Jun 24, 2024
Episode Description
Malcolm Portelli shares his career journey and insights into the cybersecurity industry. He emphasizes the importance of passion and finding enjoyment in your work. Malcolm got into cybersecurity by being poached from a tech team by a CISO who recognized his potential. He discusses the challenges and rewards of working at a small startup, where he wears many hats and handles both strategic and hands-on tasks. Malcolm highlights the significance of creating a culture of security awareness and training within the company. He also discusses the future of cybersecurity, including the need for a focus on emerging technologies and soft skills.
Tamir (00:00.002)
All right. So, hey, Malcolm, thank you for taking the time. Thank you for taking the time to join us today. And we're on the Hands-on CISO podcast and we're exploring the career stories and the market trends that different CISOs are seeing in the cybersecurity market right now. So I'll be happy if you could maybe start by introducing yourself and telling us a bit more about yourself and your career history.
Malcolm Portelli (00:02.683)
Hi, Tamir.
Malcolm Portelli (00:28.411)
Sure. So, I'm Malcolm Portelli. I have been working in technology for over 20 years now. Started at a young age, always been interested in it. And throughout that journey, I started to specialize in security and I've been doing so for about 10 years or so. And I currently work for a fintech startup that has its...
challenges but also its rewards. But I'm passionate about security, so I actually am one of those few lucky people that actually enjoy what they do.
Tamir (01:11.682)
Yeah, you have a passion for your job. And you found it early on. That's good. Awesome. So maybe you could tell us a bit more. How did you get into cybersecurity in the first place?
Malcolm Portelli (01:14.171)
Yes.
Malcolm Portelli (01:24.027)
So that's actually a bit of a mistake. Like I said, I've been working in technology, so I've done systems administrator jobs, systems analyst jobs, network administrators, a bit of different things. And I was working at a relatively small company at the time. And that company, kind of the tech team used to take care of tech and security, as was the case with a lot of companies back then.
But they decided to invest more in security. They brought on a CISO and we worked together. I would assist from the tech perspective and he would take care of the security. And we kind of had a very good relationship. And he kind of poached me from the tech team. He asked me, listen, I think you'd do well in security. I was always passionate about security. I was...
loved that area of technology. And he essentially told me, why don't you join my team as the first member of my team, because he was on his own. And I took him up on his offer. And the rest is history, kind of. I've been in security ever since.
Tamir (02:38.242)
Amazing, so you got scouted and poached and that's it. And that got you on the security route. Amazing. So if you're looking at your day-to-day job right now, what's the most interesting part of the day? What do you most enjoy doing in security?
Malcolm Portelli (02:44.351)
Exactly. Yeah.
Malcolm Portelli (02:59.547)
At the moment, I'm doing a lot of strategy. And I think that's interesting. It might not be exciting, but it's interesting because you get to see what have we done till now? What can we do better within the next year? And what do we need to start looking out for in the next three to five years? Granted, it's not the easiest thing to do because we don't know what's going to happen in three years, five years time, especially in the technology space because it's...
evolving rapidly. But it's interesting to read up on what other companies are doing and what you can do from a small startup perspective. That's interesting. And then, I mean, I still love the investigation part of the job. I don't get to do it as much as I as often as I would like because I've got a team, a small team that can help me with that. But sometimes I do have to get my fingers on the keyboard and kind of
analyze and investigate. And it's still to this day, it's still an interesting and exciting thing.
Tamir (04:06.37)
And how is it different for you to work for a small fintech startup now versus maybe working in a bigger company in the past? How does that affect your day to day?
Malcolm Portelli (04:18.107)
I think working at a startup means that you need to do a bit of everything. So it's not, although I am the CISO, I don't only do CISO things. For example, I'm also the Atlassian expert over here. So, you know, if you need a JIRA project or you need some customizations, I do that. If you've got questions on Confluence, I do that. There are other technologies as well that we work with that I have knowledge on.
Malcolm Portelli (04:47.419)
because of past experience, like certain features in Azure, certain technologies within other SaaS products, and also general questions on products that may not necessarily be associated with security, but because I've worked with them before, or I have knowledge in, for example, the web design space due to a kind of side project that I work on, I help.
on that aspect from a web design and backend web CMS aspect. So it's interesting because you get to do a lot. It's never boring. So yeah, I think that's the main difference.
Tamir (05:35.17)
Interesting. So you're a techie and you're the JIRA guy or the security guy or sometimes the CMS guy. Nice. And how many team members do you have right now, and how is the security work divided between your team members and yourself?
Malcolm Portelli (05:41.307)
Yes.
Malcolm Portelli (05:52.251)
At the moment, we're a team of three, including myself. From a division perspective, I try to take on more of the strategic aspect and more of the regulatory aspect of security. So, I mean, we mentioned DORA, for example, that's something that we need to be compliant with. And I'm heading up, along with other heads of function, kind of an internal working group on that. So I have to focus on that. And the rest of the team, they...
take care of mostly the day-to-day as much as possible. Obviously, we work very closely with each other. We're constantly consulting with each other. They consult with me because I naturally have knowledge that they're still bringing in and they're still learning. But it's a lot of the day-to-day, certain project tasks. We create a project. They will work on the project.
We sit down, we discuss implementation and then they go away and implement. So it's fast paced, definitely.
Tamir (06:57.282)
So you're more on the strategy side and they are more on the hands-on implementation side, unless you have to get your hands dirty in the investigation. Yeah, it's always like that: you're the manager and you know it best, so it's hard to let it go and let other people do it.
Malcolm Portelli (07:05.019)
as much as possible. On paper, yes, in reality it's not always like that.
Malcolm Portelli (07:21.051)
It's more on the aspect of they might not have the knowledge. So one thing I don't like doing is micromanaging. If I give you a task, you go do the task. If you have questions, come back to me. I'm not going to check up on you. It's with you. You have the responsibility, and I'm trusting you to do it. If you don't do it in the time I need it, or do it incorrectly, then we'll have to sit down and have a talk. But I don't need to sit down and have those talks because...
I have good people and they do what they need to do, which is great.
Tamir (07:55.298)
Yeah, nice. So let's get into some security stories. So to get started, do you feel like the bad cop sometimes in the company?
Malcolm Portelli (08:07.195)
Yes, to be honest, sometimes yes, but you have to be. I think because if somebody comes and asks, listen, I want this application and I look into the application and I don't like the look of it, I'm going to have to tell them no. And they don't always like that. Luckily they ask. So they do actually ask. They don't go behind my back and install it because that would be even worse and I'd have to be a worse cop if that happens.
Tamir (08:11.362)
Why?
Tamir (08:32.642)
Yeah.
Malcolm Portelli (08:37.339)
But sometimes I have to say no. It's just part of the job. I try to find a good balance to if there's something I really don't want, I will say no. If there's something that the risk is low with regards to implementation, I might say yes. Because you have to pick your battles really.
Tamir (08:57.794)
And how do you create a culture in the company that people actually reach out to you and consult you versus just, you know, go and do stuff and, you know, then you discovered that later and just find out about it when it's already too late.
Malcolm Portelli (09:15.963)
I think it's a kind of the best is an open door policy. I don't actually have a door. I sit in the open plan with everybody else. It was a choice. Other heads of function have an office, but I didn't think it made sense for me to sit in an office. I want to be there for two reasons. One, I want people to feel like they can just come up to me and ask me a question if they need to. And two, it's good to be kind of in the open plan because you can, you know what's going on.
And you can be aware, not spying, but you know, you can be aware of what's going on. It's helpful. But having that kind of open door and being understanding because somebody does not, not everybody has the same amount of knowledge on security that me or my team would have. For me, certain things are obvious because it's just the world I live in.
Tamir (09:50.306)
Yeah.
Malcolm Portelli (10:12.059)
For other people, it's not as obvious. So you have to be understanding if somebody comes and tells you, listen, I clicked on this link in an email. You know, these things happen, as opposed to: what did you do? What a mistake, you know, you're in trouble. That doesn't work. It's like, okay, no problem. Tell me exactly what you did and let's find a solution. Let's see how we can resolve it. And like that, they learn not to do it again.
And they also feel like they can come and tell me when something goes wrong or something looks odd or, you know, it's about that being approachable.
Tamir (10:54.178)
Are you doing something special in terms of the education or creating an approachability mindset in the company? Is there anything in particular you do when someone joins the company or during the day to day?
Malcolm Portelli (11:10.075)
So we do a number of things. One thing is as part of the induction, when somebody comes in, we've got a security induction. So within the first few days of joining, I sit down with the new joiner. I give them kind of the lowdown on this is what we do from a security perspective and this is how you can help us because I want to make it about them as opposed to you can't do this, you can't do that. Saying...
you can't, you can't, you can't, it doesn't always work. As opposed to enabling them with the knowledge of what they should be doing and why they shouldn't be doing certain things and how they can do other things better. So that's one thing that we do. We run monthly training, interactive training online with everybody. So from the CEO all the way down to somebody who's just joined the company at an entry level.
Tamir (11:41.506)
Yeah.
Malcolm Portelli (12:06.235)
The training is the same for everyone. And we're trying to keep it as short and humorous as possible because security for us might be an interesting subject, but for other people, it's not as interesting as this for us, no. And other things that we do, for example, is we create custom content. So we've created videos in the past. We basically took
Tamir (12:22.37)
Not so much.
Malcolm Portelli (12:35.643)
some policies and we created videos to explain what you should be doing. For example, locking your screen if you're getting off your seat, disposing of physical data in the proper way, not leaving papers in the printer, you know, clean desk policies, all of that. We recruited employees, they acted in this video, we did everything in-house, we filmed it, I edited it, and we released it onto our training platform. And that engages them even more because...
they are looking at themselves or their colleagues act out in the video. And it's funny because one person might not know how to act properly, so they create some humor. Stuff like that's great. We also do initiatives. So last Easter, for example, we did an Easter egg hunt where we hid answers to security questions all over the office. And people had to find them, put them into a form online.
and they get points for everyone that they successfully find. And at the end, you win a chocolate egg or something like that. We're constantly trying to do these fun things to keep security top of mind.
Tamir (13:40.77)
Yeah.
Tamir (13:46.21)
Nice, so you're also a director, producer, and actor manager on top of the JIRA and the security and the CMS. Okay. Yeah, you're wearing a lot of hats.
Malcolm Portelli (13:55.899)
It's right. It's startup. It's busy.
Tamir (14:03.49)
Nice. So no names, no companies. What's the biggest security fuck up you had to deal with in your.
Malcolm Portelli (14:12.907)
This is a difficult one. Mostly because I haven't had to deal with that many big ones, which is great for me, but to try and be kind to people as much as possible. I mean, I think there was an occasion where a third party got compromised, a relatively well-known third party, and essentially...
Tamir (14:23.746)
Yeah.
Malcolm Portelli (14:41.915)
It was a kind of man-in-the-middle attack whereby they got access to that third party's email server and used the mailboxes to kind of place emails within a thread that was already ongoing between the financial controller and the company. And essentially,
modified a PDF to change the IBAN of the account that the money was supposed to go into. Everything looked really legitimate. Luckily, the financial controller was smart and she spotted that the IBAN was for a country that they wouldn't normally send that transaction to, and pointed it out, brought it to my attention. I looked at it. I said, yeah, this doesn't look
right. But the email is correct, it's coming from the right domain, it's coming from the right person, the wording seems legitimate. So, I mean, what do you do when you're in this situation? You go old school, you pick up the phone, you call the company, tell them, listen, I got this, is this legitimate? And we were able to alert them that, listen, their email server has been compromised, and they were able to take action. And luckily nothing happened, but
if the financial controller hadn't been smart about these things. And I think we have to take a bit of credit on that from the training perspective because we already started training people on phishing scams and fraud and all of this stuff. So that's one of the reasons I think I have no proof, but that's one of the reasons I think she was able to pick this out.
Tamir (16:26.87)
Nice, so that's how you stop wiring money to, like, a Nigerian prince or something like that. Wow, but that's super, I guess, sophisticated, like hacking into the mail server, editing a PDF, changing just the IBAN. That's super sophisticated. Interesting. Yeah.
Malcolm Portelli (16:35.707)
Exactly, exactly.
Malcolm Portelli (16:49.051)
No, no, they're smart. They're really smart.
Tamir (16:53.762)
So tell me about your biggest challenge right now and why it's happening.
Malcolm Portelli (17:00.507)
The biggest challenge is probably workload. So again, small company, but a startup. So wearing lots of hats, like you said before. Lots of work for the team to do. Small team. Difficult to find additional team members. The...
There's a bit of a skills shortage from a cybersecurity perspective, especially in a small jurisdiction. We're based in Malta, very small population. So relatively small talent pool from an information security perspective. So those are, I mean, the main headaches at the moment. Luckily, they're all...
They're all something that we can get over and continue forward. And they're not long-term problems. They're short-term problems. So you can kind of see a light at the end of the tunnel.
Tamir (18:09.634)
Yeah. And so when you say workload, does that mean like really too many projects or initiatives that the company wants to move forward and you don't have the people for that? Or does that mean more in like the day to day we're getting so many alerts, we're getting like all those notifications from different platforms and we need someone to digest them and process them.
Malcolm Portelli (18:32.763)
I think it's just, it's because it's a small company. So you have, you have to take care of the day to day. You have to take care of, regulatory compliance and upcoming regulation and making sure that you're still in line with current regulation. And then the regulator comes to you and ask for something else. And then the auditor comes and asks for something else. And then somebody else internally comes and asks for something else. So you have your, your pool of tasks and it's constantly building up.
on top of each other, but there isn't enough time to finish that pool and then move on to the next one. You have to be a bit dynamic.
Tamir (19:12.098)
Yeah, and are you hiring just in Malta, just physically?
Malcolm Portelli (19:17.499)
At the moment, yes, I am a fan of operating on a hybrid approach. Remote is a bit more complex, fully remote, because of the current state of the company. As we grow, that's something we'll probably have to look at. But at the moment, we're focused mostly on hybrid working as opposed to fully remote.
Tamir (19:40.354)
Gotcha. And so if you're looking at the general security industry, what do you think is one blind spot that other CISOs don't pay attention to and they definitely should from tomorrow?
Malcolm Portelli (19:56.667)
I think it's bringing security to the masses. So in the sense that internal to the company, I know a lot of companies are running training platforms on a security perspective. I know that there are a lot of bigger companies, they run yearly security training, which in my opinion is not enough. I think the people aspect of the people process and technology is slightly neglected.
Not everywhere. I mean, I've met other security leaders that they are really focused on the people aspect, the training aspect, the awareness aspect. But in my opinion, not enough. And you can, I always say the same thing, you can invest billions and billions in the latest and greatest technologies, you know, and spend hours creating processes that are immaculate. But if your people are not informed,
If your people are not empowered, you're going to have mistakes. And we've all seen the studies, the biggest entry points are people. So I think more focus needs to be placed on the training and making security top of mind, making it something that people will think about, not because they have to think about, because there's a policy they need to follow.
but they'll do it because they know it's the right thing to do and they know that if they do it, they're protected.
Tamir (21:29.25)
So if we're speaking about people and specifically in the startup environment, a lot of CISOs I've spoken with, they tell me, my people are like top people. They know everything. They're very smart. They don't do any mistakes. They don't have to worry about them. What do you think about that approach? How do you see that in your startup, for example?
Malcolm Portelli (21:51.099)
I mean, I don't agree with that in the sense that everybody cannot be fully knowledgeable about security. We're humans, we make mistakes. So I think the key is habit. It's creating a habit as opposed to creating a culture or creating a kind of awareness about security. It's instilling habit. We are...
As humans, we love habits. It's something that we pick up without even wanting to. And security can be one of those things. I can give you a real-world example. One thing that we did was a lock screen. Many people, they get off their desk and they leave their laptop unlocked. That's a big security no-no. So to create that habit,
One of the things that we did was set up an initiative whereby if somebody leaves their laptop unlocked and somebody else in the office notices that they have my permission to go onto the laptop, go onto Teams, and type a message in a specific chat. If they're able to do that, then the person who left their laptop unlocked has to get some treats for the office. And the person who was able to do it can choose what treats they are.
it, that creates habits, because you will only be caught once; you won't be caught again. And it's a testament to how it works because, in the beginning, you know, we had quite a few occurrences where somebody would leave their laptop unlocked and, you know, they'd have to bring treats to the office. We haven't had an occurrence since September of last year or something like that. So.
Tamir (23:25.634)
Yeah.
Tamir (23:48.258)
Nice.
Malcolm Portelli (23:49.403)
it's something that actually worked. So these... And it creates... It's kind of gamification in the end of security. These kind of things, they do work. And people will remember them. So it kind of keeps security in front of mind as well.
Tamir (24:10.946)
Nice, gamification of security. That's something I really liked what you said right now. Do you have any other examples of gamification of security?
Malcolm Portelli (24:20.955)
One thing we did last October, for example, is it was cybersecurity month, so we created a quiz. We basically did one quiz every week for four weeks for the entire month. And we had a leaderboard. So people were encouraged to go in. This is really, I mean, it's relatively a low-cost thing. It didn't take a lot of time. It didn't cost any money because we used the tools we already have in place.
And what we did was people go in on a weekly basis. At the end of the week, we show the leaderboard where people stand. And they'd go, you know, it would become a bit, not overly competitive, just the right amount of competitive. You know, people would go in, try to answer, you have to answer the questions correctly. They're obviously all security-related questions. They were linked to the training videos for that month. So if you watch the training videos, it's an incentive to watch the videos. You'd have extra knowledge to answer the questions correctly.
And at the end of the month, once that was done, we tallied first, second, third place and they got prizes. Not massive prizes, you know, they were decent prizes, but the company didn't need to spend thousands of euros to kind of get these prizes done. I think the budget was like a hundred euro or something like that. So it was something low cost, low effort, but it, you know, again, it's gamification, it works.
Tamir (25:34.978)
Yeah.
Tamir (25:38.85)
Yeah.
Tamir (25:47.298)
And sometimes the effect of a hundred euros on some training or gamification of habits or creating habits is better than putting in a tech system that costs like 50,000 euros, right?
Malcolm Portelli (25:59.163)
Exactly, exactly. I mean, you have to have all three working together so people process technologies, but I agree with you. You can, instead of spending tens of thousands of euros on some flashy system, you can do these small initiatives and it might have a similar effect.
Tamir (26:19.458)
Yeah, nice. So what's the most unexpected obstacle people don't know about when they get into cybersecurity?
Malcolm Portelli (26:31.483)
I think this is really for any profession though. It's kind of the expectations of management who may not have an understanding of the industry. So for example,
they would be looking at education, which is great. It's good to have, you know, qualifications. But from my perspective anyway, I think experience and knowledge in that aspect, sometimes it trumps certifications, for example. And when you see a lot of job descriptions of people looking for roles in security.
You know, they're mentioning you have to have CISSP, CISM, you have to have some SANS GX certification, you have to have, I don't know, ITIL, whatever, you know, all of these acronyms everywhere. Whereas in reality, certain positions, you don't really need all of that stuff. It's good to have, but experience in the field is so much more valuable than a certification.
that I think there needs to be more emphasis on that. And one thing I would say is that does tend to be an obstacle sometimes because you might be really good at what you do. You've got the experience. You've implemented a lot of these different systems. But because you don't have a master's degree, they're not even going to sit down and talk to you.
Tamir (28:16.29)
Yeah, so yeah, I think certifications can also take a long time to achieve, right? It's like six months or 12 months, some of them.
Malcolm Portelli (28:25.403)
Yeah, exactly.
Tamir (28:27.49)
So yeah, it's definitely, it's a, I guess it's kind of like crossing an obstacle you don't really have to cross. You could sometimes go around it and just get your first job and get some experience and take it from there, I guess.
Malcolm Portelli (28:43.803)
Yeah, and maybe do things in parallel. So, working and instead of taking six months to get a certification, it will take you a bit longer, but you can still get it. Like I said, certifications are useful. Not all of them, but some of them are useful. But I think experience is more useful.
Tamir (29:01.666)
This is.
Tamir (29:05.762)
Nice. So how has being a hands-on CISO of a small team been different than working in a big team or in a big company?
Malcolm Portelli (29:16.571)
I think when you have a small team, some things are easier in the sense that communication is a lot easier when you're a small company. So certain initiatives that I can implement here as a CSO in a massive corporation probably would not be able to implement, or if they will, they'll have to implement it on a much lower scale in terms of the capabilities of the initiative.
So there are some pros. The cons, obviously, are I don't have a fully scaled-out SOC to help me with any incidents that come through the doors. It's just me and somebody else working on it, which right now is manageable, obviously, but as the company grows, then that's something we need to start looking at for an implementation.
Off the top of my head, those are probably the main pros and cons and differences between being a CISO in a small organization and one in a massive one.
Tamir (30:25.058)
Yeah, really just having the big team that can be more, do more, get more done and help out more, I guess. That's the main difference.
Malcolm Portelli (30:35.163)
Yeah. Yeah. And give you the ability to focus more on the strategic aspect of the business. Because when you're a small team, a small company, you can dedicate a small amount of time to strategy, but there's the rest of the day to day, the smaller projects that you need to be involved in, which is both a pro and a con from my perspective, because it's a pro because it keeps things interesting, but it's a con because it doesn't give you the bandwidth to focus on strategy.
Tamir (30:41.25)
Mm-hmm.
Tamir (31:05.73)
Yeah. Okay, gotcha. And so what do you tell people who think the only role of security is running them about phishing emails?
Malcolm Portelli (31:16.186)
That's a good one. I mean, I wouldn't politely, I wouldn't know what to tell them. I tell them, you don't know what you're talking about probably because security is not just phishing. It's so much bigger than that. And I think these days with all, unfortunately, when there's a massive fire,
Tamir (31:27.202)
Yeah.
Malcolm Portelli (31:46.267)
you might learn about the place where the fire was. The same thing is happening with security right now. There are huge data breaches, huge ransomware incidents, huge companies getting hacked. And that is putting a spotlight on security, which, granted, it might be negative because of the attacks, but it's also positive because companies are realizing
the importance of security, what an important role it plays in the organization. And when somebody tells me that, I tell them, go on Google and type in "latest attacks". And you'll see that security is not just about phishing. There are massive corporations with more money than some countries that are actually getting infiltrated. And it's costing them.
Tamir (32:30.53)
Yeah.
Malcolm Portelli (32:45.083)
a lot of money. So, you know, go see that and then come back and talk to me, and we'll see if it's just phishing.
Tamir (32:51.106)
Yeah, recently we could just say "Snowflake security" and see what happens.
Malcolm Portelli (32:55.771)
Exactly. Exactly.
Tamir (32:58.946)
Nice. So what do you think the security, how do you think the security field is going to look like in a few years?
Malcolm Portelli (33:08.891)
I mean, I think it's going to grow. It's already been growing over the past 10 years, even less. So it's going to continue to grow, both in terms of people joining security, so people specializing in security or moving to the security field and the investment that companies are going to put into security measures and security teams. So I think it will evolve.
in a positive way from a size perspective. But also I think security, I don't know if it will, but in my opinion it needs to, it needs to evolve sideways as well in the sense that not just teams growing bigger, budgets growing bigger, so on and so forth, it needs to evolve in its skillset. So we're looking at emerging technologies like AI is the hot topic right now.
teams need to be more aware of what AI can do, both from a use case, so how can I use AI to defend, and from an attack perspective, how are attackers using AI to get into my systems. And also, let's take quantum key encryption, for example, looking at what quantum computing will do to the security world, again, both from a positive aspect and from a negative aspect.
We can use quantum for secure communication. There's actually a local company here in Malta that's working on that. I went to see it. It's pretty cool. And there's also obviously the quantum key encryption area whereby people can store now and decrypt later. So we have to be aware of, although we're 10 plus years out from a commercially viable quantum computer, probably, we need to start thinking about how we can start protecting our data.
Tamir (34:47.042)
Interesting.
Malcolm Portelli (35:07.355)
from when those computers actually come into fruition. And one other thing is the soft skills area. So sometimes we forget about this, we forget about our soft skills, our people skills, and I think security needs to start thinking about that for two reasons. One,
the security awareness and training and education aspect internal to the company and to the users. So to customers, especially on the retail aspect, teaching a lot of financial services companies and FinTechs, they're doing it already. You get an email or a push notification about phishing or about fraud or scams or they're already trying to push that out. But also from a marketing perspective,
Now this is, I mean, I mean, I know marketing and security, what do they have to do each other? But security can be used as a marketing tool whereby companies can justify the investment in security solutions and security teams by using that as a tool to market their product. If you go to a, if I, all right, I'm a security professional, so I'm a bit biased, but if I go and look at a company solution, I'm going to look at.
How secure is this company? Should I partner with this company? Should I buy this company's product? Is my data going to be safe? Are my funds going to be safe? All of this stuff. And there's an increased, I feel there's an increased mindset from a general population perspective that people are looking at this stuff more. So if a company can use their security features as a marketing tool, they'll need the CISO to help with that. So.
we need to, security teams and security leaders need to be more aware of how to communicate what they're doing, not from a fully technical perspective, but on a more lower level perspective that a non-technical person can understand.
Tamir (37:26.914)
Yeah, and I can totally relate to what you said. I know we're in the process of getting SOC 2 and ISO certification for our product. So I can see how this is going to raise the level of all the companies once people start to understand the importance of security and get the certifications. It gets the bar higher and it creates higher standards, I think.
Malcolm Portelli (37:55.515)
Exactly. Exactly. And it puts you kind of above the rest as well, like that you can show that you're doing the right things. And for that, companies will be more willing to partner with you or purchase your product.
Tamir (38:10.274)
Yeah, I've actually found out that it's easier to sell a company for like, I don't know, like five times or 10 times more than the, more than the basic, like selling enterprise version versus the basic version for five or 10 times more. Just, if you just have the certifications or the SOC 2 report, then people are willing to pay for that, for that SOC report. And I think a lot of people don't really realize that it's, it's actually a...
a thing that helps moving sales and marketing forward.
Malcolm Portelli (38:39.903)
Yep, I agree.
Tamir (38:44.898)
Cool. So what keeps you up at night as a cybersecurity professional?
Malcolm Portelli (38:46.299)
So what did you act with, right? Was it slightly security or was it...?
Tamir (38:54.594)
Yeah.
Malcolm Portelli (38:59.611)
perfectly honest, an element of self-doubt in that you think, did I implement the right controls there? Did I give the right instructions on how to do that? Are we properly protected in this area? That's the main area, I think, and I have a feeling a lot of, not just cybersecurity, but a lot of leaders will like
will agree with this, there is an element of self-doubt. A lot of the time, it's not... It's not... What's the word I'm looking for? It's not justified, that's it. It's not justified. You doubt yourself for no reason. And then after you realize you're like, I mean, yes, I made the right decision or... I mean...
Tamir (39:45.09)
justified maybe.
Malcolm Portelli (39:59.739)
although I thought it wasn't the correct way of implementation, thinking about it, yes, I was right, I did it. There are other times where you say, no, I could have done it better, or we can do this better, but you can always fix your mistakes. So there is self-doubt, and as opposed to are we protected, it's more a fact of are we protected enough?
Because we're protected, but what more can we do? How can we plug as many holes as possible? So that's the main thing, I think, if I'm being honest.
Tamir (40:41.122)
Yeah, thinking what else can go wrong that you haven't thought about. And so how do you deal with that? What do you do? You try to learn, you're trying to, you're speaking with others, see what you're doing to overcome that.
Malcolm Portelli (40:44.667)
Exactly.
Malcolm Portelli (40:58.651)
I think it's a mixture of learning and discussions in turn. Communication is really important. For example, if there's something we're doing from a technology perspective and I feel we might be able to do it better, but I'm not quite sure what that better is, I will sit down with the CTO and we will just discuss it. We'll talk it out. We'll see. I have more knowledge from a security perspective. He has more knowledge from a technology perspective.
So combining that knowledge, we're able to say, okay, this sounds like a good plan if we do this. Now, the how, let's sit down with some other experts internally. We don't have anyone expert internally. Let's find somebody external. We'll sit down with them. We'll discuss people's experience and people's knowledge is invaluable because it's really good to learn. And I, and I, I spend, you know, a decent amount of my day.
as much as I can anyway, trying to understand what's going on out there. What are the latest hacks, latest vulnerabilities, latest exploits? How can we make sure we're not, we're not affected, all of that stuff. So that's the learning aspect, but the communication aspect and the bouncing ideas and the leveraging other people's experience and knowledge for me, that's the best way to deal with it.
Tamir (42:21.858)
Nice. So as we wrap up, what's the most unusual advice you've given someone starting a career in cybersecurity?
Malcolm Portelli (42:32.859)
Don't box yourself in.
kind of don't specialize, which is odd advice. But the first thing that I would do is like, what's the end game? What are you looking to do? Do you want to move into, you know, SOC analyst roles? Do you want to work towards leading a team? Do you want to, you know, do pen testing? Based on that, the advice I give is,
On the high level the same, don't box yourself in. So do not go into a one direction and close yourself off from everything else within the same industry because you're going to get stuck. So you might get stuck doing the same thing for the rest of time. Or if something new comes in and it piques your interest, it's going to be a lot harder to shift into that area.
than if you kind of kept your options open and continue to learn about different aspects of the security industry as opposed to just one area.
Tamir (43:50.754)
So yeah, being a generalist more than a specialist in a single field. I hear that a lot from other CISOs as well, speaking about like a T-shaped security person that knows one thing very well, but is also proficient in other things versus being like very specialized in a single field and that's it.
Malcolm Portelli (44:09.627)
Exactly.
Malcolm Portelli (44:14.843)
Exactly. It doesn't work for everybody. Some people prefer specialization, but I think the majority, that kind of it's a good and the T-shape is a good way to go about it.
Tamir (44:29.858)
Amazing. Anything else you want to add before we wrap up?
Malcolm Portelli (44:35.579)
I don't think so. I think we've been through all the different areas. Thanks for the conversation and the questions. They're very different to other podcasts that I've done and other conversations I've had. They're interesting. You're looking at different aspects of the job, which is fantastic.
Tamir (44:56.738)
Yeah, amazing. Glad to hear that you liked it. And yeah, so thank you very much. And we'll be in touch. Thank you.