.gif)
Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Unspoken Security
How Do I Get into Cybersecurity?
In this episode of Unspoken Security, host AJ Nash engages in an insightful conversation with Karla Reffold, Chief Product Officer at Surefire Cyber. The episode dives into the nuances of cybersecurity careers and leadership. Karla shares her journey from a background in recruiting and corporate governance to her current role in cybersecurity, highlighting her expertise in risk assessment and leadership.
Karla discusses the importance of confidence and humility in career advancement, recounting stories of successful career transitions and emphasizing the need for clear career goals. She also reflects on the evolving nature of cybersecurity and the critical role of continuous learning and networking.
AJ and Karla explore the significance of understanding risk in cybersecurity, with Karla underscoring the value of practical experience and networking over formal certifications. The episode concludes with a discussion on the challenges faced by women in the cybersecurity industry and the importance of resilience and self-belief.
Unspoken Security Ep 19: How Do I Get into Cybersecurity?
Karla Reffold: [00:00:00] When you're too humble, when you're too, when you're saying, I'll take a step back, I'm not there. I need to learn. People do want to hear that. But also you need to give people confidence that you can come in and do the job. so the ones that are going, Hey, I'm going to come in and I want to be a director and I can do that. The right person will buy that and as long as you can back it up and you'll do the work. I'm sure we all know some people who are in jobs they shouldn't be in
because they knew the right person or they did the right thing at the right time and maybe they're not the best person for it. The best person doesn't get the job.
It's not a total meritocracy. Sometimes it's the person that pushed a little harder.
AJ Nash: [00:01:00] Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent about 19 years in the intelligence community, mostly at NSA, but building and maturing intelligence programs in the private sector for about eight years now. I'm passionate about intelligence, security, public speaking, mentoring, and teaching.
I also have a master's degree in organizational leadership from Gonzaga University, Go Zags, and I continue to be deeply committed to servant leadership. Now, this podcast brings all of these elements together with some incredible guests who have authentic unfiltered conversations on a wide variety of challenging topics.
It's not your typical polished podcast. My dog makes occasional appearances. Riley is in the room today, so there's a [00:02:00] good chance he'll show up. People argue and debate. We even swear here. I certainly do. And that's all okay. I want you to think of this podcast as the kind of conversation you'd hear.
We're over here, frankly, at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually have when nobody's listening. So today I'm joined by Karla Reffold. She's Chief Product Officer at Surefire Cyber. It's a company that's redefining the incident response model by delivering a swifter, stronger response to cyber incidents, such as ransomware,
email compromise, malware, data theft, and other threats. Karla is also a friend of mine. And I appreciate her taking time to be here with me today. I have friends that are all way better than I am. So she has a remarkable background in recruiting leadership, personnel and security that I'm really excited to dig into.
Normally I do more in the intro, but this is a big part of today's discussion. So I'm holding back. But she also has a bachelor's degree in ancient history and an MBA. So she knows a lot about a lot, basically. Karla, is there anything I left out that you want to add to that?
Karla Reffold: I don't think [00:03:00] so. A lot about a lot is maybe a little about a lot is more accurate, but yes,
AJ Nash: She's also incredibly humble. You do know a lot about a lot. Listen, I'd love to talk more about ancient history sometime. It won't come up today, but I'd be interested to know more about that. Frankly, I mean, ancient history to an MBA is that's a lot about a lot. That's just how it works.
Karla Reffold: You don't want to talk to me about history. I make, I ruin Rome for people. I ruin ancient Greece. Like I'm very boring.
AJ Nash: Oh, well, I've been to neither, so you know, we'll see if someday maybe I can get to one and you can ruin it for me. But today, so the topic today, I think is really interesting. I think it's fabulous to have you here because of exactly the path we just talked a bit about here today. We're going to talk, you know, the topic is a question I hear a lot.
I know you do too. And the question is, how do I get into cyber security? Like I've been hearing about this as long as I've been out here. Now, you know, how do I get into cybersecurity? How do I get into intelligence? Another one, obviously, is an Intel guy that I run into a lot. And to be honest with you.
It's a tough question to answer for a lot of people, for me specifically, when [00:04:00] people ask, I'm like, well, I'm, I came through the military and I did defense contracting. I'm not necessarily the right person to ask cause I don't really know how most people break into this, but then I got a friend like Karla who does.
So that's what I really want to focus on is let's dig into your background first. Right. So, you know, I mentioned it in the open. You got to back on our recruiting and you've done leadership and you've done security and all these different things, but let's dig into that a little bit. Like, how did you, where'd you start, you know, you didn't show up one day and become Chief Product Officer at Surefire.
So, you know, where'd you start? Like, how, what was your path?
Karla Reffold: I started doing sales-based roles, recruiting real estate, and I was in a recruiting role, recruiting for corporate governance. So my background was. Risk, business continuity, disaster recovery and I have a view on how cyber should really fit under those topics. But I knew I wanted to have my own business and setting up a recruitment [00:05:00] business felt like I was young.
It felt like a very easy thing to do. I say that now, but it just seemed really easy. So, that's what I did. And very early on. This is what you should really look into this cyber thing. I think it's going to be big. And so that's what I did. And it kind of, you know, a little bit of understanding what it was.
I already knew a lot about information security, but cyber was becoming this buzzword. And so then we just doubled down and all we did was cyber. And we kind of dropped the other things and we hit the timing, right? You know, we hit the timing when cyber was the buzzword and teams were growing. And you know, actually I didn't realize it at the time, but we became the biggest cyber specialist recruitment company in the UK and then expanded into the U S so like a very different background from a very different role from where I'm at now.
AJ Nash: Yeah but really interesting, right? So, I mean, first of all, you, I love the youthful, ah, this would be easy. I'll just set something up. That's, I wish I still had that, frankly, [00:06:00] everything seems so much more difficult when you see all the obstacles, when you're young and smart and don't see the obstacles, it probably does seem easy.
Right. But you went in there, right. And so you're gonna do recruitment and. Whoever it was, I don't know if you want to call them out by name, but that steered you to this, to the concept of cyber. Yeah, they were right. It looks like cyber is probably going to stick around. It seems like it's got a, got legs as a, as an industry at this point.
So that was nice. But I think it's interesting that, so you go down that path, you decide to go into recruiting specifically focused on cyber and then you make. Obviously a successful company out of this, as you said, you're the largest, you know, cyber focused recruiting organization in the UK which is really impressive.
And so when you're going through that right in that process and you're recruiting and you're bringing a lot of people and I don't know if you want to talk at what level was that everybody was that somebody with hands on keyboard all the way up to C levels you know, but you had to come across a lot of interesting people.
You know, and I'm going to guess, I don't want to put words in your mouth. I want to ask, but what did you learn, you know, through all of that, you know, did you steal bits and pieces? Did you learn about cyber? Did they give you, you know, [00:07:00] tips and advice on things to study? Did you just have to learn a bunch?
Cause you have to understand the requirements in order to fill them. Were you forced to become smarter in the industry and the security as a whole? Is that how it all came about?
Karla Reffold: Yeah, I think you do. Like you just naturally learn when you're, you know, you're interviewing people to assess. Are you the right fit for this company? I think it's one of the things people misunderstand about recruitment as well as your employer is the company. You're finding the right people for them, not the other way around, not finding jobs for people.
So you naturally learn a lot about what they do, how they fit. It was a time when teams were small and they were growing. So just knowing. Cyber was enough. I think if you do it now, you have to niche down even further. You have to be, I recruit for cyber vendors or I recruit for CSOs or something, you know, we didn't have to have a niche that cyber was the niche.
So yes, you do. You learn a huge amount. You learn about how different businesses think about risk as well. I think that was my big takeaway, and maybe where I [00:08:00] feel quite strong these days is I understand. Risk assessment, maybe even more than I understand technical security requirements, and you get to see all these different organizations and how they approach it and how they have to think about it, you know, what challenge does a drinks manufacturer have over a bank, what different regulations, and so You know, a lot about a whole load of different things.
And it wasn't until I came out of that, I realized how valuable that was and how few people actually get that breadth of understanding. So it's a great place to start and to learn
AJ Nash: Well, I mean, it's a really interesting point, right? Risk, right? So as an intel person, we talk a lot about this too, right? Risk. We talk about, you know, threats and vulnerabilities, right? Opportunities. And that's, you know, sort of your risk model. Sort of, I mean, there's a lot more to it. Sure. You'd go into depth on it, frankly.
But I think it's important, right? You were, that was a big chunk of what you're saying was your role. As you said, you worked for the company, your job was to find people to fill the role. So you had to take the time to learn and understand. So while you, to my knowledge, at least you can correct me [00:09:00] if I'm wrong.
It's not like you ran off and decided I'm gonna go get a CIS SP, or I'm gonna go get a bunch of, you know, risk certifications or all these things. But in order to be successful at your job, you had to understand this because it was the fundamental thing. And I think it still is the fundamental thing companies are trying to solve for, right?
I mean, all of security really comes down to risk assessments. You know, what do we have to do to lower our risk to what we consider to be an acceptable level? And then of course, nobody actually really accepts risk. Everybody thinks it's an acceptable level until something bad happens. And then they're very upset because we didn't want this to happen.
And apparently nothing is truly acceptable. But I think it's really interesting, right? That you, so you were able to glean that because that's what people kept talking about, right? And then you were forced to do it. So I'm going to guess, but still an awful lot of self study, right? I mean, I assume you probably did a lot of reading on the materials that go into certifications and training.
You just didn't need the formal work, but you had to understand risk, right? I mean, somebody had to either teach it here. You had to go learn on yourself. I assume there were a lot of self taught, you know, requirements in order to be able to understand risk. To speak a language and to put people in the right positions [00:10:00] to be successful.
Is that right?
Karla Reffold: To an extent. LikeI do, I read a lot. You know, I probably read a hundred books a year, something like that. So I read a lot. That's the way I like to learn. But like, I've never read a book on how to pass the CISSP or like any of that kind of stuff. But you also go to a lot of conferences, you know, you need to be there to network and meet people and then.
You sit, you want to hear what that person says. You could talk to them about it afterwards. And you suddenly, that's a great way to learn because you're being taught by the best people in the industry. So I think like one of the things, you know, there's maybe a gap between like, how do you do the work and then like knowing the outcome.
But also after a period of time, you've really seen that evolve, like how scenario planning for tabletop exercises went from being about specific scenarios to general. Themes, like what happens my website goes down is a theme rather than what happens if this group takes out my website with a DDoS attack, like, [00:11:00] you know, it's an evolution of the industry that I guess I got a front row seat too, and that's where the learning came from really is the people around me.
Like, and I truly believe, your network is the number one thing you can do for your career.
AJ Nash: Yeah, I mean, I agree. Obviously, I'm accidentally a networker. I didn't realize it. And at one point I woke up and just kind of figured it out. I talked to a lot of people, but I still listened. I don't know if everybody knows that, but I listen to people occasionally. And it's amazing how much that matters, you know, just.
It's a people industry. People think, I think some people think this is a technical industry. It's a machine industry. It's a technology industry. It's still a people's industry. Like ultimately it's somebody someplace has a problem to solve or a fear or a concern or whatever it might be. And machines can't, Make people feel better about those things.
Like they can be part of the solution, but it's people, right? People have to talk to people and people have to help people. And I'll tell you what, if you build a bad reputation, as you know, I mean, I'm sure, especially in recruiting, I can't imagine, I'm sure you've run into people who are just poisonous to either recruit [00:12:00] for, or to try to get placed someplace.
amazing how small the industry becomes. Once you have a bad reputation all of a sudden, nobody likes you.
Karla Reffold: oh yeah there's a couple of people and people talk, particularly women in cyber, there's a network where, you know, we talk to the really bad people, we know.
You reveal yourself anyway, but yeah, we know.
AJ Nash: Well, that's good. I mean, that's how it has to be. Right. So, you know, people take care of people and it's definitely a people industry. So I'm going to ask, it wasn't one of the questions, but you said you read a hundred books a year. So, I'm going to put you on the spot and I'm sure you've got a couple at least, but can you name a couple?
That you think are really important, like fundamental, like, Hey if somebody today said, I don't want to learn about risk, I want to learn about cyber, I want to learn about, you know, pick one of the core areas, right. Do you have a book that immediately comes up and be like, these are the three books I recommend you read right away.
These are found to make foundational fundamental books. Do you have any go-tos that you recommend to folks?
Karla Reffold: I read such a variety of stuff. I would say the one thing that is maybe a competitor in a way, but the Recorded Future [00:13:00] Intelligence handbook, like. That's a really good summary. They did a really good job with that. Like, that unlocked a lot for me. So, that's a really good one.
AJ Nash: Oh, good. Shout out to them. I know the folks who wrote it. And yeah, it is good, listen, it's good it's a good resource. No doubt about it. You know, I often talk to people about, you know, intelligence community directives are also good to ICD 203, 206, 208, which are unclassified and readily available.
That's like 15 pages. You want to learn how. The government does intelligence like, you know, it's amazing how fast you can learn in just like those 15 pages. But the more in depth piece, I think that's a good resource. You know, the recorded future piece is really solid. You know, they put good work in it and they're smart people.
So, and I think that's readily available to folks. I'm sure you can go to their website and download it. You're welcome RF.
Karla Reffold: Yeah, I think it's free. This is how they tell me the world ends. That's another really good one
for like a good background in cyber. Yeah.
AJ Nash: That's yeah. That's a really good book. I read that on a plane a while back. This is how they tell me the world ends. I read it years after it came out. Of course, I'm way behind the
Karla Reffold: same, me too. But it's very well written.
AJ Nash: Yeah, that was a really good one. I [00:14:00] don't, there's a couple others that come to mind.
I'm curious if you know how to measure everything I believe is out there. And then there, there was a fall and it was like how to measure cybersecurity risks specifically, which I'm not going to lie for anybody who's ever read this book. I still haven't finished it. It's, I, it's just hard. I'm not.
Good enough at math apparently. So I read it in chunks. I find it to be good, but too good for me. So I don't know if you've come across those but how to measure everything I thought was pretty easy comparatively. Yeah, so I was curious if you had, I'm sure you have others that will come up and we can, you know, find some others.
If you're reading a hundred books a year, I don't know how you'd remember every one of them, right? That's,
Karla Reffold: Sadder ones stick out. Yeah. But I read a variety of stuff. Like I'm reading a lot on quantum physics right now, which
AJ Nash: quantum
Karla Reffold: maybe cyber.
Quantum light reading, huh?
philosophy is what I'm realizing. So, yeah, that's,
AJ Nash: Phenomenal. It's, it sounds like some light reading. Just, you know, a little quantum physics before dinner. That's
Karla Reffold: Yeah.
AJ Nash: That's not really what I'm up to. Like I said, for anybody who's just joining late I have people, friends are much, much smarter than I am, clearly. I I don't read quantum physics. I have Stephen Hawking's book on a shelf someplace, but it's just [00:15:00] because it makes me look smart.
I've never opened it. Somebody gave it to me as a gift.
That's
Karla Reffold: all you need.
AJ Nash: That's what I gave it to me as a gift. It's not the book I read generally. So, you know, jumping back into the conversation a bit more, and I know you touched on some of this, but I want to dig a little deeper into, you know, the things you learned from all the years working in recruiting.
You know, the specific things you did pick up that might be good things that we could teach folks, if you wanted to pass on to others, you know, trying to get that foothold in cybersecurity all these conversations, you said, you know, you went to the conversations, you listened and you learned from all of these folks.
I think, you know, measuring risk certainly is one that we've talked about, but are there other things that you took away from that and said, this is something, maybe it's a perception of how people see their problems or their solutions, or maybe it's a specific technology or a specific, you know, risk or threat.
Like, what are some of the things you learned in those conversations in placing folks and trying to help fill roles that might be beneficial to somebody saying, I'm trying to break into the industry.
Karla Reffold: So this one is, it's not a cyber specific thing. And I'll tell you, I'll tell you a story of two people. They're both called Mark. The first Mark came to me and he [00:16:00] said I want to go from a manager role to a c-level role. I want to double my salary. I want a bigger organization. And I sat there. This is not going to happen.
That is not the move you make. There's a couple of moves in between there. Like, no. Sure enough, I see him six months later and he's done it. And he continues to do that a couple of times, you know, big moves, doubling salary time.
And he's amazing and incredibly knowledgeable.
And Mark has wanted to move for 10 years and he still hasn't moved. And he doesn't really know what he wants. He knows he wants to move. He knows what he doesn't want, but he doesn't know what he wants. And that is like the difference there is you just, one Mark knows what he wants and he went and got it.
And when I joined Surefire and I was thinking about moving on, I wrote down that I didn't really know what I wanted. So I wrote down half a dozen things that I knew I wanted. I want to be in a company that's growing. I want to be in a company with purpose. I want to be challenged. I want to be learning.
And that wasn't a job title, [00:17:00] but when I kind of joined Surefire and I look back, I was like, I got all those things. Cause those were the things I knew I wanted. I didn't realize, you know, some other talent, like There were days I've regretted wanting a big challenge, but you know, challenge is there.
So I think the big thing I really learned from like, you know, I've placed hundreds of people in different roles is you've got to know what you want.
AJ Nash: I think that's, I mean, it seems simple when you say it, but it isn't simple. Right. As you're saying that I'm thinking to myself, have I done this before? And I've, I think I've been both marks quite frankly. You know, I think it's different in saying, you know, what do you want? Well, I want to be successful.
Well, that doesn't, that's not a plan. That's not defined. You know, I want to be rich. I want to be famous. I want to be powerful. I want to be retired, whatever it is. None of those things are planned, right? They're, they don't. They're not defined whether this is, you know, how do you want to get there?
What do you want? You know, I think you made an excellent point in there about, you know, making it more granular. How do you break it down? What are the things you care about? You know, do I want a big company? Do I want a small company? Do I, you know, want a specific industry? Maybe as opposed to [00:18:00] saying, I want to, you know, I just want a thing, right?
I want a big thing, right? Or I'm just unhappy. I just don't want this anymore, which I hear a lot of people say, you know, it's just, I don't know what I want. I just don't want to do this anymore, which I, Can relate to but I wouldn't recommend picking up and moving on that. And I can't imagine as a recruiter that's a really helpful bit of information to be handed is what do you want?
Well, I don't want to do this. I don't imagine that helps much.
Karla Reffold: no, and you know, I'm gonna blow my own trumpet. I think I've been very good at seeing people's potential and seeing Between the lines where they could fit not many people can do that. People want to know I'm an intelligence director and I want to be an intelligence director in this type of firm. That's super easy.
And if you've done it before and it's a really easy fit even better when you're saying, I want to jump, people get nervous. That's hard. Like you have to, then you've got to go create those jobs for yourself. Those are not coming to you from a job board. They're not, no one's knocking on your door for that.
So, it is hard. It is hard to know what you want. [00:19:00] Sometimes starting with what you don't want, like, I don't want a boss who annoys me great. This type of boss would not annoy me. Like, you know, it gives you somewhere to bounce off from. But I think you do. I think you have to define what I want.
AJ Nash: Okay. And so applying that to the, you know, point of this conversation today, right. About breaking into the industry, right? So somebody is in a different field altogether. They're I got a story, a very small one too years ago now somebody reached out to me through LinkedIn and he was a manager at a restaurant actually and said he wanted to move into, you know, he's moving into cybersecurity and wanted some advice, which I was surprised.
I was the person he reached out to. I was flattered. And so we started having some conversations and he was already He made some commitments. He had some ideas. He was in school. He was, you know, he was finishing a degree but he didn't know what he wanted to do and what the world was going to be.
And so my advice to him at the time was, you know, I said, I think he's got a good chance. There's plenty of work to be done. I said, but you know, you're a manager at a restaurant right now. You won't be a manager in your new job. Like, you know, I, we want to prepare him for that. Like the ability, you know, the [00:20:00] ability to take a step back and say, listen, you're accomplished and experienced in prison and business, but some of that, a lot of it may not apply to what you want to do.
Are you comfortable? Coming in as an entry level SOC analyst, you know, and are you going to be okay with that? And he was, and so we started having that discussion and it did sound a little bit like what you're saying. This was somebody who did know, like, I definitely want to be in security. I definitely want to be in tech.
I want to, I want a place where I can grow. He had some interest in, but then we did have some of those discussions about, well, what do you want to do to start with? You know, he didn't come and say, I want to come in and be a, you know, a manager. I don't want to run a team. Like he knew better. But if he hadn't, I probably would have disabuse him of the idea.
It was going to happen too, because you're just not going to come in that way. Right. And you don't, your experience is valuable. You may escalate and you may grow quicker because you have maturity and experience leading people, but you don't know any of the technologies right now. You're just going to be straight out of school.
Right. And so in his case, I think it was great because he was saying, I know what I want, but I don't know what I want. And I know what I'm willing to give, which I think is another big piece of this, of, you know, what are you willing to give or give up? You know, we're talking about people trying to break into the industry and I worry about that sometimes, you know, when somebody is young and new and they're out of college [00:21:00] and they're just going, that's one thing, but people want to switch careers, you know, people who have established someplace and say, I want to switch careers.
Do you find that they more or less understand? That they're going to have to take a step back or do you find a lot of people coming in saying, well, I, I was a director in some totally other industry and now I want to be a director in cybersecurity, you know, do you find people that come in that are unreasonable about that?
And how do you handle some of those discussions? How do we set people up for success there to say, Hey, if you want to break into the industry, you may be taking a step back and make sure they're comfortable with that.
Karla Reffold: So, you know, I have kind of a different view because I think those unreasonable ones are the ones that make it. The ones that are like, I've been a director here. I want to be a director in cyber, even though I've never done. They've kind of got the naivety and the tenacity, I think, to go make it work.
Because When you're too humble, when you're too, when you're saying, I'll take a step back, I'll, you know, I'm not there. I need to learn. People do want to hear [00:22:00] that. But also you need to give people confidence that you can come in and do the job. so the ones that are going, Hey, I'm going to come in and I want to be a director and I can do that. The right person will buy that and as long as you can back it up and you'll do the work. I think I'm sure we all know some people who are in jobs they shouldn't be in
AJ Nash: Oh
Karla Reffold: because they knew the right person or they did the right thing at the right time and maybe they're not the best person for it. The best person doesn't get the job.
It's not a total meritocracy. Sometimes it's the person that, Pushed a little harder.
AJ Nash: Ooh, well, that's going to be the sound clip. I assume that we're going to be used to promote the show. The best person doesn't necessarily get the job. It's not a meritocracy. Sometimes it's the person who pushed harder, but that being said, I think that's great. I mean, listen, you just totally contradicted me, which is good because that's why I have you here.
Cause you're an expert and I'm not, and my perception clearly isn't universal reality. If not wrong entirely. But I think that's an interesting point then. So one of the things. People need to know getting into this. You know, we talk about breaking in is [00:23:00] what I'm hearing you say. And correct me if I'm mischaracterizing it, but you gotta have some confidence, right, that there's a line I'm going to ask you, like, where's that line between confident and cocky, right?
But it does sound like you have to have some confidence and give some people some reassurances you're capable. And that you're confident you'll be able to do it. How do you do that without crossing that line though? And is it. Subjective. I'm sure I'm asking a question. I probably know the answer to, but depending on who you get, you know, for every person who's good with that confidence, is there somebody who's insulted by it?
Hey, listen, I spent 12 years doing this. You've been doing, you've been selling tires and now you think you're going to run a cybersecurity team, like, how do you gauge that and read your audience and find that level of what's confident versus what's cocky, or is it just, you got to read it and
Karla Reffold: I think you do. You've got to kind of hope for the best. Like you'll find your people, right? Like the right people will find you. You'll find them. You know, you know, I have that in my role now, right? I've never been a Chief Product Officer. I've worked for an intelligence organization for three years before this, but I've never been a threat intelligence analyst.
Like there's a big gap [00:24:00] between what I'm doing and what I'm building. And everyone knows that I've been very upfront about that. I've sat there, you know, like. You only have to look at my resume. It's not not a, not a secret. You know, but it's, well, what can I do? Well, I can build businesses.
I can build relationships. I can learn quickly. I can see solutions. I can bring people together. I can bring a different point of view. So it's, you know, I'm not suddenly saying that I've had the confidence in that all the time. Like it's, There's been days, but you know, so there is a line, but I think more people go the other way.
Like for every confident person, yeah, there's a cocky one, but there's 10 that don't have the confidence that they should really have and what they can do.
AJ Nash: Well, I think that's really interesting. And so you talk about the Intel piece, like anybody who knows me personally or professionally or follows me or anything like that, I'm notorious for smashing people who are in Intel positions who have Intel titles who don't have Intel backgrounds, like I'm. I'm pretty rough on it sometimes.
And it's because I've seen it too many times. There's too many companies. We're gonna start an Intel team and they promote somebody [00:25:00] whose whole career is an incident response or, you know, sock, you know, analyst, network engineering, something like that. All brilliant people doing great, important things, but with no Intel background.
And. Almost universally, they build failing Intel programs because they don't have Intel backgrounds. There's exceptions but not a lot of them, frankly. I'm not saying you have to come out of the intelligence community in the military and be an Intel, you know, a 10, 20 year Intel pro to do it. You can go to school, you can have, you know, SANS courses and, you know, a lot of hands-on work and get there.
But for those who are wondering why I don't smash Karla, it's not because we're friends, although we are Karla has never claimed to be an Intel analyst or an Intel professional, right? Her last job was at an Intel company. We've been friends since even before then. And she gives Intel briefings and they're good ones.
Those are, if you haven't seen her on LinkedIn, I recommend following her. She gives some pretty good presentations and briefings on these things, but she's never claimed to be an Intel professional. And that's, there's a fine line there, right? She's been up front. You've always been up front and said, You know, you're capable of reading, you're capable of understanding.
You've done research and you know, some of these things, but you don't claim to be an Intel professional. And, you know, as a result, I think that, that. [00:26:00] You know, that transparency and that humility comes through because of this is what we understand. This is what we know. A lot of times I know you're working with other Intel people too.
And you're presenting work from people who do have those Intel backgrounds which also is really helpful. But now, as you said, you're Chief Product Officer and for anybody who reads your resume, you're you've never been in product before. So, I mean, here's somebody who's done Intel briefings, who doesn't have Intel background, who's been a Chief Operating Officer.
And that's because, I mean, you've run a company, you've done a bunch of things. The Chief Operating Officer seems to make a lot of sense. And now you're Chief Product Officer having not worked in product organizations before. I don't know how much you want to reveal there about how that's gone, how that, you know, the challenges of that, the excitement of it, you said, you always want these challenges and then sometimes, you know, like many of us, I We regret, why didn't I take the easier job?
But you know, that's an interesting piece that you've been able to make that move. What, and this wasn't one of the questions we prepped, I apologize, but what made you decide to go, you know, I, I want to do product. I want to be a Chief Product Officer. I want to be responsible for developing the next solutions and technologies.[00:27:00]
And maybe more importantly, tied to this conversation, how did you convince somebody else that you should be?
Karla Reffold: Maybe the bigger question, right? I've known the CEO, Billy at Surefire for a long time. So he's very background is and strengths and weaknesses. And we were talking about, you know, what could exist for me at Shorfire, what were their gaps? What are my strengths?
And so this role was kind of created out of, these are the things that I want us to do that I don't have time to do. going, that's really interesting. And actually like, I've got some details to figure out, but I know how. I see this, I see the path. I know what we can do. And a lot of the product role here is we're building new service lines and we're building new things.
I've built businesses. I've sold to like, I can build things and put that together. And I know where my limits are. Maybe not always, but I think I know where my limits are. I know when I need a threaded cell analyst who Can run scripts and scrape stuff and [00:28:00] has a different way of thinking. And I run my stuff past them.
And sometimes, you know, like I said, I've read a lot. I've been around these people for a long time now. You start understanding how you think and actually everything in business, I think comes back to that risk piece. If you can understand how I assess risk, which is what you do as a business owner all the time, then you can start talking the right language and that's What you need to build products.
How do I help someone fix their risk? How does this help somebody else or what do I need to do to build that? So, yeah, you know, I think I've got some of the core components and yeah, there's nothing hidden. There's no pretending and courses and, you know, hiding it or trying. It's just being very authentic and very confident in what I do bring.
AJ Nash: Well, and I think you, you bring, first of all, for anybody wondering, sitting here in my head, running back, I phrased the question, you know, how did you convince somebody? Listen, Karla doesn't convince anybody. If you've met Karla, if you've worked with her at all, if you know [00:29:00] her, yeah, it's pretty easy to say, yeah, she could do anything she wants.
Like, I'm not suggesting it was hard to convince somebody to hire you to be a Chief Product Officer. It was more about why did you want to and what were you going to bring into it? But but I think you, you also made a couple of really interesting points that I really respect you. You know, again, anytime somebody is stretching into a different area, right, that isn't necessarily. They don't have an obvious path there, right?
Is that, as you said, I know my limits and you leverage people with depth, right? And in a C level position, sure. It's great if you're the CPO and you're also capable of coding and you can, you know, you can dig all the way into the, but you're not gonna have time for that anyway, like it's not gonna be your job, right?
So, you know, being able to build a business, as you said, being able to understand strategically what needs to be accomplished being able to You know, reflect what the CEO thinks the company needs to, where they need to go and how to build something and then being able to leverage the people who have that experience, that hands on piece that, and then trust them.
Of course, you get good people and you trust that what they tell you is the truth. I think that's like knowing you. I think that's where you excel. And it sounds like that's a big part of this, right? And having that humility too. [00:30:00] I've worked with a lot of leaders. Not all that humble. If I'm gonna be honest, I work with some that are great, but I find the ones that are certain they know the answers to everything tend to be really frustrating to work with.
But you just said it like, you know, find the people that are depth of knowledge. If it's an Intel question, let me talk to an Intel analyst and bring some things in if it's, I'm sure you do the same thing in product and development and you know, whether it's UI UX, for instance I know brilliant people in that space, I talked to him and I just tell him, Hey, this is what I wanted to look and feel like.
Now you tell me what that is and if it's possible, right? So I think that's a big piece that, you know, to me, it seems like that's probably a big compelling piece to watch. Somebody would say, yeah, Carlos, good for this role. You understand how to fill them. You said risk. And then you leverage people and you do it with humility.
But as you pointed out, also confidence, like that fine line, right? You can't come in and say, well, maybe I can do it. I don't know. We'll see. I don't, you know, nobody's going to hire that person. I would assume. But you never say no, but you don't come across as cocky. I've known you for a long time.
I would say you're remarkably humble. But confident you've seemed to have, you seem to have [00:31:00] solved that riddle. I guess that's the question. It should have been, how do you solve that riddle? How do you find that line between confident, cocky and too humble? You know, not that I want to speak to it, but I will just cause this is how our industry works.
I think it's harder when you're a woman in this industry as well. I think the whole industry makes it much more difficult. The whole world probably does, but I know where industry does confident women get, get labeled differently than confident men, which I think is shitty, by the way, for anybody who's listening just to clarify my position on that one.
So, but you've managed to find that spot, right? Where you're confident and not cocky. You're willing to stretch and go out there and do things beyond what might be traditionally your background but you've leveraged the right people. So, I mean, It's impressive. Obviously things are going really well.
If anybody, like I said, if you don't know Karla, if you haven't looked at her resume on how we recommend it she's just great to work with too. So, so
Karla Reffold: Let's like, I just want to stick on
that second. that that asking the right people and that putting yourself out there. Because in this role, I've had to do that. I've had, I've reached out to other Chief Product Officers and said like, Hey, I'm new to this. Could you know, can we chat?
I want to, you know, [00:32:00] if people say yes, more than you realize. And I think that's a really key thing for how you break into security is to reach out to people because Very few people reach out to me and ask for my time. When they do, I say yes every time.
AJ Nash: You're gonna get a lot of them now.
Karla Reffold: Well, maybe. And it brings me back to like, do you remember how we met?
AJ Nash: I do remember how we met. Absolutely.
Karla Reffold: I love this little story. So like, I was new to the U S and new to the area and I sent a message to, I'm sorry. You weren't the only one to a couple of dozen people saying, Hey, I'm new and I'm lonely. It's. And I want to meet more people. Would you be open to having a call? And a couple of people subsequently have told me that the message was really weird.
Like it was mail order, bride kind of vibes. I, you shouldn't send that to people. And I was like, do you know what? I met three or four people from sending that message that are now really good friends of mine. The right people found me cause I was, [00:33:00] you know, Authentic. So, you've just got to be okay with putting yourself out there and that some people are not going to like it.
AJ Nash: Yeah, I think it's a great story. I'm glad you mentioned it. And I think it's a great point. Right. You know, I have the same experiences, right? You know, people do reach out to me occasionally. I think it's remarkable to me how surprised they are when I respond. Almost always very quickly through there.
I mean, I'm on LinkedIn more than I care to admit. So, very often I'm responding moments later. Sometimes it's not. So if you do ping me and I don't respond for a week, don't take it personally, but usually it's pretty quick. And I'm always surprised at how surprised people are. First of all, I'm not important.
So I'm always surprised by that alone, but I think you're right. People usually say, yes, it seems like more often than not. I think people want to connect. People want to help each other, not everybody, but I think most people really genuinely want to help other people. And it's flattering if somebody says, Hey, you know, I'm trying to do something, you know, do you have time I'm like you, I make the time.
There are very few times when I say I don't have time, at least for a call in your case, when you reached out I wouldn't call it weird. I did take a moment. [00:34:00] But listen, if I'm going to be really honest, I took a moment because of the bias that comes with this. If it were a guy, I probably wouldn't have.
It sounds terrible, but I took a moment because of course, I'm in a relationship at the time as well. I have a woman who I don't know who is saying, Hey, do you have time? And I think we went and got coffee together actually, too. I drove into DC if I remember correctly. So, I mean, there was a moment I paused, but then I was like, well, that's ridiculous.
This is a professional, great resume. This is somebody who wants to get to know somebody. I like meeting new people and you know, gender is not part of the equation. It certainly shouldn't be. But there's a bias there, right? So you give it some thought. You weren't creepy, like nothing you said was creepy.
And I was flattered. I was like, yeah, let's meet, let's talk and let's, you know, let's see what's happening. Right. And I'm thrilled, you know, best cup of coffee I've had probably in a long time. Like it was, it. Spawned a great relationship and a great friendship out of this. And I appreciate it. So I think you're right though.
I think just saying, Hey, don't be afraid. It's okay that I was one of a couple dozen people. It would probably be weird. Or if I was the only person, your
Karla Reffold: That would probably be weirder.
AJ Nash: That would be a bit creepier. Yeah. If it was just me alone, a couple of dozens, a good number, I think. But I think you're right.
I think being able to put yourself out there and say, Hey, listen, I'm [00:35:00] just, you know, I'm just trying to meet new people. I want to learn new things. I think. You know, you're mentioned that, you know, Chief Product Officer. So you're reaching out to other Chief Product Officers. That again, is that humility that you don't often see and courage.
Like I should put these two together. Really? It's not just about being humble. It's courageous to say, Hey, I'm new to this. I'm not sure of everything I'm trying to do or accomplish yet. I want to learn from people who've been here. I think a lot of folks, the fake it till you make it concept, they take it too far.
And then they just refuse to say, Hey, I don't know the answer to this. You know, they're afraid that they'll come across as weak or incapable or something like that, as opposed to just coming across as authentic and saying, Hey, you've been doing this a long time and I admire your work. And I think you're successful at it.
Any tips you want to give? And I think people are surprised at how often. The answer, but yeah, you know, let's make time. Let's get on a call. And so, yeah, I've had a lot of those same experiences. I'm always surprised by it. Like, I'm not gonna lie. Every time somebody rings me up or, you know, sees me at a booth or whatever, I'm always surprised that anybody even knows who I am, let alone cares what I have to say.
So, I will tell anybody out there with imposter [00:36:00] syndrome that lasts forever too, I think, and yeah, get used to it. None of us knows anything or thinks we do, so, you're either an imposter syndrome or you're a narcissist, I think. I'm sure you've a bit of both in the
Karla Reffold: Maybe a bit of both. Yeah,
AJ Nash: Yeah, they happen occasionally, I'm sure you've met some.
It sounds like, from what you're saying, the narcissists probably do alright finding jobs, though. They don't problem confidence. Yeah, but true. All right, cool. So we cannibalized some of Fairmont, actually the third question through the rest of this. So we'll figure out what else we're going to chat about here.
Cause the third question officially, and I guess we can get into some specifics, but we cannibalize some of it. You know, what tips or advice do you have for people looking to make The move into cybersecurity from what we would call non-traditional backgrounds? So I know we talked about a bunch of things, but the non-traditional background piece specifically, I think we can dig into it.
Let, so again, you started in recruitment. You ended up funding, you know, founding your own company because you didn't, you were too young to realize how hard that should be for most people, or you're too good to not be good at it, I guess. And then for you, it seemed like, sorry about that. No, you're good.
I forced [00:37:00] Karla to come on sick because I really wanted her on. And I, and she's filling my time slot. So we'll probably cut it out or we won't, it doesn't matter. But I, in doing that from the recruitment side, like, obviously there were some advantages we talked about, right? You met a lot of people, you got to know a lot of people and you learned an industry as a result, but let's assume somebody doesn't have that advantage, right?
And they just want to break in from nowhere. So, you know, tips or advice. I think we talked a little bit about being bold, you know, being able to reach out to people and ask them and don't be shy and don't assume people will say no you know, what about things like on the education side, on the training side, on the, you know, what do you, how do you feel about internships, for instance, how do you feel about, like, what other tips do you have or advice you have for somebody who wants to make a career switch?
A dramatic one to cybersecurity. I would've said be willing to take a step back. Maybe that's a bad answer. Now talking to an expert. So what other tips or advice come to mind for you on somebody who wants to make that move?
Karla Reffold: I mean you might have to take a step back. I'm not saying you never should. I'm just saying like the ones that you know the ones that refuse probably You know, [00:38:00] get at it a little quicker. But yeah you do, you need to demonstrate your interest. So whether that is saying, Hey, I listen to all these podcasts, I have read these books, I go to these events, like what doesn't even have to be courses or like expensive courses where.
Everyone has an opinion on what courses you should take, and what are good and what isn't, and what qualifications are good and what isn't. So,
Karla Reffold: There's no good answer to that question, apart from show your interest, show you've put some work in, show what you're doing. And, You teach people how to see you.
Like, I do my threat videos twice a week. That means most people see me as a threat. Like, that's, I'm teaching people what I'm doing and what I want to be known for. Anyone can do that. Start blogging, start writing, and teach people what you want to be, no one's going to come and get you.
Give it to you, like, particularly if you don't know what it is, [00:39:00] just cyber and everyone's going to come and knock on your door and give you that opportunity. You have to teach people this is who I am. So you have to put some of that in. And like, for me, it always goes back to the network. That is the number one thing.
AJ Nash: Yeah. Oh, I think, I mean, so teaching people how to see you. I think that's a really interesting point, right? That I think a lot of people talk about it as like personal branding Now, you know, I hear a lot of that. And surprisingly, I've hate people ping me on that too and say, how did you build a brand?
And I didn't realize I had, but . So, but I think. It's a really powerful point. Teach people how to see you, right? Like, so I, I watch your videos, right? And again, you know, we know each other. I know your background and I remember watching them thinking, yeah, these are pretty good. These are good.
You know, this is good content. Like it's consumable. It makes sense. It's valid, you know, it's based on good materials, but yeah, for somebody who doesn't know, you don't know your background or anything. Absolutely. I'm sure that's what they see you as this is somebody who gives threat briefings a couple of times a week.
This is who this person is. They're a threat. And it's earned, I mean, you're, again, the content's really good. But I think it's a really interesting point to make. Tell people, [00:40:00] teach people how to see you, right? You get a chance to frame yourself in people's eyes. However you want to, you know, I've got a friend who's blogging.
It's a good example. You mentioned blogging, you know, and he and I talked, he's, you know, having some challenges right now. It's a tough industry. And for whatever reason, he's not finding the role, which I don't know why at this point. But you know, he's been doing some work on the side. And I said, just keep doing that, man, keep blogging, keep writing, keep doing the analysis you're doing and putting it out there.
It's a, it's a. It's a place, right? And it says, this is what I do. And this is who I am and what I'm good at. It'd be better if somebody would pay him to do that. But I think it's an interesting point, you know, teach people how to do it. So if you're changing career fields, you know, I've talked to people who didn't look on paper, like they were going to be a fit, but I was like, all right, let's have this interview.
Let's see. And you find out they've built a home lab. And you start having this discussion, you realize, well, this person's a little crazy, frankly. I mean, they spend 20 hours a day working on that. They are crazy. Maybe the wrong term. I apologize for anybody who was offended, but this person's very passionate about this.
It didn't show up on their resume. The resume says they've been doing retail work and they're in community college, but you find out at home, this is what they do. This [00:41:00] is their passion. They live this and you unlock that. And you see all these things. That you didn't see in that person, which, by the way, for anybody wondering, if you're that person, get a resume writer to help you capture that because you may not get the interview.
If all it says is you work at Footlocker and you're in community college, they may not know this. So if your passions aren't showing up in your resume, I strongly encourage you to get somebody to help you write a better resume. It doesn't have to be certifications and college and experience necessarily.
Those are great. But if this is what you do in your time, as you mentioned, Karla, you know, if you go to conferences, if you go, if you're reading books, if you're taking online courses, it doesn't have to be the CISSP, it could be LinkedIn courses. It could be Udemy. It could be Google has free stuff, you know, there's a lot out there.
Right. So, but I think it's interesting to get all those things captured. And that passion is a really big thing, right? Because. If you're going to make that transition, the person who's going to interview you in my opinion, at least they need to know why are you just doing it? Cause you don't like your job is doing it.
Cause there's more money in cyber you heard about, you know, or is it something you're really passionate about? And you're, you know, whatever you do here, free time tells me a bit about [00:42:00] what your priorities are. If you're building a lab at home, that's you're more interested in this than I am, frankly.
So, but you're certainly passionate about it. You're probably somebody who do all right in the sock. And you can probably talk in detail. Like, were there other things like that you. you know, experience when you were working with folks who were making some of these moves, Karla.
Karla Reffold: Yeah, definitely. Just those things. I think a lot of people go, what course can I take? What's the course that unlocks the door? There is no course that unlocks the door. The thing is doing the work. And, you know, when I say, teach people how to see you, like, there are some people out there that have built careers and brands.
not very much substance because they've built a brand, not a set like I'm not advocating that
AJ Nash: I feel attacked now. I feel attacked now, Karla.
Karla Reffold: Well, you're the opposite of that. You know, your brand does not show the substance away. So like,
AJ Nash: I appreciate that. I was really going for that compliment. I appreciate it. Go ahead, go on.
Karla Reffold: It's not faking it. It's not, you know, you know, there are some people out there doing that. This is, [00:43:00] Show people what your substance is because there are far more people out there who are doing all this stuff who really are interested and passionate and they're not showcasing the substance or they don't think it's enough. I haven't done a job.
I haven't got the course. I haven't got the CIS doesn't matter. You've, you know, you're in it, you're doing it. Like I'm talking to someone right now who wants to get into Intel. Tons of courses, but it's a lot of content for other people's websites. That's doing it, you're writing threat briefings, that's part of the job.
You know, like, show that, you know, this isn't, there's not some secret, you're doing it already.
AJ Nash: Well, I think that's a good point. Maybe that goes back to the discussion earlier about some people are too humble, right? And they don't think they've got what it takes, right? They look at their resume and they look at other people's and they say, well, I don't match up, you know, people, a lot of times grade themselves really harshly.
You know, I know a lot of people who are. Brilliant. And you wouldn't know it if you talk to them, cause they certainly won't tell you. So, people tend to really make it hard on themselves. I think a lot of times, or they [00:44:00] think this is a bigger obstacle maybe than it is. You know, this isn't the world's best time to have this discussion.
I mean, the industry is contracted a bit right now. So, I mean, there are people with great experience who are looking for new opportunities right now because of all the layoffs and changes in the industry. So it's not the world's best time, but in general, still, it's not some insurmountable obstacle.
There are still a lot of vacancies in this industry that need to be filled. And most people I talk to. They're looking for people that are passionate and want to do it. You know, and I know some organizations, we only want players. And I'll tell you, by the way, I'd love your opinion on this. I shouldn't say mine first, but I'm gonna cause I'm stupid.
But I think that's the dumbest thing ever. When somebody says all we want is a players, I actually think it's one of the dumbest things I've ever heard. It's like saying you're going to build a basketball team and all we want are five superstars. Somebody's got to pass the ball. Like you can't build a sports team at basketball's probably listen, Karla, as many probably heard is British.
So I'll speak in soccer terms you know, or footy you can't have everybody try to be the striker, right? Somebody's got to [00:45:00] be a halfback. Somebody's got to be midfield. So if you try to build a team out of all superstars, I think you're ridiculous. But I think that means people have to understand you don't have to be a superstar necessarily either.
You have to be passionate and care and want to do it and prove you're going to, you know, you're going to grow and care. But I'm curious. I'm going to ask you, like, how do you feel about the, and I'm sure you've run into them being in recruiting so long. The person was like, I only want players. I only want superstars.
Like how toxic of an environment does that create? It was just my thinking. Am I wrong?
Karla Reffold: No, I think there's a story, and I think it's, I might get the company wrong, I think it's about Enron, how it was all about, we only want A players, we get rid of our bottom performers. You know, you have, and it built this culture where people had to be Amazing and do amazing things, which meant they went further and further away from ethics and integrity.
So, there's a chance that leads to a really toxic scenario, but yeah, like, you know, soccer terms, you have a star that you play around. You have into Miami has messy that they play around
Who you pass the [00:46:00] ball to. So, I think where you need a players is in your behavior.
AJ Nash: Yeah.
Karla Reffold: In the values alignment, people who have the work ethic, you know, they want to be A players, whether, I mean, what does an A player even really mean?
AJ Nash: Nothing. It's subjective. Certainly. I don't know the Enron story. I will say, I do know that was a big challenge at Google. I know Google's process used to be that they automatically wiped out like the top, the bottom, I don't know, 15 percent or whatever. It was just a known thing every year in annual reviews.
If you were in the bottom 15, you were gone and they brought in new people and it created this. Yeah, toxic environment. I think they've changed their HR processes. I don't work at Google. I just know what I've read, but I guess they changed and they kept most of the rest of the processes, but they dumped that piece.
Like they wasn't the automatic you're out the door. I mean, everybody's got organizations where people need to work and improve. That's the norm. Right. But if it's, you know, If it's such a high standard and it's all or nothing, you're in or out. Yeah. You create this cutthroat environment. And like you said, what's a player, you know, it's [00:47:00] subjective to begin with.
So it just becomes whatever you think it is. I've seen organizations that go that route and people will do some very unethical things. If they can't make themselves better than somebody next time they'll make that person worse you know, instead, and it's really ugly. So I think, you know, having team players matters.
And that's one of the things I have told people trying to break in as well as, you know, it's not just about how good you are, it's about how good you are to work with. You know, we're gonna spend a lot of time with each other. I'll take B talent, A people over A talent, B people any day or C people or D people, which we get a lot of.
I just want to work with somebody who I think cares and will try and will be responsible and will be ethical and will be authentic and will be, I can trust if they made a mistake, they'll own it right. You know? And I think that's, I don't know how you get that in an interview. I'd be curious if you have any thoughts on how to present that well in interviewing, because I think that can make a difference too, especially for somebody transitioning industries. I've got to have other reasons to want you.
I got to know, or have some confidence you're going to be a good teammate. You know, is that something that also comes up when you have these discussions or not so much?
Karla Reffold: I think [00:48:00] that's the values alignment. And there are behavioral based questions that you can ask around that, you know, like, When were you working on a team? And when were you working on an underperforming team? And what did you do? Like, there are questions you can ask, but yeah that's the values alignment.
That's where you need your A players. You need people who are truly aligned to your values. And then the hard skills around that, as long as they've got that humility to go ask, you can, and you've got. The right skills at the right level, then you can work with that, but you've got to have, when it comes to a player and the best people, it's got to be the people that match your values and your work ethic.
And that goes back to that network piece. You know, how do you, if you know somebody cause you've met them at events and you've known them for a little while, You know, you can work with them. That's a really easy person to bring onto your team when the opportunity arises. And that's why so many roles go through to people's networks because you take away that risk factor of hiring someone that doesn't match your values and your behaviors.
AJ Nash: Yeah, I mean, that's a great point. [00:49:00] Like a great resume is just a resume, right? It's flat and you know, most people I know don't end up getting positions at corporations because they submitted to an open rec. I mean, to be honest with you. And you know, if they did, it's because they also still have a contact who knows somebody who's going to have a discussion. It's people worry.
I think a lot. You talk about risk, right? All three of us, we talk about risk, there's risk in a bad hire. And I don't think the risk in the bad hire is that they're not talented enough. I mean, for the most part, that stuff can be learned, right? The risk is, are they going to be a terrible person to work with?
You know, they're going to a brilliant jerk. And those things are harder to deal with. It's hard to get rid of those people. And they're toxic and they ruin environments. And it's hard to know from a resume. You know, who's that, right? Nobody puts on their resume. I'm really good at this and I can code that.
And I'm an asshole to work with. You know, I think I know one person who actually put something like that on their resume, but they were so brilliant. People took them up on it anyway, and they weren't lying. They really were an asshole, but most people won't do that. Right. So I think you're right.
That, you know, that networking piece, getting to know people, it's [00:50:00] amazing how much somebody changes their opinion of you, if you've shared a coffee with them or a drink with them or a meal with them. And suddenly your B talent becomes a talent because, you know, They want to work with you. So getting out and networking is another one of those things that, you know, I know you've mentioned a couple of times and yeah I think it's invaluable right up to, and including just sending out messages to people you'd never met before to see if they want to get coffee and talk to the new Brit who's joined you in DC.
It worked out pretty well,
Karla Reffold: And it's keeping it going, like when you say networking, you know, it's not just connecting on LinkedIn and like, you know, actually it's building a relationship. It's talking to that person a second, third, fourth, fifth time. No one's giving you a job because you talked to them for 15 minutes Like, and what always amazes me is, the people that do reach out and maybe I'm just terrible to talk to, but very few of them come back to me a second time.
So like that might say more about me, but I think it says more about actually how people view building relationships. And it can be hard. Like I want to [00:51:00] offer something. I want to add value. I don't just want to be noisy. Like it can be hard to have something to say, but that's the skill. And that's what, Cyber is hard to break into these days.
It's much more competitive than certainly when I started. So the skill does come in. Actually, how do you keep that going?
AJ Nash: I can tell you knowing you, like those people are, it's them, not you. You're actually really easy to talk to and a joy
Karla Reffold: I think so.
AJ Nash: You're a joy. I think there are people who I think, and maybe that's the reflection of it. People who've heard networking and how important networking is.
And so they try to do it in volume, right? It becomes net fishing for them and they get out there and they meet a bunch of people, meet, you know, they message them once or twice. And then that's it, you know, okay, now they're in my network. I'm onto the next and now they're building this network.
And six, eight, 12, 14 months later, they ping and say, Hey, you remember this time we talked? No, I need help getting a job. And you're like, well, all right. We didn't really talk much. You just, you kind of wanted to add me to your network or you wanted to use me so you could get to other people.
And, you know, I'm a sucker. I still probably help people anyway, but there's a difference [00:52:00] between networking. Just trying to collect, right? We're not Pokemon cards. I'm just trying to collect as many people and build up your numbers. I don't have 10, 000 followers. I probably could. There's people I reject because I don't know them.
And they don't really reach out with a reason. They just want to connect. Right. And. It's not that, you know, it's not a statistics game. Having authentic connections. When I say networking, it's authentic. I have thousands of connections. I won't say I'm as close to everybody as I am to you, Karla, or, you know, they're not all that close, but I don't think there's anybody in my network.
I haven't had a conversation with at least several. And that's different, right? The people who are just net fishing, they're not really networking. They're just collecting. Right. And they're hopeful that'll be enough out there. And it's not the same, right? So I think that's important. Like you said, to build relationships, not just to make a connection, you gotta be able to do a bit more than that.
And maybe you can't do it. Everybody, like I said, I have thousands. They're not all equal, but I certainly have hundreds that I would consider to be friends that I've actually spent real time with. That's a true network. Those are people that we can count on each other and I've helped people out and they've helped me out.
You know, the other thousands that are [00:53:00] in there, you know, it's, I probably still would, cause I'm a sucker, but most people probably wouldn't run to help them and they won't be at the top of my list necessarily. All right. Cool. So listen, we're coming up on time. This has been fantastic. I hope everybody listening thinks so as well.
You know, the question comes up all the time. How do I break into cybersecurity? And I think your story is a really good one, right? From a totally different industry and a totally different, you know, coming forward business wise and that ancient history background, we didn't even talk about that, but you know, from recruiting to getting into, you know, the cyber side of things and then the operations and now being a Chief Product Officer.
I think it's a good story. I think you've Hopefully I've learned a few things, so I hope others have as well. And I really appreciate you coming on and sharing. You'll probably get a lot more messages now that you've welcomed them. Karla is very easy to find on LinkedIn and definitely worth chatting up.
I highly recommend it. As she's also, you know, Surefire cyber certainly a good company to take a peek at as well, cause she's gonna be a big part of building some very cool things that they're working on there. But as we close out the show. We always end the question, the show with the same question, you know, get a free pass just because you're a friend.
The name of the show is Unspoken Security. And [00:54:00] with that in mind I'd like to know if you can share something that from your life that you've never told anybody something so far that's gone unspoken.
Karla Reffold: I struggle with this cause I tell everyone everything. So there were, I couldn't really think of anything, but I, you know, going back to the humble, confident, cocky, I rarely tell people this is I have a really high IQ. I consistently score in the 95, 97th percentile on IQ scores. So yeah,
AJ Nash: not a surprise. It's a good, I mean, listen, it's a good thing. I get the point about it being unspoken. Like, it's very hard to, it's hard to tell people you're intelligent, right? People, it's hard to seem humble while saying it. I've known you long enough to know I'm not shocked at all. Like, I would
Karla Reffold: Oh, there's people that will be shocked. I promise you.
AJ Nash: Well, that's insulting. I don't know who the hell they are. They don't pay attention. That's incredibly insulting. I find you to be remarkably intelligent. But I understand it's not something that's said much, right? So, [00:55:00] this isn't supposed to be a question about me, but oftentimes I end up responding with my own.
And I've had this discussion before. I also have to be somebody who scores well, right? That's just how it works. I haven't since I was a kid. And I've learned how difficult it is to have that conversation. So I rarely do, because, you know, from my standpoint, I'm curious if you think the same way I've always told people, listen, it's not a brag point.
It's nature. It's like being proud of having blue eyes or being six foot four. You didn't do anything to earn it. I didn't do anything to earn whatever the IQ source say, like, thank my parents. Thanks. You know, thanks science. Thank a little bit of luck. It's what you do with what you're given. Right.
You know, it's, I'm more proud of the fact that I'm not homeless or in prison, or both could have been options, I suppose. You know, and that also includes a lot of luck by the way. I'm not proud of the fact that I'm intelligent, but when you tell somebody that. It just comes across as bragging and arrogant and you know, people have a visceral reaction sometimes, which is probably why it goes unspoken mostly because the thinking is just be who you are.
And people will know. I mean, I'm not shocked. You're very intelligent. I would have assumed as much as I asked me to guess your IQ. I would have picked a pretty high number. But it makes [00:56:00] sense. It doesn't get talked about because people can brag about a lot of things. But even if you're not even bragging, you just mentioned it.
It's just a statistic, right? It's just a thing. You know, you're where you are because you're really good. You know, you're good at what you do. You're good with people. You're you're you. You're always learning and adjusting and adapting. I'm sure some of it does tie to just being naturally intelligent, like, you know, adapting to things quickly and being able to assess things it's ingrained into that.
But yeah, it doesn't get talked about much because people just. Do you have the same feeling, by the way, do people react? I mean, I don't know if you say it much if at all, do people react poorly if you tell them like Yeah, i'm kind of bright like I mean, there's I don't even there's no nice way to say it basically like How do people react?
Does it come up much?
Karla Reffold: I think there are two people that know that
AJ Nash: at least four now that's on show. I got
Karla Reffold: there
AJ Nash: So
Karla Reffold: So I don't really have an answer to how people react, but generally people, I think, underestimate me. You know, I am, maybe it's that women in security. Certainly, you know, I started a business when I was very young.
People literally said, you're very young. [00:57:00] So, you know, like, yeah, I guess I've been underestimated a lot. So it's kind of nice to be able to know. Do you know what, like, I know what I'm working with? I know. Yeah, we can back this
AJ Nash: yeah provides a foundation of confidence. I'm sure. And I don't doubt, I don't doubt some of it is cause you're a woman, unfortunately, like this industry is full of it. I have several brilliant friends who happen to be women. And to a woman, I've never had one tell me otherwise yet. They all have said people underestimate consistently.
I so rarely hear that with guys, frankly, like people overestimate us. If I'm gonna be honest, I spent a lot of time saying, I don't know why these people think I can do this. I've never done it before. I'll figure it out. I think they're overestimating my skill set. So I, yeah I'm certain some of it unfortunately is tied to that.
I think people still underestimate women in our industry as a whole, but yeah you're pretty goddamn smart, frankly, and and very good. Like it's not just that you're smart, you're hardworking, you're good with people, like you're where you are because you, you earned it for no, you know, no doubt about it.
So, it's unfortunate that it still comes up, but we're getting better at it. I think, you know, [00:58:00] slowly, but surely I know some brilliant women who've done really well, but people need to stop underestimating anybody who's based on anything. Also, if they're just mild mannered, if they're just humble, you know, there's an assumption there, the blustery, which tends to be dudes.
A lot of times the blustery person who comes in and tells you all these things with great confidence seems to draw a lot of attention in a positive way. And a lot of times they're just full of it. I know. Cause I've been that person. So, hopefully I'm not anymore. So anyway,
Karla Reffold: Well, this has been a great Karla appreciation hour. Can we do this again next week?
AJ Nash: Yes, I think we should do this. Probably not on camera. I think I will have you back on the show. I don't know if people want this to turn into just the Carlin AJ show. But I mean, we certainly can have a call next week. We talk somewhat regularly and we can just keep. You know, pumping each other up and making each other feel great.
No, I appreciate this. I appreciate you coming on. I really do. I know you're a little under the weather. So all the more that you were able to make time to handle this topic, which I couldn't have thought of a better person for it, frankly. So I appreciate that you were able to make time to do this.
Is there anything before we wrap up, are there any last [00:59:00] thoughts, anything you want to, do you want to plug the company? Do you want to talk about any last tips for people, whatever you want, you know, you got a few seconds here, if you want to throw something else in on the end, before we close her out.
Karla Reffold: Well, I probably should plug Surefire like instant response. So, we're doing really great things and I'm always open to connecting on LinkedIn and I'm really excited to have come on. I've wanted to be on this show for a little while. So thank you for having me.
AJ Nash: Absolutely. And we'll definitely have you back on. Yeah. And everybody who's listening definitely check out Surefire. You know, Karla's fantastic to work with she's easy to talk to and she's really bright, obviously, and she does good things. So, you know, she's there, I'm sure what they're doing is going to be very interesting stuff.
So, definitely check them out. And with that, I'm going to close it up today again. Thanks. Thank you for being here today, Karla. Thank you everybody for listening or watching, please like, subscribe, whatever you're supposed to do. I don't know, give reviews, hopefully positive. If you have complaints, keep them to yourself or you can, it's okay.
I'm AJ at unspoken security. com. You can scream all you want if you'd like to. But until the next time, thanks again, everybody. This is another episode of [01:00:00] Unspoken Security.