Ep 17 – The Cyber Talent Series

We are now live with episode 17 of the Cyber Talent Series!

Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito as they connect with Jose Ramos, Head of Offensive Security at Uber, to discuss transitioning from hands-on technical roles into leadership. Jose shares his approach for mentoring talent, understanding burnout, and knowing when to hire. He also shares his perspective on how to balance build vs. buy decisions in a rapidly evolving landscape shaped by AI and new security tools. Throughout the episode, Jose reflects on the importance of resilience, continuous learning, and embracing failure as a foundation for long-term growth.

Tune in now with the player below, or check it out on the SkillBit (formerly known as MetaCTF) YouTube and Spotify channels!


Spotify Link

YouTube Link

Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series, where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by my co-host, Thomas Rogers, and today, we are speaking with Jose Ramos, Head of Offensive Security at Uber. So Jose, thanks so much for joining us!

Jose Ramos (00:28)
Thank you. The pleasure is mine.

Phoebe DeVito (00:30)
Awesome. Well, to get started, would love if you could just talk a little bit more about who you are and what you’re working on now.

Jose Ramos (00:35)
Sure. Jose Ramos, as you said, head of offensive security at Uber. Now a little bit about my background: I have over 20 years in tech, primarily in the offensive security space, which primarily is pen testing, hacking, bug bounty, and cybersecurity and defense.

Phoebe DeVito (00:51)
Awesome, and going back to kind of early in your career, I believe you started as an IT risk strategist in the US Navy. And so we’d just love to hear a little bit more about that and how your early experiences have kind of shaped the way that now you lead teams.

Jose Ramos (01:05)
Sure. So yes, early career, I did start off in the Navy. Believe it or not, I actually joined the Navy as an Ordnanceman, which is basically dealing with weapons. After doing that for a little bit of time, I transitioned into the IT field. And from there, I started to really follow the IT team and tech to get my rate transitioned from the Ordnanceman to an IT person. And eventually I did achieve that.

Thomas Rogers (01:37)
That’s awesome. I feel like if there is a common path in cyber, which I don’t think there really is, yeah, I feel like kind of that Navy military background, intelligence background is one that we hear over and over again. I’m curious, for you, someone who clearly loves to still be in the mix and knowing what’s going on in the world, what that transition has been like for you throughout your career from like that individual contributor into more of a manager and how that transition throughout your career has sort of played out.

Jose Ramos (02:07)
Well, I would say ideally, I always strive to learn more. I mean, every single technology I would want to break apart. I’d want to understand what happens under the hood versus reading a book, hearing someone else’s examples of this is how items work, or this is how systems work.

So what I did in every single element, whether it was network architecture or dealing with pen testing or security, I basically sat down and pulled things apart to really understand how the systems operate, how protocols communicate. By doing that, I started to be recognized for understanding the technologies. And then from there, it turned more into feeding back. So I would understand the technologies. I sit down with teams. I would explain exactly how I understood the technology, the work, and that feedback loop slowly started to transition me more into a management.

Thomas Rogers (03:01)
Do you think that’s something, communication, is it something that came naturally to you or is it something you had to work on?

Jose Ramos (03:07)
So I’m an extrovert. So when it comes to communication, I love to speak to people. I love to share my thoughts. I love to gather feedback. I usually tell my teams if I’m wrong, tell me I’m wrong. Challenge me. I promote that as a leader. And I feel that feedback loop is very important.

Thomas Rogers (03:26)
I think in hacking and OffSec, there’s obviously a great community sharing, always want to know what’s going on. I think there is probably a good mix of introverts and extroverts in the space. How do you manage those different types of personalities? How important is it to be a good communicator?

Jose Ramos (03:45)
Well, the first thing I do with my team members is really understand their career path, understand what they want. And this goes very well with what you said. There are introverts, there are extroverts. There’s also individuals who want to be a subject matter expert in their particular field, never want to touch management. There’s others who want to be managers and they don’t know how to bridge that gap.

So it comes down to the communication of learning who you work with, learning who your partners are, understanding what’s important to them, and then starting to build them to achieve what they want to be. So maybe an introvert eventually wants to speak on stage, but they don’t really understand how to cross that line to achieve that goal. So that’s where mentoring, coaching is, you know.

Maybe it’s that they never spoke on stage, even though they aspire to be that, but you could start with, hey, why don’t you pitch your ideas to me? Explain to me, technically. And then you ride in that audience. So they have that stage. And eventually, under good leadership, essentially, they could achieve what they want to set out to be.

Thomas Rogers (04:53)
often manager, if someone is coming to you and saying like, I’m stepping into my first management role want to encourage people to, you know, mentor people the way you have, how often are you having those conversations with your direct reports? Or is it like kind of a continuous thing where they bring it up when they’re ready to talk about it? Is it something you’re seeking out or yeah, what’s the mix there?

Jose Ramos (05:14)
I always gauge the people that I work with on what they want to be, what they want to achieve. I routinely set up one-on-ones to get a better understanding, and then I keep a pulse on it. As I mentioned, if they aspire to speak on stage, how do I bridge the gap to get them where they want to be? If they want to be a subject matter expert, what gaps do they currently have that’s serving as a blocker?

Think of it like a bowling alley. My job is to make sure that I’m the bumpers for you to achieve where you want to be of the lane, essentially.

Phoebe DeVito (05:47)
That’s awesome. I love that too, because so many of the folks that we’ve had on here, you know, we ask a lot of people about their transition into leadership. And almost everyone has mentioned something about a mentor who really encouraged them to try something that they hadn’t done before. So it’s really cool to hear you kind of giving back in that role.

Thomas Rogers (05:48)
Great.

Phoebe DeVito (06:04)
So you mentioned being extroverted. One thing that I’m sure plays into that and also is part of your role as kind of a leader in the space. Based on your online presence, I know you’re really active in different industry events and connecting with other kind of leaders in this space. And so I’m curious how that experience goes for you and how you kind of learn from other leaders. And if those are situations where you take things back to your team.

Jose Ramos (06:29)
Absolutely. So I find those very beneficial for me to get a different perspective of what other people are doing in their industry, in their space, because they all differ. I mean, I’ve been in the entertainment industry and that differs from the financial industry versus the mobility industry.

Each industry has different challenges that they have to overcome. Some could be their main priority is DLP, while others is really just protecting their sensitive data. And others are just really customer management and customer facing. So understanding their challenges. Sometimes I could provide insight of something that I’ve been through on their spot and give them recommendations. While other times it opens the door for me to think about something that I never even considered. And a lot of times, believe it or not, I go back to the drawing board. Even as a leader and even seeing so many different perspectives of people in this space and how to handle technology, technology changes every single day. If I go to sleep this week and I sleep the entire week, I wake up next week, technology is going to change.

Believe it or not, you look at Hugging Face, how many different models do we have sitting out there? And check it again next week, see how many new models are put on the site. So technology is changing more rapidly than we could keep up with nowadays. So as much insight as I could get from different perspectives is very important for me.

Thomas Rogers (07:57)
So yeah, really interesting, you sort of relying on the community to stay up to date. How do you encourage your team to do the same? Because I assume some of the ways that you’re staying in touch happening in tech and in AI and others is coming from your direct reports. It’s people who are really interested in doing research on their own. So yeah, what’s that blend like?

Jose Ramos (08:18)
I believe it’s promoting the culture wherever you’re working. Having that safe space where no one’s going to feel like, I saw this article on Reddit. I’m curious about how this attack pattern works. Or did you see the latest news that came out on their X-post? If you promote that culture where the information is constantly circulating, then team members get excited.

When they find a new attack vector, they want to show and not only show, but really showcase how they worked on it in the lab, how they executed it. And having that shared it’s really how you strengthen your team internally. Then obviously I could provide from a leadership perspective, what I’m seeing as well. And promoting everyone to challenge each other to really push their education.

Thomas Rogers (09:03)
Yeah, it’s like such a, I think it’s a misnomer for probably people earlier in their career that they think their managers often like have everything figured out. I think it’s probably sort of like kids with parents where they think, oh, my dad knows everything. It’s like, no, that’s not the case. So having like the humility to realize, I’m not perfect and… so much information going out and I’ve got a lot of responsibilities. So I need to make sure that I listen to the people that I trust and I know are smart, which, you know, if you hire well, that helps a lot too.

Jose Ramos (09:34)
Absolutely. I constantly have those conversations with my team and I make it clear. I don’t know when I do suggest something, I promote my team members to challenge me. Challenge me on how we can do this better. And not only is this, you know, inspiring your team to speak up, but it enhances communication. And that’s also bridging that gap going back to the previous question that you asked, like, how do you push your team? How do you bridge the gaps between, you know, where they are versus they want to be? And for me as a leader, what I care about is just seeing the growth in the individual. Seeing that is what gives me pride. It’s not the promotions, it’s not the advancements, it’s not people knowing my name. It’s pushing and giving back and then watching people grow and… you know, knowing that you helped someone in their journey. That’s really important.

Thomas Rogers (10:28)
That’s super cool. I’ve got more questions for you about that. I think some of that is related specifically to cybersecurity as a field, but to step back to what you said about you asking your team to challenge you, and this is like a general management kind of topic, but how do you create and facilitate that psychological safety for your team to feel comfortable with that without having to worry about?

Jose Ramos (10:51)
It takes, it does take time because as I mentioned, I, I’ve managed quite a few teams and every single time that I’ve either taken over a new team or built a new team, no one really wants to challenge you off the back. You say something, you’re like, Hey, if you don’t agree with it, please let me know. Crickets. No one wants it, but shaping the way people think sitting with them.

Thomas Rogers (10:51)
you am I going to get in trouble?

Jose Ramos (11:17)
on one-on-ones, letting them know that you care, sharing about yourselves, showing that you’re not just there to be a dictator and say, this is the way things operate, this is the way we go. But building a community where it’s, you know, we build together, we are a team, we push together, I might be the face that, you know, the organization sees, but all your ideas, everything that you suggest, it matters. And it really does matter. I always say,

This is a military thing that the people with the boots on the ground always have the best perspectives. They understand what’s going on in the day-to-day operations. And if you’re not there, then you can’t give full guidance. You could give recommendations. But if you don’t have that collaborative insight to say, hey, what’s going on here? Here’s my suggestion. And if they’re basically just, yes, no problem, then

You’re not going to evolve. You’re not going to grow. And that’s why I promote, hey, when I say something, if you feel something’s wrong, say something. And that eventually leads to having that strong collaboration. And I’ll tell you, even where I am right now, three years after, there’s not a person on my team who is just a yes person. They’ve established that trust in each other.

be like don’t agree with it, but I always say back it up by evidence. I don’t agree with it. This is why, this is why I’ve tested this. I’ve looked at this solution. There’s a better way. There’s a better path. And let’s have the conversation.

Thomas Rogers (12:37)
Yeah.

I love that. You said earlier about like having the one-on-one conversations, some people, you know, it is going to be a process over time. Like you’re not just going to run into a team meeting of, you know, maybe 20, 30 people and people aren’t just going to say like, Hey, I actually have a problem, especially in a remote environment. I don’t know how much of this is happening in person, people want to be off camera and on mute and that. I feel like you facilitate the trust in the one-on-one environment to say, hey, it’s okay, and I need you and sort of building that like ownership in the team so that people know my work, my work really matters. I think the concept of like a team of yes people is really boring. It’s not fun. It’s what’s the point? It’s yeah, very dictatorial, like you said. So, like how you create a team that’s got like a good culture, everyone’s perspective is heard. I think we’ve talked a lot about how teams can communicate, how they can feel safe, how they can be honest with each other, and then you as a manager, how you can, you know about your team.

How do you take what you’ve learned as a manager about your team and apply it to deciding when it’s time to hire or making decisions about how to staff your team on projects, things like kind of breaking that into two, sort of making like talent decisions based on knowing your team really well.

Jose Ramos (14:05)
So I think from a manager’s perspective, you always know where you could have additional staffing. You always know where you’re falling short. I keep a pulse on burnout. In the event I start seeing individuals burning out because either they’re pushing too hard or maybe they’re not optimizing their time, that’s where I sit down with them and I get a better understanding of is the workload too large?

Or is there something I could do to move forward to help you out on your day to day? And if they are optimizing their time, they’re the speed that they want to move at, and there’s still that gap where the workload is not being achieved, that’s where you start looking at additional staffing.

So as a manager or a lead, as long as you understand what your team’s doing, what their capabilities are, what’s being delivered, and what the business needs, you’ll easily be able to identify when you need additional staffing. That doesn’t always mean you’re going to get it, but it’s easy to identify when you need it.

Thomas Rogers (15:05)
So it sounds like it’s a process of communicating well, understanding how people are feeling, what they’re doing, workloads and things like that, and then translating it into a more quantitative, maybe a business case of some kind where you’re making the case for, we need this head count for these reasons to do this. Is that kind of the flow?

It sounds like so with that first part that maybe is a little more qualitative. Have you tried to apply any kind of like quantitative metrics around? You mentioned burnout, like keeping a pulse on that or, you know, staffing, things like that. Is it more of a gut feel or is there any sort of frameworks you’ve applied to that?

Jose Ramos (15:46)
So from an operational perspective, we have set deliverables that we have to in our KRs, we set obligations of what we’re going to commit to quarterly by the half by the year. And to meet those target deadlines or deliverables, we work as a team to achieve those obligations.

And that’s where I’ll start noticing gaps where, perfect example, you have an assessment of a certain product or asset and the team’s like, hey, I mis-scoped it. It’s way larger than what I expected. I can’t deliver this in the current week or two weeks, whatever allocated time that there was. So you give them an extension. But then if you start noticing that there are many extensions that are being requested, mathematically, the weeks are overlapping into the other weeks, the chances of you meeting those deadlines or those commitments starts to diminish. So that’s where, you know, as a leader, you need to step in and say, like, what’s going on here? First thing, my recommendation, roll up your sleeves, see what you can do yourself. If it can’t be done, see what you can automate. If it can’t be automated, then start pulling the data, start pulling the metrics, that’s going to be your use case that you’re bringing to attempt to get that additional head count. I say attempt.

Thomas Rogers (17:04)
Yeah, that makes sense. I’m curious with that because obviously a big part of someone in offensive security or generally anyone in security engineering and IT, a big part of the learning that they’re going to be doing is going to be on the job. They’re going to hopefully have enough of a background to where they have some intuition about how to do something, but then there is going to be an element of like, hey, you’re going to have to sort of figure this out. I’m curious, you as a manager, what your perspective is on, you can’t just rely on the on-the-job training. Like you as an individual need to seek out other sources. And I’m sure some of that comes inherently because cybersecurity people are really passionate about what they do and curious by nature. But is there a sort of framework that you use for encouraging people to supplement their on-the-job development?

Jose Ramos (17:58)
So it’s a mix. So ideally, I mean, this really starts at the interview process for me. When we bring people on board, and this is throughout my career, it’s not set to a specific organization. When I choose to bring people on board, I look for a certain detail that they have that background hunger, that they want to learn. That’s one of the key elements that I look for in someone that they’re thirsty for technology and that they want to learn and expand. That as a core requisite is the primer for what comes after that. So once I bring them onto whatever organization I work for, then I feed them the knowledge that they want, whether it’s individualized training, whether it’s CTF events, whether… if it’s speaking on stage, whether it’s engaging in Black Hat, Def Con, whatever their interests are, as long as they had that hunger, I wanna be the fountain to start feeding them and growing. And generally, aside from what I could provide as a leader, that hunger, they’re chasing it on their own. They’re getting it fed through here. And then they have the on-site that they’re getting from the business. So it’s just constant growth. That’s, like I said, it starts from the people that when I bring them on board, I’m looking for that.

Phoebe DeVito (19:21)
I’m curious, how do you evaluate that in the interview process? Do you have like a rubric or way that you kind of quantify that or are there certain interview questions you found really kind of reveal that curiosity, maybe something on a resume? Just kind of curious how you gauge that in the hiring process.

Jose Ramos (19:38)
So that’s a very funny question, because I am a very unorthodox interviewer. I could have a set of 10 million questions. I won’t use them. What I do is I look at a person’s resume, I start pulling things off of their resume. And it’s essentially like a choose your own adventure. You say that you’re a specialist in active

Phoebe DeVito (19:50)
You

Jose Ramos (20:03)
pulling NTDS files, I’ll start with one line on your resume and pick your mind of how you take on the challenge, how you evaluate things. And based off of your responses is what my next question is. And the way I think about it is I keep on tightening, going a little bit deeper, to understand where their curiosity lies. Because as I mentioned, that’s one of the core things that I’m looking for. I want to know how curious they are. And if I could back them into, I don’t want to say a box, back them up can’t use the tools. Let’s say that a famous tool is Responder that people use for testing and evaluating networks. And it’s like, oh, well, I start listening on the network.

I wait for my Responder hashes to come back in, and I’m like, OK, well, let’s say your particular engagement, you can’t use Responder. And basically, what I’m doing is I’m stripping the tool that they’re very familiar with. And what that leaves them is they have to think outside of the box at that point. So they understand what they need to do. They understand that they’re trying to capture some password hashes.

But the one tool that they’re very familiar with, I took off the table. So now what I want to see is them thinking outside of the box. OK, you can’t use what you’re familiar with. OK, what other bag of tricks do you have? And that’s where I start doing it. Like I said, it’s every interview I do, not canned responses, because you could Google those. You could AI those. But what I do is I have them challenge themselves and see where their strengths really lie. And it’s amazing. I’ve had the greatest conversations on interviews. And I learned a lot too. I’m like, wow, this guy is sharp. Or this girl is don’t know. I love it. And it’s the way I prefer to conduct interviews.

Thomas Rogers (21:55)
That’s cool. Yeah, I feel like the concept and Phoebe was hitting on the curiosity piece. It’s something we’ve heard the last three or four interviews we’ve had is how important curiosity is. I don’t know if you said this exactly, but my takeaway was like creativity. Like how do you, can you think on your feet and can you think outside the box? So like that concept and problem solving, not the easiest things to quantify, but for you, if you know, kind of know what you’re looking for, or it’s sort of like, you know it when you see it, it kind of paints the picture of someone who’s going to be successful in an open-ended and stressful job.

Jose Ramos (22:32)
Absolutely, because I feel like all the other items, certain systems, certain technologies, being proficient in Linux, being proficient in Windows networks, all of those items can be trained. Anyone could learn those. People could read a book. People could learn the technology. You could build a lab. Thinking of how do I do this and thinking differently, that’s a rare skill. That’s a rare trait. It’s not following the herd of, this is the way everyone’s doing it. It’s saying, everyone does it this way, but I want to do it this way. And if you think about it, is that not the case? Developers develop applications. Developers develop all these solutions.

because they care more about user satisfaction. They care about user experience. It’s very important to them. A hacker thinks differently. What they want to do is they want to break into systems. They want to manipulate these systems. So what they try to do is circumvent the thought process of a developer. So what I need is someone to circumvent processes and understand how to think differently.

And if you think about it, if you have 10 people in a room who completely think differently than everyone else, imagine the thought processes that are communicated in that room. Imagine the ideas that come out of people. And if you layer that on where you have that communication feedback, everyone is just growing each other.

Thomas Rogers (23:59)
Totally. I feel like it’s kind of the iron sharpens iron type modem there. But I also think it’s got to be so challenging. I think about newer managers who don’t have maybe the intuition you have. There’s not a blueprint. There’s not like, this is the type of person you need to hire from a background perspective or maybe more traditional like kind of HR talent perspective, hey, just get someone with this on their resume. Like that doesn’t cut it. So yeah, what would you say if you were speaking to somebody who’s maybe in their first people manager role and needs to build out a team? How do you develop that intuition or how do you like circumvent some of those like manager points you build the muscle?

Jose Ramos (24:41)
I would say as a manager, you need to understand technologies you want to assess, the jobs you’re trying to complete, and what you’re trying to commit to the organization. Work backwards. Understand what you need to do and what you need to achieve. And then start looking for individuals who carry that skill set. And understand the person in the interview process.

One thing I’ve noticed with a lot of interviews candidates always know And a lot of people, when they’re nervous, they forget things. So even if they understand the technologies, it’s like, But as an interviewer, if you could level set that and really make the person calm, calm them, let them know, listen, I’m interviewing you. Let’s throw that out the door. We’re two technical people having a conversation. Set expectations that you’re a normal person, then you knock down that barrier of fear. And once you get that barrier of fear out of the way, then you can have a normal technical conversation with a person. And that’s where you’re gonna start noticing what the person’s thought process is on things, what technologies. I mean, they might even say, I have no idea. I never touched that technology. That’s a checkbox for me right there.

It just showed me that the person can easily communicate when they don’t understand something. So you’ll start noticing these signals, but as long as you have that, that fear barrier, I like to call it up. staticky to see, like to really get the signals that you want. So remove the fear, make sure that the candidate’s comfortable, have the conversations and then, understand what you need as a manager, and then you could piece it all together. It takes time. It’s just like, you’re not gonna get it the first time, but the more you do it, you build that muscle.

Phoebe DeVito (26:22)
That’s awesome. Yeah, I totally agree with that. And I think that’s like really cool to establish that psychological safety that we talked about on your team, like as early as the interview process. So I think that’s great. One question I had going back a little bit. So I know we talked about how you kind of identify, like additional staffing needs on your team with regard to bandwidth. And I’m sure that’s something, you know, all managers are familiar with. And like you said, it’s like, whether or not you’re going to get that extra head count knowing when you need it. I’m curious if you have a way that you identified that gap with regard to skills. So whether that’s, you know, needing to upskill folks on your team or kind of encourage them in that professional development, or if you need to, you know, bring a new team member on to fill a skills gap on your team. Just curious how you identify skills gaps on your team and kind of how you go from there.

Jose Ramos (27:11)
So I think it comes with understanding the really pairing individuals, I think when there’s a gap and you observe it, if you have that skill set on your team, then it goes back to pairing them. A perfect example is from an offensive security perspective, you could have someone who specializes in mobile and then you could have another individual who specializes in network or web apps, microservices. And let’s say you put an individual on a mobile application and you might have known that they were great at testing Android applications, but you happen to throw them on an iOS application. Then you look at the responses and you’re like, did they really understand what they were doing? You know, we discuss having that collaborative feedback where, you know, you have that conversation in the one-on-one and they’re like, Jose, this was tough. So once you have that, it’s really building them. So providing them solutions where they can learn that iOS and really expand on that. If you have that on your team, someone who specializes in that, pair them. As long as they have that, they’re going to pick it up.

As I mentioned, all technologies, they can easily be learned and picked up, especially when they have that hunger inside them. And you also have other team members that are willing to teach and, you know, building that community within your org. And I say this because an organization could have not the greatest culture. I know managers out there would be like, well, you know, that’s not the culture in my organization. They don’t promote that. I want to say you could build it internally within your team. It doesn’t have to come from the wider organization. Build that culture, build that within your team and, you know, everyone will grow together.

Thomas Rogers (28:57)
Great. I’m going to shift a little bit. I love the talk, you know, managing teams, kind of the full cycle we’ve talked about so far of like hiring, promoting, staffing. One question, thinking about like where we’re at in 2026 and some of the new challenges, you know, newest challenges that exist in your type of role.

You know, we’ve talked to other people who, you know, their, their cyber orgs 70, and their tech stack enterprise wide. It’s even bigger than that. And a lot of companies and, you know, there’s what 15,000 cybersecurity tools out there. What kind of challenges does that create for organization like yours, the tool explosion and whether it’s like adopting new tools for your team or like other teams adopting tools that then you have to sort of like that and make sure are gonna fit well in the tech stack and then obviously AI is a big part of that, but kind of challenges, that created?

Jose Ramos (29:56)
So we go back five years, seven years, all you heard in every single headline was AI is going to be revolutionary. Everyone get AI inside of your organization, push it. It’s going to automate. It’s going to help move things faster. It’s going to push revenue. And you heard all these great responses.

What did everyone do? Everyone moved AI in their organization. And now we start seeing challenges where, you know, LLMs are being poisoned. AI agents having too much control over items that, you know, you didn’t want them to have control biases these AI agents. And now I feel like the industry has shifted from everyone push AI to, are we securing this correctly? And then that’s where I started to see, from my perspective, a huge vendor boom where every single vendor now has some type of AI solution that’ll scan your agents, test your agents, evaluate your solutions, everything better within your organization. And the truth is, some vendors have achieved quite a bit of this, but it’s still a challenge. And why I feel that’s a challenge is some of these tools work, but to integrate them into your environment could be more of a hurdle than not having the tool, versus building the skillset. I mean, if you’re going to get a tool that needs to be integrated, but you have to map out the entire tool that takes six to eight months to deploy and it still has blind spots, then you start worrying about false sense of security within your organization.

And then after you get the tool inside of your organization, you still need to train your team to make sure that they know how to use the tool because a tool is only as powerful as the administrator or the person teching and evaluating it. So it’s really piecing all these things together at this point, understanding the tool that you’re buying or building the skillset internally so that the individuals know how to test and build and automate a lot of these solutions.

It really comes down to identification. Where is the risk? How is it being identified? And then you would move on to remediation. I could speak on this topic for hours.

Thomas Rogers (32:08)
Please.

So I could too, how do you balance that for your team specifically with regard to like adopting tools for your team? Because I think that is an interesting parallel between like your team and the rest of the business. You just said technology’s evolving all the time. There are some really cool new tools and features and things that are coming out like

constantly, not just from the big, obviously, like the OpenAI and Claude and constantly shipping new releases, but there’s also new startups. How do you balance between keeping up with things and avoiding tool fatigue sort of keeping up with that? Is that something you’re doing? Is your team bringing it to you? Is it a combo?

Jose Ramos (32:49)
It’s a combo. I would say it’s a way larger combo where our team is building tools. They’re building solutions. They’re passionate about, you know, identifying these risks. So they’ll come to me. They’re like, Hey, look at, look what I built over the weekend. What do you think about this? And I’m like, wow, that that’s amazing. And, you know, if you start looking at a lot of the tools they have now with

vibe coding, everyone’s coding these tools now. You could go to Erser, you could go to Claude, start crafting tools, front-end interfaces, back-end databases, and it makes it easier. So I feel like many years ago, pen testers or offensive security many of them really focused on scripting and malicious payloads.

But when it came to the developer aspect, there were a handful, but I wouldn’t say they were at like 90% of offensive security folks who really had that developer background. And now with being able to utilize these tools and build your own solutions, the tide has changed. So a lot of people are developing their own things. And I promote that within my organization where, you know, if you could build it and you could find a solution, it.

But I mentioned it is hybrid. We also use third party solutions. And we’re also very involved in the space to understand what’s, what’s trending, what, what are other people doing? So that goes back to your other question of when I meet with other leaders in this space, I, you know, I speak to them about their challenges and what tools are they using? What solutions do they have in place? Does it make sense for me to look into that solution or

is it something that my team already built?

Thomas Rogers (34:30)
How much of that plays into, like, let’s say there’s a gap on your team some tool that you hear someone else has purchased at another company that you think would be really good for you and it’s not something that you can build yourself or you don’t think it’s worth it to build yourself. The calculus around like, you know, making sure that we can adopt this and get value and use it guess,

business term would be like time to value, but like how quickly can people like ramp up and actually like be good at using this tool and start using it in the right way? Yeah, how do you evaluate that?

Jose Ramos (35:01)
So it’s the build versus buy question at the end of the day, where it’s like, do we build this solution? And if we do, how fast can we get it up and running and start utilizing it versus is it easier to go out on market, buy a tool, and do that? So I like to approach it from two different perspectives. Internally, I like to put together an abstract.

write out an entire timeline. If we did build this solution, what does it look like? What does it take? What are the dependencies that we need? Can we do it ourselves? Do we need external teams? Do we actually have the skillset to build it and deliver a full solution? I sit down and I ask these questions. And if many of them check out and it’s yes, then I start really shifting towards the timeline. Can we deliver this?

not only deliver it within the given timeline, but deliver it within the given timeline with the existing workload that we have, because that plays a major part where if you’re shifting gears towards heavy development, are we still going to be able to maintain our day-to-day operations? So I take all of these items into account. And if it does make sense, all of it on paper, then we would start building the solution.

Phoebe DeVito (36:15)
Sounds great. All right, awesome. Well, the kind of last wrap up question we like to ask all of our guests is if you were starting your career in cybersecurity today, what is one thing you would tell yourself?

Jose Ramos (36:27)
Only one? I have to put myself in journal.

Phoebe DeVito (36:29)
You can give a couple if you want.

Jose Ramos (36:31)
I would say you’re gonna fail and you’re gonna fail a lot. You’re gonna fail on interviews, you’re gonna fail on exams, you’re gonna fail learning objectives, you’re gonna fail leading your team. You’re just gonna make mistakes, but that’s what’s honestly gonna make you stronger and build resilience on yourself. So, embrace failure and just keep on pushing forward.

Phoebe DeVito (36:53)
Awesome. I love that. I think failure can be the scariest thing when you’re starting something new and like the most valuable. So I love that you said that.

Jose Ramos (37:01)
Awesome. Well, this was fun.

Phoebe DeVito (37:03)
Yeah, thanks for coming on.