Jim Newman, CISO at Capco. Jim joins us for the leader series to discuss developing cyber platforms in a start up environment, building a culture of security, and looking outside the box when it comes to building a cyber team. He also mentions the essential things that you should be doing when focusing on cyber and security and the ongoing battle of automation in cyber. It's important to think about cyber within a supply chain and the risk of third parties. Stepping into the CISO role at Capco in early 2023, Jim leads the internal Information Security Team, focused primarily on supporting business needs. With an eclectic background and diverse skills, Jim brings a distinctive perspective to cybersecurity, solidifying his image as a versatile, dynamic leader. An innovative problem solver, he has built high-performing teams, implemented cost-effective solutions and delivered impactful security programs for startups and scale-ups during periods of hypergrowth. Jim has spoken at a number of conferences, tackling a range of issues including insider threat, incident response, the challenges of hiring cyber professionals in a demanding market and he speaks with passion about his advocacy for diversity and neurodiversity in the industry. Noted for his ability to distil complex technical risk scenarios into comprehensible terms, often employing unconventional metaphors, Jim has built trust and understanding with a broad spectrum of stakeholders. His capability to execute ambitious programs within tight timeframes and restricted resources has cemented his reputation as a progressive, dependable, and grounded leader.
Transcript:
David (00:02.253)
So when you come into these new organizations, have you got a particular methodology for how you kind of overcome the challenges? Because I noticed that in the last couple of organizations, you've obviously kind of come in to protect and put together these security platforms.
Jim (00:18.614)
Yeah, so as you rightly alluded there, I've been to a couple of companies that were in that startup scale up space that don't always work. And so sometimes, you know, in an economic climate like this, they struggle. And going into those companies, they definitely have a very, it's not just a little bit chaotic and lack of process and maturity. There's a real appetite for risk.
because that's how they're kind of starting up and innovating. So going into those companies, the first thing that I've always done is, okay, what's the current state of affairs? What does our security look like? So it'll be an assessment. So it's a broad and very wide risk assessment using things like, for example, the critical security controls or the NIST cybersecurity framework as a basis, but not using it as a slavish, here's the tool, here's everything that we need to do. But actually they've got a really good
basis for what should good look like. So the first thing is assess the company and a bit of a gap analysis against those controls. And with that gap analysis, you're then able to talk about what are the ways in which security needs to grow in line with the business growth and how do we make sure it's aligned with the business's risk appetite. Because everywhere has an appetite for risk. It's just where's the comfort zone and trying to get to that point with the business.
And obviously at that point, you're also having the discussion around budget. And when you're the first security hiring, um, in startup companies, that bit about budget is, is always the difficult one because they have no idea what it's going to cost, but it's definitely costing a lot more than they had envisaged they thought they could bring in one person, they would turn on a lot of controls and that would be it. Uh, I'm coming to Capco where we had already a maturity of process. I've still followed a kind of similar methodology, which is I need to know.
what the business is doing, what it's protecting, what are the crown jewels, what controls do we already have in place, where are the weaknesses, and then a path to kind of constantly and iteratively improve on where we are.
David (02:28.949)
Yeah, it must be good that there's certain rules that you've got that you can check through. I noticed it was interesting what you said there about budget. You know, obviously, when people think about startups, thinking about how they move forward with a business, and obviously the importance of cybersecurity. And you said there it's more expensive than people assume.
I guess it would be important now to kind of, if you were about to go and set up a start-up, you need to factor this cost in, because obviously everyone's going to ask for it. Is there like the cost of, you know, having an invoice factoring or, you know, I don't know, like you're having, hiring a certain amount of programmers or an HR manager or something. You know, I guess this is, this is a cost you are definitely, definitely going to have to have.
Jim (03:22.178)
So you're going to need to bear it at some point. And you can, it depends on how technical your founders are. Security is not just a technical discipline, but it depends on what your startup is, what are the things you're protecting? And that'll give you a what is the expectation that your customers or your investors, what's the expectation they'll have in terms of security and being able to meet those expectations. You can achieve.
David (03:28.792)
Yeah.
Jim (03:49.522)
You don't have to throw all your money at security tooling. Uh, vendors will promise you the earth and, and it's really easy to spend money in security. Uh, but when the budgets are tight, when companies are small and they've only got a certain amount of limited funding, you've got to stretch it and make it go as far as you can, you know, it's I've, I've run small businesses myself. I know that, you know, your iron, your cashflow is, is critical. So if you're starting out, it's getting the advice of somebody.
David (04:05.334)
Yeah.
Jim (04:16.218)
Even you don't need a CISO when you're starting your company, but you do need somebody who's got, uh, got the right mindset is able to identify these are some simple things that we need to make sure we're doing to protect the data as we're growing, you know, those real early startups stages, the people in your company are heavily invested in making sure that everything's a success. But as you grow, the people that you hire are less invested in your company. It's less tight. And so.
David (04:19.999)
No.
David (04:32.483)
Yeah.
Jim (04:44.382)
things get looser as you grow and you just want to make sure you get the basics in early rather than needing to change a lot of, a lot of things afterwards. It's that rework. And if you're an IT company that's, that's building product, you've got to get it right early on because the last thing you want is to launch the product and find that, um, find that it gets breached later.
David (04:58.966)
Yeah.
David (05:04.993)
And that's where things like DevSecOps come in. So you're kind of constantly developing in a kind of secure fashion, aren't you? Kind of with the eye on that all the time.
Jim (05:11.254)
Well, and for years we talked about shift left, get security in as early as possible. Yeah, absolutely right. Get engaged with security threat model before you start designing something so that you can say what might go wrong and what are the security requirements we bake into it. But it's not just shift left, it's shift everywhere. We need to get that in at the start, but you then need the whole process and pipeline to have security throughout. And you do want to run penetration tests. They might just be.
Jim (05:39.69)
viewed as well. It's a line in the sand stage gate, but it's the opportunity to really hammer the product and make sure that what you've got is as robust as it can be.
David (05:52.057)
So I guess there's two points there. So I guess nowadays having a CISO is a bit like, you know, it's like a badge of honor. If you got to the size of having a CISO, then you're one stage closer to being a global giant. But going back to what you kind of said there with regards to making sure you do the simple things and there's certain things you should do. Again, what would you advise for startups? Like you need to make sure you've got these things sorted. This is the best way to start.
Jim (06:19.93)
So the first thing is know what you've got, know what you're protecting. So, you know, it's not very glamorous. People often talk about, oh yeah, people need to get the basics right. And we say it with such confidence that it makes it sound like the basics are easy. The basics aren't actually as easy as they might seem, but know what you're protecting. So, you know, asset registers, what are the devices? What data have we got? Where is it?
David (06:39.801)
No.
Jim (06:48.67)
And then once you know what those things are, what are the controls we've got around it right now? What are the regulations that we're facing? And the questions that always we come up against are identity and access. It's not just what is the data and what are the systems? Who's got access to it? What users have got access to be able to change it or to be able to introduce other things that shouldn't be there? And the same thing applies with
David (07:06.583)
Yeah, yeah.
Jim (07:18.494)
all of your systems, why do you need, why does everybody need to be a local administrator on their laptop? How often are they actually needing that kind of control and why do you need 20 people having admin access to your office 365 and in small and growing companies. One of the things that I see every single time is people who are admin on particular SaaS platforms, for example. So they're configuring things, they're logging in, they're making changes.
David (07:23.906)
Yeah.
Jim (07:48.646)
a lot of the time they're not necessarily technical. They don't have a technical background. They've never been a sysadmin before, but suddenly you've got the founder or the financial director is running a platform and has configured it in a way, or they've got a customer who said, oh, we'd like you to federate your tenant with us and give us this access. And suddenly they're kind of creating these gaping holes in their network and letting somebody in. You know, it's akin to having a fortress, but it's not.
David (07:56.441)
You've got kings of the kingdom.
David (08:15.201)
Yeah, yeah.
Jim (08:16.79)
but you've just dug a tunnel to the robbers' lair next door because one of them was wearing a suit.
David (08:19.594)
Yeah, that's right.
Yeah, and you talk about, I guess, like one of the things we talk about on the security side is getting kind of buy in, you know, it's obviously, like you said, it's not the most exciting thing, but it's one of the most important things. So, so again, when you when you come in, and maybe it's a new thing, and maybe they've been told by the investors that need to do it, how do you, how do you get that kind of buy in? How do you make sure that people kind of understand the importance of it?
Jim (08:48.243)
I haven't cracked it yet. So I'll tell you when I find out. Genuinely, having taken roles in really small companies where I was the only security hire or where it was me growing a team of two or three, where you really need to impress upon people the importance of security, you cannot do it with fear, uncertainty and doubt because you're just screaming into the void.
David (08:49.906)
Yeah, yeah, sure.
David (09:01.134)
Mm.
Jim (09:12.438)
You have to be realistic and pragmatic. You have to choose the hill you're willing to die on and you have to be able to demonstrate like, you know, beyond.
David (09:19.989)
So sorry, so Jim, when you say that fear, because I would always be like, if we do this, then the hackers will get in and steal our data and we're going to lose millions. Are you saying that's probably not the, because although it's likely, it's unlikely, it's not helpful, it's, you know, it's, you know.
Jim (09:32.718)
It's not helpful.
Jim (09:36.778)
It's not a helpful way of addressing it because let's say you are a savvy business professional and somebody comes along and says to you, we could get hacked. Look, here's a story of somebody getting hacked. The response is, we haven't been hacked yet. Show me where your last incident was that was related to this because the whole fear, uncertainty and doubt thing, like there are.
David (09:43.895)
Yeah.
David (09:51.741)
Yeah, yeah, I've never been hacked.
Jim (10:02.15)
loads of breaches. There's attacks all the time. Our systems are constantly being probed and under attack. I spent five years not working in technology. I worked in road safety. I did collision investigation, root cause analysis. I specialized in motorcyclists, in how do we prevent motorcyclists from dying. And you talk to motorcyclists and you say to them, here are the things that cause crashes. You can't do fear and uncertainty and doubt. Every motorcyclist knows the risk inherent when they're riding their bike.
David (10:04.439)
Yep.
David (10:21.816)
Right.
Jim (10:31.446)
They know if they come off their bike, it's going to hurt or worse. And so you can't go and say to them, you could have a crash and you might die because they know that. So, but, but these are risks they're willing to take what you have. Yeah. So what you have to do is talk to them about, well, here are some things you can do that make it less likely, um, because here are some problems that happen and here are some things you can do. Um, and I view what we do in security in a, in a very similar manner, which is. Okay. What are the, what are the battles that we need to win?
David (10:40.053)
Yeah, yeah, the chances are one to two percent. So, yeah.
David (10:49.342)
Right, okay.
David (10:53.154)
Yeah.
Jim (11:00.994)
How do we demonstrate that it's not fear and uncertainty and doubt that it's the right thing to do? Occasionally, depending.
David (11:06.897)
There's always a chance that this may happen but the moment the way we're working or the way you're driving your motorbike it means that there's a 10% chance that you're going to die. If you do these things like drive within the speed limit, drive on the left hand side of the road, wear a crash helmet, then there's a chance you're going to die with 0.5% which is much better. Do you like those odds? I guess that's the same sort of thing isn't it?
Jim (11:16.619)
Yeah.
Jim (11:33.359)
Yeah, and, you know, and I've not looked at it in those terms, but, but your motorcycle helmet, your leathers, airbag jackets, these are, these are the resilience in your system. It's the, okay. So if our system goes down, we've got backups, we've got recovery, you know, okay, we've had this short term pain, but we can recover from it quite easily. And, and it's trying to get the business to the point where it actually is, is agreeing that there are
David (11:40.593)
Yeah.
Jim (12:00.642)
are the right steps sometimes and it depends who you deal with sometimes we I don't believe in department of no because it doesn't work we're dealing with human beings nobody likes being told no um and generally people will find a way around it you know I find myself in security because I'm a mischief maker by you know by that's just who I am and how I how I see things it's not that I'm a rule breaker but I will
David (12:20.766)
Well, okay.
Jim (12:29.406)
I will look for the, okay, what's the, what's the way around the thing. So there's no point in imposing rules where, where somebody can circumvent it because they'll just avoid you. It's much better to have people being open and honest and helping them to secure what they're trying to do. And by looking for those quick wins and finding ways of achieving what somebody wants to do in a secure way, that's the way that I get buy-in with other stakeholders and occasionally you have to pull out the regulation says we have to do it. I hate doing that. I'm sorry, mate. I want to.
David (12:56.105)
Yeah, yeah, yeah.
Jim (12:59.29)
I'd love to help you, but the regulators tell us. But occasionally it's the only way.
David (12:59.421)
Yeah, the FSA say, you know, yeah, yeah. And I guess in the financial services, it's a particular kind of key one, isn't it? Because you, you know, you really like if you lose your licenses or something like that, then that's going to be catastrophic for the business, right? You know, it's not just the kind of a nice to have. It's a they say we must have. Yeah, yeah. I believe you said that a few times, Jim, the way you just said that.
Jim (13:18.798)
it's mandated. You can't get around it. Yeah. I'd love to help you. I'd love to help you, but. But the thing is, if you've got that and if you have to do that, you then find the other bits that feel like a compromise. And it's not that you're compromising on your security. What you're looking for is, OK, we've got to do this thing, but here is something else we can do that's going to streamline it or automate it or remove some of that pain.
David (13:28.398)
This shrug.
Jim (13:48.31)
Like, you know, security systems cost money. They slow things down like our processes. We can't, we can't help it. It is just inherent to, so we just want to reduce the friction as much as we possibly can. You can't do it without friction, but you can reduce it.
David (13:48.788)
Yeah.
David (14:00.697)
But I think, you know, when it took IAMs and the investment you do, I do think that security product companies are definitely pushing the boundary in terms of the ease of use. They're thinking more about user accessibility with things like Face ID, 2FA as much, but we use like MS Authenticator, which to me is like a really class, that's really clever the way it does that. It's just like, you know, this is life changing, you know, it's kind of, you know, we don't, yeah.
Jim (14:19.522)
Brilliant. Yeah.
Jim (14:25.034)
Honestly, the password is such a hang up from the olden days and using kind of, if you've got your systems, if you've got to the stage where you can run with full passwordless authentication, like, uh, this is, this is what we need to be doing because I forgot my password. Well, you don't have a password. So, so you kind of forgot it. Can you reset my password? I mean, it saves IT teams like loads of effort. Yes. You've got the configuration and setup.
David (14:35.638)
Yep.
David (14:43.969)
Yeah.
David (14:51.343)
It's probably like 90% of the things they ask. I'm locked out because I forgot my password.
Jim (14:54.25)
Yeah. And, and when somebody sends you a phishing email and there's a login page and it says login with your username and password and you're like, hang on, like I can't, I don't have a password and nothing's coming up on my authenticator. Well, boom, there you go. You, you know, immediately, even if you fell for the initial kind of like, hang on a second. Um, yeah, I don't have a password. I can't give you my password.
David (15:05.177)
That's right, yeah. Yeah. There, it's not you. Yeah.
David (15:16.269)
Yeah, there we go. Exactly, we've broken the code. So as you kind of look forward for the next year, what are your main priorities? I think one of the great things, interesting things about cyber is it's constantly progressing, right? It's a constant battle between the good guys and the bad guys, the way I see it. So what are you prioritizing? One, in your new role, but secondly, as a CISO. Mm-hmm.
Jim (15:41.902)
Oh, God. Yeah. Having come here, we've only within the last couple of weeks, I've set out and had agreed what our goals are and what our targets, the things that we want to address and they're pretty common themes, improving our cloud security posture, include genuinely trying to generate a culture of security. Capco, the staff are really good.
actually the understanding of the need for security is very good. And we just need to build on that and start getting a lot of that kind of embedded into, into secure behaviors. The, so those are a couple of the pillars that we've got. We have that constant challenge of how do we, how do we handle it? And how do we address the kind of volume of work that comes our way? Because like everybody else, it's, we need to be doing more with, with less. So, and.
Jim (16:38.782)
And the volume of third party requests that come our way is quite significant. So trying to find ways of automating and improving, but, you know, one of the biggest things for me at Capco is demonstrating the value of what we do. And we need really solid metrics to do that. You know, at the moment, you know, we're building a program of, of kind of actually showing what security is doing and where the benefits are from, from what security is doing, because at the moment that's
David (16:52.707)
Yeah.
Jim (17:06.882)
That's something which hasn't been done very effectively so far. The, the reporting that's in place is solid. It gives people what they, what they need, but it doesn't really, I'm going to sound like a salesman, but it doesn't tell the story, doesn't tell the story of what security is doing and where it's, where it's helping. It also doesn't tell the story of what we shouldn't be focusing on the things that we shouldn't do in order to, to focus on the, on the bigger priorities.
David (17:19.958)
Mm.
David (17:32.105)
Yeah, it's always one of those things obviously that should be just rolling along in the background and no one really thinks about, right? You know, that's basically like, you know, payroll or whatever. No one ever wants to speak to payroll because you just got paid normally, didn't you? You know, that's how it should be, you know? No one ever speaks to the cybersecurity team because I never get hacked. So it's all good, you know?
Jim (17:51.238)
The number of times that I end up on a call where I say I'd rather be meeting you in more pleasant circumstances is Is is far it's yeah
David (17:56.789)
Yeah, yeah Far more than you'd like yeah, and you know what we've I mean we were recording this in July It's when we're doing an Ashes time and that sort of thing. So the books disappointed with the rain, but um
From our from my side, you know, we've got One of our GCS connect cyber events kind of come out which is AI and cyber security We've got some interesting people just mentioned there with regards to you know the amount of tasks coming through and this is one of the reasons why we at GCS see this is such as an interesting and growth market really is because obviously the
the scale of threat is exponential, particularly when you look at AI. So from your side, one, do you see that? Do you see this is becoming, you know, if you, if you automate threats, that becomes exponentially worse. But then I guess you also have the, and if we automate defenses, that makes us stronger. So is that something that you're seeing or thinking about?
Jim (18:39.565)
Yeah.
Jim (18:56.846)
So we've been, to be honest, we've been seeing it for years that actually because of the number of events, the volumes of traffic going through companies. And like I say, working in product companies where it was significant volumes of traffic and working in product companies, certainly in some of those financial services where they were under significant and sustained attack that you need to be building.
on and using services that are giving you machine learning and some AI integration, because that's the only way that you can scale to meet the volume of what's hitting you. But it also works with internal that we need to be doing user behavior and analytics. And you can only do that through those machine learning models and being able to track and identify where there are risky cases. So we've been doing it for years with the products that we do use.
It's not something going back to that. You can't, you can't build it on the cheap yourself, but you can buy products off the shelf that are using a lot of AI and machine learning to support what, what they do and, and to scale the, the other side of it, though, is, um, you know, we've recently written our company policy on the use of, of gen AI, so using chat GPT and things like that within the business, because obviously
David (19:59.244)
No.
Jim (20:23.798)
those kind of large language learning models are extremely effective at doing a lot of things. And so people are very curious about how they can either use it to improve their work or to do other things. And there are then risks inherent to that. At the same time, we look at kind of all these requests coming in saying, hey, we need you to fill in this due diligence questionnaire, and you can't help but look at it and think we could probably use some of these tools to
David (20:26.167)
Yep.
David (20:50.741)
Yeah.
Jim (20:52.79)
to help us because they can be trained on our documents and they can fill this in, send it back and it'll give us the time back in our calendars and then we'll just get on a call with the vendor. So I think, yeah, and then come back to our chat bot with the follow on and then we'll put them both on a Zoom call and watch the Ashes, like you say. But...
David (21:05.137)
Exactly and they could use their own chat bot to read the responses and then tell the person that's in there. Yeah, yeah, that's right. They probably sort it out perfectly or not. Yeah, yeah, exactly.
Jim (21:21.922)
But I think automation has been a constant kind of digital transformation issue within our lives. But you look at the volumes of things that we need to deal with, we have to lean into it heavily. You can't solve the problem by throwing human beings at it. We need improved systems. We need the ability to scale. And that's the only way that you can do it. And you know that obviously people who are carrying out attacks are using...
David (21:28.999)
Yeah.
Jim (21:50.546)
not just the new kind of large language models, but they've been using automation to probe and push. It's, it's how they're able to, to get a foothold in, in so many places. Um, so rapidly.
David (22:01.117)
Yeah, it's an ongoing thing. And then so kind of coming on from that, obviously, we talk about automation there. But I know, obviously, you know, just for those who are kind of looking through your LinkedIn background, you come from a recruitment background. So I guess you always look at this with a kind of a talent or a person based kind of element of this. So, you know, again, as you come in, and you're building these teams, and you're thinking about this in a very, very
competitive market, right? There's not enough people that can do these jobs. Okay. Um, what, what do you see as your talent strategy, you know, and, and we're taking aside the AI, you know, as you, as you look to kind of build your teams, what types of people you're looking for, you know, how do you make sure you don't lose out to competitors in a very competitive market? What, you know, obviously this is a real struggle for all kind of CISOs, I think.
Jim (22:29.489)
Yeah.
Jim (22:51.63)
So I think, yeah, you're absolutely right. So I've come to Capco and inherited a team. So the team's already in place. But the last team I built from the ground up was, well, no, it was great. We've already got people. But the last team that I built from the ground up was while I was at Kids Loop. And so we built a team of 12 within just over a year. And it was very much a, OK.
David (22:59.009)
Thank God.
David (23:08.566)
Yep.
Jim (23:18.186)
Everybody talks about the cyber skills shortages. So you just have to be intelligent in what you go looking for. Yes, there are some very technical roles in security where you need very technical, deep people who were, who were able to do those roles, but that's not all of the roles in security. And, and you can get people with the right skillsets and you just need to be. I was going to say, think outside the box. It doesn't matter how hackneyed it sounds. You've got to be looking at, okay, what are the, what are the things that I need within this particular role?
And where can I find candidates who have that? So the team we built at Kids Loop were a team that we recruited on the basis of attitude and aptitude. We wanted people who got the mission, were ready to get stuck in, and wanted to kind of learn and grow. So even if they didn't have all of the skillsets, we took some people who'd worked in security before for obvious reasons, but we also had people who had been sysadmins.
David (23:58.233)
sure.
David (24:09.282)
Yeah.
Jim (24:18.066)
So they were security adjacent, had a really good security mindset and were like, Oh, I've never done any security work before. Well, you have, you've been securing systems for years. You just haven't thought of it that way. And actually you've been, you've also been supporting with incident response when your systems have been under attack. You just haven't, you haven't thought of it that way. Um, and we recruited somebody to be our, um, security culture and awareness person who was, uh, she was a therapist. So she, she did counseling. That was, that was her thing. And.
David (24:25.209)
Thanks.
Yeah.
David (24:35.619)
Yeah.
David (24:44.026)
Okay.
Jim (24:47.926)
She was looking to move out of it. And we said, well, we don't need you to know security. We need you to change people's behavior. You know, you need to understand how to shift behaviors and do those nudges. And you know that better than any of us. And we can teach you the security things and you not being super technical and wanting to learn that is a good thing because you are much more aligned with most of the people that we deal with in our business and we're not because we're going, oh, like, I don't understand why this person has struggled with this concept.
David (24:54.197)
go to talk to people. Yeah, yeah, yeah.
David (25:06.807)
Okay.
Jim (25:18.234)
And by having Vessi on board, it was really easy because she was able to say, I don't get it either. So she could then communicate in terms that worked. So it's just looking and trying to identify. Yeah, you don't fish from the same small pool, right? I guess that's the recruitment angle of it. You know, when I started a recruitment agency, it was while I was leaving teaching. And there were not like right now, there were not many teachers. So you had to be intelligent.
David (25:24.377)
That's bullying.
Jim (25:47.206)
and kind of write what's the creative way for us to find the right people who is not already looking for someone in this particular category. So yeah, I think it's that. And then, you know, we had a very strong kind of methodology. We would recruit for people who saw themselves as lifeguards rather than policemen. So it was we're looking for people who were there to make it a safe place to be, but a...
but it's not about I am the law.
David (26:20.089)
Yeah, I think it's really interesting. And I guess like your background is a kind of leader as well. Like you're looking at people coming from different areas. I mean, looking again through your background, you've kind of taken that journey, haven't you? You know, you've come into cybersecurity. There's not kind of what you did your degree in or anything like that, you know. It's obviously something that interested you and you became more and more involved with it from an IT background, but.
I think that's one of the things that as recruiters sometimes that we struggle with in terms of, you get a job spec, the client wants you to tick every single box in the job spec. So you only look for a certain type of person. So you put a certain type of person down and you generally don't think outside the box because you don't feel that's your job. That's not what you're getting paid for, right? But I think if we were to do that more, that would probably help with the skill shortages that we've got. And it's kind of a...
Jim (27:04.761)
Yeah.
David (27:14.326)
supplier and customer sort of decision isn't it.
Jim (27:18.27)
Yeah. And, you know, actually that's, that's a really good point. We had somebody put a candidate in front of me years ago. This was as a developer and he'd applied for an apprenticeship that we had going and he wasn't eligible. And so, but the recruiter said, Hey, we think you should meet this guy. He's, he's really good. We think he, we think he might fit if you've got another job that you can give. And I met this chap and, uh, he
He didn't have a background in programming. Uh, he was working on the cheese counter in a supermarket, but he was learning to program in his spare time. And there was just all these things about it that were kind of like, okay, well, look, we'll give you a pump, give you a trial. And he was fantastic. And he was throwing all his time and effort into, into learning and, and developing his own skillset. Um, and, and it was just purely that the recruiter had said
David (28:08.633)
to that growth, yeah.
Jim (28:15.07)
Do you know, I think this guy might fit for you. He doesn't tick any of the boxes for the thing you're recruiting for right now, but I think you should meet him. And yeah, he turned out to be an absolute star.
David (28:17.805)
Hmm.
David (28:22.989)
Yeah.
David (28:28.385)
Fantastic. And on that happy note, recruiters being helpful, I think, is a great way for us to kind of bring this to a close. You know, Jim, it's been really interesting to kind of understand a little bit more about your kind of role and how well we can really kind of build these things without doing exactly, you know, spending all the money and hiring all the top level people, if you know what I mean. And I think that seems to be something that I'd take from this.
What you're saying is that you can construct a really, really strong basis for security culture without spending the earth.
Jim (29:11.062)
Yeah, absolutely. And, and you're right because security people can be really expensive, but actually at the same time, if you're bringing somebody from a security adjacent background into security, they need not be super expensive and actually they're coming in with a lot of experience and a lot of background with the sort of technologies that you'd, um, you'd expect. And yeah, there's, they're not coming in as, Hey, here's my lead. Kind of malware.
Jim (29:38.894)
uh, detection engineer necessarily, but it, cause there's going to have to be this kind of period of growth, but it doesn't mean you have to, yeah, doesn't mean you have to break the bank.
David (29:49.441)
fantastic. Jim, thanks very much for your time today. Enjoy your day. It must be too soon. Thank you. Cheers.
Jim (29:52.17)
No, very welcome. Great to meet you as well, David. Thanks.