Interview with Randy Raw, VP of Information Security at Veterans United Home Loans
Published on Oct 29, 2019
23 min read
Vidal: Good morning, Randy. Welcome to the Manager’s Club show. How are you?
RANDY: Thank you. It’s great to be here. I’m doing well.
Tell us about Yourself
Vidal: Maybe we could start off, tell us about your background. Well actually where do you work now? What’s your current role?
RANDY: Sure, I’m the vice president of information security at Veterans United Home Loans. We are a VA loan origination company, so our, our mission is to get our veteran heroes into homes at competitive interest rates, faster than anybody else in the industry. We do a very good job of that. Prior to being here, I actually worked for an organization in Missouri called MOREnet. That was the Missouri Research and Education Network. We provided internet connectivity to the public schools, the universities and colleges and public libraries. Most of my career prior to that was also spent in government and education doing mostly system administration work initially, and then switching over as the internet became a thing and as we saw the increased need for security and moving into security when I moved to the role at MOREnet and now here at Veterans United.
Vidal: That’s awesome that you’ve been doing stuff for veterans and also in education. I think that’s really great. Thank you. Thank you for doing those things.
RANDY: It’s our pleasure. It’s a great industry to be involved with, especially now helping veteran heroes. They’ve put their life on the line for us. This is our opportunity to give back and to serve them
What’s your background and how did you get into management?
Vidal: That’s just awesome. Could you say a little bit about how you got into management? How did you transition to being manager?
RANDY: I think like probably a lot of us, back in the early days, you do system administration work and you continue on. Then there’s a recognition that there’s a need for actually having a team instead of just an individual or a few individual contributors. Part of it was the first position that I actually had was at a small K-12 school. I hired a couple of people to be assistants for me and also actually utilize some high school students at the time in an unofficial capacity where they just were interested in technology. I really started accidentally essentially get into management from that perspective. Then it was just more intentional about seeking careers that had opportunity for both technical growth and also management growth. Each position that I moved into, I changed jobs a couple of times. That had additional people that were reporting to me and gradually just continued on to where I’m at now.
Vidal: How many people report to you now? How big a team do you manage?
RANDY: I’ve got eight direct reports right now and we also have a concept of something we call dotted in. We have three other people who are parts of other teams, but we bring them on to the information security team, so that they can really be a liaison back to those other teams that they work on. They are essential and integrated into the components of keeping our systems and our data secure.
What are the biggest challenges you face?
Vidal: Yeah, it makes sense. Yeah. I think several companies, a lot of companies have that concept. Okay. What would you say are some of the biggest challenges you face as an engineering leader?
RANDY: Yeah, so there’s really two. One is delegation. It’s really being clear about what I want to delegate and then helping the person understand, make sure that they’re able to repeat back what I need done. For me, information security is a very broad category. I have everything from vendor management and IT audit down to daily incident response and threat hunting and policies thrown in with that as well. Making sure that the individuals who are doing that specific technical work really understand what I need to have done and by when and establishing clarity around that is the biggest challenge.
Then the second one is probably more of us, especially as you move into a more senior role, fall into a trap of, and I have to avoid doing this, is not being a HIPPO. And I don’t know if you’ve heard of that before, but it’s an acronym for the highest paid person’s opinion. When you’re in a room together and you have a team meeting, if I’ve put forward an opinion, then often that stifles the conversation. I don’t want to stifle conversation. I want to encourage conversation, especially sometimes when there is a difference of opinion. I don’t want to put my opinion out, because then often people are like, “Well, he said it. That’s done. We’re going on.” That’s not at all what I want to have happen. I recognize I’m not the smartest person in the room, and I really need to not be the smartest person. I have some really smart people that work for me and with me. We need to have their opinions heard.
Vidal: I think that’s great. Yeah, I’m totally with you that those technical decisions should come from the team and not from the manager. And so lots of times as the manager, you want to speak last actually, just to hear everyone else first, so they’re not biased by anything you say.
RANDY: It’s such an, it’s such a challenge because many of us made our careers of being subject matter experts and providing that expert opinion. When you transition into a leadership role that really has to change. It can be a struggle.
Could you share with us a lesson you learned as an engineering leader?
Vidal: Totally. Yeah. You have to let, sometimes you have to let the team fail and and learn from it. Could you share with us a lesson, maybe a hard lesson you learned as an engineering leader?
RANDY: Yeah, so I think there’s a couple of different ways to go with this. One is assuming that I knew everything and not asking enough questions to really get to the foundation of what the problem was that we were trying to resolve. You get into the problem solving mode and everything looks like a nail because you’ve got a hammer. You forget oftentimes that now, especially with so many different integrations, so many different opportunities and complexities of systems, it’s not necessarily always the same as what you’ve seen before. Asking good questions instead of just assuming that I knew the answer that’s been a lesson that regularly gets repeated of make sure that we’re asking the right question. It’s also asking the right question. Sometimes we get the right answer to the wrong question, because we didn’t think deeply enough and prepare for what the question should be. It’s difficult to admit when you’re wrong at that point. That would be the other part of it is admitting that you’re wrong and going back and repairing that relationship with people, recognizing we’re in the relationship business, even though technology, it’s still people. Failing to really recognize that people are what make it work and treating those people with value can be a real detriment to moving forward both as a leader and helping the organization move forward.
What’s your approach to hiring?
Vidal: Got it. Talking about people, what is your approach to hiring and recruiting?
RANDY: I have really thought a lot about this. We can teach technical skills, but it’s really hard to motivate people. There’s a lady named Erika Anderson who’s author of a book called Be Bad First with the subtitle of Getting Good at Things Fast so You Stay Ready for the Future. She puts forward a model of, it’s called ANEW, so look for people that are Aspirational, that have a Neutral self image, that have Exceeding curiosity, and they are Willing to be bad before they’re good. If we are able to hire people that have that philosophy, then my experience has been, I don’t have to motivate them every day. They come to work ready to do good things, willing to be bad at it. They’re really curious. They already have a neutral self-image, so they’re ready to go. But they have aspirations beyond what I can motivate them to do.
Sometimes I see that and I’ll ask the question of what they’re doing already in their current role and in their personal life to really move the security needle. Being an information security, that’s a very specific area that we can look at. Oftentimes that’s a role that people move into after they’ve begun in some other area. We can often ask that question of what have you done already, what are you already doing to encourage people to be more secure and to help people in their personal lives and in other parts of the business to do secure practices. That really demonstrates that they’re already motivated.
I guess, there’s one other thing too. I just came across an article earlier this week that was on LinkedIn where somebody was talking about the difference between problem solvers and problem bringers. In an interview question, if you ask the question like, “Could you tell me about a time when you were given an assignment and you lacked the necessary skills or knowledge?” If you stop there, that’s a powerful question. Oftentimes what we’ll do is we’ll append this little part of the end “and tell me what you did to resolve the situation”. So now you’ve just let that problem bringer person off the hook and you’ve told them, “It’s okay to tell me about the one time that you solve the problem. Forgetting about the 99 times that all you did was bring a problem to your supervisor or to somebody else and you really didn’t try to solve it.” Just eliminating that last phrase and just stopping with “Could you tell me about a time when you were given an assignment and you lacked the necessary skills or knowledge?” Now, that’s an opportunity for that person to really shine and talk about how they discovered a problem and how they solved it and those are the people I want on my team.
“Could you tell me about a time when you were given an assignment and you lacked the necessary skills or knowledge?”
Vidal: Yeah, this is great. I really liked your answer. I hadn’t heard about that first framework. This is a great question, so I’m going to try that question. I like how you gave specific questions. That’s cool.
RANDY: Yeah, that’s, it’s been very powerful.
What’s your advice for managers who are just starting out?
Vidal: That’s a great behavioral question. That’s a really great behavioral question. All right, what would be your advice to a new managers or managers who are just starting out?
RANDY: I think it would be to recognize that you are now on a new learning path and a new learning journey, especially when we’re in information security and an IT/technical position. You’re going to have to learn a lot of what we’ve referred to often as soft skills and all of the things that are not technical. There’s a lady named Whitney Johnson that talks about an S curve and I really believe that that she’s onto something. With our technical people, we need to figure out how to recognize that as you’re on an S curve, it’s hard at the beginning and then you hit a sweet spot in the middle. You can’t stay in that sweet spot forever. You have to continue to look at what the next S curve, and so there’s about three things that I would point people to.
The first one will be listening to podcasts. There’s some really great ones. Three that I recommend. One is Coaching for Leaders. Our mutual friend Dave Stachowiak who did an introduction for us does a great podcast that comes out weekly. Really, really helpful there. A guy named Tom Henschel runs the Look and Sound of Leadership as a podcast. It really talks about how leadership looks and sounds and how to develop executive presence. It’s a word that I hadn’t heard before, but technical people often struggle in this area. We know all the technical things, but we don’t often know how to translate those into business language that people can understand. Tom’s podcast has been really helpful. Then Dave Ramsey’s group runs something called EntreLeadership. It’s really more about helping people who are entrepreneurial, but between those three podcasts, there’s a lot of information that technical people can really pick up on and learn.
Out of that, a second thing that I think is vital for technical leaders to learn is something called emotional intelligence. A guy named Daniel Goleman has done some really great work. Often in the technology careers, we tend to be drawn to those careers because they are technical. There’s a part of our brain that really gets it and we understand it. We leave out a significant human component of that. Emotional intelligence and understanding how to be self aware, appropriate emotional expression, how to help other people really work through some challenging things, motivation. That’s been an area, if I could go back and do over again, I would really look at and learn about emotional intelligence from a very early stage in my career.
Then the last part would be just recognize that a part of your work has changed from being an individual contributor of technology to being a coach and a mentor and really ensuring the success of your team. You’re going to spend time in meetings. You’re going to spend time doing nontechnical things, things that are HR-like, budget functions. Those are now an essential part of what you have to do to lead your team and to help them be successful. Most importantly is recognize that you’re now a barrier breaker. When your team is blocked on something you’ve got to go forward from where they are and help remove the barriers to whatever’s happening, to keep them from getting work done in an inappropriate way. That involves a lot of emotional intelligence, a lot of learning how to relate to other people. Those I think would be the things that I would really recommend for anybody that’s just starting out in the technical area of leadership, is to learn those things and recognize that the job is not just about technology, it’s about the people and the team that is supporting you.
Vidal: That’s great. Those first two podcasts you mentioned are outstanding. I’ll have to check out the third one. You’re right. Now you’re just dealing with people who are very unpredictable as opposed to computers and technologies. That’s a totally different job.
What’s your work day like and how do you manage your time, emails, etc.?
Vidal: When you’re an engineering leader, I find there’s just so much to do, there’s so many places you could spend your time so many demands. What’s your work day like? How do you manage your time, meetings, emails, all kinds of things that come in? How, how do you deal with it?
RANDY: I would guess that we’re probably not a whole lot different than a lot of technology focus areas of we live and die in email and by a calendar and meetings. It’s really learning how to delegate and to say no appropriately. I get invited to a lot of meetings where people want a subject matter expert. They know me because I’ve been at the company for a number of years. But that’s an opportunity for me to say, “I don’t need to be the one there. They really need one of my team or even somebody that’s not on my team, that’s a better subject matter expert than me.” That goes all the way back to that first question that we talked about of how can I delegate and delegate to the person and make sure they understand, “Look, you may be swimming in the deep end now, but I know you can do it.” Encourage them to do it because otherwise the tyranny of the urgent just is always in front of us.
Also figuring out how to really coach and mentor people. I used to think those were the same things. Coaching and mentoring, I thought they were the same. I’m recognizing now that they’re really different things as I’ve worked more with Dave and the Coaching for Leaders Academy. Coaching has a very different aspect. It is very powerful in how we can help the person grow and help our team, help us take things off our plate. I think also with with email is learning not to, again, be the first person to answer. If I can just wait a few minutes longer, maybe it’s overnight and see if someone on the team responds, then I’m not in the middle of that. One of the things that I find is as soon as I put myself in the middle, now I’m also the barrier. I’m the the piece that keeps things from moving. I often don’t have the opportunity to spend the time focusing on individual pieces that really need a lot of of work, but my team does. It really helps the team grow when I delegate to them.
What’s a personal habit that contributes to your success?
Vidal: All right, so using delegation, so leveraging delegation to help free up your time. That’s great. Could you, is there maybe a personal habit you feel that’s contributed to your success?
RANDY: Yes. I think, I every day on my calendar, mine happen to be 4:30 in the afternoon, I schedule 30 minutes that just as daily thought time. When I’m successful at protecting that time, it allows me to get my head up out of the water, so to speak, out of the weeds of what’s happening with the daily grind of whatever’s happened in the business and look around at what else is going on. That’s when I’ll take time to listen to the podcast, some of the leadership podcasts that we’ve talked about or to go read articles, how can I be a better person, a better leader, that really understands big picture of what we’re doing. Having that daily time to just decompress, sometimes it’s at my desk, sometimes I’ll go take a walk, sometimes it’s, I’ll actually head out a little bit early and drive a different way home just to to clear my head of what’s going on and to think about what do we need to do to develop our roadmap, what do I need to do to develop people, how do I get away from the tyranny of the urgent and really get into that quadrant that is about doing important work. Protecting that time is an important habit that when I do that, I just really see success and a lot of moving the needle.
Share an internet resource or tool that you can’t live without.
Vidal: That’s great. Yeah. The ability to kind of detach from the tyranny of the urgent, I think that’s really great. Is there maybe a tool or internet resource or app or something that you depend upon, maybe you couldn’t live without?
RANDY: Well, I thought about this one a little bit. There’s not specifically one, but I think there’s one that I use inadvertently that is actually pretty important. Generically, it’s YouTube. There’s so many free training resources that are available. Yeah, it’s also possible to waste a lot of time. But if I’m looking for something of a how-to, or information about leading, there’s a lot of YouTube videos that are there. That’s probably not the answer you were looking for, but there’s really not another resource that I use on a regular basis other than just searching and looking for people who are thinking new thoughts, different things or approaches of the way that we’re doing things, and just watch some of the videos that are available there.
Vidal: No, I think it’s a great answer. I mean, I love YouTube. I’m with you. You can find a video to teach you almost anything and you can watch conference talks from amazing people, TED talks. It’s amazing the stuff you can find on there for free.
RANDY: Yeah. Now, there are two particular websites for me that I really use for keeping up with things that are happening. One of them, a guy named Brian Krebs runs krebsonsecurity.com. That’s a must read for people in information security and even for people who are not. If it’s something important, Krebs is going to publish something about it.
Then there’s a group that I follow pretty closely. Black Hills Information Security. It’s blackhillsinfosec.com. John Strand is the owner there. I just love some of the things that John approaches life with. He talks about, especially in information security, we tend to be “wizards impressing wizards.” If you’ve ever gone to an information security presentation or conference, a lot of times it’s people trying to impress somebody else there. He says, “We really need to stop doing that. We need to go find people who want to learn and bring them along with us.” Right now on the front of their webpage, it says, “Our main goal is not to prove that we can hack into a company, but to help the customer develop a series of on-point solutions and technologies that will improve the overall security of the company.” We want to be collaborative, not adversarial. There’s, there’s so many security people that don’t get that part of it. If you raise everybody’s level of security, you’re really helping everyone. John and his team do a ton of education that also was posted on YouTube. You can find that information there. They do it for free, the educational pieces of it. They’re just awesome group of people to work with.
Vidal: I’ll put a link to it. I’ll have to check that out. Since you are a subject matter expert on information security and, and I don’t think I really had anyone on here that was an expert in this. Maybe I could just ask is there something, because I think a lot of engineering managers have this love-hate relationship with information security. Is there anything you, you would say to engineering leaders and managers maybe that they misunderstand or that might be helpful to them in thinking about this?
RANDY: Yeah, from the time that I started here, my signature line in my email has had a line that said, “Security is everybody’s business.” I want to help to help everyone understand how what they do interfaces and impacts security. So many information security people are the no people and not the K-N-O-W. They’re the N-O people. You can’t do that. As a security person, you have to go and talk to people about what they’re wanting to do and help them understand how to do it securely. Information security people fail at this on a regular basis. We still struggle with this regularly within the company here, but that’s been our approach is how can we enable and help innovation and business strategy instead of …
Because you’re right, a lot of people in technical careers are like, “Oh no, I have to deal with security. They only tell me no.” But really bringing security people in early. If we can take a look at a strategic direction we’re going really early on and maybe we need to make a one degree change. Well at ground zero one degree is not very impactful. If you wait until you’re four miles down the road, one degree change that should have been made at the beginning is a lot of change. Sometimes people force an issue where by not bringing the security people in to get an opinion early, they end up creating a situation where it’s really difficult to say yes and you sometimes have to say no, because it’s not secure. Whereas if there would’ve been a change at the very beginning, it could have been almost no impact. That’s what our desire and our goal is, is to be part of the innovation process in a way that we enable, the way to do secure coding, if it’s a developer or secure systems, if we’re on the system administration side to really enable and help people figure out how to do things securely instead of having to come back and do rework. Nobody wants to do rework. That’s often where security is brought in late enough that there’s just a lot of rework.
If you could recommend one book to managers, what would it be and why?
Vidal: Got it. Yes. You bring in security too late then it can cause a lot of rework or be a problem. That’s great. If you could recommend one book to managers, what would it be and why?
RANDY: Oh, there’s a guy named Todd Henry that wrote a book called Herding Tigers. I buy a copy of that and give it to every one of our new technical managers, because it’s not herding cats. He uses an analogy like cats can’t hurt you. Tigers can hurt you. Every one of us on our security teams have tigers. Really, really smart people that are really good at what they do. We often don’t feed them well. We don’t give them context around what they’re doing. We’ll be thinking out loud. They’ll think we just gave them a set of instructions to go do something and then they go do it. Then we come back and say, “No, why were you doing that? That’s wrong work.” We didn’t realize they were ready to go. They were hungry and ready to go. We didn’t give clarity around what was happening, and we had them working on the wrong thing.
…it’s not herding cats. He uses an analogy like cats can’t hurt you. Tigers can hurt you.
At some point the tiger can hurt you. Sometimes that hurt is by leaving, because they’re frustrated. We often hear the analogy of people go to work for great companies and they leave, because they have a bad manager or supervisor, because they’re not provided the leadership skills and the leadership and direction that they need. Todd puts a lot of context and verbiage around things that I felt and I knew, but I didn’t know how to express it. He does just a fabulous job of really talking about what that looks like. How to Manage Creative People is the subtitle of that book. Like I said, I give that to every one of our new technical managers then and offer an opportunity to sit down and talk through some of the things that I see in there. It’s probably the book that I’ve written the most notes in. I have my copy that I’ll never be able to give to anybody because I’ve got just so much in there that I go back and reference on a regular basis.
What’s your approach to mentoring and coaching members of your team?
Vidal: Wow. I haven’t heard of this book, but I love the title. That’s really interesting. I’m going to have to pick it out. Wow. All right, okay. All right, one more question. Earlier you mentioned mentoring, coaching. I think you said, you know, some of these things were a little bit different. If you could maybe talk a little bit more about your approach to how you mentor and coach members of your team or how you deal with career development, I’d love to hear maybe what you do and your thoughts on it.
RANDY: Sure. The first thing that I do is I schedule regular meetings with my team. I let them individually determine the length of time and the frequency. Most people, I schedule regular weekly meetings. The reason I do that is …
Vidal: One-on-one?
RANDY: One-on-one, regular, yeah.
Vidal: Okay.
RANDY: It does take a considerable amount of time, but I think that the investment is worth it. The individual then once they establish, “Okay, I want to have 30 minutes once a week,” then they have to bring the agenda. We’ll talk about what is concerning to them, what are the things that are top of mind for them and just asking questions.
There’s a guy named Michael Bungay Stanier who does a lot of coaching. He’s been coach of the year a couple of different times. He’s got seven questions that he asks. The first one is “What’s on your mind?” That’s a very powerful question to ask my team because they’ll tell me then. We can talk about why either that’s important or not. Sometimes if I have to cancel a meeting that’s a one-on-one, then it’s two weeks before we’ve had a conversation. At least they know every two weeks I’ve got a dedicated time where I can bring a concern that I have to my supervisor, and we can talk through what that’s like. Sometimes they’re valid. Sometimes it’s just they need more information. People need to be heard. Technical people especially, going back that herding tigers. I’ve got a team of tigers. They need to know that they’re being validated, that they’re heard, they’re understood and they’re valued. That is a time where I can do that. I would really consider that coaching, where I’m asking them questions, helping them get better.
As opposed to mentoring, which is more of what I would consider instruction, where I’m sharing my thoughts, my perspective on things as opposed to helping them draw out from themselves really what they probably already know. They’ve probably got a better insight into things than I do because they’re closer to the action every day. They see for us the phishing emails that are coming in. They’ve got an idea of how we can better educate our employees to recognize those phishes. What kind of attacks do we see attacking our systems? how do we mitigate those? How do we put controls in place and protections in place that just make some of those things go away. And we don’t have an issue with them anymore?
If I didn’t spend that time regularly with my team, I would miss out on hearing their passion, what really drives them and why they come to work every week, every day. There’s also a component of that of really understanding them as a person, to make sure that I know what’s happening in their home life. I don’t need to know all the details. If they’ve got somebody that is in their family that’s sick, I want to know what that’s about, because I want to support them with that. I want to be able to know when kid’s birthdays are coming up, so that I can just go in and say, “Hey, it’s your son’s birthday. Take off an hour early. Take off a couple of hours early. Go to that basketball game. Go do something with your wife, it’s your anniversary.” If you don’t ever invest in people as people, as humans and have a relationship with them, you just feel like you’re a cog in the wheel. Nobody wants to be a cog in the wheel. They want to have value and contribute.
Vidal: I think that’s great. That’s great. All right. Well, Randy, you’ve been really generous with your time. I think you shared a lot of really valuable things for our audience, so I really appreciate you taking the time to do this again.
RANDY: It’s my pleasure.
Where can we go to learn more about you? (e.g., LinkedIn, Twitter, Blog, GitHub)
Vidal: Where can people go to learn more about you if they wanted to just to learn more about you or connect with you?
RANDY: Sure, so I’ve got a personal website, randyraw.com. It’s R-A-W. People are often surprised that that’s how you spell my last name. That would be a starting spot. I don’t have a lot of information there. I’ve just begun putting some data there. They can connect with me on LinkedIn. I’m @randyraw, Twitter also @randyraw. I don’t tweet a whole lot of things. I do repost some things on LinkedIn. I’m just now getting to the point where I have some time, because I’ve been getting better at delegating, so that way my team can do some of those things. It allows me to share a little bit more on LinkedIn and into my personal blog that will be on my website.
Vidal: Okay. I’ll put a link to those in the notes. Randy, again, thank you very much. Really appreciate it.
RANDY: I have had a great time. Thank you for having me. I hope that I’ve provided some value for your listeners.