Data governance strategy in 2021

This episode we welcome Rita Gurevich, CEO and founder of Sphere Technology Solutions. She talks about what it’s like to start her own company, why it is important to know your assets when setting policy, and what skills and experiences set applicants apart when they look to hire. Plus, she has plenty of data governance strategies to chat about.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 2:47 - Origin story
  • 4:51 - The creation of Sphere
  • 7:14 - Working solo at Sphere
  • 9:12 - What would you change going back?
  • 10:30 - Pricing your business activities
  • 12:36 - Average day as a CEO
  • 13:32 - Favorite parts of the job
  • 14:50 - What is data governance?
  • 17:40 - Factors driving data growth
  • 19:28 - First steps to form data strategy
  • 22:07 - Data governance best practices
  • 23:40 - Time frame to get a master inventory
  • 25:17 - What does good data governance do
  • 26:12 - Skills I need for data governance and management
  • 27:47 - Importance of collaboration and mentorship
  • 30:26 - Skills and experiences for Sphere candidates
  • 32:48 - Tips to get into cybersecurity work
  • 34:06 - Outro

[00:00:00] CS: Today on Cyber Work, my guest is Rita Gurevich, CEO and founder of SPHERE Technology Solutions, and the topic is data governance strategy. Rita tells us about starting a company during the crash of 2008, the importance of knowing as close to 100% of your assets as possible when setting data governance policy, and what types of candidates stand out on the sphere resume pile. That's all today on Cyber Work. 

Also, let's talk about Cyber Work Applied, a new series from Cyber Work. Whether you want to learn how cross-site scripting attacks work, we want to set up a man in the middle attack, or get a blow-by-blow recap of the Equifax breach, expert infosec instructors and industry practitioners will teach you these cybersecurity skills and show you how those skills apply to real-world scenario. Best of all, it's 100% free. Go to infosecinstitute.com/learn or check out the link in the description below and get started with fun hands-on training that keeps the cybersecurity skills you have relevant. That's infosecinstitute.com/learn. And now, let's begin the show.

[00:01:11] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about the latest cybersecurity trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry. As the CEO and founder of SPHERE, Rita Gurevich is charged with leading the strategic growth of the organization in providing business critical governance, security and compliance solutions to customers spanning multiple geographic locations and industry verticals. 

Gurevich founded SPHERE after gaining a massive amount of experience in a short period of time during the Lehman bankruptcy, economic downturn of 2008, and the enhanced regulatory environment that dominated the industry. Being in a unique position from this experience, Gurevich founded SPHERE as a single contributor and worked strategically to grow the company into the entity that it currently is today. Gurevich is the recipient of multiple honors and awards including recognition for from her entrepreneurial skills from Ernst and Young and Smart CEO, along with being on the 40 Under 40 List in 2017. In addition, Gurevich sits on the board of directors for the New Jersey Technology Council. 

So this week's topic is data governance strategies in 2021. So as more of us, what we do goes online and goes into the cloud. And as more people need access to that information, making sure that entrance points aren't more accessible than they absolutely need to be is going to be more important than ever. So today we're going to talk about the issues around this topic as well as job strategies for people who want to do this type of work. Rita, welcome to Cyber Work.

[00:02:41] RG: Thank you very much. So I'm very excited to talk to you today. 

[00:02:45] CS: Great. It’s my pleasure, I think we're going to have a good time. So I always like to start out finding out how our guests got into cybersecurity and computers and tech in the first place. So I see you studied computer science and mathematics. So it's been with you at least since college. But did you have a computer in the house growing up? Was it something that was always interesting to you?

[00:03:03] RG: I'm going to blame this on my Russian parents. 

[00:03:06] CS: Okay. 

[00:03:08] RG: I think there's a trend with Russian parents and definitely immigrants to this country had to focus on this line of work. I'm very grateful, because I am a numbers person. So it came pretty intuitively to me. And obviously, I've been able to leverage that and build a successful career.

[00:03:25] CS: Did you get a sense that they sort of saw computers as this sort of wave of the future, or this is where all the jobs are going to be and such?

[00:03:33] RG: Oh, 100%, they all saw it coming. And they encourage their children to focus on it. And obviously, being a woman, none of my friends that were female, were remotely interested in the field. So I definitely stood out a little bit amongst my high school group of friends. But like I said, the world is changing. And I'm very grateful that I ended up choosing this field.

[00:03:55] CS: Yeah, yeah. What was your first computer? Like what were what were some of the first things that you did that really got you excited about it?

[00:04:02] RG: You know what? I'll never forget. I took like a programming course in school, in high school, and it was around building a game. So it was so archaic, the systems we were using, the machines we were using. But I thought it was so fascinating that you can put letters on a program and watch things move on the screen because of it. So I kind of realized, as my parents did, that this technology makes the options of the world quite limitless. And that was intriguing to me.

[00:04:31] CS: That's really cool. Yeah, I did that kind of thing too, but it was just like out of the books and you would type like 800,000 lines and then like a ball would just kind of like bounce across the screen, because I'm ancient. It was a Commodore 64. But yeah, no, I love that. And then you were able, unlike me, you’re able to understand the language and the theories behind it and stuff like that and move through, which is awesome. So I wanted to sort of talk about your company. In 2010 you founded SPHERE Technology Solutions and have been the CEO ever since. So I know a lot of our listeners are interested in what it's like to run your own company and so forth. Can you tell me about the creation of this company?

[00:05:11] RG: Absolutely. So not to downplay the difficulties experienced by my peers during the financial crisis of 2008, but for me personally, it was an incredible experience. During the bankruptcy, I was on the technology side, and I was essentially put on a SWAT team. We had to start disaggregating all of these IT assets. So almost overnight, all these different entities that bought parts of the Lehman umbrella, and we had to figure out who gets what. So we started with identities, with an active directory. We moved on to unstructured data. Then we started to look at all the server landscape and all the other applications of platforms. And I learned skills that I still use to this day. And it's probably an experience that it’s hopefully once in a lifetime. And it's not just fascinating to me. I mean, there were books written about what went on during this time. Movies were made. Big screen hits. And in some ways, I am grateful. So I shared that experience with a lot of people. And the Lehman community of technologists is very strong and spread across all of Wall Street. And I consider myself fortunate that I'm in this group of very talented, innovative people that have done great things with their lives post the bankruptcy.

[00:06:29] CS: Now, did you have a sense in the moment that it was happening that this was going to be this kind of historic moment? I mean, where people really like, “Oh, my God, it's all changing now.” Or –

[00:06:39] RG: I was a little bit young. So I was 24 years old. I didn't experience what some of my friends did. I didn't own a home. I didn't have children. I didn't have college funds to secure. So for me, it was more of a moment of “Whoa! What is going on?” and just being very reactive on a day to day basis. But I'll tell you, I remember walking down the halls of cubes and seeing people crying and very scared. And those are images that are going to probably live with me forever.

[00:07:12] CS: Sure. Yeah. Now, your bio noted that SPHERE started as a company of one, if I'm reading it right anyway, and that you strategically made moves to grow it into this successful company that it is now. And like I said, we've had several episodes talking about startups and people who their whole job is helping other people start startups. And so it's something that's always intriguing, but also a little mysterious. Can you talk about the process of starting this company and then the things you did to keep the company on an upward swing when it was just you at the head?

[00:07:42] RG: Sure. So starting was interesting. And I got some early advice from a friend who had started a business years prior. And he said, “Write a business plan.” That sounds pretty intuitive. Well, I had no idea what a business plan was. So I went to good old friend, Dr. Google, downloaded a template and started filling it out. And it's funny, a few years back, I actually found it. And we're moving our offices, and I looked at our plan. And wow! Some of it was pretty funny. But I will say my intuition and general theme were pretty accurate. So execution obviously changed a little bit. You don't know what you don't know. But the general idea of why I was doing what I was doing and what I should focus on is pretty consistent with what I did and how I applied my knowledge that I learned from that data segregation program during the Lehman bankruptcy. 

And as for kind of the ongoing growth of the company, in the initial years, it happened very organically. I just knew that if I did good work, and people continue to ask me to do more work, then I'm doing something great. And I knew I would succeed and everything that I would need would come to fruition. And that's how I focused for a very long time.

[00:09:04] CS: Now, I love hearing that you went back and looked at your old business plan, and there was some pride, but also a little cringiness. Now, is there anything – I mean, apart from just the inexperience of youth, was there anything that you – Any moves that you made on the business plan that sort of like experienced Rita of now says like, “Oh, I would have done it completely different, or that might have changed the direction of this.” Can you give any advice in that regard?

[00:09:28] RG: And I'll tell you a little bit of a funny story actually. So one of the interesting parts of the business plan that I didn't think of before I downloaded that template was how to price what you do. What does it cost to the client? And when I wrote the business plan, I very much itemized everything. I'll give you an example. I knew that people needed help cleaning up their file system. So I created a price per folder, which was pennies. And I learned early on when I started to interact with prospects that vendors don't price pennies per folder. That just doesn't make sense in a real-life scenario. So there are all these fun little tidbits that now did make me cringe a little bit. But the general idea I think was corrective, price based on volume.

[00:10:22] CS: Yeah. I mean, it's something you hear a lot too. It's like one of the big problems with people who start freelance or start their own company is that they may be kind of undervalue their services. Did you have a sense of whether you were sort of market appropriate in terms of like what you were pricing? Because you always hear like, “Well, I'm just starting out, so I'm going to market way too low,” and then you sort of end up undervalued and people don't want it or you don't have any sense and you're like, “I got to make my money back.” So you charge it too high. Did your numbers seem like right to you in retrospect?

[00:10:52] RG: I did have a little bit of a leg up, because I did procure software and services as a Lehman employee. So I had a general idea of appetite within the banking industry. So that helped me for sure. But at the same time, when I was starting my company, I was 25-years-old, and I'm was pitching to managing directors that had been in industry for 20 plus years suggesting that I could do it better than then they were able to do these projects. So I took some interesting risks in terms of how I got paid, especially in the beginning, where I suggested, “Let me do all this work, and don't pay me until it's done. And if it's not done, don't pay me at all. And we'll part ways and nobody feels that there were dollars wasted.” And I did that for a number of years just to prove myself. Just to be able to show that I am committed and this business isn't going anywhere. It's not a risk for you to procure from me. 

But then I naturally started also get a general idea of appetite in a more, I guess – In a more generic way, but also in terms of how long projects take. How to price it? And then we also started to build our own software. So it was interesting to understand what the appetite for automation was back then. But, again, everything happened very organically. And because of the Lehman bankruptcy and all these folks that I worked with for so many years scattering across Wall Street, I had friendlies that I was able to turn to, and ask for advice, get feedback. So I was very lucky in that regard that even mistakes I made were forgiven.

[00:12:28] CS: That's great. Yeah, that's the best possible scenario for the first years of a company like that. So whether people are working as helpdesk, or as the CEO of a company, our listeners are always hungry to find out what your average workday or workweek looks like. Can you tell me about your average workday as the CEO of SPHERE Technology Solutions?

[00:12:49] RG: Sure. I mean, I do a little bit of everything for sure. My week – And I'm going to include weekends in there, because if anyone tells –

[00:12:54] CS: Okay. So you’re on-call all the time? 

[00:12:56] RG: Oh, 24 by 7, but I'm an Energizer bunny, so I don't mind. But, obviously, I divvy up my time between operations, service delivery, research and development. I personally love the client interaction side of things, that part of my role. I always find time to talk with customers. It keeps me very grounded. And I always like to ask what are the good and what are the bad things that you’re noticing within the function that you brought us on to do? So that way I can make sure that we're constantly improving, right?

[00:13:32] CS: So what are your favorite parts of the job? And what's the part of your job that stresses you out on a Sunday night as you get back into your work week?

[00:13:39] RG: So the fun part, I love the client side, as I said before, interacting with the customers. And that's everywhere, from executive level conversations, all the way down to the engineers that the analysts that have their feet on the ground, hands on the keyboard. I'm fascinated by the full end-to-end side of it. What stresses me? I would say nothing and everything.

[00:14:05] CS: Yeah, just a way to the world of being an owner of a company, I imagine, huh?

[00:14:09] RG: Yeah. I mean, listen, the reality is I'm always worried. It's what keeps me sharp, focused. I make sure that, of course, I channel that energy into productive tasks. I think it's also very important not to sweat the small stuff. It's a lesson that probably took me very many years to learn. I'm still not great at it. But what I try to do is just to stay very even-keeled. Try not to get too emotional. And be practical when you're trying to solve a problem. Think about the short term, of course. But also the long term plan to make sure that you're not repeating the same mistakes over and over again. 

[00:14:51] CS: Right. So as we mentioned at the top of the show, for our listeners who are considering cybersecurity as a profession or transitioning over in cybersecurity from another career. We always like to start at the beginning, because we don't know what people don't know. So we're here to talk about data governance strategy, which is obviously a pretty big umbrella to stand under. So just so everybody's on the same page, what are we talking about when we talk about data governance strategy.

[00:15:14] RG: So data governance is definitely very broad. But we focus very much on the access control side of the requirements. So understanding the lineage of data, the lifecycle of data, very important, but we think that you should focus just as much of your energy and understanding who has access to the data. Where is that access inappropriate? Where is that access dangerous? And we talk a lot about least privileged access. Making sure that only the right access exists for the right person for the role that they're in. We decided instead of going very broad and being a jack of all trades that we were going to be a master of one. And when it comes to data governance, the entitlement space is where we excel. 

[00:15:59] CS: Okay, what does that mean the entitlement space?

[00:16:01] RG: So all of the permissions across all of your data. So that includes your traditional group drives. It includes all of your SharePoint sites. It includes all your mailboxes and your public folders. It includes the data that gets created by applications on a local C drive. We very much look at it from not just what data exists out there, but are you managing the entitlements correctly? And where are you at risk?

[00:16:30] CS: And I guess the idea of that is that if one of your employees gets hit by a malware or gets hit – And there's only so many places that they can go because they don't have access to everything. Is that the idea?

[00:16:43] RG: Exactly. And you'd be shocked at the gaping holes that exists at these large enterprises when it comes to entitlements, and it absolutely is a major problem when an intruder does enter your four walls and having open and excessive access exacerbates the problem. And the reality too is the internal threats of internal people doing bad things with the data is also top of mind for a lot of CIOs and CSOs and board-level individuals, because there are disgruntled people at these companies, right? Maybe you didn't get the bonus you were looking for, or maybe – It could be a million reasons, right? So it's not always some nation state attacking you or some smart kid in their basement figuring out a way to get inside your four walls. It could be your very own, unfortunately. So you have to protect the company. 

[00:17:39] CS: That makes sense. So with the rise in data growth over the last few years, how does this change the process of data governance? And what are the factors driving this data growth? Is it just the natural, unstoppable outgrowth of a culture that increasingly lives on live in the cloud? Or is it something else?

[00:17:55] RG: I think it's a constant exercise of knowing you have to expand coverage and focusing on exposure security. So you need to know everything that's out there. How it's used? By whom? For what purpose? And you have to highlight the risks in terms of people being able to see data that they shouldn't see. Like I mentioned before, we talk a lot about these privileged access. And what's interesting about the cloud, specifically, is we've seen a 1 million percent Mach speed journey to get the data into the cloud. And the pandemic, of course, drove that. And what's fascinating for a company like ours that focuses on the access control piece is, with everyone being locked down and working on their couches or kitchen counters or wherever, you don't have the natural deterrent of your manager being down the hall or somebody walking by your cube and looking over your shoulder. So even if you had very messy entitlements before the pandemic and when everything was on-prem, those natural deterrence are now gone. And with everybody debating a hybrid remote work environment, or maybe completely doing remote-first, this problem is going to become even more massive. So we think that it's harder than it's ever been to get your head wrapped around all this. But it's much more important than ever before to understand your entitlements.

[00:19:28] CS: So I'm assuming most companies with an IT department have some notion that a data governance strategy is at least a good idea even if they haven't put it in writing or implemented it professionally. But if you're realizing that your company has been kicking the can down the road for a long time, what are the first steps in tracking and documenting your data assets in order to set strategy? Like how do you put your arms around such a big task?

[00:19:52] RG: Of course you need the capability to collect from the source system. I think that's obvious. You need a technology that can grab the information and metadata from the file system, SharePoint, email, all those places that I've mentioned, where end users create and store data. But that in and of itself isn't going to get your head wrapped around the problem. We believe that you have to organize the information into meaningful buckets. Organize it in a way that can be digested by outside individuals. Not just technologists, but also by the business community. All of these large organizations have BISOs, business information security officers. They have compliance and risk teams that sit outside of IT. You have to be able to show the information in a way that they can digest and consume, and you can make action plans around. 

Now we've seen so many times that people will pull reports from tools, and it's millions of rows of information, just static lists of locations and entitlements. That's not actionable. What are you going to do with that information? And the other thing that we've learned is the answer doesn't all live in one place. There're all sorts of referential data sources that you have to analyze as well. For example, you have to figure out who owns the data. It's not the technologist’s decision. It's not IT or information security to decide who should have access, or if data is still needed, or whatever the case may be in your data governance checklist. You have to have accurate ownership. And that means you have to look at all the different books of records and all the CMPB's and make sense of all this information. 

The last part that we stress a lot is you have to do this in an automated fashion. Because if you try to do it manually, you're going to hit every edge case, every nuance, you're going to struggle. And by the time you finish, that information and that analysis you did becomes obsolete. So we very much focus on the data quality side of all the information, collecting from all the referential data sources. Making sure you have a framework for doing things like an ownership catalog that's accurate and up to date, and most importantly, doing this in a repeatable fashion.

[00:22:06] CS: Yeah. Now, are there any particular sort of best practices around data governance that you're like kind of amazed to find that aren't more universal than they are that seem obvious to you, but just aren't sort of natural people?

[00:22:20] RG: Yeah, you need good housekeeping. You can't let things lie and you can't brush things under the rug. We spend half our time fixing those data quality issues I mentioned, like the ownership catalogs, and the realization also that this is not a static problem, especially when it comes to the entitlement space. You need to handle obviously. You need to understand what's going on today. But the reality is entitlements change on a daily, hourly, moment basis. The obvious examples are you have summer interns, or people change roles, or people leave your organization, enter your organization. And the repeatable aspect that I mentioned earlier absolutely applies here as well. 

And then, of course, also, something that's also overlooked, is taking the time to clean up what's there now, and at the same time building out an evergreen process. We've seen a lot of organizations, when they're thinking about this, almost pick one of those two. And what ends up happening is you have these very disparate processes and disparate policies for all this legacy information that's sitting out there still actively being used while maybe you stop the bleeding on new data that has to get created, new locations that have to be up and running. And it creates more confusion than fixes the problem.

[00:23:40] CS: In terms of the actual sort of logistics of getting your arms around this and things of that sort of ownership record and everything, like what is the timeframe on – I mean, depending on the company size, but like what on average do you think does it take people to sort of get a master inventory of what they have and set their priorities that way?

[00:24:02] RG: Everyone, when we work with a customer, there's always a different starting point. Sometimes we come in and the customers did a lot of the very manual grunt work. So we have a little bit of a head start. And obviously it depends on your scope and size of organizations. But I would say don't underestimate it. You've seen every edge case, every nuance, you can imagine that people had no idea existed within their environment. And they had gaping holes in what they thought was a complete set of inventory and analytics. And the reason these things take time is because it's that last 10%, 20% that's really complicated. But that's where you spend the majority of your time. And if you don't do that, you're going to be missing big, big areas of risk. And we very much feel, “Get to as close as 100% as possible if you really want to reduce your risk.”

[00:24:54] CS: Also, it’s that last 10% that's both complicated and also the part you are most eager to never think about, right? You’re like, “Oh, please not this.”

[00:25:03] RG: Well, this is one of the reasons I started this company, is it's something that people have to do, but they don't want to do themselves because it's hard. It's complicated. And we find it very rewarding. But I can understand why –

[00:25:14] CS: Yeah, and it’s what you do. 

[00:25:16] RG: Yeah, yeah, exactly. Exactly.

[00:25:18] CS: So can you talk about the ripple effect of good data governance? I imagine having processes and procedures around access management doesn't just protect your assets, but probably can be a huge benefit for any sort of compliance regulations you might run into.

[00:25:31] RG: Oh, there are so many downstream goodies when it comes to good data governance. The obvious one is risk reduction. You're limiting exposure, all that good stuff. But people also are starting to share ROIs on doing this. The operational efficiencies that are gained by getting yourself organized, by automating things like entitlement review, like automating the joiner, mover, lever process. So not only is it good hygiene and makes a technologists like easier, but there are clear and wonderful case studies on how this actually saves money for companies.

[00:26:11] CS: That's awesome. So speaking to people who are interested in doing this type of work who might be listening on the podcast land right now, what are some skills that you should have and areas of interest to start a career working on data governance and data management? You obviously have a great computer science background. But does this require extensive technical background, computer science degrees? Or is the tech something that you can learn as you go?

[00:26:35] RG: So that's a great question. And we debated this internally when we started to grow and started to recruit and looking for people that had this kind of skill set, which is rare. Not a lot of people know how to do the things that we do. And we always find that folks that come from an infrastructure background have a leg up. Understanding the storage systems themselves, the messaging platforms, how end users collaborate. I mean, that's where I personally started as well in my professional career. And it made it much easier for me to expand my horizons, and truly and deeply understand what a security vulnerability was, how entitlements work, because I understood the technology itself. So I would recommend anybody that's interested in security that’s maybe unsure or wants to maybe give something else to try, go work in an IT shop. Go manage an infrastructure. Go work on a storage team or a network team. You'll learn so much naturally and organically about data, about governance, about security. And it becomes so applicable as you start to help companies build policies that are achievable and practical.

[00:27:47] CS: Okay. So to that end, as you said, you kind of want to be looking over the shoulder of people who do this kind of thing. Can you speak about the importance of collaboration and mentor-mentee relationships in cybersecurity in IT?

[00:27:58] RG: It's very, very, very important. We are a small group of people in the big scheme of things. And cybersecurity is still a pretty new field considering how long technology's been around in general. So it absolutely requires a lot of mentorship. It absolutely requires a lot of apprenticeship. I also think it's great to give it a go on the vendor side. We call that in our office – And kind of get a lot of flavors, right? You have huge labs. You could tinker. A lot of our companies like ours and in our ecosystem have innovation labs. We have built out training programs to get people acclimated quickly. So it's a great place to get your start in security. And then it opens up a lot of doors and a lot of options.

[00:28:51] CS: I mean, it's something for people to make note of, because I think there's a lot of a lot of advice for other types of cyber security work where they say, “Buy yourself a lab, go home, practice your networking, practice your lab work,” but it sounds like here, like the emphasis is more on get to know someone who has a lab and get to know that there's this infrastructure out there already. And if you talk to the right people, you become sort of ingratiated into this culture of learning. So whether you're in the middle of nowhere, whether you're in the middle of the big city, like it's probably more important that you sort of know people who do this stuff rather than feeling like you have to take the weight of the world on your shoulders. Is that accurate?

[00:29:32] RG: Yeah, and the beautiful part about what's happening in the world right now with remote work is a lot of companies are also expanding their minds of where they can recruit from. So you may have grown up and live in the middle of nowhere, as we call it, right? You have now people that are recruiting you. If you're interested in these type of roles, it's no longer the fact that you have to live in Silicon Valley or outside of New York City to be a part of an innovative company in cyber. I know, ourselves included, we've hired so many people across the country now, where traditionally years ago, we really did focus on local talent. So I think there's going to be a natural shift. And I think it's great for people that don't live in kind of the main metropolises of the country that are interested in becoming more advanced in this space.

[00:30:25] CS: Well, that leads perfectly to my next question here. Obviously, in reading your bio, you're clearly very proud of what you call your team of diehard SPHEREians who work with you. So what are some traits skills, experiences or other things that you look for when looking for new team members at SPHERE? Like what would what would stand out on a resume and move that candidate to the top of the pile?

[00:30:45] RG: Yeah, we have a lot of nicknames, SPHERE nations, SPHEREians, your experts. We have a lot, yeah. From our perspective, obviously, we're looking for talented, hungry, motivated-driven individuals, but we very much are a culture company. I'm very proud of the fact that over 11 years, I made it. So that hasn't changed. And my intention is for that not to change as we continue to grow. Because I believe that happy people produce the work, feel good about their day, go home and tell their friends and family the goodies that happens throughout their nine to five. And it encourages people to think outside the box. Not be scared to offer ideas. And because this is still a very new space, we need those hungry minds to share what t their perspectives are. So we very much look for independent thinkers, outgoing individuals. Not that everyone has to be talkative and wildly and crazy, but hungry for information, hungry to learn, hungry to help others. Those are the types of characteristics that we look for.

[00:31:54] CS: How do you get a sense of that if you're looking at a potential candidate. Like what is it that you see in their like past experience that you say, “Oh, yes, that’s definitely – This person is clearly like going above and beyond.”

[00:32:06] RG: Yeah, I always look for – Let's say somebody was at a company for a handful of years that they tinkered in a lot of different areas. For me, that's very interesting. Obviously, we always pay attention to folks that didn't stay too long in any one company for many, many roles. But they're always, sometimes very good reasons for that as well. But I love it when I see somebody that was at a company for five years. Spend some time working in identity access management, and maybe honed in on their privileged access skills, or then maybe wanted to tinker network security. So showing longevity, loyalty, all those good things, but also hungry for information, hungry to learn, hungry to expand their skills.

[00:32:48] CS: So as we wrap up today, for people who are sort of feeling stuck in their current job, or not really knowing how to sort of take the next step, do you have any tips or recommendations, things that someone could do tonight right after they turn this podcast off that would get him closer to doing this type of work?

[00:33:03] RG: So I would say read, read, read, read, read. 

[00:33:07] CS: Okay.

[00:33:09] RG: The nice part about cybersecurity is there're so many companies that are propping up all the time, right? And we are a community of information sharers. And we very much are excited about publishing our viewpoint, blogging about what we're learning. And more often than not, it's real information coming from practitioners. It's not all marketing fluff that's nonsense to a technologist’s mind. It's a lot of people that just want to educate what they're seeing, what they're feeling, how things are going. And I think that type of research will really help people get their head wrapped around what are the important areas that are being focused on? And where should I pay attention to? Where should I focus on when I start uploading my resume to job boards and things like that?

[00:34:06] CS: Nice. So thanks again for your time today, Rita. It's been great. As we wrap up today, tell us a bit about some of the things with SPHERE Technology Solutions that you're especially excited about going into 2021. What are some new projects or software's or tools or initiatives that you're doing that you want to tell people about?

[00:34:24] RG: Sure. So like everybody else, we're excited for the world to open up, hopefully sooner rather than later. I've actually started to see clients in outdoor settings, of course. But I'm excited to do a lot more of that this year. Also, we're doing a lot of interesting changes in our go-to-market. We are a company that started as a services organization that built product based on needs that we were seeing our customers asked for. We self-funded and productized a lot of those requirements and became a software and services company. And last year, we partnered with ForgePoint Capital. They're a venture capital organization that exclusively focuses on cybersecurity companies. And that's allowing us to do some really cool, cool, cool work. 

We're very proud of a new offering that we came out with called SPHERE Soft Serve, like the ice cream. That's how you'll remember it. 

[00:35:28] CS: Yeah. Right. There you go. 

[00:35:31] RG: But essentially, it shows the world that you need software for some things and you need services for others. Automation is great, but it's not everything, and not everything can be automated. So we're excited to share with the world and our customer base what we've learned over 11 years of what's the right practical methodology that can be deployed to finally solve this age-old problem around entitlements and specifically as it relates to data governance.

[00:35:58] CS: All right, one last question. For all the marbles, if people want to learn more about Riga Gurevich or SPHERE Technology Solutions, where can they go online?

[00:36:05] RG: Sure. So I've been doing a lot of vlogging, and interviews, and writing. I'm a LinkedIn crazy person. So reach out to me. 

[00:36:14] CS: All right. Love it. And your company’s website is? 

[00:36:19] RG: Www.sphereco.com, S-P-H-E-R-E-C-O.com.

[00:36:26] CS: Beautiful. Rita, thank you so much for your time and insights today. I appreciate it.

[00:36:29] RG: Thank you so much. This is great.

[00:36:31] CS: And as always, I'd like to thank you all at home and at work for listening and watching today. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and on www.infosecinstitute.com/podcast, or on audio wherever find podcasts are downloaded. Don't forget to check out our new hands-on training series, Cyber Work Applied. Tune in is expert infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. Go to infosecinstitute.comlearn to stay up to date on all things Cyber Work. 

Thank you once again to Rita Gurevich, and thank you all for watching and listening. We will speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

placeholder

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

placeholder

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.

placeholder

Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.