a tool, go do a bug bounty. What starts out as a random interest might turn into like if work on something every day, it just grows and grows.
Thomas Rogers (12:37)
Sure it feels super intuitive to you and probably pretty natural, don’t think it is for a lot of in your position, your level, but how do you facilitate giving people the confidence to do that stuff want to do that stuff?
Mike Takahashi (12:52)
Yeah, I think just providing support like just making sure you have their back they need to carve out some time or They need sponsorship to do some sort of research or go to a conference or something like that. Just I would say just being as supportive as both, you know. Person to person like hey, I’ve got your back like I really support what you’re doing. I know it’s not your day to day, but like I really think it’s worth spending some time on. I think that also helps people.
keep people engaged, like even if it is outside of their comfort area, like I think it make them more engaged with their day to day as well, because they feel like invigorated by it. I think work, you know, even if you’re passionate about it, it can get mundane if you just do the same thing over and over again. I think being able to switch it up and explore and expand knowledge, I think is important, like constantly, especially in all the time. Like the whole industry shifts in like three months or sometimes. So if you don’t also do the same thing, you kind of become extinct over time, I feel like.
Thomas Rogers (13:46)
Kind of continued on that, but, we talked about this a little bit earlier, do you think about, uh, you know, people being, you know, specialists first generalists, you you talked about understanding offensive and defensive, curious your thoughts on app sec or, even like, I don’t know what relationship you have with like developers, you know, people building, you know, testing software,
How do you think about all those different types of people developing themselves and also working together?
Mike Takahashi (14:12)
Yeah, far as like a specialist versus generalist, I think more knowledge and skill is always better. think typically companies are hiring you for a specialist, for a specialist role. Like the smaller the company, the more generalist it’s gonna need to be. But even then, think generally they most, at least like we do, we typically have a specific task in mind. It’s like,
Okay, the reason why this role opened up is because we have this like heavy demand for this some sort of operational need that’s that’s usually very specific and it might grow over time and shift over time. But there’s there’s usually like an impetus to their their job posting. So I think that’s important to be strong in and it’s like, so I think definitely having at least one niche where you’re super, super strong in, I think is is the best but also there’s tangential knowledge that’s useful specialist role. Like I said, with like a blue team, it would still be good to know how to hack because then you know how to stop a hacker. It does play into it as well, but yeah.
Thomas Rogers (15:12)
Have you seen around? I mean, it seems like y’all have like a pretty good culture curiosity thing and know, new stuff. I assume that also can lead to, you know, people finding things that they didn’t know that they liked as much as they So yeah, have you seen, what kind of success have you seen with that stuff? Whether, you know, at current role or, you know, people you’ve gotten to know in the industry.
Mike Takahashi (15:35)
Definitely. We’ve definitely had roles. Like like devs into application security, for example. I think, especially if there’s a lot of overlap and then there’s the skill-based skill set you need and then the interest, like, okay, I’m a developer. I know how to code and then, but I’m also like super interested in cybersecurity. Like I think you can work your way into like cybersecurity roles, for example. I think any technical role works well with cybersecurity roles. I think
You know, IT developer. could be anything. It could be machine learning. Like there’s there’s so many. Areas that get attacked by hackers that there’s usually a cyber security role that’s also there.
Thomas Rogers (16:12)
I’m curious, being that you’ve been in same place for a while and have moved up to managing more people, type of manager are you do one-on-ones? constantly chatting with people?
Like what kind of manager do you see yourself as? then we’d love to hear anything you could share about like your philosophy on that side.
Mike Takahashi (16:37)
I would say I’m the opposite of a micro manager, so I try not to do that as much as possible. I believe in hiring people that are trustworthy and effective at their jobs and can make judgment calls and believe in empowering people even no matter what. If they’re junior, mid level senior like it doesn’t matter like
they carve out a thing that they’re good own it, and then you can trust them to do I do that as much as possible, so I try to give people autonomy. Also, my team is we’re up to like 12 or 13 now, so I really don’t have time to micromanage, even if I wanted And I think people, enjoy their jobs more if they have autonomy.
Like if they feel like their decisions, like they can make decisions and they are they can own something and really like see it to fruition. I think that’s really important for like job satisfaction. I think people get burned out quickly if they’re just constantly being told what to do and they can’t like go outside of that. They can’t express their own ideas or their own, you know, trajectory where they want to steer things. So I try to encourage that as much as possible. There’s I mean, there’s there are times and places
You have to pick your battles and you have to say something. You’re like, OK, this is like a major shift like that that I need to like provide some guidance on. But yeah, like I said, I typically try to hire people that are trustworthy and. Can do their own thing and everyone brings a different perspective like just because you’re manager doesn’t mean you’re like omnipotent and you’re going to know everything everyone has a different viewpoint. They’re going to notice something and it might be really crucial to the security posture of the organization. It’s like, if you don’t trust them, going to have a blind spot.
Thomas Rogers (18:11)
Totally, and I feel like manager doesn’t need to, I think it can have like almost a negative connotation in some places, like you said, where the micromanagers come play someone could take the approach of just sort of being the person who holds you accountable and make sure it doesn’t have to be like that. It can be more of like a career coach almost type and like a guide. So yeah, I think that distinction is important and like it totally depends on the company and the person, hear. I’m curious also like are individual people coming to you like asking for advice career development? Stuff like that. I assume it’s a case-by-case basis. But yeah, how much of that are you doing proactively versus the person coming? You know your your direct reports coming to you for that
Mike Takahashi (19:02)
Yeah, that definitely does happen. think the more early on in their career, less of a specific direction they have decided. They are definitely looking for more guidance or just general ideas and tips and things because they haven’t been around the block yet. So I think the more senior roles, it doesn’t happen quite as much because they’re either just they’ve already found what they want to do or they have some sort of idea.
But it can also happen there. I will always ask. There’s certain things that I always will ask about, at least periodically, every six months at least, or every few months. And some of those are along the lines of what you’re saying. Do you have any specific goals that you want to achieve? I think sometimes, especially if someone’s newer at a company, they don’t have the confidence to say something like that, like to bring up like, I want to do this or they think they’re like encroaching somehow, I think can happen where it’s like, I don’t want to bring this up because they’re going to think like, I’m not happy with my job or something. And, or I don’t know, there’s, have whatever their apprehensions are, will make it so they, they don’t bring it up. But if you at least ask them specifically, they might answer the question. It gives them like the permission to like bring it up because you’re specifically asking. So I do think that that’s useful, every now and then.
Phoebe DeVito (20:19)
That’s awesome. And it seems like that plays, you know, really well hand in hand with that culture of curiosity as well. I’m sure if you, you know, encourage one, it would kind of encourage the other as well.
Well, pivoting a little bit, Mike, I know you’ve done some AI red teaming research, would love to hear and talk a little bit more about that.
Mike Takahashi (20:38)
Definitely. So, like I mentioned earlier, like I definitely encourage people to have side projects, that kind of work, just to constantly explore and improve your skills. And I definitely do that as well. So I do, ever since ChatGPT came out originally, I’ve been playing with it, both to augment cybersecurity, ability. So like you can use it to, summarize things or parse through information very quickly.
And as well as attack the models themselves. A lot of these companies have bug bounty programs. So like Anthropic, OpenAI,
there’s also an organization called Odin, which is under Mozilla. And they also have a bug bounty program that encompasses basically all the AI models. It’s like a coordinated disclosure and bug bounty program where they work with the companies and tell them about like different like model specific issues like jailbreaks. So I’ve done work with Odin and Anthropic and various other.
AI bug bounty programs and just general research. Like I’m just constantly playing with other models. Like I think that’s my biggest piece of advice is like just prompt as much as possible because every, every time you prompt and use it, like you learn something about how the models work. And especially these days are giving the models more and more power. Like, you saw OpenAI just came out with Atlas, the browser, which basically has like an agent that can control the browser and then like the Comet browser and all these different like integrations and CPS etc. So I think it’s a I think it’s a good area to be good at. No matter what your own cybersecurity is, because these like if you’re on the blue team, for example, your company is going to start implementing all sorts of AI powered tools. Maybe there’s even like blue team tools powered by AI as well. So it’s like, it affects basically every part of cybersecurity, like not only like on the product side, but as well as like just internal tooling as well. It’s like, if you look every single SaaS company is coming out with AI tools. So it’s like, you got to really pay attention to what’s going on and what the capabilities are, but also the risks.
Phoebe DeVito (22:32)
Yeah, a hundred percent. So, as you’ve continued doing that research or encouraging others to, and just kind of playing around with it, like you mentioned, what is exciting to you about it? Like I think he hit the nail on the head, like the more and more you prompt and you you get smarter, the tool gets smarter. It’s an exciting kind of feedback loop. And so I’m curious what about it kind of excites you.
Mike Takahashi (22:53)
Two things is the power of it. It’s able to do so many things that in two seconds that we would normally take like hours to like code up some sort of script or something. Like it tear through all kinds of tasks in minutes. Like it’s shocking to barely seen the tip of the iceberg, I feel like these models, you unlock different abilities every time you prompt them and different prompts come out with different responses. And there’s, you know, a nearly infinite number of prompts. So I feel like there’s so much unexplored territory and even just specifically within cybersecurity, like there’s so many ways you can use it. I think that’s the most interesting thing. I think also like the non-determinism of it makes it like, it feels like magic sometimes, like sometimes you’ll get a response that you don’t expect.
You’re going to see the same thing over and over again. So it also makes it more dangerous. So a lot of like AI red teaming is based on this principle. Like you can, even if you do the exact same prompt more than once, like sometimes it will break the model even if you say the same thing. So it’s like, it’s just an interesting problem to solve.
Thomas Rogers (23:42)
Yeah, I mean so many exciting parts of that. Any downsides you’ve seen or things to be aware of? Kind of taking the other side of that.
Mike Takahashi (24:05)
Obviously the privacy aspect like, okay, so you’re sharing this data in the problem. Are you sharing sensitive data or files or integrations? I think there’s like a privacy and security risk there with just like, you know, the data itself. Also now is for a while the chat bots were just chat bots so the security risks were pretty limited. Now that the agents are coming out and like your basic consumers, devs with their IDEs, and as well as like these browsers that are coming out, the risks are directly proportionate to the power that they’re given in the access. Each time that they’re given more data or more ability to act on data or tools, it just opens up more attack paths.
And like I said, hard to police the actual models themselves with guardrails because they’re It’s not like normal cybersecurity where you can just patch a vulnerability and it goes away. You do that with a model and it will work 90% of the time, but there’s still a 10% of the time where different things can happen that you’re not expecting, different prompts that you’re not expecting. So I think that’s the biggest thing that we need to watch out for right now. So if you’re at a company and you’re trying to some sort of agent that has all these powers to do all these different things within your environment. Just know that if you allow a user to put a prompt in there somehow, it could be a document, could be a chat bot, that can be used as an attack vector to get to anything that the agent has access models are easily tricked and so everything downstream from that can be hijacked.
Phoebe DeVito (25:34)
So, Mike, just to wrap up, one question we ask everybody is if you were starting your career in cyber now, what is one thing that you would want to tell yourself?
Mike Takahashi (25:43)
Oh, that is a good question. I would say don’t underestimate what you’re doing if you’re not really doing anything, you’re probably wasting time, like go do something, go hack something, go build something. It doesn’t matter what. And also don’t underestimate it because that thing, that little random side project that you have that seems like trivial could become your career in like six months or a year
years down the this tiny little concept or interest in your brain can blow up into something massive the road. Like when I started doing Bug Bounty, was just a fun little side bounties were super small. Like I barely knew what I was doing. I was fumbling around and, then I had no idea whole career would follow that. So yeah, I would say believe in yourself. Don’t underestimate.
the little things that can add up and, just also like hack, build, like break and build things like right now, like go do it. Like don’t, don’t just like read about it and wonder about it. Even if it’s small, do a a bug build a security tool and put on GitHub and share it with the community, like engage with the community. think all of those things are super impactful and you’ll be shocked later on if you keep doing that, how big it can become.
Phoebe DeVito (26:54)
Awesome. Great answer. Well, thank you so much for coming on today. It’s been such a pleasure.
Mike Takahashi (26:58)
Thank you so much for having me and anyone’s interested in working at BetterHelp on my team, we have some open roles, at least probably when this is posted, they should still be there. So go ahead and go on betterhelp.com/careers if you’re interested.
Phoebe DeVito (27:12)
Awesome. Yeah, check it out everyone. Perfect. Thanks so much, Mike.
Thomas Rogers (27:15)
Cool. Thanks, Mike.
Mike Takahashi (27:15)
Thank you