Secret CSO: Josh Yavor, Tessian

Is the security skills shortage affecting your organisation? “… I believe that the perceived security skills shortage is driven largely by outdated and unrealistic hiring and management practices - not an actual lack of capable candidates.”

Name: Josh Yavor

Organisation: Tessian

Job title: CISO

Date started current role: August 2021

Location: Ann Arbor, MI, USA

Josh Yavor is the Chief Information Security Officer for Human Layer Security company Tessian. Before joining Tessian, Yavor acted as the CISO for Cisco Secure and, prior to that, he held the role of Head of Cloud Security at Duo Security and Head of Corporate Security at Facebook.

What was your first job? My first job was as a lifeguard at a local municipal park and, in retrospect, I suppose it was my first foray into risk management.

How did you get involved in cybersecurity? The concept of cybersecurity as a career space didn’t really exist when I was younger, but I’ve always been someone who tinkers, often breaking things while taking them apart to try and understand them. This applied to computers, networks, and applications eventually as well. By the time I was done with my first career, as a 6th and 7th grade Social Studies teacher in Kalamazoo, Michigan, I was running an IT and managed service provider business on the side and had gone back to school for a Master’s degree in cybersecurity. I was lucky enough to then land a job at a security consultancy, iSEC Partners, which was my first formal step into the cybersecurity careers space.

What was your education? Do you hold any certifications? What are they? BS, Social Studies from Grand Valley State University.

MS, Computer, Information, and Network Security from DePaul University.

Explain your career path. Did you take any detours? If so, discuss. I have a less traditional career path, but I am thrilled to see that such paths are becoming more common over time.

In my first two years of college, I struggled to decide between pursuing education or computer science. I ended up choosing to prioritise education, while completing a minor in computer science, and my first career was as a middle school Social Studies teacher in Kalamazoo, Michigan.

Throughout college and while I was teaching, I ran an IT consultancy as a side job. This gave me early experiences in areas including web application development, infrastructure security, and compliance. As my time in education came to a close, I had completed a master’s degree in cybersecurity and was fortunate enough to be hired into iSEC Partners as a security consultant. At iSEC I performed a variety of services for clients, including penetration testing, security assessments, and incident response. Additionally, I conducted security research that culminated in presentations at Black Hat and DEFCON in 2013. I joined Facebook to build out the first security program for Oculus shortly after the acquisition.

My path within Facebook also included infrastructure security and vulnerability response and ultimately, I became responsible for corporate information security for the company. With this final role at Facebook, I became a happy Duo customer and eventually found myself moving home to Michigan to join Duo. At Duo, I built out the Corporate Security function and by the time Cisco acquired Duo, I was leading almost all the core security functions. At Cisco I helped create and then led the security function that supports the Cisco Secure portfolio.

Earlier this year I met the team at Tessian, and I immediately found myself drawn into the culture and the broader mission and vision. In my role at Tessian, I am currently focused on the early foundational build out of the security program.

Was there anyone who has inspired or mentored you in your career? Yes, there are so many people who come to mind. I have been extremely fortunate to learn from and be supported by many others throughout my career. Specifically in the areas of team building and people leadership in security, I’ll highlight Jamie Tomasello, Dana Hehl, and Jenn Henley.

What do you feel is the most important aspect of your job? The most important aspect of my job is enabling Tessian to be a trustworthy product and organisation.

What metrics or KPIs do you use to measure security effectiveness? I’ve come to prefer the evidenced-based capabilities model described in “Accelerate” in conjunction with frameworks such as the NIST Cybersecurity Framework to provide a measurable foundation for security effectiveness.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? With few exceptions, I believe that the perceived security skills shortage is driven largely by outdated and unrealistic hiring and management practices - not an actual lack of capable candidates. Hiring only within existing professional or personal networks, setting inflexible requirements for years of experience, and discounting the transfer of relevant skills from previous non-security experience are common examples.

For my teams, the most difficult roles to fill have always been management roles. This is not because of a lack of candidates, but rather the criticality of hiring people managers who can help me build and foster a sustainable and inclusive work environment that will attract, grow, and retain top talent.

Cybersecurity is constantly changing – how do you keep learning? First, I have accepted that no one can individually keep up with the rate of change across all of cybersecurity. I lean on my team in their areas of expertise, and I leverage a number of information sources to keep up with what's happening in the industry. Twitter is great for following recent events and trends. I’m a fan of tl;dr sec for curated content and analysis, and podcasts such as Risky Business for more in-depth conversations with guests.

Finally, I find that my most useful learning occurs outside of the cybersecurity space. In the last few years, the most useful learning has come from focusing on general business acumen, management practices, and communications.

What conferences are on your must-attend list? It depends on the audience and what the objectives are, but generally I think that for professional development and networking, focusing on smaller security conferences and any that are local is a safer bet than only prioritising the super large conferences. Local DEFCON chapter events, nearby Security BSides, and regional conferences such as THOTCON offer more approachable crowd sizes, quality content, and more accessible participation options.

I also think it’s useful for security practitioners to prioritise attending conferences that are aligned to their roles. For many this means considering conferences such as PyCon and Google Cloud Next.

What is the best current trend in cybersecurity? The worst? Best: Prioritisation of effective and delightful user experiences that help real people with real problems.

Worst: People are still bombarded with conflicting and overly complicated messaging regarding cybersecurity that often results in increased risk.

What's the best career advice you ever received? This wasn’t explicit advice, but the example set by some of the leaders I’ve reported to heavily influenced how I thought about long-term success in people leadership. Specifically, learning to lean into helping people grow even when that means that their next step takes them outside of the team.

It turns out that attracting new team members is easier when your team is well known as a place to learn and grow.

What advice would you give to aspiring security leaders? Understand the needs of the business or organisation that you support and let enablement of those needs inform prioritisation and sequencing of security outcomes.

What has been your greatest career achievement? This will always be the ongoing growth and success of the people who I have had the privilege of supporting on my teams. Seeing people and teams learn and grow, and then take on new challenges as their careers progress is the most rewarding aspect of my work.

Looking back with 20:20 hindsight, what would you have done differently? I would have listened to my own advice from (13) much earlier in my career, and invested earlier in developing core business acumen and product development strategy knowledge and skills.

What is your favourite quote? “'); DROP TABLE Students; --” - XKCD 327

What are you reading now? I recently changed roles, so I find myself pulled back into classic Peter Drucker as well as The First 90 Days by Michael Watkins. I also recently finished The Field Guide to Understanding Human Error by Sidney Dekker, which I found to be highly relevant for security teams, especially those with incident response and disaster recovery responsibilities. Finally, two of my evergreen book recommendations for security leaders are Accelerate by Nicole Forsgren, Jez Humble, and Gene Kim, and Peak Performance by Brad Stulberg and Steve Magness.

In my spare time, I like to… Be outdoors - cycling, walking or running.

Most people don't know that I… can teach them a better way to tie their shoelaces!

Ask me to do anything but… fix a printer.