The New CISO Podcast Episode 64: Management Training: Learning How To Manage Managers
Podcast Transcript | Air Date February 1, 2022
Listen to the Podcast | Read the Blog Post
Jeremy Sneeden (00:14):
Sounds good.
Jeremy Sneeden (00:29):
So my name’s Jeremy Sneeden. I am the director of security operations and engineering for Allina Health in Minneapolis. Allina Health is 12 hospital, 2,400 bed, plus a hundred plus clinics, pharmacies, and other things healthcare provider.
Jeremy Sneeden (00:51):
Absolutely. We have all kinds of things that we’re trying to deal with.
Jeremy Sneeden (00:55):
(silence)
Jeremy Sneeden (02:21):
Yeah. So all of the technical security folks at Allina report up through me. And so that includes threat and vulnerability, identity engineering, identity administration, security and access operations, medical device security. And I also have IT asset management, which is a newer thing for me. The pieces that I don’t have are really GRC and risk assessment. Those do not report up through me.
Speaker 2 (03:11):
[inaudible 00:03:11]
Jeremy Sneeden (03:11):
Yeah. I really grew up as a network administrator. And then as my career advanced, security became a thing somewhere as I was working as a network administrator and I thought it was interesting. So I moved into security.
Jeremy Sneeden (03:28):
I still view myself as a security engineer. I’ve been doing that for quite a while now. But I almost fell into management accidentally. Our manager left the organization and I picked up a few of her duties because I was the most senior security engineer. And at the same time we hired a new CISO. And one day he came to me and said, “Hey, you’re the manager now.” So I kind of backed my way into it. And I think it was somewhat reluctant, but it’s been really good for me. I’ve learned a ton of new skills, but I’ve also had to learn that management is not engineering. It’s a very different skillset. And as you mentioned in the beginning, part of my growth is trying to present better and trying to get out and in the community a little bit more as a manager director. So that’s why I’m here.
Jeremy Sneeden (04:28):
(silence)
Jeremy Sneeden (06:18):
It was just a normal day. I don’t remember the exact time of day. At first I told him he was being silly. And then he said, “No, I’m serious. I think you should take this role.” And then I was just terrified, to be honest. It’s scary. I never viewed myself as a manager. I had no idea what to do. And at least at Allina, we don’t provide a ton of manager training. We had a four hour course, and then they gave me a book called Being the Boss. And that was the extent of my manager training.
Jeremy Sneeden (06:54):
(silence)
Jeremy Sneeden (07:33):
Yeah, the training and the book, honestly, weren’t that great. And I think that’s a common problem. We don’t train our managers very well. We take our best technical people, and I’ve been guilty of this myself since I’ve moved to the director role. Take our best technical people, we move them into manager roles. We give them some kind of overviews, but we don’t get real specific with the things they should be doing.
Jeremy Sneeden (08:01):
And the training I got didn’t feel real great. Didn’t feel like what I had been doing that was making me successful. And so I started going out and trying to figure out what makes a manager successful. And I landed on a couple of people that resonate with me. Simon Sinek is one of them. I think his message of taking care of your people is how I got the manager role. I was doing things because no one else was doing them and they were helping the team out. I was also already that mentor figure. That’s what put me in the role in the first place. So I think finding a philosophy like that that matches your style and then embracing it and learning more about it is much better than the four hour course and Being the Boss book.
Jeremy Sneeden (08:52):
(silence)
Jeremy Sneeden (10:42):
Absolutely. Especially with the types of people that gravitate to being security engineers, kind of the older school dictating management style. It just doesn’t work. And if you really just take care of them, these people want to work on interesting problems and they want to work in security. They’ve made these choices, and generally they’re very bright people. If you can just get them in a situation where they’re working on something that they want to work on and keep everything else out of their way, you get really good results. Or at least I’ve gotten really good results with that type of philosophy. And my job has really become more of just getting things out of their way more than it is doing anything. They come to me and say, “Hey, I want to do X, Y, Z. Here’s why we need to do it before we have this problem.” And I just say, “Okay, what do you need?” And we go from there. And that, for me, works much better than me trying to dictate that, “Hey, we need to do these 12 things.”
Jeremy Sneeden (11:50):
(silence)
Jeremy Sneeden (13:15):
It can be a lot of things, but the primary ones at Allina are getting the tools that we want to work on and that can actually do the job. Part of that, just the acquisition process, getting the tools.
Jeremy Sneeden (13:32):
The second thing is eliminating the things that don’t bring value to that particular person. Daily huddles, for example. Some people hate them and they’re huge dissatisfiers. Other people like them. Trying to balance what each individual needs. So this question really varies from individual to individual, in my perspective.
Jeremy Sneeden (14:05):
Some people just can’t answer emails and don’t want to go to the daily huddles. And they just want to be heads down and do their work and they’ll report in when they’re done at the end of the week. Other people need that human interaction and especially with us being fully remote, they need a little bit more of the daily touch points and the manager talking to them and keeping them updated and checking off the tasks. So I think it really varies by individual. The one that’s consistent across the board is getting them the right tools to do their job.
Jeremy Sneeden (14:38):
(silence)
Jeremy Sneeden (15:48):
Yeah. Starting from very limited knowledge, because as the engineer, you’re right. You ask for something, you wait around for a few months and it either shows up or doesn’t. You don’t see any of the background. Learning how to get the things that you want in an organization, it’s a tricky skill. What I’ve found is that we do two things that are pretty effective. One is we talk in dollars and cents pretty much all the time. We don’t say, “Hey, this is high risk. This is low risk,” very often. We say, “Hey, this is high risk. If we have this event, here’s what it’s going to cost. Here’s what the mitigation costs.” That makes those decisions quite easy. In many cases, if the potential loss event is huge, the likelihood is fairly good and the mitigation cheap, we just do those things.
Jeremy Sneeden (16:42):
The second thing that we’ve done that I think is very, very effective, is partnering with our infrastructure groups. We typically want the same things. They don’t want to support ancient servers. They want to patch things and keep them up to date and keep them uniform. They don’t want random vendors putting stuff on our network because it creates headaches later. A lot of the things that we want, they want. And so we go together. We go together to get money. I need storage for logs. They need storage for file shares. We go get that together. So that partnership has been really, really important for us to get the parts and pieces we need.
Speaker 2 (17:50):
[inaudible 00:17:50].
Jeremy Sneeden (17:50):
Yeah. I have a really good CISO, and that’s really the answer. We started talking about here’s the things that we need, how do we get them? And he started asking me these questions. Well, how much do they cost? How much does it cost ongoing? How much risk are we actually mitigating? And can you quantify that risk?
Jeremy Sneeden (18:08):
And in the beginning, the answer to, “Can you quantify that risk,” was actually no, a lot of times. So we had to do quite a bit of work to get to where we could quantify some of our risks and understand the actual impacts to the business. It really meant getting a lot closer to our business, and that’s part of my development and my growth. As a security engineer, I didn’t really care much about the business. I knew I couldn’t make the doctors mad by blocking all their email or anything like that. But outside of that, the business didn’t matter to me that much.
Jeremy Sneeden (18:48):
Now that I’m a position. I am, we must support the business with everything that we do, whether the security engineers understand it or not, it has to make business sense. And most businesses run on dollars and cents. We’re a nonprofit. We provide a service to the community, but at the end of the day, if we don’t at least break even, we can’t provide that service anymore. So, we also operate on dollars and cents. So after realizing that, and I’m kind of summing up a year’s worth of struggle in a few minutes here. After learning all that, it became pretty clear. I need to be able to talk, I need to be able to talk finance and I need to be able to talk dollars and cents to get the things that I want.
Jeremy Sneeden (19:35):
(silence)
Jeremy Sneeden (20:39):
It’s kind of the old security story, know your assets, but with a little bit of a different twist on it. So we had to not just know our assets, we had to know how much or how important they are in a dollars and cents case.
Jeremy Sneeden (20:58):
So we have a medical record system. If that’s down, for example, we get hit by ransomware and it goes down. What does that cost the business? And some of those things are actually quite easy to figure out. Some of them are not.
Jeremy Sneeden (21:54):
Yeah, absolutely. And these things are never perfect. All of our dollars and cents are still estimates. We’re not down to the thousands of dollars even. But we get a general idea of the scope of our immediate threats and in dollars and cents way. And then what the mitigations would cost. And you’re right. And in healthcare, especially, everything is interconnected. Our EMR controls a lot, but it relies on 12 other systems to function properly. So it does take quite a bit unwind that.
Jeremy Sneeden (22:50):
Yeah. So when I was the manager, I had threatened vulnerability management and all of the security, the really highly technical threat people. When I moved to the director, I acquired IM medical device security, and I also about three or four months into that I also got IT asset management.
Jeremy Sneeden (23:11):
(silence)
Jeremy Sneeden (23:11):
Absolutely.
Speaker 2 (24:14):
[inaudible 00:24:14].
Jeremy Sneeden (24:14):
That’s putting it mildly.
Speaker 2 (24:26):
[inaudible 00:24:26]
Jeremy Sneeden (24:57):
Sure. So when I took over, the previous manager had been reassigned and the group really wasn’t, they didn’t have a coherent, anything, really. We have been trying to implement sale point. We’ve been trying to do some automation. We’ve been trying to reduce the staffing for several years. And we just hadn’t made the kind of progress that our CISO wanted to make.
Jeremy Sneeden (25:27):
So not only was I changing positions and taking over a new group that I didn’t know much about, it wasn’t the high performing group that I was coming from. So it was terrifying, just to be completely honest. I also didn’t have this strong technical background here. I didn’t know how to go into IQ and build roles. Where on the threat side I could do basically anything that my security engineers were doing.
Jeremy Sneeden (26:02):
So to start with, I sat down and I talked to every single person in the group, and I just asked them, “All right, here’s what your job is today. What’s wrong with it? What do you like about it? How do we improve this? And what are the easiest things that you see that you shouldn’t be doing every day?” And I stole some ideas from other people who know much better than me.
Jeremy Sneeden (26:34):
One of the ideas is called a focus funnel, and the very first thing is, should we even be doing this? And so I met with literally every person, we talked about literally every task. And we said, “Hey, should we be doing this? Is this the right thing?” If it is the right thing, is it a candidate for automation? And if it isn’t a candidate for automation, how do we do it more efficiently?” And that’s a long process that took six-ish months to start doing that work and figuring those things out.
Jeremy Sneeden (27:13):
Once I got there, we built a roadmap. I had a couple of leads in that people managers in that area. And together with the two of them, we built a little roadmap that said, “Hey, here’s the things we’re automating. Here’s the way we’re doing it. And here’s why.” And we went and got the dollars and cents. It costs us X million dollars to manually provision people. It costs us this much money for people to have to log in over and over and again during the day. And then we took those numbers and kind of went back to what we were saying. It turned into dollars and cents. If we spend a couple hundred thousand, we can save 2 million in waste.
Speaker 2 (28:05):
[inaudible 00:28:05]
Jeremy Sneeden (28:46):
Yeah, people can’t do it. It really is that simple. The more people you have involved, the more issues you’re going to have. And that’s kind of the philosophy we adopted. Now, in the last couple of years, we’ve been able to reduce this manual provisioning by about 60%. But 40% is still a ton of manual things that are happening in our environment. And so we still have a bunch of these issues.
Jeremy Sneeden (29:16):
IM’s also really interesting. In the TVM world, you just never hear from anyone. Unless there’s an active incident, you rarely hear from anyone. In the IM world, I started just being bombarded by just random things that weren’t going right, mostly because we had humans doing the work and people make mistakes when they do the same thing 10,000 times.
Jeremy Sneeden (29:45):
But there’s much more customer interaction, I guess, on the IM side. And that was something I didn’t even imagine. I started pretty much from day one, taking customer complaints and they’ve reduced, but boy, we haven’t eliminated them yet.
Jeremy Sneeden (30:03):
The other thing is the dollar amounts in IM, at least for us, were much larger than some of the TVM things. So it was really easy to get distracted by the waste we’re reducing and those types of things and not pay as much attention to TVM. But the big breach is always going to be more than any waste we’re eliminating. So I had to reconfigure that in my brain after the first six months or so.
Jeremy Sneeden (30:53):
Yeah. We didn’t have a great unit of measure, to be honest. This was mostly conversations with the staff, and we say things like when a new user comes, they get put into the HR system and then we figure out what their ID should be and give it back to HR. Should we be doing that? Or are we just adding one to the number? Can we write a script that does it? Can we figure out some way to automatically assign those? Those were the types of questions I didn’t have good metrics around. Hey, if it’s this much effort, we shouldn’t be doing it or we should be automating it. We did try to estimate effort once we got to the end of the process so that we could get the biggest, quickest things done first.
Speaker 2 (31:58):
[inaudible 00:31:58]
Jeremy Sneeden (32:56):
The final piece of the … Well, so, a little bit about automation. We had a bunch processes that we literally couldn’t automate because we just said, “Hey, what access do you want,” and let people type into a field. So automation does take some preparation. And that was really the focus of the question. Is this process to a point where it can be automated?
Jeremy Sneeden (33:20):
The final part of the focus funnel was to actually focus on the work and do the work. Our IM teams were really easily distracted and spent a lot of time chasing fires. And X, Y, Z doctor has the wrong access and can’t get in. We have a strike and we have a bunch of contingent nurses that need to come in and it has to happen right now. Those types of things, they spent most of their time chasing fires and not doing their work. And so we needed to reconfigure the team a little bit, get the fires under control, and then have some people that were just dedicated on doing the day to day work so that we had less fires.
Speaker 2 (34:05):
[inaudible 00:32:18]
Jeremy Sneeden (35:53):
Yeah, and it always moves slower than I think it should, too. Because it does, it involves the entire organization. So anytime we change anything on the IM side, it really does involve the entire organization. If we change how we do MFA, for example, we have to communicate and do the organizational change management. If we’re changing how people request access or even if we’re making it simpler, in many cases, we still need to do some organizational change management, because people have been doing it the same way for 10 years. And we had to fight a lot of that.
Jeremy Sneeden (36:31):
Your other point about having a team that does automation is something I learned the hard way. The people that are doing the stamping out, the putting someone in an [AD 00:36:44] group over and over and over again, aren’t necessarily the people that can automate that work. Even though they understand it can be automated and might even understand the steps to get it automated, they don’t necessarily have the scripting skills or the IQ skills or whatever skills are needed to make that happen.
Speaker 2 (37:02):
[inaudible 00:35:22]
Jeremy Sneeden (38:06):
If you’re going to be a great manager or director or whatever, and your people need to respect and almost love you. And I know that sounds like strong language. But the only way that happens is if you pay attention, you genuinely care, and you take care of them when they need it. And a lot of this comes from other people. But if you do those things, your people will do almost anything for you. And I think that is something that you don’t understand about your current manager, maybe, the amount of things that they’re doing to take care of you that you just never see. The angry customers, the complaints from other managers, all the stuff that you just never see. And then some of the things you do see are much harder than you may think they are. A promotion that employee earned sometimes takes an off lot of politics to get pushed through all of the hoops that it needs to go through.
Speaker 2 (39:19):
[inaudible 00:37:10]
Jeremy Sneeden (41:22):
I think it’s uncomfortable somewhat from lack of experience and somewhat because it goes against my personality to be out and seeking other people’s feedback and interacting with people outside of my immediate sphere. As a CISO though, I see my boss do this all the time. He does this on a consistent basis where he’s outside of his immediate sphere. He’s either evangelizing for security, he’s learning new things, he’s interacting with his peers so that we can work together to have better security posture.
Jeremy Sneeden (42:03):
And for me, it does not come naturally. This is very difficult and it’s something that I need to work on and get more experience at. I’m a big believer in practice. To get better at something you just practice. And so when we first talked about this, I said, “Hey, this is part of my growth and development plan to do things like this.” I’ve done a couple of other similar things this year, and I’ll continue to do them. I also to get in front of my organization more. I’m more than willing to let my CISO go out and do the evangelizing. I need to do that a little bit more just to get more comfortable with it.
Speaker 2 (42:46):
[inaudible 00:40:43]
Jeremy Sneeden (44:41):
Yeah. It does underscore the importance of having a strong mentor though. Without my currency, so I’d probably still be a senior security engineer and I’d probably be relatively content, but I would not have the skills that I have now. And those are very different skills. And I enjoy my position. I like what I’m doing now. I like the ability to take care of people. And I think we’re making good progress for the organization. And it’s nice to see something grow that you had a little bit more control over versus just doing the task.
Speaker 2 (45:26):
[inaudible 00:45:26]
Jeremy Sneeden (46:05):
Yeah, that’s definitely been one of the hardest parts for me, especially on the threat and vulnerability side. And especially during a crisis. When we have an incident we’re investigating, we have something that’s very important to the organization going on and that team is working on it.
Jeremy Sneeden (46:21):
The reason I originally got promoted was because I was good at doing those things. And so when I feel like I’m very good at doing those things, it’s very hard for me to stay away from them because I feel like I can help. Unfortunately, and it took me a little while to realize this, unfortunately, the director jumping in and helping, even though I don’t see myself that way, the director jumping in and helping when you have a manager and you have senior security engineers and you have the whole team still. The director jumping in and helping can actually undermine the manager and the team in general. It kind of signals that you don’t trust them to do it well.
Jeremy Sneeden (47:08):
And for me, that was not the intention, but that was the impact. And I really, it took me a couple of these incidents and it took my manager coming to me and saying, “Hey, you can’t do that. You’ve got to let me run the team.”
Jeremy Sneeden (47:28):
The other side of that is sometimes when I say, “Hey, please do this for this particular incident.” I mean, X and I get Y, and it’s very uncomfortable because sometimes we waste time. But that’s something I’ve had to learn to live with. And that has been very difficult. Being a level removed, you get a different type of information. And that information doesn’t always make me comfortable. I’d rather know the exact packet when something’s happening. Instead, “Hey, this is what happened. We blocked it. We’re not actually worried about it.” And I’m like, “Well, can I see the packet?” And the answer really should be no. Now, my current manager will humor me most of the time, show me the actual packets. But that’s something I’ve struggled with and I’m still working on, to be honest.
Speaker 2 (48:38):
[inaudible 00:48:38]
Jeremy Sneeden (49:48):
Yeah, it is easy to say and very tough to do, because the CISOs not looking to those managers or anyone else. He wants the report from me. And he wants me to be very confident when I give it. And for me to be confident, I need my manager and my team to do a good job communicating to me so that I can be confident when I communicate up.
Jeremy Sneeden (50:14):
All of us have had to learn how to do that, and it’s not something you get trained to do. It’s another one of these manager skills that we just kind of expect people to know without really training people on how to do it. And that is something that we’ve spent some time just sitting down and talking through, “Hey, this is what happened. This is how you communicated it to us. This is how we want to see it in the future.” Or, “There was too much information here. I couldn’t get to what was important. There wasn’t enough information here. I didn’t know what was important.” We’ve spent quite a bit of time on that over the last couple of years with all of my people managers, just so that both of us can be comfortable. And then when I go to my CISO, I’m confident. He’s smart. He knows when I’m not confident. If I say, “Hey, yeah, we might have this issue contained.” That that doesn’t fly.
Speaker 2 (51:39):
[inaudible 00:51:39]
Jeremy Sneeden (51:42):
Well, I know I have a lot to work on, learning more about the business and finance, doing more of the types of things we’re doing today. And then continuing to listen to my mentors, I think is doing me favors right now. And I think the other thing is continuing to take care of my employees has always reaped benefits. And I plan on continuing to do that.
Jeremy Sneeden (52:15):
Yep. Thank you. I really appreciate the opportunity.