We spoke with Lawrence Munro, the Director for EMEA and APAC at Trustwave SpiderLabs.
Listen to this interview to learn how research and down time play a key role in consultant happiness at SpiderLabs.
Philip, of Dradis Academy (DA): Lawrence, who are you and what's your history in the InfoSec industry?
Lawrence: My name's Lawrence Munro. I'm a director for SpiderLabs. At Trustwave I cover the EMEA and APAC regions. I'm responsible for delivery of all penetration testing services within those regions. I define the strategy and look at all those kinds of surrounding points within the business. My background is quite technical. Previously, I've been a penetration tester and a security architect for various boutique firms and some larger organizations. My route into directing SpiderLabs was via KPMG, where I was responsible for heading up the commercial penetration testing and red teaming services. Essentially, I built the red teaming service from scratch there and started taking the business through CBEST and CREST STAR. I wrote most of the methodologies and worked on some quite technical points about building implant frameworks, etc., and just all that kind of strategy. Prior to that, I built a small boutique practice within a larger firm, a company called Nebulas, where I was responsible for building and growing the business there. Outside of that, I've been involved a lot with the hacking community and the InfoSec community. I'm a director for BSides London and I run the annual event with two other co-directors that I work with. That's a bit about me.
DA: Thank you. What's been your experience with hiring within the business?
Lawrence: Hiring is always a very difficult challenge within penetration testing in particular and InfoSec on the whole. Really, there's a lot of ... there's a skills deficit, really. The quality of graduates that you get out of universities these days is quite varied in standard and experience. Really, it's a big challenge; it's probably one of my top three priorities: acquiring and hiring new talent that comes into the market. You're all fighting with other organizations who do similar things to you all the time in terms of obtaining and retaining top talented people within the industry. It's very much a challenge.
DA: What are the qualities that you think are vital for someone who is going to be a top performer as an employee?
Lawrence: Really, it's a technical discipline. Most of InfoSec is technical. There are policy elements as well but, particularly in penetration testing or incident response and those kinds of disciplines, it is very technical. Raw technical ability is probably, I'd say, the primary requirement for those types of people. Having a broad knowledge of IT, as well, is also fundamental. A lot of people come into the industry and they think ... They turn up saying "teach me how to hack"; it doesn't work like that. They need to understand basics, core basics, of how infrastructure works and how web applications work and how enterprises differ from the [inaudible 00:04:56]. Those are two of the really key kinds of things.
DA: Interesting. What sort of patterns do you see among people who have acquired that sort of broad knowledge? How do they tend to get that?
Lawrence: Really, it's the right mindset, having the right mindset for penetration testing or for these kinds of technical disciplines. You need an inquiring mind. You probably need to be, well, you almost certainly need to be self-taught. A lot of the information that you get within the industry comes from other people, comes from working with people, comes from blogs, white papers, that kind of stuff. It is very rarely kind of handed to you on a plate. There are a few books and a few courses that you can do which will assist you in these types of things, but certainly it's something that you need to be self-taught and driven for, and also willing to share as well. You give and you get back; it's very community orientated, even within organizations. You get what you put in. I think tenacity, as well, is something that can never be underrated as a skill as a penetration tester. You often get situations where you just need to try harder and give more time to the problem and sit back and consider different things. It's just trying things over and over again because no one is an expert in every single area. It's constant learning that's required.
DA: What sort of qualities are more "nice to haves", things that just add to the core value of technical discipline and broad knowledge and so forth?
Lawrence: Some of the "nice to haves", I guess, good written English; I would maybe even say that was fairly vital to being a penetration tester. There's a big difference between hacking and penetration testing in that you're time limited and you have to convey your ideas in a common sense way. Good written English is very important. In addition to that, I'd say you'd probably need to be good at thinking outside the box, having a kind of different slant on things, and being able to solve problems in unique ways. Then, there are the management elements to it as well. Good time management, client management skills and good expectation setting with clients are always very useful if you're going to be in a kind of client-facing role in some aspects; you'll always have to explain certain things to developers or internal stakeholders. Then, translating technical ideas into risk and high level concepts, that's quite a difficult thing that some very technical people struggle with initially. How do you put this in a business context, how do you explain the risk of XYZ technical vulnerability as well?
DA: I'm trying to take the perspective here of a pentester who is hearing this list of qualities and maybe has identified two or three where they know that they fall short. What would you prescribe as a self-study program for improving along these important metrics?
Lawrence: I think a lot of people focus on their technical skills, so I would look at your soft skills and think about how those can complement your technical abilities. Really, there are a lot of things that you can do to work on those kinds of skills. Some organizations, a lot of large organizations sometimes, have internal courses. For example, the big four, they have tons and tons of courses that you can go on for your soft skills and client management skills. I think thinking about your priorities as well and organizing yourself, so looking at time management, that's very important. Lots of times you have overlap between jobs and you have to do multiple things at once and very, very quickly. Managing your time is something that kind of comes with experience.
In terms of technical, you know, getting to the next level, I'd say attending conferences, attending events like, for example, DEF CON, which has different chapters around the world that hold meet ups. For example, in London, we have DC4420 that meets up once a month on a Tuesday. Attending those kinds of things and reading blogs and taking responsibility for your own learning as much as the organization that you work within as well. A lot of independent ... Seek the knowledge and think of yourself as a brand and build your own capabilities in that way.
DA: Interesting. In terms of making those capabilities known, should you have a website? Should you just rely on your CV or your resume? How do you recommend people do that?
Lawrence: I think, definitely, self-promotion is definitely a way to boost your own personal coverage within the community. Becoming well known is very, very important. Big names always attract big salaries and big roles within companies. Certainly, a blog is a great way to promote what you know and even rationalize your own ideas. Sometimes it really helps you organize your thoughts around different subject areas and get some really good ideas. Then, other people will learn from it and word will spread. That, coupled with submitting to CFPs for conferences and speaking at conferences, those kinds of places are really good for spreading your own ideas. Also, writing your own code and producing things and sharing them with people as well. I'd say a lot of it is community orientated. Definitely being active in that community boosts your own personal visibility within the market as well.
DA: Back to the perspective of the firm or the company, what sort of qualities make for a really high performing team?
Lawrence: Really, I guess it's a good coverage of skill sets in different areas. What clients want is they don't want to go to twelve providers or create an RFP for every single requirement that they have. Having good coverage of skill sets and being able to say yes to your clients is a big strength. Any kind of niche skills that you can have, or capabilities, those are great. You get [inaudible 00:11:42] jobs, embedded systems; IoT is a very kind of buzzy area at the moment. Having the ability to test those different kinds of areas is very important. Typically, most people are classified as network or infrastructure penetration testing and web app testing, and that will be the core of what they do. Having these additional skills is definitely what's attractive for clients and makes for interesting work for the people who work within those companies as well.
DA: Interesting. In terms of ... Again, from the company perspective, what role does company culture play in serving clients and retaining talent?
Lawrence: I think the role that company culture plays is huge. Definitely defining your internal culture and growing that and, certainly, alluding to it in a mission statement and delivering on your core values is a really important thing for penetration testers and for anyone in that kind of technical market. I think getting buy-in, as well, to your vision and the direction that you're going in, and it not being too corporate focused, at least in what's passed down to teams, is quite important. I think you need to look at how knowledge sharing is done. Look at how people view the company internally and the benefits that you give them in their role, whether you're very flexible around working conditions or times that they can work, flexible time, flexible location. A lot of testers a lot of the time like to work from home and enjoy that flexibility. I think that all adds to the internal culture, but I would say culture is definitely at the top of my list towards creating that kind of environment in which people want to work. It's a tester's market, there's a skills deficit overall, really good people are quite hard to find, so you want to retain them. You do that by creating a good culture.
DA: Have you ever seen any sort of contradiction between serving the client and serving the employees? Does that ever happen or is that not a problem?
Lawrence: There are always issues between serving the client, what the client wants, what we can do, and what people think is fair internally, as well. I think that a lot of penetration testers in particular are predisposed to be anti-capitalist or anti-authoritarian in their approach. It's difficult to manage that agenda alongside a corporate agenda and making money. It's obvious that clients are the most important things to businesses; they provide the cash and make it churn. I think, often, that you get scenarios whereby clients don't necessarily ask for things that make sense in the context of what a tester is going to be doing and they find it difficult to understand. Sometimes you need to reconcile the expectations of what a client wants and what a tester is willing to do or thinks they should do. You sometimes get instances where clients are resistant to changing things or they don't understand the full implications of these kinds of things, so it's just aligning those kinds of expectations between the delivery teams and the clients as well. It's always a challenge.
DA: Have you found any tools that help with that or ways of doing things that help? I'm assuming the solution is not just to have more meetings.
Lawrence: Yeah, definitely not more meetings. I guess it comes back to culture, really. The more senior guys normally understand how it works, but the junior and mid-level guys maybe haven't had as much interaction with clients to get that kind of understanding. Again, it's setting the cultural tone that ... You give them certain freedoms around what they want to do and how they can act and what kind of freedoms they can have within the business to learn and do their own thing and be creative. There's also the flip side, reminding people that it is a business, it is there to generate money, and that is the core of running a business, and they wouldn't have those kinds of jobs if people didn't pay for it. You need to reset those kinds of expectations and remind people that it is a business and that we have business goals. Definitely, getting that kind of buy-in from people and that understanding in a certain way is very important.
DA: Sure, right. It sounds like remembering that part of the work of running the company is communicating the larger picture. The context that we do have to make money to continue doing this to create this environment where we have these perks of time to invest in our own learning, that sort of thing.
Lawrence: Exactly. Exactly, yes. A lot of times people, penetration testers, you want to do the most challenging stuff all the time. You want to do the most interesting jobs, you want to spend a lot of time researching and learning and things like that. It's not like a lot of other industries. I have friends who work in finance, for example, and they laugh at me when I tell them that all the guys want to do is go to conferences and learn more. From their perspective, those are normally the things that people hate doing. They don't want to go to a three day conference. They have more exams to pass or whatever. It kind of flips it on its head. Having an appreciation of what they want and what people want to do to move forward, they're kind of very intellectually enlightened in that respect, to be complimentary to pentesters on the whole. It's definitely reminding in a kind of positive way that this pays the bills and sometimes you don't always do the most exciting job. They don't always get what you're saying and stuff like that, so it's a balancing act, really.
DA: Yeah, I think about it from the perspective of a freelancer who might have a little more agency over how they spend their time, but they would have to be bringing in clients and sending out invoices and all sorts of things that you would not be doing as an employee.
Lawrence: Exactly, there's a lot of admin overhead for that kind of freedom.
DA: Yeah. What are the primary talent or hiring related challenges that you see across the industry? What are many companies struggling with when it comes to attracting and retaining talent?
Lawrence: It goes back really to there being an overall lack of people to meet the demand. I think it's slightly improving but really the hardest thing that I find is finding the right people. I've spent a lot of time in all of my roles reviewing the way in which we find talent, the way that we source them. Do we get them by ... Time after time you normally find that internal referral is one of the best ways to do it. Attending conferences and speaking to people one on one who are doing the talks and engaging with them and trying to attract them that way is very useful. A lot of people feel a bit jaded by recruiters in the industry as some of them don't play by the rules and a lot of people get burned in pentesting. It can be a bit of a revolving door. Some people work somewhere six months, they get offered ten, twenty, thirty K more to move down the street to the next firm, and it can be a bit of a revolving door.
Certainly, finding the right kind of guys who have those skills, it's easy to talk a good game sometimes if you've been around the block a few times, but you need to get people showing you and demonstrating technical excellence in practical ways. A lot of organizations have capture the flag competitions that they like to run when they are interviewing, or a box where they want people to demonstrate their skills. Finding those good guys is very, very difficult, and then you're competing with everyone else to hire them in the market. Word gets out very quickly; it's a very small, incestuous industry where everyone knows everyone and people tend to know when people come on the market, so you're competing against other firms to attract them. Money is not always the biggest factor but it certainly plays a part and prices certain people out. That's one of the big challenges, I guess.
DA: Have you seen companies successfully use their culture as a hiring incentive?
Lawrence: Definitely. It's one of the things that I use regularly as a tool. We're very flexible at SpiderLabs in terms of working location. We have a very elite culture, we have a lot of very good guys, some of the best guys in the industry, and people want to work with them. It's definitely an approach, one of the strongest approaches you can take with getting people onboard over and above money. The other things that people like are training, training budgets, explicit training budgets, so they know in advance what they're going to be doing, whether they get a budget on an annual basis, whether they get internal training. I'd say culture remains something that's very important to attracting people onboard, and the PR buzz around an organization helps as well. If you do a lot for the community, for example, SpiderLabs puts out a lot of research. We also run ModSecurity, which is a very well known WAF, a product that's out there that's completely run ... We develop it for free for the community. Those kinds of things make people interested; it's certainly something that's high up the list of what people want, I believe.
DA: Interesting. Are there maybe one or two other best practices that you've seen across multiple companies, in terms of cutting through the competition and winning that hiring game?
Lawrence: Money is certainly a lever that people like to pull. There are certain organizations within the industry who do outbid and I've certainly seen some crazy offers, I have to say, for people. They do it literally to get people onboard. Other people are more aggressive; some of the larger firms, certainly in the UK, try to starve the market by exponential growth spurts every now and again to take people out of the market and drown out competition. Offering recruiters bonuses to recruit people out of specific organizations where they get paid more, I've seen those kinds of elements. It is very competitive and people try lots of different tacks.
I think, overall, if you want to retain people, the culture is ultimately the element that is the key thing. Money obviously helps, but if everyone is kind of paying market rates, the cultural fit is definitely a big draw for people.
DA: How else can companies retain talent, especially in such a competitive market? Culture, perhaps, is the number one. What are maybe the number two or number three things that a company could be thinking about to retain talent longer term?
Lawrence: One of the key things, I guess, with penetration testers is an emphasis on delivery. Research time is something that comes up over and over again. People want individual time, not just for research projects for creating new ideas or writing white papers and doing conference talks, although that is normally one of the main drivers, but also for their own learning. Obviously, part of the job is being very technically sharp and knowing what's going on, and understanding when new vulnerabilities come out or new techniques come out that they need to know them quite quickly and practice them and stuff like that. I'd say that research time and down time for people is very attractive, probably one of the secondary things that people look for.
I guess money and benefits package, the overall package that people get, is probably ... it varies between people. I think that the more senior guys, who have kind of been around the block, they know that money isn't the be all and end all, but it's still a driver; you still have to pay the bills. It's a very lucrative job and lots of companies offer bonus packages and things like that, or delivery bonuses. Certainly, money is definitely always in the top three.
DA: Sure. It seems like every InfoSec firm has to make a transition from being a bunch of hackers to being a real business at some point in their growth. Is this an accurate picture of what that challenge is like?
Lawrence: I'm not sure it is anymore. I think there's ... Penetration testing and InfoSec, in general, has kind of been around for quite a long time now. I think that clients have bought into the fact that these guys are ethical hackers. Ethical hackers and penetration testing is different from a guy with a hoodie that you see on the news or any of those kinds of hacking groups that cause problems for large corporates and governments, etc. I'm not sure that that's still a challenge now.
I guess for smaller businesses, I think formalization of processes and turning it into a business is quite a difficult challenge. I think for the smaller guys it depends how you start out. A lot of them are already quite senior consultants at bigger firms. They've been around a few companies and they decide to open up on their own. I think the big challenge for them is not necessarily the turning from a bunch of hackers into a real business. I think it's turning them from a bunch of guys who used to have other people who did all this business admin stuff and the realization that a lot more of their time is now spent doing admin and things like that. Changing into a leadership role or a business owner role, I think those are the real challenges that they face. Becoming confident with the reality that, if things go well, they may not be doing delivery. They may not be hacking anymore. Just through necessity and the way that the business is being driven. I think that that's definitely one of the challenges.
DA: Right. Can I ask a little more about that? I know that when a software developer becomes a team lead or technical lead or a manager, the biggest struggle is to stop coding and focus on managing people, which is what their job role now is. Is it similar in the context we're discussing now? It's just hard to give up having your hands in the day to day or is it more about acquiring management skills?
Lawrence: I think it's both, really. One of the biggest problems I see in the industry is the promotion of the best technical people into the management roles, which obviously isn't ... the best manager is not necessarily the best technical resource. It seems to be something that still persists. In pentesting, even at the level that I'm at now as a director, if you don't have that kind of technical understanding and background, it's very difficult to get the respect of people, or to guide the business in the right direction when you don't understand all these technical elements that they're doing. They kind of ... depend on what it is that we do and what it is that we sell. That's certainly one of the challenges; I think it's definitely something that's an issue for people.
For myself, about five years ago now, I cut the cord in terms of technical testing. I think it's more difficult for pentesters than developers, I guess, because hackers like to fiddle. They always like to do these kinds of things and if you take that away, there's something that's not being fulfilled there for them. You often get people in the industry who go back, who take on management roles, then they realize it's not for them and they move back into more of a principal consultant type role where they're responsible for a small team, maybe, or something, but they don't have much admin. They define methodologies and technical things and they still test or they still do research. I think it is very difficult to let go and I think people don't realize, in advance of doing it, how much they'll miss it and how much of a difference it is in your day to day. How many niggles and client problems and those kinds of things that you will take on, and you really won't have time or the inclination to do these things in your evenings because you'll be filling that with admin.
DA: Right, right. Is there a way that a company can evaluate whether someone they're considering promoting has that temperament to let go and become more of a manager? Do they just have to try it and see how it works out?
Lawrence: I don't think there's anything formal that you can do, really. I guess you can look at previous performance; a lot of people find the route into management, similar to myself, through management consultancy. Where, in a lot of organizations, a lot of larger organizations in particular, you have a hierarchy anyway. People will be managing small teams or they'll be responsible for one client or multiple clients or things like that. I guess that's kind of a transitional role; you'd normally expect anywhere between twenty to fifty percent delivery still in terms of actually doing the testing and the work for those kinds of people. I guess that transitional role is one that helps and people can kind of get a flavor for it.
The big difference comes when they make the move completely and stop those technical elements. I guess there's not much that prepares you for that because it's definitely a lifestyle change and a change in what you're doing going forward.
DA: Sure, sure. From the perspective either of someone who is in a director role in a business or in the trenches as a pentester, is there anything else you'd like to add? Any other insight you've had that you'd like to share?
Lawrence: I guess, for a lot of people in other areas of IT who want to break into penetration testing, I would definitely give them the kind of message to teach yourself and get out there and do things yourself and learn and read articles and attend conferences and get involved. The community is huge and people are very willing to share, so even if you're quite new or you're trying to break in, just reach out to people and you'll find they're quite friendly and a lot of people are willing to share. I guess that's one of my key thoughts.
I guess, as well, with guys, you know, the one man bands and the consultancies or people looking to transition into business, the business side of pentesting, I think you can gain a lot through living vicariously through what your team does and the exploits of your team. I think you'll enjoy that a lot more than you think. It's definitely a great opportunity to move into the business side of things. It's not necessarily ... You don't have to cut all ties. I'm studying at the moment and doing technical stuff in my spare time because I still enjoy it, even though the main part of my job takes up fifteen hours a day or whatever. I think it can be done and you can satisfy those curiosities. There are a lot of benefits from appreciating things that people in your team achieve and enjoying those kinds of wins.
DA: For someone who is in IT but not in the security end of things, are there one or two conferences you would recommend as a starting point?
Lawrence: Certainly. I guess that the big one is probably DEF CON, if you wanted to go, which is in Las Vegas, normally the last week of July or first week of August. It's a great conference, it's in Las Vegas, it's a bit difficult to get to if you're not in the US and a bit more expensive. That's certainly the largest event and biggest collection of talks in the world.
Black Hat is also very good but it's cost prohibitive if you're a one man band or if you're self-funding. That's quite difficult; it's in the thousands, the ticket, thousands of dollars. The ticket price I think is about three or four thousand dollars or something, just for the entry, plus travel expenses on top.
Within the UK market and within Europe on the whole, CONFidence in Warsaw, sorry, in Krakow in Poland is very good. BruCON, which is just outside Brussels in Belgium, obviously, and 44Con in the UK, and obviously BSides London, which is a free community event. In fact, BSides has chapters all over the world, so you can check those out just by Googling BSides Security. There are lots of different things that you can kind of get involved with.
DA: Lawrence, thank you so much for your insight and your time. How can listeners find out more about you?
Lawrence: Essentially, you can go to the company blog, which is trustwave.com/company/spiderlabs. That tells you a lot more about the organization and what we do. Personally, I have a blog amusingly entitled PenTesticles.com where I blog about all kinds of different things, from organizational stuff to some technical stuff, which I blog with an ex-colleague of mine, Ben Dewar-Powell. Then, there's the SpiderLabs blog as well, which has a lot of technical content that I sometimes contribute to, too.
DA: Thank you so much, Lawrence.
Lawrence: That's my pleasure, thank you.