In This Episode

Courtney Hans, VP of Cyber Services at ANV Cyber, joins me for Voices of the Vigilant Season 2, Episode 8!

You can learn more about the conversation and the guest below.

VIDEO: Voices of the Vigilant S2 Ep08

Three Pivots In with Courtney Hans, VP of Cyber Services at ANV Cyber.

About the Guest

Courtney Hans is the VP of Cyber Services at ANV Cyber. Courtney brings a uniquely diverse background to the podcast, blending a decade of international travel guiding with a decade of high-level information security strategy. From leading tech startups as a former Head of Security and IT to now building right-sized cyber solutions for ANV's policyholders, Courtney's superpower is using curiosity to solve complex, human-centric security problems.

Full Episode Transcript

Jess Vachon: 00:33

Hey, welcome back to Voices of the Vigilant, the podcast where we go beyond the tools and the tactics and get into the people, the philosophy, and the past that are actually shaping cybersecurity. I'm very excited about today's guest because every now and then you meet someone in the industry who is delivering proof that there is no single road into it — and that the roads you wouldn't expect are often the ones that produce the most interesting practitioners. My guest today has led travelers through some of the most remote corners of the world as an adventure travel guide. She earned her MBA. She built security programs inside a fast-moving SaaS startup. And now she's Vice President of Cyber Services at ANV Cyber, where she's helping policyholders actually use their cyber insurance relationships to reduce risk — not just survive an incident. Three pivots in, and every single one of them made her sharper. This is Courtney Hans. Welcome to the show.

Courtney Hans: 01:31

Thank you so much for having me. I'm excited to be here.

Jess Vachon: 01:34

Yeah, it's great that we could connect. We were talking briefly before we went live, and you were out this weekend doing some hiking. Is that true?

Courtney Hans: 01:43

That's right. I just went out with my husband and a couple of really good friends to attempt a summit of Mount Shasta in Northern California. Some of us summited, some of us didn't, but that's mountaineering. It was a really incredible trip — gorgeous weather — and it reminded me that consideration of risk exists in all walks of life, not just cybersecurity. I had a great chat with a 23-year-old guide who was phenomenal, by the way (quick shout out to Shasta Mountain Guides), and who was talking about risk consideration as we were traveling up and down a fairly sketchy part of the route. The risk versus reward conversation, the likelihood of incidents happening — I was like, yep, that's my day-to-day. So glad to be doing this on the weekend too. It was a fantastic trip. And like I shared, I'm a little bit, shall we say, sun-kissed from that adventure up on the snow in the high altitudes.

Jess Vachon: 02:36

That's awesome. All right, so let's jump right in. The career arc — very interesting. Because when I read your background, I genuinely did a double take: adventure travel guide, then MBA, then product strategy, and now you're a VP.

Courtney Hans: 02:51

Yeah.

Jess Vachon: 02:51

Walk me through how those dots connect.

Courtney Hans: 02:53

Sure. I'm a huge fan of the career pivot or building the career pyramid. And I will talk to anybody about this, especially folks who are considering a switch into cybersecurity or really any field. I started out of college and got a job because I had studied abroad in Italy and spoke conversational Italian — it's really rusty now. Through a friend, I discovered a company called Backroads Active Travel. They're still in business, still amazing. They were looking for guides to lead all over the world, and one of the areas they were looking for was people who spoke Italian and could lead trips there. That's how I found out about it, interviewed, and started — way back out of college — and spent the next nine or ten years just traveling the world. I had the best flip-flop tan because I was chasing the perpetual summer.

But it really was just me, this 22-year-old kid out of college — they hand you the keys to the van and a company credit card and say, "Go be our brand in the field. Go lead these very type-A, super fun, accomplished individuals on these incredible adventures" — hiking, biking, all over the states, all over different parts of the world. It was phenomenal. You really have to think on your feet. Hindsight is 20/20 — you can connect all the dots when you look backwards pretty easily. But it prepared me in ways I couldn't possibly have fathomed at the time, not just for later careers but certainly for the cybersecurity field.

Being able to take in a lot of information — anytime you went to a new destination, you really had to study up, get your KOA (knowledge of the area) up to par so you could answer questions. This was before the era of smartphones. If a guest asked you a question — "What's that plant over there?" or "Why do they paint their doors a certain color?" — you had to either know it or very charmingly say, "Well, let's discover that together." I used to guide trips in Yosemite, and there are so many interesting things to talk about — natural history, cultural history, flora and fauna. I would just go deep into the geology of the area because I found that particularly fascinating. If a guest asked me a question about trees, I could easily pivot: "Oh yeah, we see that up here, but notice it's perched on this type of rock" — and steer toward an area I knew a bit more about.

You had to not only know your stuff but know who you're speaking to — which we know is so important in the cybersecurity field. You have to know how to resonate with your audience, connect with them, connect with their concerns. That was something I learned right off the bat. Also, being able to listen — we would start trips with intros and an overview, and we would always ask: "What brought you on this trip? Why this trip? Why now? Are you particularly interested in wine? Are you particularly interested in biking? What brought you here, and what are you most looking forward to?" By leading with that, I would tell the guests: "Tell me what you're looking for now. Because as much as we value the feedback post-trip, if you tell us what you're looking for now — what's missing, what's not hitting — we can make it better now."

After ten years of that — national parks, the Natchez Trace in Mississippi, Italy, New Zealand, Norway, Vietnam, all sorts of very cool places — many pairs of flip-flops later, I decided it was time to not travel all the time. I would like maybe a plant, a pet, or a partner. So I thought, "All right, let's think about what's next." I realized I had a lot of really transferable skills for a more conventional job, but I wasn't sure how best to translate them. That led me to start considering getting my MBA. So I went back — Go Bears! I went to UC Berkeley for undergrad as an English major. I speak English every day — look at me out here using my major. Then I went to UC Davis for my MBA, and that really helped me put the right vocabulary to things. I had a really different experience coming into that program than a lot of the folks in my cohort, but it was a smaller program — maybe 65 folks or so — with a really supportive and diverse background. We all brought a lot of strength to each other and to the program.

Then I went right back into experiential products. I went into the wine industry, pulling on my experience guiding cycling trips around wine country and connecting people with wine and the stories behind it. Then I went to work for REI — that's what brought me up here to the Pacific Northwest. I went to work at REI headquarters in their adventure travel program. I was more on the operational side, but because I had been a guide for so long, I was really able to connect with those field operators and understand how to marry their needs and strengths with what our guests were looking for.

I spent seven or eight years at REI in that role and a couple of others — managing a team of customer service specialists who were so dedicated to making sure people felt comfortable and prepared for experiences that might be a little outside their comfort zone. We were helping people get ready for their first backpacking trip ever, or their first international trip possibly. People have a fear of the unknown, so we tried to help them around that.

Out of that role, I moved into what was probably one of my favorite pieces of work to date — a two- or three-person team that was entrepreneurial inside the co-op. We called ourselves "the tender off the cruise ship" because REI is a large organization that can take some time to pivot and try new things. But the three of us were like, "Let's just try this — a small format shop in a climbing gym, a boathouse" — and we started looking at what it would look like to develop campgrounds. REI was first chartered to help people get quality gear at affordable prices, but that's not so much a problem in the outdoor industry anymore. So we started asking: what are the real hindrances to people getting outdoors? Is it access? Is it knowledge? Is it space? We started re-envisioning what REI's future path could look like.

In that work, I got to dig deep into my MBA roots, prepare P&Ls, build out business cases, and pitch to the C-suite to get them to adopt our vision of the future. Again, all the dots connecting — in cybersecurity now, being able to speak to the board, being comfortable and confident talking about your ideas, pulling forward those skills I developed in my early 20s of making high-powered individuals think my idea was their idea. That's a skill. I used it at REI — building consensus, building support for my ideas — and I bring that forward into the work I do in cybersecurity as well.

My third major career pivot came in 2020 — we all know what that was like. I already had quite the workforce reduction. I was in a different role at the time, and that role got eliminated. That was my fourth career layoff. To anyone who's listening — if you've ever been laid off, I'm sorry. And if you've been laid off multiple times, maybe you'll agree that it gets a little easier. I don't wish a layoff on anyone, but with subsequent ones, you start to disassociate the personal part of it. Everyone says it's not personal — that's bullshit. It feels personal; it is personal; it's your life. But with each subsequent layoff, you can remind yourself: "I've been here before, I can climb out of this, I can do hard things." That's why I go mountaineering — to remind myself I can do hard things. This is not going to set me back permanently.

Every time I've been laid off — all four times, because I tend to work at startups or in entrepreneurial settings — I found myself in a better situation with a role that better aligned with my values and goals. In this case, that 2020 layoff led me to decide to go to a boot camp and learn how to code. It's something I had dabbled in during college and hadn't touched for a long time. What better time? So I signed on to go to a boot camp — lovely folks, great program. At first I was just going to do the quick intro. Then I told my husband: "I think this is what I want to switch to — I want to do this full six-month program and go all in." I got a lot of support there.

I had just finished the next part of the program when the same school launched a cybersecurity engineering program, giving out scholarships because it was new. I thought, "Free is free. I'll see if I can get a scholarship." And I did. I chose to go into the cybersecurity engineering program. If I didn't like it, there was nothing to say I couldn't go back into programming.

I loved it. Two weeks in, I was like, "I can see how I can bring value here because I have such a strong understanding of business fundamentals and objectives and how to move through enterprise, how to move through startups." I can connect the dots. I didn't come up through the technical side, so when studying for the CISSP — they always talk about how it's hard for folks who came up technically to get into that management mindset and not just look for the best technical answer. Because I didn't come up that way, that wasn't the lens I looked through. That was really helpful for me.

As I was getting to the end of that program, a good friend of mine — one of my best friends from high school — said, "My husband is at a startup right now; they need someone to do security." I said, "He knows I'm brand new at this, right?" She said, "Just talk to him." So I did. We chatted about two days after I finished my program. I told him, "Listen, I'm brand new." He said, "Yeah, I know, but I know I can trust you." We'd known each other a while. He said, "At the beginning, it's going to be a lot about vendor management." I said, "I've been doing vendor management for decades, so I feel pretty comfortable doing that." I told him the thing I was most nervous about was letting him down or damaging his reputation. He said, "Don't worry about it. We'll bring you in as a contractor, and if it's not working out, it's easy — just part ways." Two weeks in, he said, "We've got to get you full time. This is great." And it was.

That's how I got in as the first security hire at a startup where the founder didn't come from a security background but was security-minded. I didn't have a security professional to mentor me, so I really had to build my outside network and board of advisors. Between building that outside network and getting to do all the things at a startup — wearing 14 hats — I got so much incredible exposure and support. Because I didn't come solely through a technical pathway, I was able to relate with folks across the business — in finance, in HR — making sure they saw me as someone on the same side of the table, trying to co-build with a security mindset.

I'm really proud of the security-first culture we built there at Carev, which was the startup, because people felt like they were part of the security team. That let me do so much great work and build phenomenal relationships — because we are managing this work through influence so much of the time. Making sure people understand that you're trying to help them achieve their objectives, not just your own, was critical.

I was at Carev for a couple of years and have now been about two years at ANV Cyber, which is cyber insurance. My role at the insurance company is to help our policyholders not just transfer their risk with an insurance policy but actually look at their security posture and make some changes. I have great conversations that aren't about convincing anyone to buy a $100,000 SIEM system. It's about figuring out where they are and what the next steps can be — low cost, no cost, thoughtful things that support their business objectives and can help them grow their business.

Jess Vachon: 19:23

That's terrific. There are so many good pieces of knowledge you just dropped through that whole conversation. I hope when people listen to this episode they stop, go back, and listen to that first 20 minutes again — because there are so many things you shared about what you learned along the way that lead people down the path to success.

Jess Vachon: 19:46

One of those things is confidence. But you didn't just show up at 20-something years old and decide you were going to travel around the world. Let's go back. Tell us — what kind of kid were you growing up? What was the influence of your parents? Because as you spoke about your 20s moving on, there's a lot of confidence there that allowed you to establish the experience to build your success in your career. Tell us what that foundation looks like.

Courtney Hans: 20:12

I have an identical twin sister who was also a Backroads leader. She started leading, I think, one or two years after I did. I bring this up because our entire extended family was probably flabbergasted that our career path out of college was adventure travel guide. Because we weren't incredibly outdoorsy kids. We camped with our family and stuff, but we were bookworms, both of us — mostly straight-A students. I did some academic competitions in high school — academic decathlon, actually. That's how I became friends with one of my current bosses; we ran the academic decathlon team together.

Two of the biggest things that built up my confidence as a young adult were: first, doing that study abroad in college. I took off for a solid semester, finally got some distance from my twin — we went to the same college and fought a lot at the time, though we get along great now. Being truly out on my own taught me: "If I can handle this in another language that I'm just barely grasping, I can handle this in English — easy, no problem." That gave me a big boost of mental confidence.

Then, for about three months after I graduated college, I did a NOLS semester — the National Outdoor Leadership School. Before I did NOLS, I had never gone backpacking. I'd gone camping — car camping — but not far from civilization. This NOLS semester was three months in the backcountry. We did winter camping in the Absarokas up in Wyoming, about a month of backpacking through the North Rim of the Grand Canyon — 28 days backcountry with 65-pound packs. We did about three weeks of rock climbing out in the House Range in Utah. Then three or four weeks of rafting on the Dolores in Colorado and then Desolation Gray — rafting and whitewater kayaking.

That first day, I woke up sleeping in the snow for the winter portion and thought, "What have I done? Why did I do this to myself?" That was the only time in those three months I had that kind of thought — because after that, I loved every second of it, even the hard parts. It reminded me: "I can do hard things. I can put myself in uncomfortable situations and come out the other side" — whether that's being laid off, taking a job I don't feel all the way ready for, or speaking to CEOs who I feel must be smarter or more talented than me. People are all people.

Those two experiences set me up in ways I still draw on now — that I drew on three days ago climbing up a mountain. That confidence, I think, comes from finding your way through hard things.

Jess Vachon: 24:44

Yeah, and it sounds like you developed resilience along the way as well. Confidence and resilience — two very powerful things to have in your pocket as you're moving through life. I enjoyed listening to you talk about waking up in the snow. I've done that as well. The first time you're like, "This is cool — it's cold, it's weird, but it's very cool."

You helped remind me of a time when I was in the Marines. We'd been hiking all day long, well into the evening. When you have a 65-pound or heavier pack on your back, it's not just the incline, the decline, and the terrain — it's that constant weight. So you get to the end of the day and you sleep really well. I remember we sat down — I don't even remember how we got to where we were. It was a clearing in the woods with a lot of rocks, and I just passed right out on the rocks. I woke up the next morning with rain coming down on me, my limbs sprawled over different rocks — but it was beautiful in that moment. I said, "Wow, this is something I never thought I could do or would do, but I've done it."

Each of those items, as you were telling your story, I could hear you building up the skills you would need later in life. Because when you've done things that a lot of people don't do — or that you didn't think you could do — sitting in front of a CEO or a board of directors is just: "I've done harder things than this. I've been in situations of real possible physical danger, and I can deal with this."

I appreciate you taking us way back, because I knew you didn't just show up in your 20s ready to go. And you talked a lot about not following the technical route. A lot of people who have studied different languages, done coding, or pursued activities outside of their regular work come into information security and are very capable of moving quickly from start into it. I'm not surprised that someone picked you out of the crowd and said, "You had the courses, but you are a whole person — you communicate well, you have confidence, you have resilience. Let's give this a shot." That's an important part of your story to highlight for people listening — especially people newer in their careers or wanting to do a career pivot — because cybersecurity from the outside can look very daunting. But as you noticed when you got into it, it's a lot of communications, a lot of influence, a lot of having confidence in what you're saying. Because we don't own the endpoints, we don't own the servers, we don't own the customers. The only lever we have is trust and confidence to get others to do the work that we need done.

Jess Vachon: 28:16

Has there been a time when that skill set wasn't working so well for you? And if it wasn't working so well, how did you work around that?

Courtney Hans: 28:27

That's an excellent question. There have been times where I've had to go back and, for lack of a better word, start over a bit with a conversation. There was a time at a previous role where the HR team was really trying to accomplish some objectives. I'll be quite frank — they were focusing on the wrong thing to boost employee morale, but that wasn't my task to decide. However, how they wanted to solve it did involve me and the support of my team's work. There was a lot of communication via Slack, and sometimes Slack does not convey tone — and people can get very spun up because they misread intention.

I remember being in a conversation where we finally gathered all the players — myself, a colleague who worked on enterprise systems, our boss, and the HR team — to hammer out what was happening and why things weren't getting done. I remember feeling so defensive. In my head it was: "I've got receipts. That didn't happen." And then I thought, "That doesn't really accomplish anything. It might make me feel better for a second, but it's not important." I had to park my ego and remind myself that my boss already knew I did good work and was showing up as myself, trying to support the growth of the business. He didn't need me to come with my receipts. He already trusted me.

What we needed to spend our energy on was making sure we could all align on how to move forward to solve the problem — in a secure way. I needed to give a little and make sure they understood where I was coming from in terms that resonated with them. So I had to park the ego and the receipts conversation because it wasn't serving our purpose.

Jess Vachon: 31:07

Yeah. That's a good segue into my next question.

Jess Vachon: 31:11

You wrote for Security Magazine about building a security-first culture, and your first tip was to lead with curiosity, not threat — tell, not policy, not tools. You obviously live a life of curiosity. How do you instill that in others? And what is the payback you see when you build that security-first culture?

Courtney Hans: 31:33

People love to speak about themselves and their goals and their interests — and they like to feel listened to. Building a security-first culture starts with curiosity, starts with asking questions. What I've done is encourage the folks I've led and my peers to start with those questions — don't start with your objectives, start with understanding a little bit more about the other person.

As an adventure travel guide, I remember when we would do hiring events. The leaders they were looking for were not the strongest bikers or the most incredible bike mechanics. Those are technical or physical skills that can be taught or mastered. What they were looking for — I was told — was: "I just want to find someone I could sit down and have a beer with for three hours. Who's the person I can have a good conversation with?" Because that was so much of the job. We'd be riding along the roads having a chat with someone who could be a CEO of Otter Pops or an undertaker — I had both of these people on trips — and finding ways to connect with them.

I would look to hire people I could connect with personally, too. I had one gentleman on my team where all of our one-on-ones were very direct — he just wanted to jump into what he was working on. Great, that's how he wanted to connect. With another, we'd spend 20 minutes of our 30-minute one-on-one talking about our personal lives, and that's how he wanted to connect. We connected as people first.

Building that security culture was about finding how people wanted to interact. At Carev, I always made sure I connected with new employees within the first couple of days so they had a face to the security person. I'd remind them: "I'm never going to be upset at anyone or feel any kind of way about somebody reaching out with a question or a concern — even if they think they clicked on something. Come to me 20 times a day with questions. I'm here for you." Making that connection first made sure they felt comfortable with me and became ambassadors for involving the security team in conversations, in projects, in program management and sprint kickoffs.

In my work now, I make it really clear when I talk to policyholders: "I'm not an underwriter. Your policy is already baked. I'm not trying to look for anything you said in your application that differs from what you're sharing with me. This is just me seeing how I can help you." I understand the business has objectives, and if security doesn't serve those objectives, then it doesn't exist in a vacuum. So I want to understand what your concerns are first, what's keeping you up at night. That could be a security concern, that could be a revenue concern. Let's lead with that. Then I'll connect with you there.

Jess Vachon: 35:35

And that is a very hard shift in mindset to influence in someone — whether it's people on your team or in your case, the customers you're trying to support. Do you find — and this may have changed over the last five or six years — that there are still a lot of security professionals showing up at the table saying, "No, it has to be done this way, this is the way I learned, there can be no exceptions"? Or is that cultural shift occurring now, where leaders are showing up saying, "I'm here to support the business, and I need help finding the gray areas that are acceptable to you as an insurer"?

Courtney Hans: 36:28

I think we're seeing a shift, though there are still pockets of the former. At my former company, Carev, we were in the healthcare-adjacent space. I interfaced with a lot of healthcare facilities when they would evaluate us as a potential vendor. One that always stands out is: "Are you enforcing password changes every 30 days?" And I always want to say, "Per NIST guidelines now — we're not adhering to that. That's old guidance." I saw a lot of that in the healthcare space. It's a hard, hard industry to do security in.

Now I'm seeing folks being very open to learning: "What are you seeing out there? What is industry best practice?" They acknowledge that guidance and best practices are changing — if not daily, then seemingly by the minute these days.

And we inevitably have to touch on AI — can you have a conversation about security without talking about AI anymore? People want to know, "What should we be doing about AI?" I can't answer that until we talk more about what you're doing now, what's the comfort level of your team with AI. We work with insurers that have tens of thousands of employees and are global hospitality enterprises, all the way down to single-practitioner healthcare providers. What's the context of your business? Let's start with: do you understand that if you're not paying for a product, you are the product? If you're using free tools, just know they're using what you feed into them — and that might be okay depending on how you use it. Everyone's risk profile is different.

I think I'm seeing a lot of folks I interact with being very open to changing guidance. And the best place to start for all of us is asking: "What questions should we be asking? What considerations should we have?"

Jess Vachon: 39:14

It's nice to see the change in the insurance industry. Ten or fifteen years ago, it was kind of a difficult relationship. I remember answering questionnaires and then having the interview and being very worried about how I answered, because we desperately needed to have cybersecurity insurance. Now it is much more a collaboration. If you have tools internally to evaluate your gaps, and you meet with a cybersecurity professional from the insurance company and you're having that genuine open conversation — usually you come to the same conclusion on coverage. There might be a few recommendations on things you can do better, but it's good for both parties. If we're working together at the table, the cost for the insurers goes down and the cost for the insured goes down.

And you made a great point: if you are in information security today and you are not able to adapt quickly — if you're relying on what you knew from five or ten years ago, or even two years ago — you're going to have a hard time in this business. It's something I have to coach some of my younger staff on all the time, because they're still holding on to, "You have to do it this way." No — what you learned a year ago doesn't necessarily hold. And also: we are not the business; we are supporting the business. Critical for people to know this — and critical for people coming into cybersecurity now. What you know today is what you know today. Be open to what's going to change tomorrow. And know yourself well enough that if you find you can't change, or aren't willing to change, it might be time to pivot out of the industry — because this is not going away. This is a new world we're working in.

Jess Vachon: 41:41

Yeah.

Courtney Hans: 41:42

There's a lot. It's a full-time job just to stay abreast of the news — what's Scattered Spider up to this week, what are the latest tactics. I get different questions all the time. And from my guiding days, pre-smartphone: I think you also have to not be afraid to say, "I don't know," or more specifically, "I don't know that yet — I will get back to you." One of my former bosses was the best model of that: "Walk me through that. I don't quite understand that." Or when people say, "This is my situation — do you think it's better to do this or that?" I'm not going to hesitate to pull up a quick search, look at a few articles, and say, "Let me look into that a little bit. I'm going to shoot you an email or give you a call tomorrow. This is what I think right now, but I want to dig in a bit."

Being unafraid to say "I don't know that yet" — or "Let me look into that a little more and get back to you" — that's fine. We can't all possibly know all the things all the time. And in security — I think about this analogy a lot — you could go to a podiatrist and ask them something about a skin freckle. They're a knowledgeable medical professional, but that's not their specialty. It's kind of like that in security. We all have our niches. I can talk about privacy, but I'm not a privacy expert. I can give you a 30,000-foot — or maybe 10,000-foot — view on certain topics, but it's hard to go mile-wide and mile-deep on everything. That's something people outside of cybersecurity don't always know — there are so many different areas we could all specialize in. I'm not afraid to say, "That's not my particular specialty, but I can get you to some resources that can help."

Jess Vachon: 43:58

That is so accurate. I find myself more often now saying "I don't know" — take Mythos, right? We're about seven weeks out from that. I gave a briefing right when it came out, another two weeks later, and I was just asked a couple of days ago for an update — and I had to say, "I don't know," because I haven't had a chance to go back and review it. The talk in the industry is changing every single day. It's a good conversation, but it's evolving so quickly alongside Mythos and Glasswing that it would be foolish for any of us to say on any given day we know exactly the status of that one item, let alone everything else.

It is a constant sprint to keep up. I'm using Claude to prepare a daily briefing for me — first thing in the morning, I'm asking, "What happened overnight? What has been the evolution in the last 24 hours?" Because we're living in a world where these changes are that fast. I think you're probably doing this too. I'm coaching executives: we have to move fast. We have to do the fundamentals quicker than we used to. We have to keep learning as fast as we can, because the threat actors using these tools and reverse-engineering everything are already activating them and preparing to exploit them. But the overall game hasn't changed.

Courtney Hans: 45:37

I was glad you said that — the fundamentals are the same. Things are just moving really fast.

Jess Vachon: 45:43

Yes.

Jess Vachon: 45:44

And the AI security tools that are coming out aren't going to replace those good practices or those basic tools — like endpoint security and firewalls — that you have to have in place. You've got an existing investment and new investments coming because you are going to have to use AI-enhanced tools. You've talked a lot about tools and said: don't just go get tools because that's the tool you're supposed to get.

Jess Vachon: 46:11

Get the tool that's right for the functions of your business. Talk a little bit about that.

Courtney Hans: 46:16

What I love about the work I do is being able to actually talk to the policyholders. We get these applications, and I have to believe that a lot of them are filled out by the controller or the CFO — someone not necessarily on the security team. That's just how the paperwork gets through. From being on the other side and looking at those applications, I remember feeling so limited in how I could respond because there are so many nuanced answers. Take "Do you have MFA?" — well, yes, on many things, but this one tool doesn't support it. Do I put yes or no? It's not 100% yes, but if I put no, that's not accurate either. The conversations I get to have now let us get into that nuance.

I've been asked, "Isn't there just some tool that can make their security posture better?" And the answer is: that's not exactly how it works. It's puzzle pieces — people, process, technology. But for me, the biggest thing is the people. I do a lot of security awareness education for end users, and I don't just mean educating users to not click on things. Yes, that's important, but the key piece is understanding the culture of security within the organization.

I've had policyholders say, "Oh yeah, we'll have that conversation, but we're just going to have our managed IT team talk to you about it." That's fine — but I would love to also speak to somebody at the organization itself. "Bob's IT Consulting" might do great work, but if nobody at Acme Bread wants to be a part of this conversation, that gives me bigger concern than any list of controls they have or don't have. They need to be an active participant.

So to your question on tools — it's not just about the tools. One thing we do is talk to policyholders about their Google Workspace or M365 profile and do a kind of shoulder-surfing session to make sure they're getting the most bang for their buck at whatever license level they have, and that they're using all the security features. "We're not trying to get you to spend any more money — we're just trying to help you use the tool to its best advantage." People want to do that work. They want to spend an hour and a half with us to learn how to shore that up.

Or we'll talk to folks who are post-incident: "What could we do better?" Having that conversation is a great first step — a debrief after an incident, whether a tabletop or a real one: what happened, and how can we make sure this doesn't happen again? But it's not about throwing tools at it. You could have 45 different tools and 45 different owners of those tools, and that's not going to make you more secure. What is the holistic strategy for plugging in those tools, those processes, those people, and making sure they're all communicating and working together? There's got to be full lifecycle buy-in and management of the tools, or they're just going to be wasted money.

Jess Vachon: 50:14

Yeah, and that's the worst thing — to be in charge of security and be wasting money, because you have to answer to someone, usually the CFO, a couple times a year about how you're using the company's money. And if you're not showing a risk reduction, you're in a lot of trouble.

You've talked a lot about workforce development.

Jess Vachon: 50:34

I think you're involved with OES as well. Across our industry lately, there's been a lot of conversation about whether there's a workforce shortage. I want to ask the question in a different way — if there's not a workforce shortage, is there some other problem? Is it a diversity problem or an acceptance problem? Because you've talked about coming into the industry from a non-traditional path. Talk a little bit about your opinions around that.

Courtney Hans: 51:07

Yeah, that has been part of the zeitgeist conversation since I got into this field — that there's a person shortage. I do think it's a little bit of all of those things. We're still a little bit early in the evolution of thought around who is qualified to hold these roles. I love certs as much as the next person — I love that external validation. I'm not saying anyone should or should not pursue certifications, but when people think that security is solved by throwing money, tools, or somebody with a fancy certification at the problem, they're not going to get the results they're hoping for. When we see job descriptions wanting some sort of entry-level role that requires a CISSP, there's a real disconnect in what is actually required of that role.

I think the more folks we get with diverse backgrounds like ours, the more we can appreciate that in hiring roles. I've had the opportunity to promote and hire folks who didn't have a traditional IT background, because I know they can do it — I've seen their talents in other places. But if you've got someone who has taken a more linear pathway, or who feels pressure from their bosses to go with a more traditional hire, that's going to be really challenging.

Especially as we're getting into a zone where articles are saying, "Kids, don't major in computer science — that's not the golden ticket anymore." We're going to see different educational pathways because of artificial intelligence, as people try to figure out what the AI-proof job or course of study is. And there's a sunk cost factor — people who have gone all in on a particular course of study can feel stuck.

If I can leave anyone with one piece of advice: go read the book Range by David Epstein. The subtitle is Why Generalists Triumph in a Specialized World. It's such an interesting read. He goes somewhat antithetical to Malcolm Gladwell's 10,000-hours theorem — which, yes, is great and beneficial for things like chess or certain disciplines. But in many other cases, the human brain is far better equipped to make creative choices and find creative solutions when you are a generalist, because you draw from all your different experiences to solve problems.

So I don't think there is a person shortage per se. We've got tons of people looking for work right now. We've got lots of companies thinking that AI is going to solve all their problems and reshape their workforce. But I think there will continue to be a real need for people who are generalists — who can pull inspiration and context from so many different disciplines, fields of study, and experiences. The evolution of thought around that is what we're still waiting on to catch up.

Jess Vachon: 54:48

I love that. You snuck in a little call to action there — and I didn't even have to ask you for one. Perfect. As we're closing up, where can people find you or connect with you?

Courtney Hans: 54:59

You can find me on LinkedIn. I'm pretty easy to find — Courtney Hans at ANV Cyber. I would love to connect with folks on LinkedIn. Periodically I'll hit the conference circuit and give a talk, and I love to chat with folks after that. I don't have anything on my calendar right now for giving a talk, but I'd love to meet people at conferences in the Seattle area — BSides, SecureWorld. LinkedIn is a great one.

Jess Vachon: 55:25

Courtney, thank you so much for joining me on the podcast today. People, reach out to Courtney — go and listen. She's been on multiple podcasts; listen to this one first, and re-listen to it a couple of times, like it and subscribe to it — but then go out and listen to the other talks that Courtney has given, because they're really good and there's a lot of information Courtney has to share with you. Thank you for being here for our listeners. Thank you for listening today. If this conversation resonated with you, share it with someone who needs to hear it. Until next time, everyone. Bye-bye.
