Ep 12 – The Cyber Talent Series

Episode 12 of The Cyber Talent Series is now live!

Join Thomas Rogers, Co-Founder of MetaCTF, co-host Phoebe DeVito, and cybersecurity industry veteran, Rob “mubix” Fuller. On this episode, Rob shares the importance of establishing interview rubrics and tips on transitioning into a leadership role as someone who also loves being “hands-on-keyboard”. Their conversation also explores mentorship, community involvement, and why curiosity and humility remain essential at every stage of a cyber career.

Tune in now with the player below, or check it out on the MetaCTF YouTube and Spotify channels!



Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by my co-host, Thomas Rogers. And today we are talking with Rob Fuller, Vice President in a Cybersecurity role. Rob, we’re so grateful to have you here today.

Rob Fuller (00:17)
Thanks for having me.

Phoebe DeVito (00:18)
Awesome, so to kick it off, do you mind just telling us a little bit about who you are and what you do?

Rob Fuller (00:23)
I participate in a cyber collegiate defense competition, CCDC for colleges. I have a startup that does training and things for Black Hat and other corporate events. Like you said, I’m a vice president in a Fortune 500. Just actually recently finished my CISM, and I’m working towards being a CISO. I just got invited into Carnegie Mellon CISO program. I have three degrees. I have a bunch of certs. I help and participate as an advisor for MetaCTF/Skillbit and United States Marine.

Phoebe DeVito (00:54)
That’s awesome. Super comprehensive. Thomas, you look like you had something there.

Thomas Rogers (00:56)
Yeah, I mean like, hard to narrow down and like hone one specific area of expertise, but one thing we talk about all the time is like, yeah, within your professional roles and like your career, you’ve done a lot of hiring, interviewing, mentoring.

Whether as a part of like your actual job or kind of on the side, like you mentioned the CCDC stuff. Would love for you to share just a little bit about your philosophy around like interviewing. I think interviewing is an art in some ways and also just, you know, something you can build experience on.

I do think a lot of the professionals that I talk to that move into people manager roles for the first time, they’re not quite sure how to do it well. So if you could shed any light, experience gained through the years of what works, what doesn’t work, that kind of thing.

Rob Fuller (01:41)
So as the interviewer, one of the hardest things to get out of people, I mean, you can ask technical questions. You know, there’s the default. What port does Telnet run on? The trick question of what port is ICMP? There’s all these trick questions that you can kind of understand a little bit of the technical insight. For me, as interviewing specifically for red teamers, but this applies outside of it. I feel like you have to have a rubric. And what that means is I ask in my interviews, eight questions, it’s been the same eight questions for 10 years, 20 years, somewhere on there.

And the cool thing is that the same eight questions, even though the technology has changed, even though the skill sets have changed, even though the roles that I’m interviewing for are changing. And the reason why that works is because it’s a point system that goes on how well you know these different things and how you respond, and you can get enough points in different sections to get there.

The super important thing about making a rubric, making a point system for your interviews and not being super subjective and just be like, I like them more, I remember that I like them more, is when you get down to having to fight for the person that you want, like just as an example, I was in a situation where there was an individual who scored really well on my rubric. But they did not have a master’s degree. They didn’t have I think, six years of experience when the requirement was four, but it was recommended six. And they did really well. And our HR partners and recruiting team was like, hey, why didn’t you pick so and so and so and so? This person has a PhD. This person has a masters and 10 years of experience. Why am I going to pay for this person who has none of those things? And when I go in front of them and show them, well, this is the point score. This is how they did. They’re flabbergasted. They asked for a copy of it. I’m like, nope, I’m good.

The cool thing about that is I go with receipts, as you would say, right? And instead of, I like this person more because. And so interviewing someone, you’ve got to figure out what your questions are and keep them very broad. But for the specific types of roles, you want to really have those questions in mind. And then it’s repeatable. Then it’s so easy to say, well, the 17 people I interviewed, not one of them got a score in this box and I really need this box. So we need to look for more. And that’s important because you’ll have HR partners or people who are trying to hit their metrics with the recruiting and say, hey, well, you’ve had this rec out for six months. We’re going to close it off. Well, give me better people because this is what I’m looking for and you’re not filling that role. So you have to be systematic in your questions and you have to be systematic in your setup, or it’s just a bad game of do I like this person’s face better? And I honestly like that’s what it comes down to me. And that’s one of the things I hated when I first started interviewing people was after the interview, initially, like I was on board interviews and stuff like that. It’d be like, so what do you think of this person? Well, I thought this person that and that person that, and I’m like, okay. And then the next person comes along and it skewed differently based on what the last person was like. I hated that. I can’t even imagine if I knew that was happening to me. I’m like, can I just interview last or first instead? It’s just a broken setup.

Thomas Rogers (04:56)
I think there’s these studies about psychologically, like in movies where like the first character you see you’re rooting for that person. (Rob Fuller: Yeah) I feel like there’s something similar in interviews.

Rob Fuller (05:04)
Yeah, I mean, usually the first person that you interview is someone who’s been recommended. Like that’s, that’s why our entire industry or even at large people generally who get recommended get in the door and get the job because they probably hit that.

Thomas Rogers (05:21)
What did it take for you to get to the point where you had the rubric that you felt good about, because I imagine you probably made some mistakes early on?

Rob Fuller (05:29)
Well, first off, I was doing the interviews and was really subjective and just, this is a character flaw in myself. When I see something that is inefficient, I will hyper-focus and fix it. So I took two months of not doing a lot of actual work and trying to get this thing fixed.

I built it and I’ve done a few tweaks over the years. I wouldn’t say any specific mistakes in it. But that’s a good question. I guess mistakes I would say is sometimes someone would talk about a specific subject or a specific answer and I wouldn’t have a point score and I would add it in the wrong spot and maybe had to move it up or down based on my own subjectivity that everyone should know these, but my mistake would be that initially the rubric was heavily weighted towards what I expect people to know.

Thomas Rogers (06:20)
Yeah, so mistake one is not having a rubric. Mistake two is like, misweighing different parts of the rubric, and then you just refine it over time. So it’s still is like a, you get reps, and then you also see people on the job and you’re like, okay, that person, that was a good hire. How did they cross-referencing like what the rubric actually had them at? I don’t think I’ve asked you this question before, but I’m curious cause you mentioned the data-driven approach where HR comes to you and says, this is a perfect candidate on paper. You’re able to defend it based on the data you have. Have you applied that to actually creating job reqs? Because I assume at certain points in your career, there’s probably times where people are like, do we really need to hire a new role? Do we really need to create a new role? Or maybe not. But yeah, curious if you’ve used a similar approach to actually fight you know, like get a job posting in the first place.

Rob Fuller (07:05)
So, getting job postings is a very different beast than hiring. That’s usually something that even as a VP, I have very little control over. I can fight for job postings, but at the end of the day, it’s an org decision that is sometimes based on finance, based on who looks like they need the most people, so at the end of the day, the thing that I would express on that particular point, but to get the positions, you have to be okay with showing failure. And that’s something that a lot of people have a hard time with, and that is the only way that you can guarantee that people are going to be sent your way or your leadership is going to send people your way. It’s like, hey, I’m underwater. Like, I can’t get all of this stuff done that you’ve asked me to. These seven people that I have under me can’t get it done either. Like, we’re not hitting our metrics over and over and over again. The problem is you have to be trusted that you’re doing a good job or at least trying.

And so, politically, you have to have good trust that you’re trying to hit those marks and just failing at it. And the problem that we have in cybersecurity is that we, and many people in all kinds of industries, they don’t wanna leave something unfinished. So they get it done anyways, and they sacrifice home and family and other things to get the job done, which is a valuable trait when it’s actually needed. Like when stuff is hitting the fan and it’s make-or-break time, sure. Like I understand that. But when you’re spending 16 hour days on reports and metrics like meetings that don’t need to be meetings, like that’s, that’s when you’re failing. So that to answer your question again, long winded, but the thing is, you gotta be okay with failing to get those roles posted.

Thomas Rogers (08:58)
I love that. I never would have expected you to go that direct- it’s like vulnerability. But like, warranted vulnerability, and like earning the trust to, display that. That’s super cool.

So, I think one of the things about cybersecurity that’s really interesting and unique is there are a lot of ways to like quantify capabilities or skills. It’s not perfect, obviously, but, in an interview process, it’s not holistic because if you only focus on, you know, a person’s capabilities or skills or knowledge, you could be missing a lot of other stuff that’s really important to like, are they a good team player? Are they a good cultural fit? Are they a good problem solver?

But I’m curious, do you agree that cybersecurity is uniquely a field where skills and capabilities are, more quantifiable than others?

Rob Fuller (09:41)
I would say that no. I mean, I think that in many fields, you have an easy way to quantify skill set and capability. Some of it’s a lot more defined even than cybersecurity, right? Like we have certifications that kind of go along that route. But as far as like, I don’t know, like the eight questions that I have actually do a really good job at quantifying both curiosity, which is something that is very needed in cybersecurity, technical skill set, as well as your ability to kind of think outside the box and be a team player.

But I would say that my particular interviews are generally technical and curiosity and out of the box thinking, whereas I tend to have my team interview for team fit. I know that’s not okay in many HR fields. You should never interview someone who’s above you. You should never interview someone your same peer. All of these faux pas but honestly, like I think that if you don’t meet the people you’re going to be working with, that is a huge problem. And I tend to ask for forgiveness when I do that. Because I really need the attitudes, the personalities to all jive. And if they interview, and it’s a big red flag that like there was an argument during, I’ve actually had this- An argument during an interview, yeah, I don’t care how good you are technically, like it’s done.

Phoebe DeVito (11:10)
So it’s funny you say that. I have been in a position where interviewed with all the peers that are going to be on your team and agree like I can recognize the limitations and I think it did lead to a lot of team cohesion and helped us, you know, maybe dodge a couple bullets. And so one thing I’m curious about going back to kind of the psychology of it. Another psychology that I noticed myself in those situations sometimes falling victim to is just that kind of like group think. And that was because in this particular situation, we would do a little bit of like a round robin debrief. So I’m curious, like, how teams can strike that balance, you know, if you are in a position where you are going to be interviewing with a team and, you know, they’re disseminating that information back to you, like, do you do that in kind of a group meeting, one on one, curious to hear your thoughts on how you can kind of avoid some of those psychological pitfalls.

Rob Fuller (12:00)
Yeah, I know this is going to be posted and someone’s going to, from my team is probably going to hear this. So I apologize ahead of time. And if you hear this, we can talk. But, I tend to just listen to how individually they talk about the person and kind of ignore some of their decisions about the person.

And so someone can be saying, yeah, they’re not super technical, but they were kind of fun, they were interesting, and then they, not specifically those words, but when you’re talking about someone that you interviewed, you can get a vibe on how that person did in the interview, even if they technically didn’t succeed, right? And so I tend to talk to people one-on-one about that just so I can get their honest feedback.

But I think that group think in particular cases is good because if everyone’s kind of the same lines, you know what? I’ll take that back. I think that sometimes, normally I do just have people all talk to me after they’ve all talked to themselves, like reviewed afterwards. And I don’t know. I don’t know what the better option is. I think that there are probably people that I’m leaving out of the conversation that had an opinion but didn’t feel comfortable saying it in the group. And I probably am just missing out on that. I’ll do better.

Phoebe DeVito (13:22)
I think too, like you’re really inspiring me with the rubric idea because I think that could even be a solution. You know, the times when I did go into those conversations, and I had even taken notes, it was a lot easier to stay authentic to my initial reaction. And sometimes kind of interesting, I think there is a value in saying like, well, you know, I kind of read them this way, but now that you say that maybe it was because I was the last interviewer, and it’s great to hear that other people didn’t have that experience. So yeah, I think there’s room for all of it. And you know, there’s like humaneness in all of it. So I appreciate that. (Thomas Rogers: Bring the receipts. Yeah.) Yeah. Bring the receipts.

Thomas Rogers (13:56)
Rob, I’m curious to hear your thoughts on how AI has changed interviewing. Like, has it changed it for you?

Rob Fuller (14:02)
This is anger coming. I find interviewing, so as an interviewer, I think that AI can help build interesting questions for you to ask. I personally don’t want to ever have AI in the room as it’s happening, either side of it.

Because I think that that removes the personhood of it. I have had people that I interview absolutely reading from what the output is of an AI. I have very small bits of training in reading prompters for Hak5, and I’m okay at it. It takes a lot of skill and practice to be good at reading a prompt and speaking naturally. But it is very obvious if you are reading from an AI prompt when you’re doing an interview, either side of the fence, right? It’s an immediate turnoff for me.

Because it’s no longer me interviewing you, it’s me interviewing ChatGPT. And that’s just not like, I’m not hiring them, I’m hiring you. And, so unfortunately, as it is right now, I’m sure that opinions or actions will change as we grow through this technology, but if I can tell that you’re using AI, I’m not going to hire you, period. Like it’s just not an option.

Because you didn’t trust yourself. You didn’t know enough or think you know enough to come into it. Honestly, I think that if you don’t come in as your authentic self, you’re already one step behind.

Phoebe DeVito (15:29)
Awesome. I love that. So transitioning from hiring and interviewing into managing teams. One thing that has come up with a handful of our guests on this podcast is just the mindset shifts that happen when you’re moving from an individual contributor role into a manager role. And so I’m curious if there’s anything specific when you reflect back on that journey for you that were, you know, key learnings along the way or advice you would give to someone who’s trying to transition into a leadership role.

Rob Fuller (16:00)
Yeah, my one career regret and biggest regret was, and I’m going to take you down a little bit of a story, but while I worked at General Electric, I had an amazing opportunity. My boss was leaving. I was a red teamer at the time, along with one other senior red, and my boss was like, one of you two is gonna take my role. We’re looking internally only really. So let us know if you’re interested in doing that. I’m not exactly sure how fast my peer said yes, but I was really quick to, nope, I’m good. I was like, I really enjoy being on keyboard. I don’t wanna do all that managerial stuff.

I have no experience in it. And so immediately went for obviously the only one who was applying for the role internally at least. And the reason why it’s a regret is because that night I went home and my wife who knows everything, I was like, yeah, my boss Craig, he’s moving on but, they were going to hire internally, and I said no don’t have the experience to be there. I want to be a good leader. And she’s like, what do you mean you don’t have the experience? I’m like, I mean, I’ve never been a manager. And she basically slaps me upside the head and it’s like, okay, you were in the Marine Corps for eight years. Did you not lead anyone then? I’m like, yeah. You built NoVA Hackers from scratch.

You always complain about how many of them you have to handle. There’s like 900 people there. So you didn’t lead any of them? Yeah. She starts off naming all of these other things like CCDC and so on. So what you’re telling me is that you have the leadership experience, but you just don’t think you do for some reason. And I was like, yeah. And then like, honestly, that team was like a family to me. I still talk to them to this day so many of them and every like GE was a great experience. And I think that my peer, Dale, he’s awesome at his job, and like I would love to have seen how that would have shaken out, but man, not going for that role was a gut check. And the reason why it was a gut check is because it became infinitely harder to try and transition from an individual contributor after that because I didn’t have the experience. And everywhere I looked for jobs in leadership after that, they were like, hey, we need at least five years of managerial experience. I’m like, uhhh I don’t have it on paper, I have these things that my wife told me about.

And it was never good enough until another person gave me a chance. And unfortunately, was not me doing it. I mean, I did the effort to build my group enough to get that opportunity. So I did do the work in there. I’m not taking that completely for granted. But yeah.

So I would say my biggest offer up for people looking to transition from individual contributor to leader is take the leap, take the chance. Anytime someone says, hey, try this leadership thing, do it. Take that experience. Also listen to your spouse. They know better.

Thomas Rogers (19:01)
I feel like everyone we’ve talked to has been in some sort of leadership role in InfoSec and everyone has expressed some sort of like pain in that transition, whether it’s like, I did it too late or like maybe some people even be like, I miss it. Like I miss the individual stuff. Like I appreciate the managerial side and the responsibility that comes with that, but it was a tough decision no matter what.

Rob Fuller (19:27)
I want to fight you back a little bit on the I miss it part. I hear that a lot from managers and I have never, once in my life needed my job to give me something to do. Like, I do CCDC. I do all of this stuff outside my job. And hands-on all of, like I have a lab that you can’t see that is 25 servers, right?

And if you look at my GitHub, I have been coding a freaking storm in the last month. And I hate that cop out. I really do. Because you can absolutely be hands on keyboard even though you’re a manager. Sorry.

Thomas Rogers (20:06)
I feel like it’s like me saying I used to live in Chicago and being like, and it’s December. I miss Chicago. And it’s like, if I was in Chicago right now, it’d be like five degrees. It’s like, I don’t miss it. (Rob Fuller: You missed parts of it.) Yeah, exactly. So I was going to ask, you mentioned all the side hustle stuff you do and not even side hustle, but like stuff you do for the community. You do so much. I’m curious, how you’ve applied that to your actual like how you apply what you’ve learned there and management or mentorship, stuff like that.

Rob Fuller (20:30)
That’s a good question. So I will say that CCDC, just going back to that again, is hands down the place that I learned the most stuff about red teaming, a million percent. Because one of the things about CCDC is you have to be invisible to blue teamers who are staring at that whole weekend.

And, if I can be invisible to someone staring at the screen, I can be invisible to a SOC any day, an enterprise SOC any day. And like that, that was the challenge I needed to really hone my skills on the Red teaming side. Leadership side, volunteering, so I’m actually helping with a GMU, George Mason University team doing a cohort like end of year thing. I can’t remember the name of it, but working with and volunteering with ShmooCon, doing and working with NoVA Hackers, like all of this other stuff really has you doing the people side of things and handling people. So outside of the paperwork for HR stuff enterprise-wise, like I can pretty much handle any situation.

It also gives you empathy. That’s one of the big things. When you are volunteering where you have zero authority to push something onto someone, you really have to figure out what’s driving them, why they’re doing the thing that they’re doing, and how to get them to do the thing that you need them to do without any authority at all.

And so when you can do that with a little bit of authority once you’re a manager or senior manager and a little bit more as a director and a VP, you wield the knife a lot softer and a lot easier when you have the experience and know that, you know, everyone’s for the most part, everyone’s trying to do a good job. They might just not have all the information or they have something else going on in their lives that you gotta handle and understand.

To get back to your question, all of this stuff, anything that I do outside of work just intermingles with all of the other stuff. There really is no discernible line in between them.

Thomas Rogers (22:30)
So one other sort of side quest, if anyone’s questioning like how much other stuff you do that you didn’t mention, but you posted about yesterday is Silicon Valley. (Rob Fuller: Yeah.) So advising that show, did that experience help you in any ways? Or was it just kind of a fun thing you did?

Rob Fuller (22:47)
It made me remember how much I hate shift work. And so I actually helped design some of the set stuff too for the automated refrigerator, and I coded all of that up while I was at ShmooCon getting ready for a talk because they needed it because they were recording that day. (Thomas Rogers: That’s incredible.) Like, so I will say that like just to answer your question, I hate shift work. I don’t want to ever do that again. I’ve done my dues there. I’m good.

Phoebe DeVito (23:15)
Awesome. Well, one last question, Rob, that we ask all of our guests who come on, another kind of big one. But if you were starting your career in cyber now, what is one thing that you would tell yourself?

Rob Fuller (23:29)
If I was getting into cyber right now, what would I tell myself?

I would say drop the ego way faster than I did.

I came into cybersecurity in 2005 and I thought I was the hottest thing since sliced bread. I thought I knew everything, and I broke some trusts, and I broke some friendships because I did stuff like that. And yeah, I would grow up a little faster.

Phoebe DeVito (23:53)
Fair enough. Fair enough. Awesome. Well, Rob, thank you so much for coming on. Before we wrap up, is there anything else you wanted to share that we didn’t get to?

Rob Fuller (24:01)
Yeah, I would say just if you’re listening to this, reach out to people. Cybersecurity folks are pretty awesome. There are some bad eggs, but very few. We all like to learn. So if you are struggling at getting a job, if you’re struggling at finding roles and opportunities, this network, this small group of cybersecurity folks on this planet are all pretty awesome people in general.

Like I would say 80-90% of the folks in cybersecurity are pretty awesome so connect to someone on LinkedIn, say, hey, looks like you work here. I’m new to cybersecurity. Any suggestions? And like they will probably respond if you’re nice about it and do a little research. So that was what I’d say is make friends.

Phoebe DeVito (24:43)
Awesome. Love that. Thank you so much, Rob. Thanks again for your time here.

Rob Fuller (24:46)
All right, thank you. Have a great day.

Thomas Rogers (24:48)
Thanks, Rob.