July 11, 2022

Tackling Cybersecurity Staff Burnout with Val Dobrushkin

by To Comply or Not To Comply

Show Notes

I invite Val Dobrushkin, Director of Risk & Compliance at Noname Security, into the studio this week to tap into his openness and transparency around his role as a security leader and his personal mental health journey. As compliance professionals, Val and I cover the technical side of his career, including his opinions and experiences with SOC 2, ISO, and GRC. As friends, Val and I dive deep into the difficult topics of workplace stress, labor shortages, career burnout, and mindfulness.

Timecoded Guide:

[00:00] Framework preferences & the benefits of SOC 2 vs ISO

[07:06] Compliance & security from a business perspective

[13:52] Cybersecurity labor shortages & tech skill gaps

[16:50] Workplace stress & the struggle of cyber career burnout

[21:15] Mental health advice for security practitioners 


Do you think GRC is a good entry point for cybersecurity? 

Much like myself, Val is a firm believer in GRC as a solid entry point in the cyber security industry. Junior security practitioners need an area where they’re exposed to a variety of positions and functions, and Val sees endless training opportunities for a young professional looking to get their start in GRC. Repeatable processes and teachable functions show entry-level cyber employees the value of compliance and how what we do as cyber professionals impacts the businesses we work with.

“When you rise up the ladder, you may feel like those standard beginning steps are tiring from having done them for many years, but it's those things that are easy to pick up. They're easily repeatable, and a very quick intro to say, ‘Hey, this is what this does for the business. There's some value in it.’” 


How do we solve the cybersecurity labor shortages and skill gaps? 

Anyone working in the industry understands the stress of the cyber workforce gap and how it has impacted both understaffed tech companies and overworked cybersecurity practitioners, especially in the wake of the COVID-19 pandemic. With so much conversation around cybersecurity talent shortages, I asked Val where he saw potential for solutions. His advice fell on the shoulders of cyber industry leaders, urging them to acknowledge the security skills gap and the staffing issues taking place. Without that acknowledgement, Val warns, leaders will not set themselves up for success when welcoming new security professionals to the workforce or training industry outsiders in new positions.

“When we hire somebody, we can give them a set title, a set function. At the same time, we also have to leave them room so they can grow and do something more, something better, something different.”


Why do you think we’re seeing cybersecurity professionals burning out?

Not only are cyber staffing shortages weighing on us, but cybersecurity professionals are burning out at rapid rates. The Great Resignation feels far from over for many companies, and I have seen security personnel quickly burn out and leave the industry entirely. Given Val's openness about mental health, he is quick to sympathize with those skilled workers feeling too exhausted to continue in their roles. Security practitioners are often undervalued when businesses see cybersecurity as an expense rather than something that can save the business. Combine that undervaluing with a lack of cohesiveness in teams and a lack of new opportunities, and we are looking at a potential mental health crisis in cyber.

“Security is not usually appreciated. Things go wrong and then, security is often blamed for not fixing things beforehand, or not building these things right. There's always a lot of pressure…It’s really hard to compete.”


Can you tell me about your personal mental health journey and how it has impacted your cyber career and company?

Immigrating to America at a young age and pushing himself hard in his career led to Val learning his lesson about mental health the hard way. After struggling with depression throughout his adulthood and managing his mental health through mindfulness and spirituality, Val now focuses more of his energy on showing others the value of lifting themselves up. While focusing too hard on societal and career expectations led to Val's personal burnout, he has come out the other side of many of his mental health struggles with clarity and awareness of what others are going through, as well as a motivation to guide others toward a healthier mental health journey.

“I learned early on in my career, when I had my first subordinates, that when people were underperforming, it wasn't because they were bad or they weren't skilled, there was something else going on. Once we were able to figure out what that something else was, they performed well above my expectations.”



Keep up with our guest, Val Dobrushkin, on LinkedIn

Learn more about Noname Security on their website and LinkedIn.

Connect with AJ Yawn on LinkedIn and Twitter

Follow ByteChek on LinkedIn and Twitter, or learn more about ByteChek on their website

Listen to more from the Hacker Valley Studio and To Comply or Not to Comply


AJ 00:15
Alright, everyone, welcome to another episode of the To Comply or Not to Comply podcast. I'm your host, AJ Yawn, founder and CEO of ByteChek, the only all-in-one compliance solution in the industry. Super excited to have my friend Val Dobrushkin here, who is the Director of Risk and Compliance at Noname Security and someone that I've gotten to know well over the last year and some change. Super excited to have a great conversation with a security leader. Val, thank you for joining us.
Val 00:42
Hi, AJ, thanks for having me. I'm really excited to speak with you because I've been following you a lot online and on social media. I really appreciate how open and transparent you've been about your journey as a startup founder and also, the really great material that you and your team often share with a larger audience. It's really helpful to the industry and the security and compliance folks around the world. So, I'm really excited to talk about this, I have about 20 plus years in IT, mostly around security, different variants of compliance from the DOD side and transition and more into the private sector and FedRAMP, SOC 2, and ISO and lots of other kinds of acronyms. What really excites me about the compliance space in general and security too, is that everyone I meet is so dedicated about doing the right thing, and has very strong ethics and values. The compliance piece is what holds it all together to ensure that we do our due diligence, we help ensure that companies do the right thing. It's a really exciting field to be in. I also appreciate the fact that you're very open and transparent about mental health and just supporting each other because there are different types of studies, but it feels like, even in half the industry, people are feeling the burnout and struggling with mental health. With the security and IT field, I think it's mainly populated by introverts, so a lot of people like myself, we hold a lot of things in and it's difficult to share and open up. So, having someone who's a leader like yourself, being open about the challenges, and inviting the conversation, I think it has been really helpful. I'm here for you, whatever you'd like to ask, or talking about compliance or non-compliance related. So, I'm really excited to get going.
AJ 02:34
Yeah, I appreciate that and really appreciate your support on the stuff I share and the stuff the team shares as well. I think one of the key components of us just being better security professionals, is folks being willing to share information and educate the community. I think that's what it really is. But yeah, I mean, you've been doing the security and compliance thing here for 20 years, and you mentioned a lot of those acronyms out there, FedRAMP, SOC 2, ISO etc. In your experience, what's the framework out there that you've enjoyed the most working with, from a compliance perspective, that allows you to really show value to folks inside of the company?
Val 03:12
I'm a little bit biased towards SOC 2. I think it has enough customization to really meet any business need, but it also has enough due diligence and enforcement on the CPA side vetting the controls to ensure standards. Typically, if I manage a third-party risk management program, I look at SOC 2 reports as the gold standard for what I want to see from my vendors and I read those reports in great detail because the one challenge of having the customization of SOC 2 is it could be all kinds of really important controls that the company decides not to audit against, or the auditor doesn't write up that well to highlight. So, while I may see no deficiencies or exceptions noted in the report, it doesn't necessarily mean that the company actually does the practice that they need. Or, in some cases, people forget that we need the service to be available, but the SOC 2 report only includes the security and maybe confidentiality criteria, not the availability criteria. So, that's important. And I guess the other one, I'd say ISO 27001 is more like an international standard. Also very customizable, but I think it's a little bit more prescriptive than it needs to be and generally requires a lot more overhead than a SOC 2, with, from my perspective, the value that SOC 2 provides. I think, especially if you're a young company, or startup, where you don't want to invest everything into a really comprehensive compliance program, but you want to do something right from the ground up and then expand as you go along, SOC 2 is the best standard to go with.
AJ 04:45
Yeah, I agree on SOC 2. I think the customization of it is one of the most powerful things with SOC 2. I think, to your point, that makes it really important that people know where to look in the report and I found, even you just describing the difference between having a SOC 2 report with security and confidentiality, when you're thinking about availability, some people just don't even know that. I think that's why the value of SOC 2 has gone down over the years, where people are like, "Hey, it's just a check the box exercise," because folks aren't actually educated on how to read the report and how to digest the information. What has helped you in your career to learn where the important parts are? Is it just a matter of diving in and getting your hands dirty and reading the SOC 2 reports? Or, were there good resources out there that have helped you learn where to dive in and actually see where the value is in evaluating your vendors?
Val 05:35
I think it is having the opportunity to work very closely with security leaders and professionals, and not stepping in from the outside as a compliance individual, but more inside seeing how the security teams enforce the controls, test, deal with the incidents, the risks that they see and mitigate every day, and interpret that into what a good security program should look like, what the controls should be. So, I don't think there is necessarily a shortcut. I think looking at NIST, obviously, as the golden standard for what an ideal security program is, I think that would be the best place for someone that doesn't have the experience of being inside of a security team for a long time that I've been fortunate to have. That could be a really good quick ramp up to understand the security controls. And the other thing to remember is to think about the business. Just because all these controls, or all these recommendations NIST has in there, or another standard that you may decide to pursue, doesn't mean those all apply to your company and the particular risks that you may have that you want to see addressed by the vendor that's providing the service. So, it has to be really focused on the value that you're getting from this vendor and the kinds of risks that they have and associate that with your experience, or relevant NIST controls that would apply to that, and try to see that those controls are covered in the SOC 2 report.
AJ 07:06
Yeah, 100%. I love what you said there about tying it to the business because I think that's where, just security professionals in general, get into trouble, where they only think about security in a small bucket, but are not thinking about the business impacts of what we're actually trying to do. Unfortunately, most companies are not in the security business. I know you and I both are at companies now that are security companies. So, naturally, there's a care of security, but most companies are building other things, and security is a part of the organization, but it's not the business. It's not the thing that's bringing in money to keep the business afloat. So, for you to get buy-in from a security perspective, you have to be able to tie things back to the business. How important has it been in your career, from a security and compliance perspective, of being able to translate all of the stuff in your lane to the business side of the house and make sure that they're bought into the activities that you have to do from a compliance and security perspective?
Val 08:02
I think it is critical. We cannot be successful as security or compliance professionals without working very closely with the business and helping the business understand how what we do supports their needs, because ultimately, the risks are up to the business to decide whether they will accept them, or follow the strategies we recommend for addressing them. We think they're above the harm threshold, whatever settings we put in place. So, it is also about building relationships and understanding the other side, the reasons why people are doing certain things. What I like about compliance, one of the things I like the most, is that we often identify things outside of security that can benefit the business. There's a lot of room for building efficiency, bringing teams closer together, the collaboration and knowledge sharing, enforcement on documentation and training, and the effectiveness of controls, and the monitoring and learning that goes beyond security, but really tying it to KPIs that make sense to the business, I think that that all ties it together. Without selling security or compliance to the business, there's no way to be successful. We will always want to be a partner with the business. So, for instance, I look at security, at least from a product perspective, as part of quality control. It should not be a separate thing. If you care about releasing code that doesn't have bugs, it's the same thing. You're releasing code without security bugs in it. So, security is just part of quality control. So, my role as a security compliance professional is to help engineers and developers understand that and find ways we can be involved in their existing process, instead of being another hammer or the scary thing, or something that they don't see any value in. We're trying to help you release your code or deploy your service without these bugs, which include vulnerabilities or things that could take down your service. So, it's really a quality of service matter that they should care about.
AJ 10:06
Yeah, 100%. I've been public about saying GRC is a great entry point for people to break into cybersecurity and a lot of the reasons why I believe that is because of the things that you just described there. It's about collaboration, it's about more than just security. The thing that I love about compliance, and the reason why I've parked myself in this segment of the cybersecurity industry, is that it does touch everything, that you get to interact with all of these different areas of the business and bring a different perspective. I think, if you're working in a different field, if you're working in accounting, if you're working in HR, if you're working in sales, and you're like, "I really want to get into tech, I really want to get into cyber," those collaboration skills, the ability to get people to buy into what you're talking about, the ability to bring people together and understand and show some empathy to what they're going through, and then being able to pull it back to compliance, I think are some of the most important skills for compliance professionals. But I have got some pushback from people on that statement that GRC is the best entry point for people to break into cyber, I'd love your thoughts on it. Do you think GRC is a good entry point? And if so, why? If not, why?
Val 11:15
Absolutely. Maybe I don't know enough, but from what I've experienced, I agree with you that GRC is the best entry point because there's so many positions, so many functions that a junior person can fill, that we can easily train and help them grow on the way. There's a lot of standard steps or work that can be a bit of a grind, that when you rise up the ladder, you may feel like those things are just too tiring from having done that for many, many years. It's not something that I want to overburden or burnout a junior person with, but it's those things that are easy to pick up. They're easily repeatable, and a very quick intro and say, "Hey, this is what this does for the business. There's some value in it."
Val 11:57
There are all kinds of ways. If somebody, like you mentioned an accountant, if somebody is good at numbers, they're probably good at using Excel sheets and creating metrics, KPIs, that's fantastic. We can help them use Excel or use Tableau or some kind of tool to start monitoring compliance and monitoring security metrics and leverage what they've learned to do that. Or, even like a sales or marketing professional, again, that collaboration, getting to understand other teams and how they do things is crucial, and there are a lot of risks depending on what the business does in marketing or in sales, and especially doing business with the European Union, or Brazil, or Singapore, or other regions where they have very strong privacy data protection laws. So, understanding how sales functions or how marketing functions can really help a GRC professional to guide them in the way that would meet the business needs, but reduce those risks from being materialized into fines or other kinds of problems for the company.
Val 11:57
Like, for instance, third party risk management, there's no reason why we can't take somebody that could have been a construction worker or a nurse or a call center person, and just help them understand that this is our process and if you're looking at SOC 2 reports for instance, here's a set of controls that we find important for the business, the service, make sure that's listed in the SOC 2 report. Make sure there are no non-conformities, and just give them like really quick guidance, but also help them understand why we're doing that, because the last thing we want to do is give somebody tasks where they don't understand the why, how it benefits the business, how it benefits really the world. We want to make sure that we're doing business with security companies that care about the data and the privacy of the data for the users, so we want to encourage that and enforce that through our third party risk management practices.
AJ 13:52
Yeah, 100%, and I love those examples that you gave there, too. So, hopefully, some of the listeners out there that hear this, folks that are trying to break into GRC, can see from Val's examples, there are ways that you can take those transferable skills into this field. I think, as we look out at the landscape and we see all the news about cybersecurity shortages and not being able to hire enough people and all of that stuff, I think we have to start giving people a chance. We have to start finding roles like that, that third party risk management stuff, or other areas where we're not looking at traditional backgrounds. We're not looking at trying to find this unicorn entry-level person with five years of experience. Those things just don't go together, and I think as soon as more professionals, more leaders like yourself, take the mindset that you have, we're gonna be able to solve this problem and we're gonna be able to solve the skill shortage that supposedly exists out there. But I'd love to get your thoughts, as a cybersecurity professional, someone that's in a leadership role, how do we solve that problem? How do we solve this problem that exists of not having enough people in this field?
Val 14:54
I think it is about recognizing it as a problem. That is important for the world and especially for this country, and for the company, that we're not just doing a service globally or to that particular individual, but we are doing a service to the company as well, because somebody that we invest time in, they're going to be much more likely to perform above normal, or to really go all in because they will feel that appreciation. They'll be excited to learn new things. So, chances are they'll probably perform better and produce more, than someone who's done that role for a long time and maybe feeling a bit of a burnout and just tired of doing the same thing. They're also more likely to stick with a company that invests in them and appreciates them and trains them. So, it's a win-win.
Val 15:41
It's a matter of, I think, working with the executives and structuring the budgets and the teams so that there's opportunity to bring in interns, or bring in very junior people, and train them on particular roles and have vision and some roadmap that this is where this person may be in a year, or in two years. I think it's part of an overall view and leadership structure, where you don't want to hire people that are going to be doing the same role for five years. At least the people that I've met, for the most part, that doesn't make them very excited about their jobs, and there's always a lot more we can do in security or privacy or compliance, there's a lot more to learn. So, there are set deliverables we want to deliver for the business, but at the same time, we have a lot of open room to grow and learn. And so, when we hire somebody, we can give them a set title, a set function. At the same time, we also have to leave them room where they can grow and do something more, something better, something different, maybe leverage the skills they've learned in a different profession, or provide a different point of view, to give us that extra value in their current career.
AJ 16:50
Yeah, 100%. I think, like you said, we've got to acknowledge it. Leaders have got to acknowledge it, and then start figuring out ways to change the approach. You mentioned at the beginning about how I post a lot about mental health and something that's really important to me as a human, but also important for me as a leader, to make sure people are taking care of themselves. We talked a little bit about how cybersecurity is known for burnout, we have a lot of people in cyber that are burning out. Why do you think that's the case? Is it just the nature of the stress of this field? Or, are there other factors at play that we're not seeing of why most cybersecurity professionals are feeling that they're burnt out and not able to take care of themselves?
Val 17:27
There are probably a lot of reasons. I think part of it is, just like IT or the standard IT, security is not usually appreciated. Things go wrong, and then security is often blamed for not fixing things beforehand, or not building these things right. There's always a lot of pressure because you may be even a big company, like Microsoft, but there are nation states out to get you. It's really hard to compete, even if you're a billion-dollar company. Especially when it comes to startups and smaller companies, you just don't have a lot of resources, but the expectations are, especially if you're doing business with 1,000 customers, that you are performing just like a Fortune 500 company, even though you may have a 10th or 100th of the resources that they have. So, it puts a lot of pressure on security professionals to do things right. I think the other thing is, hopefully, with the SEC requirements, we get more security conscious board members, but we need the board to understand the value of security, of privacy, of compliance. We need the board to force auditing on the company itself to test how they're doing internally from their security and privacy practices. We need people to really understand that this is so important. Everything is so interconnected; all our data is out there. The more it goes on, the worse it's going to be when we have a data breach. So, we need to give more support to our security teams.
Val 18:58
A lot of it is also that security is not often seen as delivering value to the business. If you're in sales or marketing, or maybe in engineering, you're building something that the company sells or you're helping to sell that service, so you bring money in. When things get tough, security can often be the thing that gets cut, or if you have to ask for more resources to expand the security program, the business might decide to invest in building a new feature, or hiring those extra sales folks, or marketing to get a bigger share of the market. It's tough to compete with other business units that, on the surface, deliver more value and they do, in terms of a clear financial funnel, but at the same time, if you get breached, you might lose all your business, you may be fined, you may be hit with lawsuits.
Val 19:53
So, I think we just have to do better in security with selling ourselves as business value, in terms of how we deliver, how we can promote the company as a secure vendor for all these major customers, how we can demonstrate that security and those compliance practices, and remind the business of the real risks that are there. But also, I'm sure we can do better as professionals in building those relationships and not be seen as just this scary monster that hides in the closet and comes out every once in a while to yell at people for doing things wrong. We have to be more active and engaging with the business and building relationships and being there as a guide, rather than this enforcement tool, so that people feel comfortable to come to security, and being open about, "Hey, I did this thing, is this bad? How can I do this better?" So, every time we have an incident, or we have a big situation in the company, we treat it as a learning exercise that will help the business to do better, as opposed to telling the business, "Well, this was really dumb, and you shouldn't be doing that," kind of like taking that "I'm smarter than you" approach, because that's not helping anybody. We want to be seen as a guide, a mentor, a really big support, that the business should be leaning on, not a scary thing that they don't want to engage until they really have to.
AJ 21:15
Yeah, and I think that's why it's so important for cyber professionals to protect themselves, to take care of their mental health, to take breaks, to try really hard not to internalize the stresses and the other dynamics that come with this job. Because, like you said, sometimes it's very hard to feel the impact you're having, but you are having a big impact because if you weren't doing the things that you're doing, the company could have financial and reputational damage that sometimes can be irreparable. Breaches sometimes cause companies to go out of business. A day where nobody hits you up in security can feel like you're not being appreciated, but it actually means you probably are doing a really good job. I think cybersecurity professionals especially have to protect their mental health. I think men, right now, really got to protect their mental health because we've been kind of conditioned in our culture that we gotta be tough, we can't share emotions, we're not supposed to cry, and all these other things, but we're human. Whether we're men or not, we're still human and we still have all of these feelings. Before we even started recording, you talked to me a little bit about a recent mindfulness thing that you've experienced. Talk to me a little bit about your journey with mental health and your journey of understanding the importance of taking care of yourself as well as others in your organization.
Val 22:32
I learned the hard way. I burnt out and went down a really deep rabbit hole for a while. I struggled with depression for several years. It was really tough to get out of bed or even when I was doing things I really enjoyed, that's when I realized I hit the bottom because I was doing the things I loved, but I still felt so empty inside. I was not feeling the joy as much as I should have been. Part of it is because I grew up in a totalitarian regime and emigrated to the US as a teenager. A lot of the early time after immigration was about surviving and doing the things that my family needed, or I thought society expected of me, and I didn't think about my own needs, or desires. I ignored that for a long time until it really hit me. And then, it became really difficult to recall what it was that I enjoyed, what it was that I liked. Who was I outside of all these layers I put on or that others have placed on me?
Val 23:40
On the bright side, it really led me to this self-learning, spiritual mindfulness journey, and a lot of it was due to my wife, who led me to my first meditation retreat. I've done a lot of reading and have been fortunate to meet some really wise and amazing teachers, some Buddhist monks and people that just felt like they were walking on air with just their love and their wisdom, just the magnificence of being in their presence. Over time, I've learned that I don't need to have a sole purpose to have a meaning of life, or have it all figured out. It's okay to trust the universe and I'm here to make the world better, I'm here to try to be a better human being every day, and if I can make a tiny bit of difference to anyone in my life, then that's worth it. So, I've focused on that and the little mindfulness webinar that I led yesterday was very therapeutic for me. Also, to get the feedback from others that they felt better, they felt less stressed, they felt happier, they felt more love, and the really most valuable thing for me was the feedback that my compassion and love for them came across, despite it being a virtual session. So, that gave me a lot of hope that maybe I could do more of those things in the future.
Val 25:13
Definitely within teams, too. Something that I love more than anything is mentoring and making people feel like they can be open with me. I learned early on in my career, when I had my first subordinates, that when people were underperforming, it wasn't because they were bad, or they weren't skilled, there was something else going on. Once we were able to figure out what that something else was, then they performed well above my expectations, and it just really amazed me what they could do. So, that's the attitude that I want to have and I try to have every day in the workspace. If I can, I organize soccer leagues, for instance, as a way to bring different teams together, including from other companies that are competing with each other, different types of volunteer events or other ideas that we can really spend time together. I love what you mentioned about leading a mindfulness webinar at work, maybe on Monday, that sounds amazing. I think we need more space for that, more reminders for people that those resources exist, these people exist, and just even to sit back and step away from that hamster wheel. It's okay. It's okay to take a pause, it's okay to listen to my heartbeat, or to my breath. Come on in and just relax. Everything will be okay.
AJ 26:32
Yeah, no, I really appreciate you sharing that. I've had moments in my last couple of years where I realized that this mental health journey that I've been on, it's been a lot for me. It's been beneficial. There are people that told me that the things I talk about and share have helped them, but a lot of it has been help for myself. I've been on my own personal journey of going through and relearning who I am. To your point, I've been in those depressive states where I don't want to get out of bed. I'm just completely sad and empty, regardless of the wins that are going on around me or the cool things that are happening, I've just felt empty, like you said. I think the realization that you came to is the same realization that I've come to at those times, where you're more than the external things you put on. You're more than the things that other people are saying you are, you're more than your job title, you're more than the accomplishments you have and all these other things. You're more than all of that; you have your core. When you go back to: Who am I? Who actually am I as a person? What are the things I actually care about? You start to realize a lot of the stuff that you've put on yourself is pointless, it actually really doesn't matter, and a lot of that is what's causing that depression. I'm a big stoic reader. I consider myself a modern stoic, I read Marcus Aurelius often and Seneca and Epictetus, and a lot of those old really wise philosophers. Stoicism is all about putting things into two buckets, things you can control and things you can't control. It's very hard to do. It's very hard sometimes, because you find yourself stressed and depressed, or sad about things that are really outside of your control, but when you're able to step back and sit and go through that shedding of those external factors, and then you find out that little kid that enjoyed all those things that you used to enjoy, you still are there. It's a beautiful journey.
I really appreciate you sharing that. I think this conversation, this piece of the conversation, is probably the most impactful not just for the listeners, but for me too, because it's always a reminder when I have conversations with folks that are willing to be vulnerable and share their journey that we all are going through similar things. It's not just me that feels certain emotions. It's not just me that's going through this, but like you said, just stopping and pausing, hearing your breath, hearing your heartbeat, taking that break, taking that little break for meditation or mindfulness, it means the world. It kind of changes your perspective, I definitely appreciate you sharing it. Val, I appreciate you as well being on the podcast and having a great conversation about compliance and mental health and all things here. Before we hop off, I want to just give you the floor to share anything else with the listeners that you think would be beneficial. At the end, tell them how to find you and reach you.
Val 29:23
Sure. Well, one thing I didn't talk about yet is API security, which is the reason I joined Noname, my current company. We do everything from development testing to misconfiguration inventory, identification of all the APIs, and finding active attacks and helping customers block them and monitor for them. What I find really interesting is that we are playing catch up. API in general, I think, has been an overlooked elephant in the room, or ignored or forgotten. We're invisible elephants because everything is done through APIs, but when it comes to compliance, it doesn't really translate well into our existing controls and standards. I often wonder if maybe we need to come up with an API compliance program or add API-specific controls into SOC 2, or ISO, or Cloud Security Alliance, or something along those lines. I think a lot of times, I've seen it from the inside, I've seen it from the outside, you look at how auditors look at SDLC practices, for instance. They look for how you test your code, how you deploy your code, how you scan for vulnerabilities. They generally just look at standard software deployment, not at it as an API service. How does that practice translate to how you manage your APIs? I've never even seen a conversation about it from an audit perspective, so that's something I don't have a solution for, but I hope if we get a lot of great minds, like AJ and others, in the industry to talk this through, maybe we can get a lot of really good wise people together. That's something I would like to see addressed because I think it's going to be a pretty big pain point for a lot of us with our data all being connected through APIs. Hopefully, we can fix that and we can audit, comply, certify against that, before that ever happens.
AJ 31:19
Yeah, absolutely. Shameless plug here. In a couple of weeks Val, my Director of Compliance at ByteChek, Tara Cook, and myself will be on the National Association of Black Compliance and Risk Management Professionals webinar, talking about API security and compliance and how it's the missing piece. I'm in compliance because I wholeheartedly agree and think we either need to figure out a way to get it into SOC 2 as soon as possible, and make it a required component of interconnected SaaS apps and what we are doing to protect ourselves, or like you said, maybe there's a chance for another standard here. We'll have a great conversation. I'll make sure the show notes include a link for folks to register to see that webinar or just get the recording if they can't make it. Val, this has been amazing, man. I really enjoyed this. I know it's taken us a little bit to get this on the calendar, but I really appreciate you taking the time here with me and I'm excited for the listeners to hear this and excited for us to continue to get to know each other and build our friendship. So, thank you again for coming on. It's been a blast.