Interview with Martyn Rucks

How MWR InfoSecurity approaches hiring and developing talent with Martyn Ruks

We spoke with Martyn Ruks, the Group Technical Director at MWR InfoSecurity.


We wanted to speak with Martyn to learn what he knows about developing a company culture that helps attract and retain the best talent.

Full interview transcript

Philip, of Dradis Academy (DA): ​Hi there Martyn. Thank you for joining us for this brief conversation about attracting and retaining talent. I'd like to start by asking simply who you are and what your role is at MWR?

Martyn: ​My name is Martyn Ruks, I'm the Group Technical Director at MWR. What that means in terms of a role ... Obviously, Director, there's a kind of governance piece to that role in terms of running the company, and that kind of strategic oversight. On a more day-to-day level, my role is really about being responsible for everything technical that goes on across the company. [00:02:00] That really manifests itself in terms of me offering advice and guidance to people in the business across lots of different areas. For example, research direction, services needed by our marketplace, advice and guidance on how to shape our company culture, and all of those good things.

DA: For those who aren't familiar, can you talk a bit about MWR as a company. How big are you, what areas so you specialize in, if any?

Martyn: ​We're a company that now has a global footprint. Offices in the UK, in South Africa, and Singapore, and Dubai, and also a presence out in Germany. Across the company, we're about 150 people now, and we really specialize in offering information security, cyber security consultancy services, both in terms of consultancy, professional services, but also managed services, attack detection, security operations. Also a number of security products that are effectively there to help support our services.

​We offer a wide spectrum of security areas, from more traditional areas like penetration testing, and vulnerability assessment, across the whole field and breadth of industry sectors. Working in mobile and industrial control systems. Working with governance, with attack detection, with malware investigation. Really the whole spectrum there.

DA: Got you. What's the total head count of the staff?

Martyn: ​As I said, [00:04:00] we're probably about 150 people globally now. Still growing. New people joining the company all the time, and certainly the plan is to keep growing, to keep taking our services to people out in the marketplace that need them. It's certainly a really exciting time for the company as well.

DA: Sounds like it. We're going to shift away from you as the focus here, to talking about the issues of talent retention, and culture, and that sort of thing, in a moment, but in the mean time could you briefly walk me through how you got to where you are today? What were the high points? Were you always in security, or did you have a certain path that got you to where you are today?

Martyn: ​It was a little bit of a strange path, by the fact that my degree wasn't in anything to do with computing or security, it was actually in astrophysics. I was kind of seconded into the security industry before I got a chance to engage in that area. I started off in the industry as a consultant, and I kind of laddered as a security researcher. In terms of high points in my career, they were really initially centered around solving problems for clients to do with security.

​Unfortunately, given the nature of the work and the clients involved, it's not easy to talk about any specific instances, but one thing I was certainly vary proud of is some of my speaking in the public domain, and particularly presenting some of the research that I've been able to do. Working with clients, but also independent research into information security.

​Certainly one of the high points was being able to speak at DEF CON in the USA [00:06:00] for a couple of years, back in I think was about 2005, 2006. As anyone in the security industry will know, DEF CON is one of the most famous conferences, and being able to look back on being asked to present there is certainly a very proud thing for me.

​Now that I'm the Director of the company, I guess my high points have become a little bit different from how they were in the past. The majority of them are really occasions where the talented people on the team achieve success in what they're doing. That might be a headline grabbing piece of research that's been presented at a new conference. That may be an innovate new product like drozer and detect, and the things that we produce as software, or maybe in the creation of a new service like our Countercept service that really solves a problem that our clients are having.

​Each of these successes within the business is a high point to me, and my role in that, I see as providing the support structure within the company that lets all of the people do these things, and have those successes.

​I still allow myself the odd personal high note, and one of the things that I'm very passionate about, is every year in the UK we run a computer security event, called HackFu, and that's something I have a big part in running each year, and I've seen it develop over the past eight years now. Every year running that event and seeing the way that the participants and contestants engage with that event is certainly something that gives me a high point in the year [00:08:00] and is certainly something I look forward to.

DA: That's wonderful. I've heard that transition from, say a consultant to a manager or a director, compared to an orchestra, where you're no longer playing an instrument, you're the director, or the ... The actual word is escaping me right now, but you're directing the orchestra, you're now in a different role, and you can't do as much. You need to understand how the instruments are played, but you're not actually playing an instrument. Is that what it sort of feels like to make that transition?

Martyn: ​That's actually quite a good analogy, yeah, and I think that's also an analogy that's worth thinking about as well. That all too often, you can fall into the trap of, if you're conducting the orchestra and telling the members of the orchestra how they should be playing their individual instruments, and I think it's more than that, you need to be providing that support and encouragement to effectively get the best out of them as a group. Effectively empowering them with the responsibility to, in the case of an orchestra, to make fantastic music, and in the business, it's very much the same. It's about empowering them to have success for the business, and for themselves.

DA: What are the qualities that you see being just absolutely vital for the top performing employee, and that might be a consultant, or I suppose that could be a different role within the organization, but what are those qualities that really make someone a top performer?

Martyn: ​It might sound a little bit surprising to some people. Particularly those from within the industry, but I'll explain why my thinking is this way. I think the absolute musts in high performing employees are [00:10:00] passion, a passion for achieving success in your role, adaptability, the ability to adapt to new changes, particularly in an industry that's changing so rapidly at the same time. You also need to be very good at understanding what your clients need, and the real top performing employees are those who can start to anticipate what clients need without having to be told.

Also, what I observe right across the business is that the people who have success are smart people. The people who are aligned to the culture within the company, and who have the aptitude to contribute to that in a positive way. What might be more surprising to people is that we don't believe that specialist knowledge of a particular subject area is an absolute must when you're looking at top performing employees.

DA: I noticed that wasn't first on the list, anyway.

Martyn: ​Yeah. I say that in very general terms. There are some examples where that specialist knowledge is really important, and I'll give an example of that in a second, but we see time and again that if you have smart, passionate people, and give them support. Support they need in order to be successful, then you get the results you're looking for, and it's those results that effectively define the level of performance, both an an individual and also the business itself.

There are certainly some areas where specialist knowledge and actual job experience do make a big difference. For example, in an area like instant response. You're out there responding to something that's happened in a client's organization. It's a very fast-paced environment, there are lots of critical decisions that can have a big bearing on [00:12:00] the success of what you're engaged in, and in those situations, that knowledge and experience that comes from having been through that process before, enables you to really think on your feet, and gives you a solid grounding for achieving the results you need to, so certainly there are exceptions to the rule, but from our perspective, it's the passion and ability to engage in business culture that we see time again as the key things.

DA: I would like to know a little bit more about what you mean by passion. I think that word gets used in a lot of different ways. For example, if you look at the Silicon Valley startup culture, it's a code word for "You have no boundaries and you'll work obscene hours, because that's what we ask of you." There's that take on it. What do you mean when you say passion?

Martyn: ​I see passion as being really closely aligned to what the company's vision is, in terms of what is it looking to achieve, and people who see that as a goal that they share, in terms of the benefits that it will bring, the challenges that need to overcome to get there, and the rewards that doing so will actually bring.

As you've summarized, it's certainly not about people working longer. It's more about people working in alignment to what they believe and an end goal that they've bought into.

DA: So there's more of an element of a cultural alignment, or sharing values, [00:14:00] or these squishy weird emotional things that don't get discussed a lot, really do seem to matter, though, when it comes to rising to the top of the company.

Martyn: ​Absolutely, yeah.

DA: Interesting. Are there optional nice-to-haves that you would add to that list?

Martyn: ​I think there are some common traits. I don't know if nice-to-haves is the right way of describing it, but certainly other skills and talents that certainly aid people. The ability to communicate, whether that's with the person who sat at the desk next to you, or whether that's to your marketplace, to your clients, to other parts of your business.

Certainly things like your ability to share knowledge freely and openly. To work together. To spot issues and faults in the way that you and the company are working, and being able then to go through a structured process for for improving them. Those are the kind of things that I see as a secondary talents and abilities.

DA: I'm curious if these are qualities that, in your experience they either have them, or they don't? Can they be developed? Do they change over time?

Martyn: ​That is a hugely variable area from my perspective, and from my experience. They certainly can be developed as skills. There's certain nurturing you can do within the business to help people find those kind of talents, and to improve them.

There are also [00:16:00] challenges, where people have been operating for long periods of time in ways that go against those ways of working. That becomes then more and more difficult to get those people to change their approach, and to adapt their working style.

Also, another key thing to realize is that everyone has their own individual set of talents and capabilities, and the talents and capabilities that an individual has might not be the ones that you're looking for in your business, and it's really important to understand that. It's really important to help them understand that, in terms of what their talents are, and to find the right fit of those talents and capabilities into the roles that people are actually fulfilling.

DA: That's interesting. That's up to the ability of the hiring manager, or do you see some best practices about how to do that discovery, and find those strengths, and look for the match that's going to be the right match?

Martyn: ​There are some processes there that you can use, and the first one starts with actually understanding what it is you need from people in the first place. Your ability to understand the values that you want your business to live and breathe, and how that then reflects into the roles that you would like within that business.

Enables you to then start from the point of knowing who it is that you're going out and looking for, and I've seen over the years countless examples of when those things haven't been well understood that there was very programmatic approach to a job description, and therefore looking for an individual to fill that role is purely about academic skill, or particular experiences, and it's not then looking at those wider aspects to an individual, their talents and capabilities, and matching that back to the role. [00:18:00]

It also comes down to, as you said, the hiring process, and the people involved with that. That they then need to understand that, those talents and attributes. They need to understand how to find them in other people and how to spot them, and how to encourage the people they're talking to and interviewing to display those.

That in itself is past experience, but also about solid recruitment techniques, and solid theory in those areas.

DA: Is there some source for that information that you would point people to? Aside from yourself.

Martyn: ​There are certainly a wealth of books out there on how to build a company, how to look at what the concepts and ideas of your company need to be. How to actually go and find what your values are, how to describe them, how to communicate them. What I'd encourage people to do is to go out and read. I also caution people on making sure they go consult a wide range of sources for that information, because every time you pick up a book, or read an article, it's very focused on one particular area, on one kind of business, one particular kind of scenario.

I think it's really important to go out there, understand what the best people are talking about, what the best people are thinking about, and then take that knowledge and apply it back into your own business. There is no one size fits all approach to all of that.

DA: What does it look like if these qualities are not there? In other words, let's say that we compare this to an organization being sick. What are the symptoms of a need for improvement?

Martyn: ​The symptoms are usually really easy to spot. [00:20:00] I'll talk in a second about what some of those might be, but usually what happens is we as human beings accept the status quo as being normal and right, and therefore it's very easy for people within a business to continue doing things the way they've always been done, and to get into a little but of a rut in terms of thinking, acting, and operating.

The way to diagnose this is to go look at some key factors from within your business. Go talk to your clients. Are they happy, or are you constantly having to find new clients because the ones you're working with are leaving you? Look at your attrition rates. Are people leaving the business? Are people seeing the next step, the next progression in their career in other organizations? Are you innovating? Are you continually evolving your approach and your services to match the needs of the market?

Ask some really tough questions of yourself. Normally the answers are known, it's just that they're not being said out loud. Either because it's too difficult to think about what the solutions might be, or it's easier to just stick with the status quo and hope things will get better. That kind of real diagnosis is the first thing that you've got to do. You've got to understand where the areas you need to improve are.

Then it's about going and finding people who can then help to build on that. Whether it's people within your business now, or whether that's going out and finding talent in areas that you don't have it in your business to come in and help you in some of those areas.

DA: We've been talking about individuals, but those individuals at some point coalesce into a team, or a small unit in the business. [00:22:00] Is there perhaps a different set of qualities that defines what makes an excellent team, versus an individual?

Martyn: ​I think there are maybe not as many differences as you might think. I think certainly members of the team exhibiting all of the qualities that we've been talking about before is obviously a key part of that, but then there are some aspects to the team itself, and the way it works together, and the one thing that sticks in my mind is that a top performing team will always share knowledge amongst themselves, and work openly together.

​That is something that doesn't always come easily to people, and it's something that the culture of the organization that you work with will either support, or seek to destroy.

There are several reasons for this. One of the reasons is that historically, we've been educated that the knowledge we have as individuals is powerful to us, and our roles, and that we should protect that, and ensure that we have that unique knowledge, because that then effectively guarantees our place at the table, as it we're, because we're the only people with that knowledge. I think that's a really dangerous way of thinking-

DA: I see. We think of that knowledge as perhaps political capital, or money in the bank, that we need in order to secure a position in the firm, right?

Martyn: ​Absolutely, and what you'll usually find is that maps back to the way that company or business usually operates, and what it encourages in terms of behaviors. If the kind of remuneration, progression, development processes within a business reward people playing politics, and working as individuals, [00:24:00] and closing themselves off, then they are the outcome that you will see, and will result from that.

If you are in that situation in your business, then you will never truly realize the benefits from the team working approach. You need to really change the approach that you're taking and to have a culture stimulated in your business that then rewards the upsides of the kind of behavior that you want people to exhibit, which is that knowledge sharing and working openly.

DA: Allow me, if you don't mind, to play Devil's advocate for a moment. Let's say that I'm someone who can't see another way. Let's say I have a small firm and I see that my most knowledgeable consultants seem to get the job done best, and I just can't see any upside to them sharing information. What would you say to me that might change my mind, or at least illustrate something that I'm not seeing about the problem there?

Martyn: ​From the perspective of the business, I would say that the danger you have in that situation is that while everything is going fine, and you have very productive, very successful consultants, or people out there who are using that knowledge, working with your clients, that there's is a real danger that that knowledge is not something that you as the business hold. It's held by that by that individual. It's held in relationships that exist between those consultants and those clients, and then you as the business have no sense of relationship to those end clients.

There's a real danger there, that at some point in the future, something happens, that you have the potential to lose all of that acquired knowledge and capability within your organization.

There's a risk/reward there, [00:26:00] that you have to knowingly accept as a business. You may be quite happy to accept that, because the consultant's happy, you're earning money, you're profitable from them, that you accept that there's a risk that that could disappear in the longer term, and that if that happens, you'll go plug that with someone else, or some other capability.

That's a completely legitimate approach to take. It's not a particularly strategic approach, and it also does leave you exposed commercially, so you really do need to look at the bigger picture of your business in terms of understanding if that's the approach you want to take or not. Because, like I say, it will work for some people, and other situations it won't work.

DA: Right. It creates a small emergency if I lose access to that knowledge. That consultant moves on, something happens. From the consultant's perspective, though, they hold a lot of the cards, right? It's a source of power for them, so what's the downside to the consultant of operating in that way, where they horde knowledge?

Martyn: ​Usually the downside is that if you're spending that time hording that knowledge, and servicing clients with that knowledge, you're missing out on some of the benefits that investing that same amount of time and effort back into the business and into stimulating a knowledge sharing and information sharing culture, because any culture you create that is open and sharing information, you get paid back just as much as you put in.

If you're contributing your knowledge, others will more than happy to do the same thing. You will then increase your own personal capabilities and knowledge as a reward from that, and you'll benefit from being able to learn far quicker than if you had to go out and do all of that learning yourself. You're being paid back in time, as well, in terms of your ability [00:28:00] to go do more interesting things, whether that's innovation, or other things within the business that you might be interested in doing.

​There's certainly an upside to it, but it can't be done in isolation. If there's only one person that's happy to share that knowledge, then that whole approach breaks down.

DA: For an organization that's trying to transition towards this approach that you're advocating for, does it take a bit of trust, in that transition period, to trust that the results will materialize if we start doing things differently?

Martyn: ​It does take a level of trust, because in order to make that transition, you need to get buy-in from people, to actually go live and breathe this themselves. To go advocate it, to go tell others about the benefits of it. That means you do need to trust the people that you are empowering to go out and to actually start that process.

At the same thing, that trust is also borne out of having that working relationship with those individuals, knowing what their skills and capabilities are, and that understanding that if you empower them with that responsibility, and give them the support to go achieve what they need, that you will then see the returns from it.

DA: We're talking about company culture here. In your view, what role does company culture play in serving clients, retaining talent ... I suppose before I ask that question, what is company culture? How do you think of it? How do you define it?

Martyn: ​This is actually a really interesting question, because from my experience, this is an area that is very misunderstood, not just within the information security, cybersecurity industry, but widely across business as well. [00:30:00] Culture is in effect the collective values and actions of everyone within your business, and the way that they interact with each other, your clients, and everyone else.

That is a really critical area to the success of the business. In both of the areas of the business that you mentioned. In terms of serving clients, but also retaining talent within your business. The most misunderstood thing I see in this area is that people think that as an individual, a director or a manager within a business, you can create a culture, and by the pure definition of the word, that's not possible, because it is the collective actions and experiences of the people within the business.

What you can do, though, is you can help support and influence the culture within the business. You do that by setting out the values and principles that you want to operate with, and then you reinforce, or actually damage, the culture that you want to create, by making decisions that either support of contradict those values and principles. What then the culture is, is then the interpretation of your employees of all of those things that you've done in terms of setting out the vision and the values within the business.

DA: For a lot of business owners, that's got to be a frustrating thing to know, that the one thing they can't directly control is so important to their business, and it seems like there's this quality of a two way relationship, right? It's not just up to the business owner, and it's not just up to each employee. It's how the whole system works together, right?

Martyn: ​Yeah, but you can influence it. You can influence in a really positive way, that does then unlock that benefit that the culture brings. [00:32:00] You can do that by analyzing all of the decision making against the values and principles that you are setting out, and actually believe in.

Because people are smart, and as soon as you start making decisions, or tolerating behaviors that go against them, people will either see straight through you, in terms of this isn't actually the kind of values that you live and breathe by, because you're not making decisions by it. You can also positively influence it by going out and hiring the right people, and it's something we talked about earlier on, that if you understand the values that you want your business to be run by, you can go and recruit people who share those values, and are also passionate about upholding and developing them, and by doing that, you are creating an environment within which the culture that you believe is really important to your business to actually exist, and for it then to thrive.

DA: I've heard it said that there really are two company cultures at every company. There's the one that's the poster on the wall, or in the employee handbook, in those physical artifacts. What is is on paper, in other words. Then there's the actual culture.

Are there other things that help you create the actual culture you want?

Martyn: ​It really is about going through the process, and understanding the outcomes that you want within the business, and then from that understanding, what are the things you need within your business in terms of processes, environment, people, that actually support and reinforce what those are. There is no more important area than the area [00:34:00] of working with your clients, because all businesses are there to provide something to our clients. Without them, we don't exist. Yet the culture within the business is not always set up to do what's right for them.

This is a classic example of what the poster says, and what the reality is. You'll see businesses that say "Customer service is our #1 goal. It's our passion." That is effectively a line written on a piece of paper. What's not happening is that the client is not being put first in all of the thinking, where the right client outcomes are not being achieved by the individuals within the business. That isn't being looked at, and often in those environments, poor service to clients, and not delivering value to them is actually tolerated.

As soon as you begin to tolerate something like that, it then starts to become the culture. It becomes the accepted and expected way of doing things, whereas what you should be doing is understanding what those those outcomes you need for your clients to be, and then being absolutely passionate about achieving them. Making sure that everybody is supported in doing that, that where they're not being achieved, that you are going out and improving your processes, and the way you work with those clients, to make sure the right outcome's delivered at the time.

DA: To phrase this bluntly, what's in it for the junior employee, the mid level employee? Because it could sound like culture is all these things you need to not do, so what's in it for that employee?

Martyn: ​What's in it for the employee, is if you have the right culture, you have [00:36:00] an environment within the business that lets you go do interesting and innovative things. If the culture's not right, what happens is that your people are spending their time firefighting, clearing up after mistakes, spending time reworking, going back and doing things that should have been done right in the first place.

What that means that they're not doing, is they're not doing the innovation, they're not doing new and exciting things. That extends right from the top of the business right down to everyone within the company. I don't think that anybody is willing to accept that their job is a 9-5 thing that you do the same thing every day. I think everyone wants to have the opportunity to expand their horizons, to be inspired about new challenges, to go and achieve success. It's very easy to let them see that spending all their time clearing up a mess, reworking things, is not giving them that ability go and do those fun and interesting things, and it's a very easy sell.

DA: How does it look from the outside, though? If I'm looking for a new home, a new place to work, how do I assess the company culture from the outside before I've gotten in and become an employee?

Martyn: ​I think there are several ways that you can do that. One of the really important things, is for you as an individual to look for differences ... Is to look at what that gap is between what's written about the culture and the way the business wants to operate, and the way that it actually does.

It's really easy to find out the way the company believes it's operating. It's on its website, it's on its job adverts, it's on everything that it puts out. [00:38:00] It is in effect its brand, in its position within the marketplace.

If you are thinking about joining a company, you'll generally have the opportunity to engage with and to talk to people within the business. By asking them questions, whether it's an interview, or these days via social media, or any other communication mechanism, whether you're meeting someone at a conference, or something like that. Ask people straight up questions about the culture. Ask people about the things that the company says that it does and believes in, and people will tell you the truth. People will be up front and honest about that. And I think the greater the difference between what you're hearing back from people, and what you're seeing the company is saying, the more warning bells should be going in your head that the reality inside that business is not quite what it's portrayed to be.

DA: Would you encourage people to follow their gut if they're starting to hear conflicting signals back in a situation like that?

Martyn: ​Gut feeling is an interesting one. On the outside it can feel like a very intangible thing, and something that's hard to put your finger on what's actually driving it, but in reality what a gut feeling normally is, is you unconsciously picking up on those differences between what you're expecting, and what you're actually finding.

​What's really important, if you're having that gut feel, is to go through a process, try and drill down to what you believe the facts are that are actually causing you to have have this gut reaction, because what is normally causing it is that difference between expectation an reality. If you can make sure that gut feeling isn't from some inherent bias in the way that you as an individual can operate and interact in the world, then it can be a very useful tool for you to use. [00:40:00]

DA: That's great. As you look across the entire industry, what are the primary talent or hiring related challenges that you see?

Martyn: ​I think the greatest challenge that the industry is facing is advertising what we do to all of the smart people out there who know nothing about our industry, and the more I go out and talk to people in education and related, and even in non related industries, the more I see that the cybersecurity industry is doing a really bad job at saying what a great place this is to work, that it is an industry with challenge, reward, and the way that the industry is growing, a certain amount of security as well.

​I think the biggest challenge for us is going out and identifying the people with the talents and skills that we're going to need to solve the challenges that we're facing as an industry going forward. Most of the initiatives I see within the industry, center around the traditional areas of how do we go find people who can be pen testers, how do do we go find people who can do computer forensics, or data analysis.

DA: It almost sounds like you're dealing with a stereotype that outsiders have. For instance, I just pulled up the DEF CON website, and even the color scheme that's used sort of paints a picture of the type of person that's going to feel comfortable there, right? Is that what you're talking at, is sort of a perception from the outside of this is an industry that only accepts a very narrow type of person?

Martyn: ​Yes, and I think that's because many people in the industry think that that's the kind of person that needs to work within the industry. I think there's a huge gap in understanding [00:42:00] of the skills we do need within the industry, whether that's leadership skills, communication skills. There's a whole range of things that we need to do in order to go out there and actually engage with organizations that need the services that we as an industry deliver.

We need creativity, and clever thinking, and evolving the way that we deliver our services. In terms of new approaches to solving problems, in technology, and in the security aspects of that technology. You're not going to find people with those attributes if you go out looking for the same kind of people that you already have working within the industry. I think there is a big gap, still, between the kind of understanding of the skills and capabilities we need within this industry, and what I believe the actual reality is, in terms of the challenges we're facing.

DA: Interesting. From the perspective of someone who wants to build a strong consulting business, what do they need to be thinking about in terms of talent retention?

Martyn: ​This is a really interesting one, because anyone will tell you that going out and finding good people is tough, and if going out and finding good people is tough, there's a cost in doing that. Purely from that one angle of cost and time spent, keeping those smart people and that talent within your business is a really important thing to do, so talent retention is absolutely critical to building a strong business-

DA: You can think about it just from a profitability perspective, it sounds like?

Martyn: ​Just from that one angle, it's a very easy thing to get your head around. Then there's a whole [00:44:00] other range of more intangibles that you build into that in terms of the continuity, client relationships and projects. If you're retaining your talent, you can focus on hiring new people, new roles, and innovating, as opposed to having to backfill, and go back and effectively build backup capabilities that you already had.

Purely from that one perspective, its a real no brainer. But how you do that, in terms of retaining that talent, it's actually also reasonably straightforward as well. You've got to invest in your people. That means you've got to invest in their personal and professional development. To help them as individuals to grow, to help them be able to tackle new challenges, that they or your business might be facing.

​What you also need to, as well as looking at them as individuals, is to go make improvements within your own business. If you go focus on the outcomes that you're delivering to your clients, and if you improve the processes that deliver those outcomes, such that people's roles are easier, less repetitive, you then give them the ability to go do the clever, innovative stuff, as opposed to the business as usual and all of the firefighting that we've just talked about.

If you do that, you can give people challenges, and inspire them, give them a root in the grass, and then they don't need to look anywhere outside your business, and that in itself is one of the key ways of retaining that talent, because if you fail to do that, then what you'll find is that people will always be looking for the brightest and shiniest thing out there, and as soon one comes along that they like, [00:46:00] they'll be off, and then all that investment, time and effort, you put into that individual, into building capability within your company around that person, has just been lost.

Again, its a real no brainer in terms of the financial terms, and also the time and effort, to actually invest in these people, and to provide them with support, and challenge, and inspiration and all of the things that they really need.

DA: Interesting. There's an operations aspect of retaining talent, because you're not constantly rebuilding knowledge about how to operate the business, and there's a profitability benefit as well. Are there best practices that you would point people to, to get up to speed in this area, in terms of talent retention, are there things that should be learned, or core skills the business should acquire to get better at this?

Martyn: ​I think there are some really obvious areas, and areas that should be familiar to most people working in a business, around professional development within a business, and that's the appraisal process, the objective setting processes. The processes for providing support of those objectives. Reviewing people's roles. All of these are things that we should be familiar with within our businesses. The problem is that they often become a task to be completed, a box to be ticked, and I think where we should be making sure we're investing time is in those areas about talking to our employees, listening to what they have to say. Communicating within our business.

Because there are always opportunities to use our employees in new and innovative ways across different areas of our business, [00:48:00] and unless we're listening to them, understanding what they want to do, understand how they want to be developed, we can never put together the right processes, support mechanisms, to achieve all of that. I guess my advice in this area is to really look at the things that we all probably already do within our businesses, but go do them with the right outcomes in mind, which is how do we use them to actually retain the talent within our business.

In terms of improving the operations within the business to make people's roles easier, and more productive, and generally more fun, some of the things we've talked about culture, but also some of the books and reference material out there about continuous improvement within the business, whether it's something like a really famous example like The Toyota Way, which was one of the first real wide scale approaches to doing that kind of a thing in a business. Go look at those, go learn some of the key aspects of those things, and look at how you can apply some of the lessons from things like that within your own business.

DA: Wonderful. If I understand the history of MWR correctly, there's was a time when it was a bunch of hackers, and now this is very clearly a real business. Even if that's not true of MWR, I think that's true of a lot of consultants. They start out as some people getting a job done, and doing that very well, and then at some point they have to become a real business, and there's a kind of chasm between the two. What have you learned about navigating across that chasm, and more basically, is that really [00:50:00] an accurate picture of how it works?

Martyn: ​I'll answer that in a couple of different ways. Firstly, I'll talk a little about some of the chasms I believe we've crossed at MWR. I think that they might be slightly different, but I'll explain why. I also think that as the industry's changing and maturing, I think that chasm will be disappearing, and I'll talk through some reasons why I believe that's the case, and also some of the things that I think will happen at the industry matures, to actually help other businesses within the sector to not have to deal with that problem from the starting point.

I'll start with MWR. I think on one level, maybe that was the case, but we were never actually really at heart a pure bunch of hackers. There are certainly some businesses that start out where you have a bunch of people with great technical skills, who have been delivering services for their clients, who set out on their own course.

At MWR, we always had very strong skills commercially, and in effectively entrepreneurial skills in terms of starting a business from scratch. Going out, getting some funding, getting off and running, and starting to grow the business. That chasm as you described wasn't one that we had to cross per se, but we have had to do a lot of growing up as a business, and from a very small team to the company we are now, has had lots of challenges, but I think the one way that we've achieved the success that we have achieved, when you go back and look at the way that we've done it, is that again, these values and principles that are fundamental and core to the business, are the things that we've taken our time to maintain, to make [00:52:00] decisions that are in line with them, and that throughout the history of the company, you can see where, when we didn't make decisions that were aligned with them, that was when less favorable results were observed.

And when you go back and look at where we had the successes, you can trace that back to decisions that were made that were in line with these, so that would be my one overriding piece of advice in terms of if you're going to grow the business from a very small startup into a much bigger company, that that is the one thing you should really take time and effort to do.

DA: I am guessing that sometimes those decisions were not easy, to make them agree with the values.

Martyn: ​Absolutely. There are always really difficult decisions. There were decisions that we were maybe programmed to take, because we're taught that's the way you run a business. It takes guts sometimes to make decisions that stick to your values and principles, and the success you have relies on getting those right, having those foundations right, because if they're wrong, and then you start making decisions based on them, then you will be on a very slippery slope.

The other thing is that a lot of the decision making in a business doesn't just rely on getting people within your business to buy into what it is you're doing. There are always external stakeholders who have visibility over those decisions, whether that's the bank, whether that's investors, whether that's shareholders, when all of these people have their own opinions on what the decisions you should be making within the business are. And again, each one of those has their pre-programmed ideas about what the right decision to make in a particular scenario is, and so if I make it sound like it's [00:54:00] an easy process, you're absolutely right that it's not.

It does take a little bit of guts sometimes, to actually go with your values and your principles, and as I say sometimes you do make the wrong decisions, but I think if you keep applying the same sound logic over and over again, then you will have success.

DA: It sounds like if there's one theme that emerges from everything we've discussed thus far, it really is the importance of that clarity about your own company values, and what sort of outcomes you're trying to create from the client's perspective.

Martyn: ​That is in my mind the essence of what everything else springs from, and if you don't have that, or don't understand it, then it becomes very difficult to make decisions, and to keep the ship on a course that you want it to be on. It's very easy to be blown off by new ideas, and new initiatives, new thinking, and new ways of doing things, and to re-engineer things as soon as something goes wrong. Absolutely, those core values I think are absolutely key.

DA: Martyn, is there else you would want to add, as you think about these issues of culture, and talent, and hiring, and those sorts of things. What else would you want to add?

Martyn: ​I think the thing to add is really to look a bit further into the future, particularly in the cybersecurity industry, to see how it's changing, and see what some of the challenges are going to be in the future, and I think, reflecting back on your last question about a bunch of hackers turning something into a real business, the way we've seen things over the past couple of years, is that [00:56:00] cyber is this hot topic area. There's a huge amount of investment going into cybersecurity, and that's something that will I think certainly be maintained at the level it is now. That may even continue to grow. Who knows whether we're at the peak of this investment curve at the moment?

Whilst I'm sure there are some businesses who've received some money from investors without a real clear plan, we are increasingly seeing large sums of money being invested, and that doesn't happen without a solid understanding of what your business plan is, what your approach is, what part of the market that you're actually looking to go and capitalize on, and we will see a maturing of the market in that respect.

Anyone who's operating in the market now who isn't looking at that, and isn't looking at how they are responding, and reflecting on what they want their values to be, and how they want to grow their business within this marketplace, they really need to pay heed to this, and see how things are moving forward, and I think within that, there will also be some opportunities. I think what we'll see is the wave of businesses that have been growing, since the beginning of the industry, or certainly what is popularly seen as the beginning of the industry, those people will have been through the life cycle of their business, they'll have built it up, they'll have sold it, and they'll be moving on to their next challenge, and therefore we will have people with domain knowledge, cyber knowledge, but also business experience, being within the investment firms, being out there as mentors, offering advice and guidance, being able to set as executive and non-executive directors on businesses, and I think it's really important that people are looking to those sources of advice, and to benefit [00:58:00] from some of that experience.

I think that will stand you in good stead as the industry matures and continues to go the way it's going.

DA: Indeed. Martyn, this has been a fascinating conversation. I have all these questions I wish I had time to ask you, and I'm pretty sure listeners are going to be in a similar position. Where should they go to find out more about you, ask you questions directly, et cetera?

Martyn: ​There are a few places I can certainly recommend. Certainly, if you'd like to know more about the company, and what it is we're doing, you can follow us at all the usual places. Go look at our website, follow us on Twitter, LinkedIn, Facebook, and all these places. It's really easy to find us.

If you're really interested in this idea of developing talent, going out and identifying new people to bring into the industry, then we have created a hub for this, and you can find it on our HackFu hub website. The address is https://hackfu.mwrinfosecurity.com and over the coming months and years, you'll see this website really developing to contain a lot of the thoughts and guidance that we've been talking about today. Also other aspects of skills development and training within the cybersecurity industry.

What we've love is for people to actually contribute to that. Whether that's with their experiences, the things that have worked well for them, the challenges they see coming up in the industry. What I would say is please contact us. Use social media to communicate with us, and we'd love to have conversations with those people, and we'd love as part of that to build up this body of knowledge and these resources that are then available for everyone to take advantage of. [01:00:00]

DA: Great. Martyn, thank you so much for your insight on this subject, and thank you for your time talking to me today.

Martyn: ​Thank you.

Martyn Ruks, Group Technical Director

MWR InfoSecurity

Streamline InfoSec Project Delivery

Learn practical tips to reduce the overhead that drags down security assessment delivery with this 5-day course. These proven, innovative, and straightforward techniques will optimize all areas of your next engagement including:

  • Scoping
  • Scheduling
  • Project Planning
  • Delivery
  • Intra-team Collaboration
  • Reporting and much more...

Your email is kept private. We don't do the spam thing.